结汇、售汇及付汇管理规定
中国人民银行
结汇、售汇及付汇管理规定
(中国人民银行1996年6月20日发布)
第一条为规范结汇、售汇及付汇行为,实现人民币在
经常项目下可兑换,特制定本规定。
第二条经营外汇业务的银行应当按照本规定和中国人
民银行、国家外汇管理局批准的业务范围办理结汇、售汇
、开立外汇帐户及对外支付业务。
第三条境内机构外汇收入,除国家另有规定外应当及
时调回境内。
第四条境内机构、居民个人、驻华机构及来华人员应
当按照本规定办理结汇、购汇、开立外汇帐户及对外支付
。
第五条境内机构和居民个人通过经营外汇业务的银行
办理对外收支时,应当按照《国际收支统计申报办法》及
有关规定办理国际收支统计申报。
第二章经常项目下的结汇、售汇与付汇
第六条除本规定第七条、第八条、第十条限定的范围
和数量外,境内机构取得的下列外汇应当结汇:
(一)出口或者先支后收转口货物及其他交易行为收
入的外汇。其中用跟单信用证/保函和跟单托收方式结算
的贸易出口外汇可以凭有效商业单据结汇,用汇款方式结
算的贸易出口外汇持出口收汇核销单结汇;
(二)境外贷款项下国际招标中标收入的外汇;
(三)海关监管下境内经营免税商品收入的外汇;
(四)交通运输(包括各种运输方式)及港口(含空
港)、邮电(不包括国际汇兑款)、广告、咨询、展览、
寄售、维修等行业及各类代理业务提供商品或者服务收入
的外汇;
(五)行政、司法机关收入的各项外汇规费、罚没款
等;
(六)土地使用权、著作权、商标权、专利权、非专
利技术、商誉等无形资产转让收入的外汇,但上述无形资
产属于个人所有的,可不结汇;
(七)境外投资企业汇回的外汇利润、对外经援项下
收回的外汇和境外资产的外汇收入;
(八)对外索赔收入的外汇、退回的外汇保证金等;
(九)出租房地产和其他外汇资产收入的外汇;
(十)保险机构受理外汇保险所得外汇收入;
(十一)取得《经营外汇业务许可证》的金融机构经
营外汇业务的净收入;
(十二)国外捐赠、资助及援助收入的外汇;
(十三)国家外汇管理局规定的其他应当结汇的外汇
。
第七条境内机构(不含外商投资企业)的下列外汇,
可以向国家外汇管理局及其分支局(以下简称“外汇局”
)申请,在经营外汇业务的银行开立外汇帐户,按照规定
办理结汇:
(一)经营境外承包工程、向境外提供劳务、技术合
作及其他服务业务的公司,在上述业务项目进行过程中收
到的业务往来外汇;
(二)从事代理对外或者境外业务的机构代收代付的
外汇;
(三)暂收待付或者暂收待结项下的外汇,包括境外
汇入的投标保证金、履约保证金、先收后支的转口贸易收
汇、邮电部门办理国际汇兑业务的外汇汇兑款、一类旅行
社收取的国外旅游机构预付的外汇、铁路部门办理境外保
价运输业务收取的外汇、海关收取的外汇保证金、抵押金
等;
(四)保险机构受理外汇保险、需向境外分保以及尚
未结算的保费。
上述各项外汇的净收入,应当按照规定的时间全部卖
给外汇指定银行。
第八条捐赠、资助及援助合同规定用于境外支付的外
汇,经外汇局批准后方可保留。
第九条下列范围的外汇,可以保留:
(一)外国驻华使领馆、国际组织及其他境外法人驻
华机构的外汇;
(二)居民个人及来华人员的外汇。
第十条外商投资企业经常项目下外汇收入可在外汇局
核定的最高金额以内保留外汇,超出部分应当卖给外汇指
定银行,或者通过外汇调剂中心卖出。
第十一条超过等值1万美元的现钞结汇,结汇人应当
向外汇指定银行提供真实的身份证明和外汇来源证明,外
汇指定银行予以结汇登记后报外汇局备案。
第十二条本规定第七、八、九、十条允许开立外汇帐
户的境内机构和居民个人、驻华机构及来华人员,应当按
照外汇帐户管理的有关规定,到经营外汇业务的银行办理
开户手续。
第十三条境内机构下列贸易及非贸易经营性对外支付
用汇,持与支付方式相应的有效商业单据和所列有效凭证
从其外汇帐户中支付或者到外汇指定银行兑付:
(一)用跟单信用证/保函方式结算的贸易进口,如
需在开证时购汇,持进口合同、进口付汇核销单、开证申
请书;如需在付汇时购汇,还应当提供信用证结算方式要
求的有效商业单据。核销时必须凭正本进口货物报关单办
理;
(二)用跟单托收方式结算的贸易进口,持进口合同
、进口付汇核销单、进口付汇通知书及跟单托收结算方式
要求的有效商业单据。核销时必须凭正本进口货物报关单
办理;
(三)用汇款方式结算的贸易进口,持进口合同、进
口付汇核销单、发票、正本进口货物报关单、正本运输单
据,若提单上的“提货人”和报关单上的“经营单位”与
进口合同中列明的买方名称不一致,还应当提供两者间的
代理协议;
(四)进口项下不超过合同总金额的百分之十五或者
虽超过百分之十五但未超过等值10万美元的预付货款,
持进口合同、进口付汇核销单;
上述(一)至(四)项下进口,实行进口配额管理或
者特定产品进口管理的货物,还应当提供有关部门签发的
许可证或者进口证明;进口实行自动登记制的货物,还应
当提供填好的登记表格。
(五)进口项下的运输费、保险费,持进口合同、正
本运输费收据和保险费收据;
(六)出口项下不超过合同总金额百分之二的暗佣(
暗扣)和百分之五的明佣(明扣)或者虽超过上述比例但
未超过等值1万美元的佣金,持出口合同或者佣金协议、
结汇水单或者收帐通知;出口项下的运输费、保险费,持
出口合同、正本运输费收据和保险费收据;
(七)进口项下的尾款,持进口合同、进口付汇核销
单、验货合格证明;
(八)进出口项下的资料费、技术费、信息费等从属
费用,持进口合同或者出口合同、进口付汇核销单或者出
口收汇核销单、发票或者收费单据及进口或者出口单位负
责人签字的说明书;
(九)从保税区购买商品以及购买国外入境展览展品
的用汇,持(一)至(八)项规定的有效凭证和有效商业
单据;
(十)专利权、著作权、商标、计算机软件等无形资
产的进口,持进口合同或者协议;
(十一)出口项下对外退赔外汇,持结汇水单或者收
帐通知、索赔协议、理赔证明和已冲减出口收汇核销的证
明;
(十二)境外承包工程所需的投标保证金持投标文件
,履约保证金及垫付工程款项持合同。
第十四条境内机构下列贸易及非贸易经营性对外支付
,经营外汇业务的银行凭用户提供的支付清单先从其外汇
帐户中支付或者兑付,事后核查:
(一)经国务院批准的免税品公司按照规定范围经营
免税商品的进口支付;
(二)民航、海运、铁道部门(机构)支付境外国际
联运费、设备维修费、站场港口使用费、燃料供应费、保
险费、非融资性租赁费及其他服务费用;
(三)民航、海运、铁道部门(机构)支付国际营运
人员伙食、津贴补助;
(四)邮电部门支付国际邮政、电信业务费用。
第十五条境内机构下列对外支付用汇,由外汇局审核
其真实性后,从其外汇帐户中支付或者到外汇指定银行兑
付:
(一)超过本规定第十三条(四)规定比例和金额的
预付货款;
(二)超过本规定第十三条(六)规定比例和金额的
佣金;
(三)转口贸易项下先支后收的对外支付;
(四)偿还外债利息;
(五)超过等值1万美元的现钞提取。
第十六条境内机构偿还境内中资金融机构外汇贷款利
息,持《外汇(转)贷款登记证》、借贷合同及债权人的
付息通知单,从其外汇帐户中支付或者到外汇指定银行兑
付。
第十七条财政预算内的机关、事业单位和社会团体的
非贸易非经营性用汇,按照《非贸易非经营性外汇财务管
理暂行规定》办理。
第十八条财政预算外的境内机构下列非经营性用汇,
持所列有效凭证从其外汇帐户中支付或者到外汇指定银行
兑付:
(一)在境外举办展览、招商、培训及拍摄影视片等
用汇,持合同、境外机构的支付通知书及主管部门批准文
件;
(二)对外宣传费、对外援助费、对外捐赠外汇、国
际组织会费、参加国际会议的注册费、报名费,持主管部
门的批准文件及有关函件;
(三)在境外设立代表处或者办事机构的开办费和年
度预算经费,持主管部门批准设立该机构的批准文件和经
费预算书;
(四)国家教委国外考试协调机构支付境外的考试费
,持对外合同和国外考试机构的帐单或者结算通知书;
(五)在境外办理商标、版权注册、申请专利和法律
、咨询服务等所需费用,持合同和发票;
(六)因公出国费用,持国家授权部门出国任务批件
。
上述(一)至(六)项以外的非经营性用汇,由外汇
局审核其真实性以后,从其外汇帐户中支付或者到外汇指
定银行兑付。
第十九条居民个人的因私用汇,按照《境内居民因私
兑换外汇办法》和《境内居民外汇存款汇出境外的规定》
办理。
第二十条居民个人移居出境后,下列合法人民币收益
,持本人身份证明和所列有效凭证到外汇局授权的外汇指
定银行兑付:
(一)人民币存款利息,持人民币存款利息清单;
(二)房产出租收入的租金,持房产租赁合同和房产
出租管理部门的证明;
(三)其他资产的收益,持有关的证明材料和收益清
单。
第二十一条外商投资企业外方投资者依法纳税后的利
润、红利的汇出,持董事会利润分配决议书,从其外汇帐
户中支付或者到外汇指定银行兑付。
外商投资企业中外籍、华侨、港澳台职工依法纳税后
的人民币工资及其他正当收益,持证明材料到外汇指定银
行兑付。
第二十二条按照规定应当以外币支付的股息,依法纳
税后持董事会利润分配决议书从其外汇帐户中支付或者到
外汇指定银行兑付。
第二十三条驻华机构及来华人员的合法人民币收入,
需汇出境外时,持证明材料和收费清单到外汇局授权的外
汇指定银行兑付。
第二十四条驻华机构及来华人员从境外携入或者在境
内购买的自用物品、设备、用具等,出售后所得人民币款
项,需汇出境外时,持工商登记证或者本人身份证明和出
售凭证到外汇局授权的外汇指定银行兑付。
第二十五条临时来华的外国人、华侨、港澳台同胞出
境时未用完的人民币,可以凭本人护照、原兑换水单(有
效期为6个月)兑回外汇,携出境外。
第三章资本项目下的结汇、售汇与付汇
第二十六条境内机构资本项目下的外汇应当在经营外
汇业务的银行开立外汇帐户。
第二十七条境内机构下列范围内的外汇,未经外汇局
批准,不得结汇:
(一)境外法人或自然人作为投资汇入的外汇;
(二)境外借款及发行外币债券、股票取得的外汇;
(三)经国家外汇管理局批准的其他资本项目下外汇
收入。
除出口押汇外的国内外汇贷款和中资企业借入的国际
商业贷款不得结汇。
第二十八条境内机构向境外出售房地产及其他资产收
入的外汇,除本规定第十条限定的数额外应当卖给外汇指
定银行。
第二十九条境内机构偿还境内中资金融机构外汇贷款
本金,持《外汇(转)贷款登记证》、借贷合同及债权机
构的还本通知单,从其外汇帐户中支付或者到外汇指定银
行兑付。
第三十条境内机构资本项目下的下列用汇,持所列有
效凭证向外汇局申请,凭外汇局的核准件从其外汇帐户中
支付或者到外汇指定银行兑付:
(一)偿还外债本金,持《外债登记证》、借贷合同
及债权机构还本通知单;
(二)对外担保履约用汇,持担保合同、外汇局核发
的《外汇担保登记证》及境外机构支付通知;
(三)境外投资资金的汇出,持国家主管部门的批准
文件和投资合同;
(四)外商投资企业的中方投资者经批准需以外汇投
入的注册资金,持国家主管部门的批准文件和合同。
第三十一条外商投资企业的外汇资本金的增加、转让
或者以其他方式处置,持董事会决议,经外汇局核准后,
从其外汇帐户中支付或者持外汇局核发的售汇通知单到外
汇指定银行兑付:
投资性外商投资企业外汇资本金在境内投资及外方所
得利润在境内增资或者再投资,持外汇局核准件办理。
第四章结汇、售汇及付汇的监管
第三十二条外商投资企业可以在外汇指定银行办理结
汇和售汇,也可以在外汇调剂中心买卖外汇,其他境内机
构、居民个人、驻华机构及来华人员只能在外汇指定银行
办理结汇和售汇。
第三十三条从外汇帐户中对外支付时,经营外汇业务
的银行应当根据规定的外汇帐户收支范围及本规定第二、
三章相应的规定进行审核,办理支付。
第三十四条外汇指定银行办理售汇和付汇后,应当在
相应的有效凭证和有效商业单据上签章后留存备查。
第三十五条外汇指定银行应当根据中国人民银行每日
公布的人民币汇率中间价和规定的买卖差价幅度,确定对
客户的外汇买卖价格,办理结汇和售汇业务。
第三十六条从外汇帐户中支付或者购汇支付,应当在
有关结算方式或者合同规定的日期办理,不得提前对外付
款;除用于还本付息的外汇和信用证/保函保证金外,不
得提前购汇。
第三十七条为使有远期支付合同或者偿债协议的用汇
单位避免汇率风险,外汇指定银行可以按照有关规定为其
办理人民币与外币的远期买卖及其他保值业务。
第三十八条易货贸易项下进口,未经外汇局批准,不
得购汇或者从外汇帐户支付。
第三十九条经营外汇业务的银行应当按照规定向外汇
局报送结汇、售汇及付汇情况报表。
外汇指定银行应当建立结售汇内部监管制度,遇有结
售汇异常情况,应当及时向国家外汇管理局当地分支局报
告。
第四十条境内机构应当在其注册地选择经营外汇业务
的银行开立外汇帐户、按照本规定办理结汇、购汇、付汇
业务。境内机构在异地和境外开立外汇帐户,应当向外汇
局申请。
外商投资企业经常项下的外汇收入,经批准可以在注
册地选择经营外汇业务的银行开立外汇结算帐户。
第四十一条经营外汇业务的银行和有结汇、购汇、付
汇业务的境内机构,应当无条件接受外汇局的监督、检查
,并出示、提供有关材料。对违反本规定的,外汇局可对
其处以警告、没收违法所得、罚款的处罚;对违反本规定
,情节严重的经营外汇业务的银行,外汇局可对其处以暂
停结售汇业务的处罚。
第五章附则
第四十二条本规定由国家外汇管理局负责解释。
第四十三条本规定自1996年7月1日起施行。1
994年3月26日发布的《结汇、售汇及付汇管理暂行
规定》同时废止。其他规定与本规定相抵触的,以本规定
为准。
Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版
China Banking Regulatory Commission
Guidelines on the Risk Management of Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.
Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.
Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.
Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).
Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.