
Interim Provisions on the Administration of Insurance Agents

Author: 法律资料网  Time: 2024-07-24 09:01:38  Views: 9400  Source: 法律资料网


People's Bank of China





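Chapter I General Provisions
Article 1. These Provisions are formulated in accordance with the Insurance Law of the People's Republic of China in order to regulate the agency conduct of insurance agents and promote the development of the insurance industry.
Article 2. An insurance agent is an entity or individual that, under the entrustment of an insurer, collects agency commission from the insurer and handles insurance business on the insurer's behalf within the scope authorized by the insurer.
The insurer bears responsibility for the acts of an insurance agent in handling insurance business on its behalf under the insurer's authorization.
Article 3. Any entity or individual registered in accordance with these Provisions may engage in insurance agency business within the territory of the People's Republic of China.
Article 4. Insurance agents as referred to in these Provisions include professional agents, concurrent-business agents and individual agents.
Article 5. The supervisory and administrative authority for insurance agents is the People's Bank of China.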

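Chapter II Qualifications
Article 6. Except in the case of concurrent-business agency, insurance agency personnel must take the insurance agent qualification examination and obtain the Insurance Agent Qualification Certificate.
Article 7. Individuals who have reached the age of 18 and have a senior high school education or above, or an equivalent education, may register for the insurance agency personnel qualification examination.
A person in any of the following circumstances may not take the insurance agency personnel qualification examination:
(1) a person who has been punished for violating state law;
(2) a person whose Insurance Agent Qualification Certificate has been revoked;
(3) current staff of insurance supervisory authorities, insurance companies and insurance industry associations;
(4) other persons determined by the People's Bank of China to be unsuitable to engage in insurance agency business.
Article 8. The insurance agent qualification examination is organized and administered by the People's Bank of China or an institution authorized by it.
Article 9. Those who pass the insurance agent qualification examination may apply to the provincial, autonomous region, centrally administered municipality or separately planned city branch of the People's Bank of China, or an institution authorized by it, to receive the Insurance Agent Qualification Certificate.
Article 10. The Insurance Agent Qualification Certificate is printed uniformly by the head office of the People's Bank of China.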

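Chapter III Professional Agents
Article 11. A professional agent is an insurance agency company that engages exclusively in insurance agency business. The organizational form of an insurance agency company is the limited liability company.
Article 12. An insurance agency company must meet the following conditions:
(1) a minimum paid-in monetary capital of RMB 500,000;
(2) articles of association that comply with the regulations;
(3) at least 30 agency personnel holding the Insurance Agent Qualification Certificate;
(4) a chairman of the board and a general manager who meet the qualifications for office;
(5) business premises that meet the requirements.
Article 13. In the capital of an insurance agency company, the sum of capital held by individuals may not exceed 30% of total capital, and the capital of any one individual may not exceed 5% of total capital.
Article 14. The establishment of an insurance agency company shall go through two stages: preparation and commencement of business.
Article 15. To apply to prepare the establishment of an insurance agency company, the following materials shall be submitted to the local People's Bank of China (in triplicate):
(1) an application report for preparation;
(2) a feasibility report for preparation;
(3) a preparation plan;
(4) a list of the preparatory personnel, their resumes and their Insurance Agent Qualification Certificates;
(5) other documents and materials required by the People's Bank of China.
Article 16. Insurance agency companies are examined and approved by the provincial, autonomous region, centrally administered municipality or separately planned city branch of the People's Bank of China; however, before approving preparation, the branch shall file with the head office of the People's Bank of China for the record. If the head office raises no objection within 30 days from the date it receives the filing documents, it is deemed to have given its approval.
Article 17. The preparation period for an insurance agency company is 6 months. Once preparations are complete, the company shall apply to the provincial, autonomous region, centrally administered municipality or separately planned city branch of the People's Bank of China for commencement of business and submit the following materials (in triplicate):
(1) an application report for commencement of business;
(2) the capital verification certificate and copies of the original bookkeeping vouchers;
(3) profiles of the shareholders and materials evidencing their credit standing;
(4) a list of the proposed responsible persons, their resumes and their Insurance Agent Qualification Certificates;
(5) the articles of association;
(6) other materials required by the People's Bank of China.
Article 18. An insurance agency company approved to commence business may operate only after the provincial, autonomous region, centrally administered municipality or separately planned city branch of the People's Bank of China has issued it a License to Engage in Insurance Agency Business and it has registered with the administration for industry and commerce.
Article 19. The name of an insurance agency company must contain the words "insurance agency" (保险代理).
Article 20. An insurance agency company shall set up separate accounts for the income and expenditure of its agency business.
Article 21. Serving employees of insurance companies may not hold concurrent posts in insurance agency companies.
Article 22. Governments at all levels and their functional departments, social-organization legal persons, banks and insurance companies may not invest in insurance agency companies.
Article 23. The business scope of an insurance agency company is:
(1) selling insurance policies as agent;
(2) collecting insurance premiums as agent;
(3) insurance and risk management consulting services;
(4) conducting loss surveys and claims settlement on behalf of insurers;
(5) other business approved by the People's Bank of China.
Article 24. The principal responsible persons of an insurance agency company (chairman of the board, general manager), in addition to holding the Insurance Agent Qualification Certificate, shall meet one of the following conditions:
(1) junior college education or above in insurance, and 5 years or more of insurance work;
(2) junior college education or above in a non-insurance discipline, and 7 years or more of insurance work;
(3) senior high school education, and 10 years or more of insurance work;
(4) 12 years or more of economic work.
Article 25. Where an insurance agency company has not commenced business within 6 months of formal approval without a legitimate reason, the People's Bank of China shall revoke its License to Engage in Insurance Agency Business.
Article 26. The following changes by an insurance agency company require the approval of the provincial, autonomous region, centrally administered municipality or separately planned city branch of the People's Bank of China:
(1) amending the articles of association;
(2) changing the capital;
(3) changing shareholders;
(4) adjusting the business scope;
(5) changing business premises.
Where an insurance agency company replaces its chairman of the board or general manager, it must report to the People's Bank of China for review of their qualifications for office.
Article 27. A License to Engage in Insurance Agency Business is valid for 3 years; the holder shall apply for renewal within the 2 months before expiry.
Article 28. An insurance agency company may not establish branch offices without approval.
Article 29. An application by an insurance agency company for suspension of business, bankruptcy or dissolution shall be reported to the People's Bank of China for approval under the same filing procedure as for its establishment.
Article 30. Where an insurance agency company is acquired or merged, goes bankrupt, is dissolved or is ordered to close, it shall be liquidated according to law under the supervision of the People's Bank of China and the relevant departments.
Article 31. Where an insurance agency company terminates its business activities according to law, it shall return its License to Engage in Insurance Agency Business, complete deregistration with the administration for industry and commerce on the strength of the People's Bank of China's notice, and publish an announcement in a newspaper designated by the People's Bank of China.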

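Chapter IV Concurrent-Business Agents
Article 32. A concurrent-business agent is an entity that, under the entrustment of an insurer and while carrying on its own business, designates dedicated personnel to handle insurance business on behalf of the insurer.
Article 33. A concurrent-business insurance agent must meet the following conditions:
(1) it holds a letter of authorization from the legal person of the entity to which it belongs;
(2) it has dedicated personnel engaged in insurance agency business;
(3) it has business premises that comply with the regulations.
Article 34. For a concurrent-business agent to handle insurance business as agent, the insurance company it represents must apply for a License to Engage in Insurance Agency Business on its behalf.
To apply for a License to Engage in Insurance Agency Business, the following documents shall be submitted to the local People's Bank of China:
(1) an application report;
(2) a letter of intent for the insurance agency contract;
(3) evidence of the concurrent-business agent's credit standing and related materials;
(4) the resume and Insurance Agent Qualification Certificate of the person in charge of the insurance agency business.
Article 35. The business scope of a concurrent-business agent is:
(1) selling insurance policies as agent;
(2) collecting insurance premiums as agent.
Article 36. A concurrent-business agent may act as agent only for insurance business that is directly related to its own industry and that provides convenience to the insured.
Article 37. Party and government organs and their functional departments may not engage in insurance agency business as a concurrent business.
Article 38. Changes to an insurance agency contract must be filed with the local People's Bank of China for the record.
Article 39. The measures for examination and approval of concurrent-business insurance agency institutions shall be prescribed separately by the provincial, autonomous region, centrally administered municipality or separately planned city branches of the People's Bank of China.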

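Chapter V Individual Agents
Article 40. An individual agent is an individual who, under the entrustment of an insurer, collects agency commission from the insurer and handles insurance business on the insurer's behalf within the scope authorized by the insurer.
Article 41. Anyone holding the Insurance Agent Qualification Certificate may apply to engage in insurance agency business; the insurance company represented shall review and register the applicant and file with the local branch of the People's Bank of China for the record.
Article 42. An individual agent is issued an agent card by the insurance company represented. The agent card must include the following:
(1) name, sex and identity card number;
(2) a one-inch bareheaded photograph of the holder, embossed with the steel seal of the insurance company represented;
(3) the name of the insurance company represented and the date the agent card was issued;
(4) the scope of authorization granted by the insurance company represented and the lines of insurance that may be handled as agent;
(5) the validity period of the agent card.
Article 43. The business scope of an individual agent is:
(1) selling insurance policies as agent;
(2) collecting insurance premiums as agent.
Article 44. Individual agents may not handle enterprise property insurance or group personal insurance.
Article 45. An individual agent may not handle insurance business as agent for two or more insurance companies at the same time; on becoming an agent of another insurance company, the agent shall go through the registration formalities again.
Article 46. No individual may engage in insurance agency business on a part-time basis.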

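Chapter VI Practice Management
Article 47. Insurance agents may handle insurance business as agent only for insurance companies established with the approval of the People's Bank of China.
Article 48. Insurance agents handling life insurance business as agent may act for only one life insurance company.
Article 49. Insurance agents may handle insurance business as agent only for insurance companies within the administrative jurisdiction in which they are registered.
Article 50. Before engaging in agency business, an insurance agent shall sign an agency contract with the insurer specifying the rights and obligations of both parties, the term of the agency, the rates and method of commission payment, the scope of the agency, the lines of insurance handled, the method of remitting premiums and other relevant agency matters. The insurance agency contract shall be filed with the local People's Bank of China for the record.
Article 51. Insurance agents shall, on the principle of good faith, truthfully inform the insured of the insurance company's business circumstances that the insured ought to know and of the content and meaning of the insurance clauses.
Article 52. Insurance agents may not use administrative power, their position or professional convenience, or other improper means, to coerce, induce or restrict policy applicants in taking out insurance or switching insurers.
Article 53. Insurance taken out by an insurance agent with an insurance company is in all cases treated as the insurance company's direct business, and the insurance agent may not draw agency commission on it.
Article 54. When the People's Bank of China inspects an insurance agent's business operations, account books, business records and receipts, the insurance agent may not refuse.
Article 55. Insurance agents may not issue insurance policies.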

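Chapter VII Penalties
Article 56. Whoever, in violation of these Provisions, engages in insurance agency business without approval shall be banned by the People's Bank of China, shall have the illegal gains confiscated, and shall be fined not less than 5 times and not more than 10 times the illegal gains. Where a crime is constituted, criminal liability shall be pursued according to law.
Article 57. Whoever establishes an insurance agency company without approval shall be punished under the relevant provisions of the Decision of the Standing Committee of the National People's Congress on Punishing Crimes of Disrupting Financial Order.
Article 58. Whoever, in violation of these Provisions, commits any of the following acts shall be ordered by the People's Bank of China to make corrections and fined RMB 1,000-5,000 in the case of an individual or RMB 5,000-10,000 in the case of an entity; where the circumstances are serious, the Insurance Agent Qualification Certificate or License to Engage in Insurance Agency Business shall be revoked:
(1) making a false declaration when applying for the Insurance Agent Qualification Certificate or the License to Engage in Insurance Agency Business;
(2) making a false declaration when applying to establish an insurance agency company;
(3) providing false account books, statements, documents and materials;
(4) refusing or obstructing supervision and inspection by the People's Bank of China.
Article 59. Whoever, in violation of these Provisions, commits any of the following acts shall be ordered by the People's Bank of China to make corrections, shall have the illegal gains confiscated, and shall be fined RMB 5,000-10,000 in the case of an individual or RMB 10,000-50,000 in the case of an entity; where the circumstances are serious, business shall be suspended for not less than one month and not more than 3 years, or the Insurance Agent Qualification Certificate or License to Engage in Insurance Agency Business shall be revoked:
(1) acting as agent for an insurance company not approved by the People's Bank of China;
(2) exceeding, in business operations, the business scope approved by the People's Bank of China;
(3) acting as agent for two or more life insurance companies;
(4) acting as agent for an insurance company outside the administrative jurisdiction of registration.
Article 60. Whoever, in violation of these Provisions, commits any of the following acts shall be fined RMB 10,000-50,000; where the circumstances are serious, the Insurance Agent Qualification Certificate or License to Engage in Insurance Agency Business shall be revoked; where a crime is constituted, criminal liability shall be pursued according to law:
(1) deceiving policy applicants, insureds or beneficiaries in insurance agency business;
(2) colluding with the insured to deceive the insurance company.
Article 61. Where an insurance agent defaults on or misappropriates insurance premiums or insurance proceeds, the People's Bank of China shall, according to the seriousness of the circumstances, impose a warning, a fine of RMB 5,000-10,000 in the case of an individual or RMB 10,000-50,000 in the case of an entity, or revocation of the Insurance Agent Qualification Certificate or License to Engage in Insurance Agency Business; where a crime is constituted, criminal liability shall be pursued according to law.
Article 62. Whoever violates Article 53 of these Provisions or demands extra remuneration from the parties to an insurance contract shall have the illegal gains confiscated and shall be fined 5 to 10 times the illegal gains; where a crime is constituted, criminal liability shall be pursued according to law.
Article 63. The above penalties may be imposed concurrently.
Article 64. Insurance companies may no longer entrust, or accept business from, anyone whose Insurance Agent Qualification Certificate or License to Engage in Insurance Agency Business has been revoked.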

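Chapter VIII Supplementary Provisions
Article 65. The People's Bank of China is responsible for the interpretation of these Provisions; the same applies to their amendment.
Article 66. The provincial, autonomous region, centrally administered municipality and separately planned city branches of the People's Bank of China may formulate implementing rules on the basis of these Provisions.
Article 67. These Provisions take effect on May 1, 1996. The Interim Measures for the Administration of Insurance Agency Institutions issued by the People's Bank of China on November 2, 1992 are repealed at the same time.

January 1, 1996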

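Notice of the Bank of Communications on Issuing the "Measures of the Bank of Communications for the Administration of Guarantee Business" and the "Provisions on Accounting for Guarantee Business"

Bank of Communications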



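October 11, 1995, Bank of Communications

To all branches and sub-branches of the Bank of Communications:
In order to strengthen the management of our bank's local- and foreign-currency guarantee business, standardize the operating procedures for guarantee business, and ensure the steady and healthy development of our bank's guarantee business, the "Measures of the Bank of Communications for the Administration of Guarantee Business" and the "Provisions on Accounting for Guarantee Business" are hereby issued to you. Please implement them conscientiously. If any bank encounters problems in implementation, please report to Head Office promptly.

Attachment 1: Measures of the Bank of Communications for the Administration of Guarantee Business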

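Chapter I General Provisions
Article 1. These Measures are formulated in accordance with the Guarantee Law of the People's Republic of China, the relevant provisions of the State Administration of Foreign Exchange on external guarantees, and our bank's asset and liability management measures, in order to strengthen the management of our bank's local- and foreign-currency guarantee business and ensure its steady and healthy development.
Article 2. "Guarantee" in these Measures means an undertaking given to a domestic or overseas creditor, backed by Head Office's own local- and foreign-currency funds, that the guarantor will perform the payment obligation when the debtor fails to perform its obligations as stipulated in the contract.
Article 3. No branch that has not been approved to conduct foreign exchange business may provide a foreign exchange guarantee in any form.
Article 4. Guarantee business shall be handled by the main office of each branch or sub-branch within the scope authorized in writing by Head Office; approval authority may not be delegated to subordinate institutions.
Article 5. No guarantee may be provided for an enterprise's registered capital.
Article 6. No guarantee may be provided for an enterprise's issuance of bonds.
Article 7. The maximum total amount of guarantee business undertaken by each branch or sub-branch under Head Office authorization is as follows: local-currency guarantee business may not exceed 1 times its local-currency working capital; foreign exchange guarantee business may not exceed 10 times its foreign exchange working capital (except where Head Office authorizes otherwise).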

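Chapter II Eligible Applicants and Types of Guarantee
Article 8. Any legal person with the ability to repay may apply to our bank for a guarantee.
Article 9. Types of guarantee and their definitions
(1) Financing guarantees
1. Loan guarantee: a guarantee of repayment of principal and interest provided for the borrower to the lender.
2. Overdraft guarantee: a guarantee assuming liability for repayment of an overdraft facility granted to the applicant by the relevant financial institution.
3. Lease guarantee: a payment guarantee issued for the lessee to the lessor for payment of rent on schedule.
4. Compensation trade guarantee: a guarantee issued for the party importing equipment or technology, to the party providing the equipment or technology, for performance of the obligations under the relevant compensation trade contract.
5. Letter of credit for project financing: a payment guarantee issued for project financing by way of opening a letter of credit.
(2) Non-financing guarantees
1. Payment guarantee: a guarantee issued for the buyer or project owner to the seller or contractor for payment of the price of goods.
2. Bid guarantee: a guarantee issued for the bidder to the party inviting tenders that the bidder will perform the obligations in the tender documents after winning the bid.
3. Performance guarantee: a guarantee of performance given for the supplier or service provider to the buyer or project owner.
4. Advance payment guarantee: a guarantee issued for the exporter or contractor to the importer or project owner that the contract will be performed or construction carried out as agreed, failing which the advance payment and interest will be refunded.
5. Other guarantees.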

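Chapter III Approval Authority
Article 10. All types of guarantee with full cash collateral must be reported level by level for the record within one week after the letter of guarantee is issued.
Article 11. Guarantees under loans approved in accordance with the relevant approval authority must be reported for the record within one week after the letter of guarantee is issued, with the relevant loan approval documents attached.
Article 12. Guarantees without full cash collateral shall be handled as follows:
(1) Financing guarantees under item (1) of Article 9 of Chapter II:
1. Subordinate branches and sub-branches shall, after their own review, report each case to the supervising branch for examination; the supervising branch shall sign its opinion and report to Head Office for approval.
2. Supervising branches and directly administered branches must also report each case to Head Office for approval.
(2) Non-financing guarantees under item (2) of Article 9 of Chapter II:
1. The approval authority of the Beijing Branch and the Shanghai Branch for a single letter of guarantee is USD 2 million (or the equivalent in another foreign currency) or RMB 10 million. The maximum annual amount approved is USD 20 million or RMB 50 million. The maximum annual amount of guarantee business approved for banks within their jurisdiction is USD 20 million or RMB 50 million. Letters of guarantee exceeding the above single-letter approval authority, or issued after the annual maximum has been exceeded, must be reported case by case to Head Office for approval.
2. The approval authority of supervising branches and directly subordinate branches for a single letter of guarantee is USD 1 million (or the equivalent in another foreign currency) or RMB 5 million. The maximum annual amount approved is USD 8 million or RMB 20 million. The maximum annual amount of guarantee business that a supervising branch approves for banks within its jurisdiction is USD 8 million or RMB 20 million. Letters of guarantee exceeding the above single-letter approval authority, or issued after the annual maximum has been exceeded, must be reported case by case to Head Office for approval.
3. The approval authority of subordinate branches and sub-branches for a single letter of guarantee is USD 500,000 (or the equivalent in another foreign currency) or RMB 2 million. The maximum annual amount approved is USD 5 million or RMB 10 million. Letters of guarantee exceeding the above single-letter approval authority, or issued after the annual maximum has been exceeded, must be reported case by case to the supervising branch for approval.
The above approval authority will be adjusted as appropriate, according to the rating obtained, after internal rating is implemented throughout the bank. Any project approved by a bank within its approval authority must be reported level by level to Head Office for the record within one week of approval.
Article 13. No branch or sub-branch may issue to any entity a "letter of intent to guarantee", "guarantee commitment letter" or other document that in substance assumes guarantee liability in excess of the relevant approval authority.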

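Chapter IV Procedures for Handling Guarantee Business
Article 14. After the relevant branch or sub-branch receives a customer's guarantee application, the department handling credit business shall evaluate (or investigate) it against the corresponding loan conditions and pass the evaluation report (or investigation report) and the relevant business materials to the credit management department for re-examination; the application shall then, in accordance with the relevant rules of each bank, be submitted to the loan review committee for review and approved by the president or a signatory authorized by the president.
Article 15. Guarantee projects exceeding the approval authority of the handling bank shall be reported level by level in accordance with Article 12 of Chapter III of these Measures. The higher-level bank shall carefully examine the projects reported by its subordinate branches and sub-branches and sign its approval opinion.
Article 16. The following materials shall be provided for guarantee projects that must be reported to a higher-level bank for approval:
(1) the application report of the handling bank;
(2) the evaluation report (or investigation report) of the handling bank;
(3) relevant information on the enterprise, including documents evidencing legality, its financial position and the relevant contract documents;
(4) the guarantee applicant's application;
(5) information on the counter-guarantee measures, evidence of the collateral and the credit standing of the counter-guarantor;
(6) other materials required by the higher-level bank.
Article 17. For foreign exchange guarantees issued to overseas creditors, after the above approval has been obtained, the guaranteeing bank concerned shall complete the examination and reporting formalities in accordance with the rules of the local foreign exchange administration.
Article 18. After the above procedures are completed, the relevant branch or sub-branch shall require the guarantee applicant to fill in the "Application for Issuance of a Letter of Guarantee" (see Schedule 1) and shall sign a guarantee agreement with the guarantee applicant, the main contents of which are:
(1) the guarantee requirements;
(2) the guaranteed amount and currency;
(3) the counter-guarantee clauses;
(4) the relationship between the guarantee agreement and the letter of guarantee;
(5) the relationship between the guarantee agreement and the guaranteed contract;
(6) the default clauses;
(7) the method of payment;
(8) the validity period of the guarantee;
(9) the calculation and collection of the guarantee fee.
Article 19. The currency of the guarantee fee shall be the currency of the letter of guarantee. The guarantee fee is charged at 1% to 2% for financing letters of guarantee and at 0.3% to 1% for non-financing letters of guarantee.
Article 20. Issuing the letter of guarantee.
The main contents of a letter of guarantee are:
(1) the number of the letter of guarantee;
(2) the legal names and addresses of the parties;
(3) the main contents of the guaranteed contract, such as its type and amount;
(4) the scope and form of the guarantee;
(5) the rights and obligations of the applicant, our bank and the beneficiary;
(6) the conditions and method of compensation, and the documents and proof required;
(7) the entry into effect and term of the letter of guarantee;
(8) the applicable law and the court of jurisdiction.
Article 21. Letters of guarantee issued by our bank shall in principle be governed only by Chinese law. For foreign exchange guarantees, the law of a third country or region may be chosen according to the specific circumstances of the business; in principle, efforts shall be made to choose Hong Kong law.
Article 22. For all foreign exchange guarantees, the relevant registration formalities shall be completed in accordance with the rules of the local foreign exchange administration after the letter of guarantee is issued.
Article 23. After issuing a letter of guarantee, the credit department shall immediately, in accordance with the "Provisions on Accounting for All Types of Guarantee Business", fill in the five-part "Guarantee Issued Voucher" and deliver it, together with one copy each of the letter of guarantee and the guarantee agreement, to the accounting department for accounting. During the validity period of the letter of guarantee, likewise in accordance with the relevant accounting provisions, for each natural reduction of the guaranteed amount, each advance or loan arising under the guarantee, and when the letter of guarantee expires and the guarantee liability is released, the relevant vouchers shall be filled in to notify the accounting department so that write-off can be made by category. If the main terms of the letter of guarantee, such as the amount, term or scope of liability, are amended during the validity period of the guarantee, the credit department shall also fill in a "Notice of Amendment to Guarantee Issued" and deliver it to the accounting department.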

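Chapter V Conditions for Issuing Letters of Guarantee
Article 24. The documents evidencing the legality of the guaranteed party, the guaranteed project and the guaranteed contract have been obtained.
Article 25. For all guarantees under capital construction and under technical renovation, the applicant is required to secure self-raised funds of not less than 30% of total investment.
Article 26. The applicant shall open local- and foreign-currency settlement accounts with our bank, and all settlement of funds under the guarantee must be handled through our bank. Applicants for financing guarantees must without exception open a special account with our bank, which our bank shall supervise in accordance with the guarantee agreement.
Article 27. The counter-guarantee must be properly secured. The main forms are:
(1) Margin deposit. The applicant deposits a certain proportion of cash as a pledge, which may not be used during the guarantee period.
(2) Surety counter-guarantee. A credit guarantee is provided by a financial institution or an enterprise with considerable financial strength. Branches and sub-branches shall examine the counter-guarantor's qualifications, reputation and ability to pay on the applicant's behalf according to the requirements for examining loan guarantors, and shall require the counter-guarantor to assume joint and several suretyship liability. Our bank does not accept counter-guarantees under general suretyship liability. The content of the counter-guarantee letter shall be drawn up on the basis of the letter of guarantee issued by our bank; the scope of liability under the counter-guarantee may not be narrower than the scope of liability under the guarantee issued by our bank, and the validity period of the counter-guarantee may not be shorter than the validity period of the guarantee.
(3) Mortgage and pledge counter-guarantee. Property on which a mortgage may be created and pledged property that may be accepted, as specified in the Measures of the Bank of Communications for Secured Loans, may all serve as counter-guarantee. When accepting a mortgage or pledge, the mortgagor or pledgor shall be required to complete the approval, verification and registration or filing formalities with the relevant departments according to law. For mortgaged property for which registration is voluntary under the Guarantee Law, our bank likewise requires the mortgagor to complete registration. Where physical property is used as collateral, the mortgagor shall also be required to take out property insurance naming our bank as first beneficiary.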

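Chapter VI Guarantee Management
Article 28. After issuing a letter of guarantee, the relevant branch or sub-branch shall require the applicant to submit the enterprise's financial statements and relevant project information quarterly, keep itself informed at all times of the applicant's production and operations, funds and finances, or the progress of the construction project under the guaranteed main contract, and prepare written reports for the file. For projects approved by a higher-level bank, the handling bank shall also submit a written report on the project to the higher-level bank quarterly.
Article 29. The credit department shall establish a ledger of guarantee projects, reduce the guarantee balance or perform obligations in good time in accordance with the terms of the letter of guarantee, collect the guarantee fee on schedule in accordance with the guarantee agreement, and promptly fill in the relevant vouchers to notify accounting for bookkeeping and write-off.
Article 30. During the guarantee period, the credit officer shall supervise the guaranteed party's performance of the guaranteed contract and urge the guaranteed party to assert its rights under the guaranteed contract in good time.
Article 31. When it is found that the guarantee applicant may be unable to perform when the guaranteed contract falls due, the guarantee applicant shall be urged and helped to take remedial measures in good time.
Article 32. When it is found that the guarantee applicant is definitely unable to perform, the branch or sub-branch shall report level by level within the 15 days before performing the guarantee obligation.
Article 33. When a branch or sub-branch is called upon to perform its guarantee obligation, or after it has performed the obligation, it shall immediately make a written recourse claim against the applicant or the counter-guarantor in accordance with the guarantee agreement or the counter-guarantee letter.
Article 34. After the guarantee obligation is released, the original letter of guarantee shall be recovered from the beneficiary in good time, and the banks to which the matter was reported shall be notified promptly, level by level.
Article 35. Any letter of guarantee requiring extension must go through the approval formalities again in accordance with the approval authority for the relevant guarantee.
Article 36. Where the main terms of a letter of guarantee already issued, such as the amount, term or scope of liability, are to be amended, approval shall be sought promptly under the approval procedure for the original letter of guarantee. The guarantee agreement and the counter-guarantee documents shall be amended correspondingly.
Article 37. Branches and sub-branches shall submit the guarantee business statistical table (see Schedule 2) to Head Office monthly. The submission date is the 15th of each month (postponed where it falls on a holiday).
Article 38. The Head Office Credit Department is the functional department in charge of guarantee business. The guarantee business of each branch and sub-branch is handled by the department responsible for credit business, with unified monitoring, management and business statistics by the credit management department.
Article 39. All branches and sub-branches shall strictly implement these Measures.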

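Chapter VII Supplementary Provisions
Article 40. Head Office is responsible for the interpretation and amendment of these Measures.
Article 41. These Measures take effect from the date of issuance.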

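Attachment 2: Provisions on Accounting for Guarantee Business
These accounting provisions are formulated on the basis of the newly formulated "Measures of the Bank of Communications for the Administration of Guarantee Business".

I. Accounts used
All local- and foreign-currency guarantee business is accounted for through the "4621 Payables under Guarantees Issued" and "3621 Receivables under Guarantees Issued" accounts.

II. Accounting procedures
(1) Accounting procedures for issuance.
After the business department issues a letter of guarantee (blank letters of guarantee are managed as blank important vouchers), it shall immediately fill in the five-part "Guarantee Issued Voucher" (Form 1) and send it to the accounting department together with copies of the letter of guarantee and the guarantee contract.
After checking that the content filled in and the signatures and seals are correct, the accounting department assigns an account number on the "Guarantee Issued Voucher" by guarantee applicant, guarantee type and order of occurrence, and processes the transfer using the two transfer-slip parts of the "Guarantee Issued Voucher"; it returns the receipt part of the "Guarantee Issued Voucher" to the business department.
The transfer entry is:
Dr: "3621 Receivables under Guarantees Issued" account
Cr: "4621 Payables under Guarantees Issued" account (the copies of the letter of guarantee and the guarantee contract serve as attachments to the slip)
The ledger-card parts of the "Guarantee Issued Voucher" are kept in a dedicated folder by the staff in charge of this account.
(2) Accounting procedures for counter-guarantees.
Where the guarantee applicant provides a counter-guarantee to the bank, the accounting treatment depends on the form.
1. Where a margin deposit is made, it is accounted for through the "251 Margin Deposits" account. The entry is:
Dr: the relevant deposit account or other relevant account
Cr: "251 Margin Deposits" account
2. Where a mortgage or pledge is used, it is handled for the time being in accordance with the bank's "Provisions on the Procedures for Receiving and Sealing Collateral for All Types of Secured Loans".
3. Where a letter of guarantee is used, it is recorded in the off-balance-sheet account "Guarantees Received" as a guarantee received.
The specific contents of the counter-guarantee (including the form, amount and term of the counter-guarantee) shall all be noted on the "Guarantee Issued Voucher".
(3) Accounting procedures for amending a letter of guarantee.
After a letter of guarantee has been issued, if the applicant and the beneficiary need to amend its contents, it is amended after examination and consent by the bank. The business department shall fill in the three-part "Notice of Amendment to Guarantee Issued" (Form 2) and send it to the accounting department for the corresponding accounting treatment.
Where the amount of the letter of guarantee is to be amended, the accounting department shall prepare separate transfer slips on the basis of the "Notice of Amendment to Guarantee Issued", process the transfer to adjust the balances of the "Receivables under Guarantees Issued" and "Payables under Guarantees Issued" accounts, and at the same time record the change on the card part of the relevant "Guarantee Issued Voucher".
Where the amount of the margin deposit is to be adjusted, the accounting department shall prepare a special transfer slip to process the transfer. The number of the "Notice of Amendment to Guarantee Issued" shall be noted on the slip.
Where the mortgaged or pledged property is adjusted or the term of the letter of guarantee is amended, the business department completes the formalities for adjusting the mortgaged or pledged property, after which the accounting department, on the basis of the "Notice of Amendment to Guarantee Issued", makes a note in the remarks column of the card part of the "Guarantee Issued Voucher" and keeps the "Notice of Amendment to Guarantee Issued" as an attachment to the "Guarantee Issued" card.
(4) Accounting procedures for the guarantee handling fee and guarantee expenses.
1. The business department shall note on the "Guarantee Issued Voucher" the fee rate, fee amount, payment method, collection date and other particulars; the accounting department fills in a "Fee Collection Statement" and collects the fee from the applicant on time. The standard currency in which the guarantee fee is calculated and collected shall be the currency of the letter of guarantee.
2. For fees on amendment and rollover, the business department fills in a "Fee Collection Statement" and hands it to the accounting department, which collects the fee from the applicant in a single payment.
3. All expenses arising from the guarantee are collected from the applicant at the amount actually incurred.
(5) Accounting procedures for write-off of a letter of guarantee.
During the validity period of a letter of guarantee, for each natural reduction of the guaranteed amount, and when the letter of guarantee expires and the guarantee liability is released, the business department shall fill in the three-part "Guarantee Issued Write-off Voucher" (Form 3) and notify the accounting department to process the transfer and record it in the "Guarantee Issued Voucher" card ledger. When the letter of guarantee expires and the guarantee liability is released, the business department shall also recover the original letter of guarantee from the beneficiary and send it to the accounting department together with the "Guarantee Issued Write-off Voucher", as its attachment.
1. Where the amount under the letter of guarantee is paid by the applicant on its own initiative, the entry is:
Dr: "4621 Payables under Guarantees Issued" account (the original letter of guarantee serves as attachment to the slip; the same applies below)
Cr: "3621 Receivables under Guarantees Issued" account
2. Where the guaranteed party needs to remit the amount under the letter of guarantee through our bank, the business department shall, before the payment date, urge the applicant to deposit sufficient funds with our bank for payment, and shall deliver the "Guarantee Issued Write-off Voucher" to the accounting department one day before the payment date as the basis for processing the remittance.
The entries are:
(1) Dr: "4621 Payables under Guarantees Issued" account
Cr: the relevant account
(2) Dr: the relevant deposit account
"251 Margin Deposits" account
Cr: "3621 Receivables under Guarantees Issued" account
3. Where the applicant fails to perform its debt at maturity as stipulated in the contract and the bank must bear the guarantee liability, then when payment is processed the business department shall fill in the three-part "Guarantee Issued Write-off Voucher" and a "Problem Loan Voucher" and hand them to the accounting department to process the transfer. The entries are:
(1) Dr: "4621 Payables under Guarantees Issued" account
Cr: the relevant account
(2) Where payment is made entirely by a bank loan:
Dr: "1281 Overdue Loans" account
Cr: "3621 Receivables under Guarantees Issued" account
Where payment is made partly by a bank loan:
Dr: "251 Margin Deposits" account
the relevant deposit account
"1281 Overdue Loans" account
Cr: "3621 Receivables under Guarantees Issued" account
(6) Accounting procedures for recourse.
Amounts paid by means of a loan from our bank shall be recovered promptly from the counter-guarantor or the applicant, or the mortgaged or pledged property shall be disposed of, and a penalty shall be charged as stipulated in the guarantee contract. The accounting procedures follow the relevant provisions by analogy.
(7) Financing letters of credit (standby letters of credit) shall be accounted for in accordance with the accounting provisions for letters of credit.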
Schedule 1
Application for Issuance of Guarantee
Bank of Communications ______________ Branch (Sub-branch)        No.
------------------------------------------------------------------------------
| Applicant (legal name)                      Nature of enterprise           |
| Applicant's legal address           Telephone            Fax               |
| Guaranteed amount (currency)                Term                           |
| Content of guarantee                                                       |
| Beneficiary                                                                |
| Counter-guarantee measures                                                 |
| ____ Margin deposit (amount ________)  ____ Credit counter-guarantee  ____ Mortgage |
| Other information                                                          |
| Remarks                                                                    |
------------------------------------------------------------------------------
Legal representative of applicant (signature)    Official seal
____ (year) ____ (month) ____ (day)
------------------------------------------------------------------------------
Bank approval: Person in charge    Head of credit department    Credit officer
------------------------------------------------------------------------------
Accounting    Review    Bookkeeping    Seal verification
Schedule 2
Bank of Communications Guarantee Business Statistical Table
Reporting unit:                    Monthly report                    Unit: 10,000 yuan (or US dollars)
--------------------------------------------------------------------------------------------------------------------
| Guarantee type               | Guarantee amount                        | Advances or loans under guarantees      |
|                              |-----------------------------------------|-----------------------------------------|
|                              | Opening | Incurred | Matured  | Closing | Opening | Incurred | Repaid   | Closing |
|                              | balance | this     | and      | balance | balance | this     | this     | balance |
|                              |         | period   | written  |         |         | period   | period   |         |
|                              |         |          | down     |         |         |          |          |         |
|------------------------------|---------|----------|----------|---------|---------|----------|----------|---------|
| Loan guarantee               |         |          |          |         |         |          |          |         |
| Lease guarantee              |         |          |          |         |         |          |          |         |
| Compensation trade guarantee |         |          |          |         |         |          |          |         |
| Bid guarantee                |         |          |          |         |         |          |          |         |
| Performance guarantee        |         |          |          |         |         |          |          |         |
| Advance payment guarantee    |         |          |          |         |         |          |          |         |
| Standby letter of credit     |         |          |          |         |         |          |          |         |
| Payment guarantee            |         |          |          |         |         |          |          |         |
| Other                        |         |          |          |         |         |          |          |         |
| Total                        |         |          |          |         |         |          |          |         |
--------------------------------------------------------------------------------------------------------------------
Person in charge:        Reviewed by:        Prepared by:        Date prepared:
Form 1
Bank of Communications    Guarantee Issued Voucher (Receipt)    ①
19__ (year) __ (month) __ (day)        Account No. ____________
| Type of guarantee | Guarantee No. | Method of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Guaranteed matters |
| Counter-guarantee details |
| Fee rate | Fee amount | Payment method | Collection date |
| Guaranteed amount | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Signature and seal of business department: Official business seal, Handling officer, Person in charge | Signature and seal of accounting department: Business seal, Handled by, Reviewed by |
Margin note: This receipt is returned to the business department for retention after being stamped by the accounting department.
(Black print on white)

Bank of Communications    Guarantee Issued Voucher (Credit Slip)    ②
Cr: Payables under Guarantees Issued    19__ (year) __ (month) __ (day)    Account No. ____________
| Type of guarantee | Guarantee No. | Method of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Guaranteed matters |
| Counter-guarantee details |
| Fee rate | Fee amount | Payment method | Collection date |
| Guaranteed amount | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Signature and seal of business department: Official business seal, Handling officer, Person in charge | Signature and seal of accounting department: Business seal, Handled by, Reviewed by |
(Red print on white)

Bank of Communications    Guarantee Issued Voucher (Debit Slip)    ③
Dr: Receivables under Guarantees Issued    19__ (year) __ (month) __ (day)    Account No. ____________
| Type of guarantee | Guarantee No. | Method of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Guaranteed matters |
| Counter-guarantee details |
| Fee rate | Fee amount | Payment method | Collection date |
| Guaranteed amount | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Signature and seal of business department: Official business seal, Handling officer, Person in charge | Signature and seal of accounting department: Business seal, Handled by, Reviewed by |
(Blue print on white)

Bank of Communications    Guarantee Issued (Card Ledger)    ④
Account: Payables under Guarantees Issued    19__ (year) __ (month) __ (day)    Account No. ____________
| Type of guarantee | Guarantee No. | Method of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Guaranteed matters |
| Counter-guarantee details |
| Fee rate | Fee amount | Payment method | Collection date |
| Guaranteed amount | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Amount amendments and write-offs | Date | Summary | Amount amended or written off | Balance after amendment or write-off | Bookkeeping | Review |
| Remarks |
Accounting    Review    Bookkeeping
(Blue print on white)

Bank of Communications    Guarantee Issued (Card Ledger)    ⑤
Account: Receivables under Guarantees Issued    19__ (year) __ (month) __ (day)    Account No. ____________
| Type of guarantee | Guarantee No. | Method of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Guaranteed matters |
| Counter-guarantee details |
| Fee rate | Fee amount | Payment method | Collection date |
| Guaranteed amount | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Amount amendments and write-offs | Date | Summary | Amount amended or written off | Balance after amendment or write-off | Bookkeeping | Review |
| Remarks |
Accounting    Review    Bookkeeping
(Blue print on white)
Form 2        No. ×××××××
Bank of Communications    Notice of Amendment to Guarantee Issued (Receipt)    ①
19__ (year) __ (month) __ (day)        Account No.: ____________
| Type of guarantee | Guarantee No. | Date of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Matters amended |
Official business seal    Person in charge    Handling officer
Margin note: This receipt is returned to the business department for retention after being stamped by the accounting department.
(Black print on white)

No. ×××××××
Bank of Communications    Notice of Amendment to Guarantee Issued (attachment page to the Payables under Guarantees Issued ledger card)    ②
19__ (year) __ (month) __ (day)        Account No.: ____________
| Type of guarantee | Guarantee No. | Date of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Matters amended |
Official business seal    Person in charge    Handling officer
(Blue print on white)

No. ×××××××
Bank of Communications    Notice of Amendment to Guarantee Issued (attachment page to the Payables under Guarantees Issued ledger card)    ③
19__ (year) __ (month) __ (day)        Account No.: ____________
| Type of guarantee | Guarantee No. | Date of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Matters amended |
Official business seal    Person in charge    Handling officer
(Blue print on white)
Form 3        No. ×××××××
Bank of Communications    Guarantee Issued Write-off Voucher (Receipt)    ①
19__ (year) __ (month) __ (day)        Account No. ____________
| Type of guarantee | Guarantee No. | Date of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |
| Amount written off | Currency | Amount (in words) | Amount in figures, digit columns: 10,000,000 / 1,000,000 / 100,000 / 10,000 / 1,000 / 100 / 10 / yuan / jiao / fen |
| Remarks |
| Signature and seal of business department: Official business seal, Handling officer, Person in charge | Signature and seal of accounting department: Accounting, Review, Bookkeeping |
Margin note: This receipt is returned to the business department for retention after being stamped by the accounting department.
(Blue print on white)

No. ×××××××
Bank of Communications    Guarantee Issued Write-off Voucher (Debit Slip)    ②
Dr: Payables under Guarantees Issued    19__ (year) __ (month) __ (day)    Account No. ____________
| Type of guarantee | Guarantee No. | Date of issuance | Validity: from 19__ (year) __ (month) __ (day) to 19__ (year) __ (month) __ (day) |
| Applicant | Settlement account No. | Beneficiary | Settlement account No. |


Guidelines on the Risk Management of Commercial Banks’ Information Technology (English version attached)

China Banking Regulatory Commission



Chapter I General Provisions

Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) are formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.


Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factors, human factors, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.



Chapter II IT Governance

Article 6. The legal representative of a commercial bank should be responsible for ensuring compliance with the Guidelines.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, and assessing the overall effectiveness and efficiency of the IT organization;
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically;
(6) Establishing an IT governance structure with proper segregation of duties, clear roles and responsibilities, checks and balances, and clear reporting relationships, and strengthening IT professional staff by developing an incentive program;
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;
(9) Ensuring the appropriate funding necessary for IT risk management work;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training;
(11) Ensuring that customer information, financial information, product information and the core banking system of the legal entity are held independently within the territory, complying with the regulatory on-site examination requirements of the CBRC, and guarding against cross-border risk;
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) Ensuring that information systems meet the needs of the bank, and that IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) Taking responsibility for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches;
(5) Organizing professional training to improve the technical proficiency of staff; and
(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character references;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT in a standardized and timely manner.


Chapter III IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC;
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs);
(6) The possible impact of new development of technology and new threats to software deployed;
(7) Timely review of operational risk and management controls in operation area; and
(8) Periodic assessment of the risk profile of IT outsourcing projects.

Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.


Chapter IV Information Security

Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when a user transfers to a new job or leaves the commercial bank.

Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) Criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitor the systems for any abnormal event manually or automatically, and report the monitoring periodically.

Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate;
(7) Maintaining audit trail in either paper or electronic format; and
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to user accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all equipment.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should be provided with the necessary training to fully understand these policies and procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.


Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.

Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements:
(1) Ensuring that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.

Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.

Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.

Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.


Chapter VI IT Operations

Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions that could adversely affect the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.

Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.

Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.

Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology need to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.



Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).

Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep track of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes in economic conditions. The capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.


Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss or failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including by system resilience and dual processing) and the impact of disruptions (including by contingency arrangements and insurance).

Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.


Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s policies and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regard to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. The commercial bank should enhance its management of IT-related outsourcing and put in place measures, including but not limited to the following, to ensure the data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure that the service provider guarantees that its staff meet the confidentiality requirements;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information is returned or deleted from the service provider’s storage when terminating the outsourcing arrangement.


Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.


Chapter IX Internal Audit

Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with (1);
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.

Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.

Article 66. Commercial banks should engage their internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the bank.


Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. The commercial bank should ensure that the IT audit service provider can review and examine the bank’s hardware, software, documentation and data to identify IT risk when commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.

Article 69. Commercial banks should communicate with the service provider in depth before the audit to determine audit scope, and should not intentionally withhold the truth or refuse to cooperate with the service provider.

Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.

Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a corrective action plan as prescribed in the report and implement the corrective actions according to the timeframe.

Article 72. Commercial banks should ensure that the service providers strictly comply with laws and regulations to maintain the confidentiality and data security of any commercial secrets, private information and IT risk information learnt when conducting the audit. The service provider should not modify, copy or take away any documents provided by the commercial banks.


Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.


