CBIRC Officials Answer Press Questions on the Rules on Information Technology Outsourcing Risks of Banking and Insurance Institutions
1. What is the background and significance of formulating the Measures?
A: In recent years, banking and insurance institutions have actively pursued digital transformation. While stepping up technological innovation to better serve financial consumers, they have come to rely increasingly on IT outsourcing services. At the same time, some banking and insurance institutions have failed to control the risks of IT outsourcing, and incidents such as business interruption and leakage of sensitive information have occurred from time to time. In addition, outsourcing service providers in some fields are highly concentrated, creating industry-wide concentration risk. Accordingly, following a risk-based approach and with the goal of closing gaps and strengthening supervision, the CBIRC formulated the Measures to set requirements for the IT outsourcing of banking and insurance institutions covering IT outsourcing governance, access, monitoring and evaluation, and risk management.
The formulation and promulgation of the Measures will prompt banking and insurance institutions to establish and improve their IT outsourcing governance structures, strengthen their IT outsourcing risk management systems, improve their ability to manage and control IT outsourcing risks, and carry out digital transformation in a steady manner.
2. What are the main contents of the Measures?
A: The Measures consist of 7 chapters and 46 articles and set out comprehensive requirements for the IT outsourcing risk management of banking and insurance institutions. First, the general provisions state the purpose and legal basis, the scope of application and the general principles of the Measures, and lay down the general requirement for IT outsourcing risk management: banking and insurance institutions shall establish an IT outsourcing management system consistent with their IT strategic objectives, incorporate IT outsourcing risks into their overall risk management system, and effectively control the risks arising from outsourcing. Second, on IT outsourcing governance, the Measures set clear requirements for the organization and responsibilities of banking and insurance institutions, outsourcing strategy, prohibited outsourcing, service provider management strategy, outsourcing classification, tiered management of outsourcing, and exit strategy. Third, the Measures set regulatory requirements for IT outsourcing access, including pre-access assessment, due diligence and contracts, and impose additional requirements on off-site centralized outsourcing, cross-border outsourcing, and interbank and affiliated-party outsourcing. Fourth, the Measures define monitoring and evaluation requirements for IT outsourcing, with provisions on outsourcing process monitoring, efficiency and quality monitoring, service monitoring and evaluation, monitoring of service provider operations, correction of anomalies, evaluation of affiliated-party outsourcing, and outsourcing termination. Fifth, the Measures standardize IT outsourcing risk management, with requirements for outsourcing risk identification and assessment, business continuity management, information security management, concentration risk management, on-site inspection of off-site outsourcing, and annual risk assessment and audit.
Sixth, the Measures provide for the supervision and administration of outsourcing by regulators, including requirements for prior reporting, reporting of major events, regulatory assessment and inspection, risk monitoring, regulatory intervention, on-site verification, and regulatory accountability. Seventh, the supplementary provisions cover the definition of terms, the authority of interpretation, the effective date, and the repeal of earlier documents.
3. How is the IT outsourcing regulated by the Measures defined?
A: IT outsourcing within the scope of the Measures refers to a banking or insurance institution entrusting its own IT activities to a service provider for processing. Beyond such outsourcing, banking and insurance institutions have in recent years cooperated more and more with third parties in many fields, and much of that cooperation involves the processing of the institutions' important data and their customers' personal information. In order to fully protect the rights and interests of financial consumers, strengthen IT risk management in third-party cooperation, and prevent the leakage and misuse of sensitive information, IT activities in a banking or insurance institution's cooperation with other third parties that involve the processing of the institution's important data or its customers' personal information shall also be managed in accordance with the relevant requirements of the Measures.
4. What principles should banking and insurance institutions follow when implementing IT outsourcing?
A: According to the Measures, banking and insurance institutions should adhere to the following principles when implementing IT outsourcing: (1) they shall not outsource their responsibility for IT management or their primary responsibility for network security; (2) outsourcing shall not hinder the building of core capabilities, and institutions shall actively master key technologies; (3) they shall maintain a balance among outsourcing risks, costs and benefits; (4) they shall ensure network and information security and strengthen personal information protection; (5) they shall emphasize ex-ante control and in-process supervision; and (6) they shall continuously improve their outsourcing strategies and risk management measures.
5. Will the Measures raise the access threshold for service providers?
A: The Measures apply to the banking and insurance institutions supervised by the CBIRC. All service providers are treated equally, and no additional access threshold is imposed on them. Banking and insurance institutions independently decide the selection criteria and access procedures for their service providers.
6. The banking industry previously had dedicated regulatory guidance on IT outsourcing risk. Does that earlier guidance remain in effect after the Measures are issued?
A: The Measures take effect on the date of promulgation. The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions (YJF [2013] No. 5), the Notice of the General Office of the CBRC on Strengthening the Risk Management of Non-resident Centralized Outsourcing of Banking Financial Institutions (YJF [2014] No. 187), and the Notice of the General Office of the CBRC on the Supervision and Evaluation of Non-resident Centralized Outsourcing of Information Technology of Banking Financial Institutions (CBRC [2014] No. 272) are repealed at the same time.