Economic and financial hot spots quick review 2022 issue 16 (total issue 679): financial information technology outsourcing ushered in comprehensive supervision and promoted the steady and long-term development of digital transformation

Recently, the China Banking and Insurance Regulatory Commission issued the Measures for the Supervision of IT Outsourcing Risks of Bank and Insurance Institutions (hereinafter referred to as the measures), which set out comprehensive requirements for IT outsourcing by banking and insurance institutions, covering overall requirements, the governance system, the access system, monitoring and evaluation, risk management, and supervision and management. The measures push banking and insurance institutions to improve their ability to manage and control IT outsourcing risk and safeguard their digital transformation. The following points deserve attention:

First, the pace of digital transformation at banks has accelerated, and demand for information technology outsourcing is growing strongly. Outsourcing improves quality and efficiency, but it also carries risks. The measures ensure a "balance" between innovation and risk. The epidemic has created new opportunities for the development of the digital economy, and financial technology has entered a new stage, moving from quantity to quality. The "14th Five-Year Plan" for the development of the digital economy, the development plan for financial technology and the guidance on the digital transformation of the banking and insurance industry have been released one after another. From top-level design to technology application, the digital transformation of banks has accelerated. With financial technology becoming a competitive high ground, banks' requirements for technology support capacity keep rising, information technology investment is increasing year by year, and demand for technology outsourcing is growing rapidly. In 2020, the information technology capital investment of banking institutions totaled 207.8 billion yuan, a year-on-year increase of 20%. In 2019, the contract value of bank information technology outsourcing increased by 56.3% year-on-year, and the number of projects increased by 13.8% year-on-year. As an important channel for supplementing a bank's own technology strength, IT outsourcing offers rapid response, cost savings, access to high-end and cutting-edge technologies in a short time, and a higher level of technology services. In recent years, banks have increasingly relied on IT outsourcing services, and the industry concentration of outsourcing services in some fields has increased. If control is not effective, a series of outsourcing risks can easily arise, such as information leakage, business interruption and loss of in-house technology capability.
Based on the main principles of a risk-based approach, strengthened supervision and international alignment, the measures put forward comprehensive requirements for the risk management of bank information technology outsourcing and set a sound risk gateway for digital transformation.

Second, the measures integrate the previous banking IT outsourcing risk supervision standards and form unified IT outsourcing risk supervision guidance for financial institutions by expanding the scope of application, integrating the original supervision rules, and adding new standards and new requirements. Before the promulgation of the measures, the guidelines on IT outsourcing risk supervision for the banking industry had been formulated as early as 2013 and 2014. As the scope of outsourced business has grown, the forms of outsourcing projects have diversified and the number of outsourcing risk points has gradually increased, it has become necessary to keep pace with the times, update the supervision methods, shore up weaknesses and plug loopholes. In terms of applicable institutions, in addition to the banks originally covered and the rural credit cooperatives and other financial institutions that implement the rules by reference, the measures have added insurance institutions, including insurance group (holding) companies, insurance companies, insurance asset management companies and insurance professional intermediaries, so as to bring information technology supervision of the insurance industry closer to that of the banking industry. In terms of integrating rules, most of the three guidelines and notices on banking outsourcing risk supervision are retained, and the cross-border outsourcing, off-site outsourcing, off-site centralized outsourcing and important outsourcing service institutions mentioned in them are integrated to simplify the regulatory framework, clarify the regulatory standards and shorten the management chain, so as to make the regulatory rules more universal.
In terms of new content, the definition of IT outsourcing is broader: IT activities that involve the processing of important data and customers' personal information in cooperation between banking and insurance institutions and other third parties are now included. The types of IT outsourcing services have been further refined. To the original R&D consulting, operation and maintenance, and business support categories, development and testing and security services have been added, and the service contents have been refined, with particular emphasis on information security. The supervision of network security, data security and personal information protection has been improved in line with the corresponding laws. The measures emphasize the primary responsibility of financial institutions, make it clear in the implementation principles that IT management responsibility and primary responsibility for network security shall not be outsourced, and require prior control and in-process supervision.
