In order to strengthen the information technology risk management of commercial banks, these Guidelines are formulated in accordance with the Banking Supervision Law of the People's Republic of China, the Commercial Bank Law of the People's Republic of China, the Regulations of the People's Republic of China on the Administration of Foreign Banks, the relevant requirements of national information security and relevant laws and regulations.
These Guidelines are applicable to corporate commercial banks established in the People's Republic of China. Policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, rural banks, loan companies, financial asset management companies, trust companies, finance companies, financial leasing companies, auto finance companies, money brokerage companies and other banking financial institutions shall implement these Guidelines by reference.
The information technology mentioned in these Guidelines refers to the application of modern information technologies such as computers, communications, microelectronics and software engineering in the transaction processing, operation management and internal control of commercial banks, including information technology governance, establishment of a complete management organization structure, and formulation of sound management systems and processes.
The information technology risks mentioned in these Guidelines refer to the operational, legal and reputational risks arising from natural factors, human factors, technical loopholes and management defects in the application of information technology by commercial banks.
The goal of information technology risk management is to realize the identification, measurement, monitoring and control of information technology risks of commercial banks, promote the safe, sustainable and steady operation of commercial banks, promote business innovation, improve the application level of information technology, and enhance their core competitiveness and capacity for sustainable development.
External Audit
Article 67. Commercial banks may, in accordance with laws, regulations and regulatory requirements, entrust external audit institutions with corresponding qualifications to conduct external audit of information technology.
Article 68. In the process of entrusted audit, commercial banks should ensure that external audit institutions can check the bank's hardware, software, documents and data to find risks in information technology, except for important commercial and technical confidential information stipulated by national laws, regulations, rules and normative documents.
Article 69. Before implementing external audit, commercial banks should fully communicate with external audit institutions, determine the audit scope in detail, and shall not deliberately conceal facts or obstruct audit inspection.