
Evaluation Experts Must Stand on a Third-Party Position / Gu Liaohai

Source: China Financial and Economic News
Author: Gu Liaohai
Published: 26 July 2006
http://www.liaohai.com.cn

  Whether procurement is conducted through open tendering or another procurement method, evaluation experts play a decisive role in government procurement of goods, works and services. Yet China's Government Procurement Law contains no provisions on an evaluation expert system. For this reason, the Ministry of Finance and the Ministry of Supervision jointly issued the Measures for the Administration of Government Procurement Evaluation Experts (hereinafter the Measures). The Measures state explicitly that evaluation experts must take part in the evaluation of government procurement activities in an independent capacity and from a scientific, impartial position. In practice, however, disputes arising from unfair evaluation by experts are numerous, so this article uses a case to point out where the problems lie.

  In September 2005, the results were announced for an open tender, handled by a municipal construction project tendering consultancy on behalf of the municipal Animal Husbandry and Fisheries Bureau, for animal quarantine equipment worth RMB 5 million; the bidding supplier, a technology joint-stock company, lost the bid. On seeing the list of the five evaluation experts, the losing supplier concluded that its loss was related to the qualifications of the experts engaged by the tendering company: only one of the five was a senior economist, and the others did not meet the statutory requirements, being government officials and business staff of the tendering company, none of whom had eight or more years of relevant work experience. The losing supplier therefore raised a query with the tendering company. In response, the tendering company held that although the evaluation experts for this procurement had been drawn from its own expert pool, the selection had been carried out under the supervision of the relevant authorities and did not violate the law. Dissatisfied with the tendering company's reply, the querying supplier lodged a complaint on the same grounds with a supervisory authority. After a documentary review, the supervisory authority found that the respondent had formed an evaluation committee from five experts drawn from its own expert pool to evaluate the open-tender procurement project, that the random drawing of experts by the tendering company had been supervised by staff of the municipal discipline inspection, audit and finance authorities, and that this complied with the relevant provisions of the Ministry of Finance. The five experts were, respectively, the purchaser's office director and business division chief, an associate professor from a fisheries college, and the tendering company's deputy general manager and a technician. All of these evaluation experts had been examined and accredited by the supervisory authority before this procurement began, and all held a Government Procurement Evaluation Expert Certificate, in compliance with Articles 8 and 9 of the Measures. The grounds of the complaint therefore could not stand, and the complaint was dismissed.

  In the procurement case above, both the tendering company's operating procedure and the supervisory authority's complaint decision ran contrary to the legal principles of objectivity and impartiality. The main problems lie in the following three areas:

  First, experts with an interest in the procurement project should recuse themselves. Evaluation experts for a government procurement project must have an independent status and be able to take an objective third-party position, evaluating without subjective bias so as to maintain a scientific and impartial attitude. In the case above, however, the principal evaluation experts had a direct interest in the procurement project: two of the experts on the list belonged to the tendering company, and a tendering company whose rule of survival is the pursuit of high profit will inevitably manipulate the final award of the project in order to gain more for itself, so these two experts had to recuse themselves. In addition, the purchaser's business division chief and office director were likewise unsuitable to take part in the evaluation as experts.

  Second, the composition of the expert panel violated mandatory legal provisions. The procurement project in the case above was procured by open tendering, yet experts holding senior professional titles or equivalent professional standing made up fewer than two-thirds of the evaluation committee, contrary to the law. Under Article 37 of the Tendering and Bidding Law, for projects that must by law be tendered, the bid evaluation committee is composed of representatives of the tenderer and experts in the relevant technical, economic and other fields, with an odd number of members of five or more, of whom the technical, economic and other experts must be no fewer than two-thirds of the total. The experts referred to in the preceding paragraph must have worked in the relevant field for at least eight years and hold a senior professional title or possess equivalent professional standing. In the author's view, it must be pointed out that although the law cited above allows evaluation experts to include representatives of the purchaser and experts from the tendering company, these provisions are inconsistent with the legal principle of objectivity and impartiality and with international rules on government procurement, and urgently need amendment by the legislature.

  Third, the content of the administrative rules is open to question. Where the law contains express provisions, we must comply with them strictly. Under the Measures, supervisory authorities at every level have the power to accredit government procurement evaluation experts. For anyone engaged in or taking part in the evaluation of government procurement activities such as tendering, competitive negotiation, requests for quotation and single-source procurement, expert qualifications are examined by the supervisory authority at the corresponding level. As a result, whatever the procurement project, anyone accredited by a supervisory authority may take part in the evaluation, and holding a senior professional title or the corresponding experience is not a mandatory requirement. Clearly, some provisions of the Measures need to be brought into line with the Tendering and Bidding Law.

  Finally, it must also be pointed out that it is common in practice for discipline inspection, audit, procuratorial, notary and other bodies to supervise on site at government procurement. Usually, however, they do so at the invitation of the tendering company. In such circumstances it is hard to guarantee that the "supervisor" supervises from a neutral position. Moreover, government procurement procedures are highly specialized and complex; the staff of these bodies attend the procurement site for only one stage of the procurement and have no deep understanding of the relevant specialist knowledge, so they can hardly supervise government procurement activities objectively and impartially from a third-party perspective.

  (Author's affiliation: Beijing Liaohai Law Firm)


Notice on Issuing the Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Securities to the Public No. 3 <Contents and Formats of the Semi-Annual Report> (2003 Revision)

China Securities Regulatory Commission

Zheng Jian Gong Si Zi [2003] No. 25


To all listed companies:

  The revised Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Securities to the Public No. 3 <Contents and Formats of the Semi-Annual Report> (2003 Revision) are hereby issued to you for compliance and implementation.

China Securities Regulatory Commission
24 June 2003

Attachment:
Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Securities to the Public No. 3, Contents and Formats of the Semi-Annual Report (2003 Revision)

Chapter I General Provisions
Article 1 These Standards are formulated in accordance with the Company Law of the People's Republic of China, the Securities Law of the People's Republic of China and other laws and regulations, in order to regulate the information disclosure of joint-stock limited companies that offer shares to the public within the territory of the People's Republic of China and are listed on a stock exchange (hereinafter referred to as companies), and to protect the lawful rights and interests of investors.
Article 2 The semi-annual report is one type of interim report. Companies shall prepare their semi-annual reports in compliance with these Standards.
Article 3 The provisions of these Standards are the minimum requirements for information disclosure in the semi-annual report. Any information that may have a material effect on investors' decisions shall be disclosed by the company, whether or not these Standards expressly provide for it.
Article 4 Where certain provisions of these Standards are genuinely inapplicable to a company, the company may, with the approval of the stock exchange, make appropriate modifications in light of its actual circumstances, provided that the completeness of the disclosed content is not affected.
Where, for special reasons such as trade secrets, a company genuinely finds it inconvenient to comply with certain provisions of these Standards, it may apply to the stock exchange for an exemption and shall ensure that the exemption will not cause substantive harm to the interests of investors. With the approval of the stock exchange, the company may refrain from disclosing the relevant information.
Article 5 To avoid unnecessary repetition and keep the text concise, a company may use cross-references to simplify the contents of the relevant sections appropriately, provided that the completeness of the information disclosed is not affected and no inconvenience to readers results.
Article 6 The full text of a company's semi-annual report shall be prepared in accordance with the requirements of Chapter II of these Standards, the summary shall be prepared in accordance with the requirements of Chapter III, and disclosure shall follow the format in the attachment.
The reporting period of the semi-annual report is the period from the beginning of the year to the end of the reporting period.
Article 7 Where a company is listed on both domestic and overseas stock exchanges and the overseas securities regulator's requirements for the semi-annual report differ from these Standards, the company shall follow the principle that the disclosed content is the more rather than the less, the disclosure deadline the shorter rather than the longer, and other requirements the stricter rather than the more lenient, and shall publish the semi-annual report at the same time in both markets.
Article 8 The financial report in the semi-annual report need not be audited, unless the China Securities Regulatory Commission (hereinafter the CSRC) or the stock exchange provides otherwise.
Article 9 Financial data in the semi-annual report may be expressed in units of RMB yuan, thousands of yuan or millions of yuan.
Article 10 The cover of the semi-annual report shall state the company's legal name, the words "Semi-Annual Report" and the reporting period. The printed semi-annual report shall be printed on good-quality paper with a page size of 209 mm × 295 mm (equivalent to standard A4).
Article 11 A company shall prepare its semi-annual report within two months of the end of the first half of each accounting year, and within that period shall publish the full text of the report on the internet website designated by the CSRC and the summary of the semi-annual report in at least one newspaper designated by the CSRC. The summary published in the designated newspaper shall use a font no smaller than standard size 6 and a line spacing of no less than 0.02.
A company may publish its semi-annual report on its own or other internet websites and in other newspapers or periodicals, but not earlier than the time of disclosure on the CSRC-designated internet website or newspaper.
Article 12 After disclosing its semi-annual report, a company shall promptly place the original or a legally valid copy of the semi-annual report, together with the documents available for inspection, at its office and at the stock exchange for investors to consult.
Article 13 After disclosing its semi-annual report, and within two months of the end of the first half year, a company shall submit two copies each of the semi-annual report to the CSRC, to the CSRC's local office in the place where the company is located, and to the stock exchange.
Article 14 The board of directors and the directors of a company shall guarantee the truthfulness, accuracy and completeness of the content of the semi-annual report, undertake that it contains no false records, misleading statements or material omissions, and bear individual and joint liability for that guarantee.
Where any director is unable to guarantee, or objects to, the truthfulness, accuracy or completeness of the semi-annual report, or where any director did not attend the board meeting, the company shall give special notice.
Article 15 Companies that have issued domestically listed foreign shares or their derivative securities and are listed on a stock exchange shall apply these Standards by reference. Where the State provides otherwise, those provisions prevail.
Companies that have issued domestically listed foreign shares or their derivative securities and are listed on a stock exchange shall also prepare a foreign-language version of the semi-annual report. The company shall ensure the consistency of the two versions and shall state in the foreign-language version: "This report is prepared in two languages, Chinese and English (or Japanese, French, etc.); in the event of any discrepancy in interpretation between the two versions, the Chinese version shall prevail."
Article 16 Companies in special industries shall, in addition to complying with these Standards, comply with the CSRC's special provisions on information disclosure for that industry.

Chapter II Full Text of the Semi-Annual Report
Section 1 Important Notice, Definitions and Table of Contents
Article 17 A company shall publish the following important notice in a prominent position in the full text of the semi-annual report: "The board of directors and the directors of the company guarantee that the information contained in this report contains no false records, misleading statements or material omissions, and bear individual and joint liability for the truthfulness, accuracy and completeness of its content."
Where any director is unable to guarantee, or objects to, the truthfulness, accuracy or completeness of the semi-annual report, the company shall disclose the following statement: "Director ×× is unable to guarantee the truthfulness, accuracy and completeness of the content of this report, for the following reason: …".
The company shall also separately disclose the names of directors who did not attend the board meeting.
The person in charge of the company, the person in charge of accounting work and the head of the accounting department (chief accounting officer) shall declare that they guarantee the truthfulness and completeness of the financial report in the semi-annual report.
Article 18 Where the financial report has been audited by an accounting firm and a standard unqualified audit report has been issued, the company shall state explicitly: "The company's semi-annual financial report has been audited by ×× accounting firm, which has issued a standard unqualified audit report."
Where the financial report has been audited and an audit report with explanatory notes, a qualified opinion, a disclaimer of opinion or an adverse opinion has been issued, the company shall indicate where the matters covered by the audit opinion are disclosed and give the following notice: "The company's semi-annual financial report has been audited by ×× accounting firm, which has issued an audit report with explanatory notes (or a qualified opinion, adverse opinion or disclaimer of opinion); the company's management has explained the relevant matters in detail, and investors are asked to read them carefully."
Article 19 A company shall explain terms in the semi-annual report that investors may have difficulty understanding or that have a specific meaning.
Article 20 The table of contents of the semi-annual report shall indicate the title and corresponding page number of each part.
Section 2 Basic Information on the Company
Article 21 A company shall disclose the following:
(1) its legal Chinese and English names and abbreviations;
(2) the stock exchange on which its shares are listed, its stock short name and stock code;
(3) its registered address, office address and postal code, internet website and e-mail address;
(4) its legal representative;
(5) the names, contact addresses, telephone numbers, fax numbers and e-mail addresses of the secretary of the board of directors and the board's securities affairs representative;
(6) the selected CSRC-designated newspaper, the designated internet website address, and the place where the semi-annual report is kept available for inspection;
(7) other relevant information.
Article 22 A company shall disclose its principal financial data and indicators in accordance with the following provisions:
(1) The company shall provide, in tabular form, the principal financial data and indicators as at the end of the reporting period and the end of the previous year (or for the reporting period and the same period of the previous year):
current assets, current liabilities, total assets, shareholders' equity (excluding minority interests), net profit, net profit after deducting non-recurring gains and losses, net cash flow from operating activities, return on net assets, earnings per share, net assets per share and adjusted net assets per share.
When disclosing "net profit after deducting non-recurring gains and losses", the company shall state the items deducted and the relevant amounts.
A company that also prepares financial reports under International Accounting Standards shall additionally disclose the net profit for the reporting period under the financial reports prepared under domestic and international accounting standards respectively, and explain the differences.
(2) The financial data and indicators in item (1) shall be filled in or calculated in accordance with the Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Securities to the Public No. 2, Contents and Formats of the Annual Report (hereinafter the Annual Report Standards) and the relevant provisions of other information disclosure rules issued by the CSRC.
Section 3 Changes in Share Capital and Shareholdings of Principal Shareholders
Article 23 Where the total number and structure of shares changed during the reporting period as a result of bonus shares, capitalization of reserves, additional share issues, conversion of convertible corporate bonds or other reasons, the company shall disclose this in the format required by the Table of Changes in the Company's Shares attached to the Annual Report Standards, and in accordance with other relevant requirements.
Article 24 A company shall disclose the total number of shareholders at the end of the reporting period.
Article 25 A company shall disclose, for each shareholder holding 5% or more (inclusive) of the company's shares at the end of the reporting period, the full name, increases or decreases in shareholding during the reporting period and the balance at period end, the class of shares held, and whether the shares held are pledged, frozen or held in custody. Where fewer than 10 shareholders hold 5% or more (inclusive), the company shall disclose the shareholdings of at least the 10 largest shareholders.
In complying with the preceding paragraph, the company shall also disclose the following: where the shares held by the top 10 shareholders include both listed tradable shares and non-tradable shares, the quantities of each shall be disclosed separately; any related-party relationships among the top 10 shareholders; where a shareholder became one of the top 10 by participating in a placement of new shares as a strategic investor or general legal person, this shall be explained and the start and end dates of the agreed holding period disclosed; and, among the top 10 shareholders, the entities holding shares on behalf of the State and the foreign shareholders.
Article 26 Where the company's controlling shareholder or actual controller changed during the reporting period, the designated newspaper and the date on which the relevant information was disclosed shall be stated.
Section 4 Directors, Supervisors and Senior Management
Article 27 A company shall disclose changes during the reporting period in the shareholdings of its directors, supervisors and senior management.
Article 28 A company shall disclose appointments and dismissals of directors, supervisors and senior management during the reporting period.
Section 5 Management Discussion and Analysis
Article 29 The company's management shall discuss and analyse the financial report, other necessary statistical data and material matters that occurred or will occur during the reporting period, so as to help investors understand its operating results and financial position (including cash flows, hereinafter the same).
Management's discussion and analysis shall not merely repeat the content of the financial report; it shall focus on material matters and uncertainties known to management that may make the financial report an inadequate indicator of the company's future operating results and financial position, including matters that had a significant effect on the reporting period but none on the future, and matters that had no effect on the reporting period but will have a significant effect on the future.
Article 30 The company's management shall describe operations during the reporting period and analyse the overall state of the company's operating activities during the reporting period, covering at least:
(1) the scope and state of the principal business; for industries or products accounting for 10% or more (inclusive) of principal business revenue or principal business profit in the reporting period, principal business revenue, principal business cost and gross margin shall be listed separately;
(2) an explanation of any material change during the reporting period in the composition of profit, the principal business or its structure, or the profitability of the principal business;
(3) other operating activities that had a material effect on profit for the reporting period;
(4) where investment income from a single investee company affects the company's net profit by 10% or more (inclusive), a description of that company's nature of business, main products or services, and net profit;
(5) problems and difficulties in operations.
Article 31 The company's management shall describe investments in the reporting period, including:
(1) where proceeds were raised during the reporting period, or proceeds raised in earlier periods continued to be used in the reporting period, the actual progress and returns of the relevant investment projects; where planned progress and returns were not achieved, the reasons; the intended use of proceeds not yet used; and, where the use of proceeds was changed, the reasons for the change, whether the change procedure was followed, the new use, and the actual progress and returns;
(2) the actual progress and returns of major investment projects not funded by raised proceeds.
Article 32 The company's management shall compare actual operating results for the reporting period with the profit forecasts, relevant plans or outlooks disclosed in the prospectus or listing documents or in periodic reports, and explain progress in meeting the forecasts or plans.
Article 33 Where the company has revised the operating plan for the current year disclosed in the previous annual report, it shall explain the content of the adjustment.
Article 34 Where the company's management forecasts that net profit from the beginning of the year to the end of the next reporting period may be a loss, or may change substantially compared with the same period of the previous year, it shall give a warning.
Article 35 Where the financial report has been audited by certified public accountants and a non-standard unqualified audit report has been issued, the company's management shall explain the matters covered by the audit opinion.
Where the financial report in the previous annual report received a non-standard unqualified audit report from certified public accountants, the company's management shall explain changes in, and the handling of, the matters covered by that audit opinion.
Section 6 Significant Matters
Article 36 Where the company's actual state of corporate governance differs from the requirements of the relevant CSRC documents, it shall disclose the differences and the corrective measures taken during the reporting period and their results.
Article 37 A company shall disclose the implementation of any profit distribution plan, plan for capitalization of reserves or new share issue plan that was formulated in earlier periods and implemented in the reporting period, and any proposed interim profit distribution plan or plan for capitalization of reserves.
Article 38 A company shall disclose material litigation and arbitration matters that arose in the reporting period, or arose in earlier periods and continued into the reporting period, including their progress or outcome and their effect on operating results and financial position (including the proportion of the resulting gains or losses to net profit for the reporting period, hereinafter the same in this section).
Article 39 A company shall disclose a summary of material asset acquisitions, disposals and asset restructurings that occurred in the reporting period, or occurred in earlier periods and continued into the reporting period, focusing on the progress of the matter since the publication of the asset restructuring report or the announcement of the acquisition or disposal, and its effect on operating results and financial position for the reporting period.
Article 40 A company shall disclose material related-party transactions that occurred in the reporting period, by category, in accordance with the following provisions:
(1) For purchases and sales of goods and the provision of services, disclose: the total transaction amount and its proportion of total transactions of the same kind; performance during the reporting period of relevant agreements disclosed in earlier periodic or ad hoc reports; the counterparty, the content of the transaction, the pricing principle, the transaction price, the transaction amount, its proportion of transactions of the same kind, the settlement method, and the effect of the related-party transaction on the company's profit. Where a market price for transactions of the same kind is available, the market reference price shall be disclosed, and where the actual transaction price differs materially from the market reference price, the reasons shall be explained; large sales returns between related parties shall be explained.
(2) For asset acquisitions and disposals, disclose: the counterparty, the content of the transaction, the pricing principle, the book value of the asset, its appraised value (if any), its fair market value (if any), the transaction price, the settlement method, and the effect of the transaction on the company's operating results and financial position. Where the transaction price differs materially from the book value, appraised value or fair value, the reasons shall be explained.
(3) Where the company has receivables, payables or guarantees with related parties, disclose the period-end balance, the amount incurred, the reason they arose, the settlement status, the effect on operating results and financial position, and any relevant undertakings (if any).
(4) Other material related-party transaction information.
Article 41 A company shall disclose the following information on material contracts and their performance:
(1) information on material custody, contracting or leasing of other companies' assets, or other companies' custody, contracting or leasing of the company's assets, that occurred in the reporting period or occurred in earlier periods and continued into the reporting period, including the transaction amount, the term and the effect on operating results and financial position;
(2) information on material guarantee contracts that occurred in the reporting period or occurred in earlier periods and continued into the reporting period, including the guaranteed amount and the guarantee term; where there are clear indications that the company may bear joint and several liability for repayment under a guarantee, the company shall state this explicitly;
(3) information on material entrustment of cash asset management to others that occurred in the reporting period or occurred in earlier periods and continued into the reporting period, including the trustee, the entrusted amount, the start and end dates, the agreed return, the actual return, the period-end balance, and whether the necessary procedures were followed.
Article 42 Where the company, or a shareholder holding 5% or more (inclusive) of its shares, made undertakings in the reporting period, or in earlier periods continuing into the reporting period, that may have a significant effect on the company's operating results or financial position, the company shall disclose the performance of those undertakings during the reporting period.
Article 43 Where the financial report has been audited, the company shall disclose the name of the accounting firm, the names of the certified public accountants and the audit fee.
Where the accounting firm has been changed, the company shall disclose the reasons for dismissing the former accounting firm and whether the necessary procedures were followed.
Article 44 A company shall disclose other significant matters during the reporting period that had a material effect on the company, including: investigations of the company, its board of directors or its directors by the CSRC, administrative penalties or circulated criticism by the CSRC, penalties by other administrative authorities, and public censure by the stock exchange, stating the number of investigations and penalties, their reasons and the penalty conclusions; and judicial compulsory measures taken against the company's directors or members of management.
Article 45 For other significant matters not covered by Articles 36 to 44 above that occurred in the reporting period, or occurred in earlier periods and continued into the reporting period, and have already been disclosed in a previous periodic or ad hoc report, the company shall compile an index stating the name of the matter, the name, date and page of the newspaper in which the relevant report was published, and the name of the internet website on which it was published and the retrieval path. For significant matters of the same kind that occurred repeatedly, the company shall state the aggregate amount involved.
Section 7 Financial Report
Article 46 A company shall disclose in its semi-annual report the income statement and profit distribution statement, balance sheet, cash flow statement and notes to the financial statements. They shall be prepared in accordance with the requirements of the Accounting Standard for Business Enterprises - Interim Reporting issued by the Ministry of Finance.
Article 47 Where the financial report has not been audited, the company shall mark it "unaudited". Where the financial report has been audited and the certified public accountants have issued a standard unqualified opinion, the company shall state explicitly that the certified public accountants have issued a standard unqualified audit report; where the opinion issued is a non-standard unqualified opinion, the company shall disclose the full text of the audit report.
Chapter III Summary of the Semi-Annual Report
Section 1 Important Notice
Article 48 A company shall publish the following important notice in a prominent position in the summary of the semi-annual report: "The board of directors and the directors of the company guarantee that the information contained in this report summary contains no false records, misleading statements or material omissions, and bear individual and joint liability for the truthfulness, accuracy and completeness of its content."
"This semi-annual report summary is extracted from the full text of the semi-annual report, which is published simultaneously on ……. Investors wishing to learn the details should read the full text of the semi-annual report carefully."
Other important notices shall be disclosed in accordance with Articles 17 and 18.
Section 2 Basic Information on the Company
Article 49 A company shall disclose the relevant information in accordance with items (2) and (5) of Article 21.
Article 50 A company shall disclose its principal financial data and indicators in accordance with Article 22.
Section 3 Changes in Share Capital and Shareholdings of Principal Shareholders
Article 51 A company shall disclose changes in shareholders and the shareholdings of principal shareholders in accordance with Articles 23, 24, 25 and 26.
Section 4 Directors, Supervisors and Senior Management
Article 52 A company shall disclose changes in the shareholdings of directors, supervisors and senior management during the reporting period in accordance with Article 27.
Section 5 Management Discussion and Analysis
Article 53 A company shall disclose the content required by Articles 30, 31, 33, 34 and 35.
Section 6 Significant Matters
Article 54 A company shall disclose information on significant matters in accordance with Articles 37, 38, 39, 40 and 44.
Where other material matters that occurred in the reporting period, or occurred in earlier periods and continued into the reporting period, have a material effect on the company's financial position or operating results in this reporting period or later periods, the company shall disclose them and explain their effect and the solution.
Section 7 Financial Report
Article 55 A company shall disclose the consolidated and parent-company income statements.
Article 56 The notes to the financial statements shall include at least the following:
(1) the content, reasons and amount of the effect of changes in accounting policies and accounting estimates and of corrections of accounting errors;
(2) material changes in the scope of consolidation, the reasons and the amount of the effect;
(3) the relevant notes on matters covered by a non-standard unqualified audit opinion (if any).
Article 57 A company shall disclose whether the financial report has been audited, and the relevant information on the audit report, in accordance with Article 47.
Chapter IV Documents Available for Inspection
Article 58 The documents available for inspection shall include:
(1) the text of the semi-annual report bearing the signature of the chairman of the board;
(2) the text of the financial report bearing the signatures and seals of the person in charge of the entity, the person in charge of accounting work and the head of the accounting department (and, where a chief accountant is appointed, also the signature and seal of the chief accountant);
(3) the text of the audit report bearing the seal of the accounting firm and the signatures and seals of the certified public accountants (if any);
(4) the texts of all documents publicly disclosed in the CSRC-designated newspapers during the reporting period;
(5) the text of the articles of association;
(6) the text of the semi-annual report disclosed in other securities markets;
(7) other relevant materials.
Chapter V Supplementary Provisions
Article 59 The CSRC is responsible for interpreting these Standards.
Article 60 These Standards take effect from the date of promulgation. The Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Shares to the Public No. 3, Contents and Formats of the Interim Report (2002 Revised Draft), previously issued by the CSRC, are repealed at the same time.




Attachment:

Disclosure Format for the Semi-Annual Report Summary
×××× Co., Ltd. Annual Report Summary

§1 Important Notice
1.1 The board of directors and the directors of the company guarantee that the information contained in this report contains no false records, misleading statements or material omissions, and bear individual and joint liability for the truthfulness, accuracy and completeness of its content.
This semi-annual report summary is extracted from the full text of the semi-annual report, which is published simultaneously on ……. Investors wishing to learn the details should read the full text of the semi-annual report carefully.
1.2 Where an individual director declares that he or she is unable to guarantee, or objects to, the truthfulness, accuracy or completeness of the semi-annual report, the following statement shall be made:
Director ×× is unable to guarantee the truthfulness, accuracy and completeness of the content of this report, for the following reason: …….
1.3 Where any director did not attend the board meeting, his or her name shall be listed separately.
1.4 Where the auditing accounting firm has issued an audit report with explanatory notes, a qualified opinion, a disclaimer of opinion or an adverse opinion (hereinafter a "non-standard opinion"), the following special notice shall be given:
The company's semi-annual financial report has been audited by ×× accounting firm, which has issued an audit report with explanatory notes (or a qualified opinion, disclaimer of opinion or adverse opinion); the company's management has explained the relevant matters in detail, and investors are asked to read them carefully.
1.5 The person in charge of the company, the person in charge of accounting work and the head of the accounting department (chief accounting officer) shall declare that they guarantee the truthfulness and completeness of the financial report in the semi-annual report.
§2 Basic Information on the Listed Company
2.1 Brief Introduction
Stock short name
Stock code
Stock exchange
Secretary of the board of directors / Securities affairs representative
Name
Contact address
Telephone
Fax
E-mail
2.2 Principal Financial Data and Indicators

2.2.1 Principal accounting data and financial indicators
End of this reporting period / End of previous year / Change at end of this reporting period vs. beginning of year (%)
Current assets
Current liabilities
Total assets
Shareholders' equity (excluding minority interests)
Net assets per share
Adjusted net assets per share
Reporting period (January to June) / Same period of previous year / Change in this reporting period vs. same period of previous year (%)
Net profit
Net profit after deducting non-recurring gains and losses
Earnings per share
Earnings per share (Note 1)
Return on net assets
Net cash flow from operating activities

2.2.2 Non-recurring gain and loss items

□ Applicable □ Not applicable
Non-recurring gain and loss item / Amount


Total

2.2.3 Differences between domestic and overseas accounting standards

□ Applicable □ Not applicable
Unit:
Domestic accounting standards / Overseas (international) accounting standards (Note 2)
Net profit
Explanation of differences
§3 Changes in Share Capital and Shareholders

3.1 Table of changes in shares

□ Applicable □ Not applicable

3.2 Shareholdings of the top ten shareholders
Total number of shareholders at end of reporting period
Shareholdings of the top ten shareholders
Shareholder name (full name) / Change during the year / Shares held at year end / Proportion (%) / Class of shares (Note 3) (tradable or non-tradable) / Number of shares pledged or frozen / Nature of shareholder (state-owned shareholder or foreign shareholder)



Explanation of related-party relationships among the top ten shareholders (Note 4)
Explanation of agreed holding periods of strategic investors or general legal persons participating in placements of new shares / Shareholder name / Agreed holding period



3.3 Changes in controlling shareholder and actual controller (Note 5)

□ Applicable □ Not applicable
Name of new controlling shareholder
Name of new actual controller
Date of change
Publication date and newspaper

§4 Directors, Supervisors and Senior Management

4.1 Changes in shareholdings of directors, supervisors and senior management

□ Applicable □ Not applicable
Name / Position (Note 6) / Shares held at beginning of year / Shares held at year end / Reason for change


§5 Management Discussion and Analysis

5.1 Principal business by industry and product (Note 7)
Principal business revenue / Principal business cost / Gross margin (%) / Change in principal business revenue vs. same period of previous year (%) / Change in principal business cost vs. same period of previous year (%) / Change in gross margin vs. same period of previous year (%)
By industry
Industry 1
Industry 2
……
Of which: related-party transactions (Note 8)
By product
Product 1
Product 2
……
Of which: related-party transactions
Pricing principle for related-party transactions

5.2 Principal business by region

Region / Principal business revenue / Change in principal business revenue vs. previous year (%)
Region 1
Region 2
……

5.3 Other operating activities with a material effect on net profit
□ Applicable □ Not applicable
Other operating activity / Gain or loss generated / Proportion of net profit




5.4 Operations of investee companies (applicable where investment income accounts for 10% or more of net profit)
□ Applicable □ Not applicable
Name of investee company
Investment income contributed in this period / Proportion of the listed company's net profit
Investee company / Scope of business
Net profit

5.5 Explanation of reasons for material changes in the principal business or its structure
□ Applicable □ Not applicable

5.6 Explanation of reasons for material changes in the profitability (gross margin) of the principal business compared with the previous year
□ Applicable □ Not applicable

5.7 Analysis of reasons for material changes in the composition of profit compared with the previous year
□ Applicable □ Not applicable

5.8 Use of raised proceeds
5.8.1 Application of raised proceeds
□ Applicable □ Not applicable
Total proceeds raised / Total proceeds used in this year
Cumulative total proceeds used
Committed project / Proposed investment / Project changed? / Actual investment / Income generated / In line with planned progress and expected income?



Total — —
Explanation of failure to achieve planned progress and income (by project)
Explanation of reasons for changes and change procedures (by project)



5.8.2 Changed projects
□ Applicable □ Not applicable
Total funds of changed investment projects
Project after change / Corresponding original committed project / Proposed investment in changed project / Actual investment / Income generated / In line with planned progress and expected income?


Total — —
Explanation of failure to achieve planned progress and income (by project)


5.9 Board's revisions to the operating plan for the second half year
□ Applicable □ Not applicable
Content of adjustments to the operating plan

5.10 Warning that cumulative net profit from the beginning of the year to the end of the next reporting period may be a loss or may change substantially compared with the same period of the previous year, with reasons
□ Applicable □ Not applicable

5.11 Management's explanation of the accounting firm's "non-standard opinion" for this reporting period
□ Applicable □ Not applicable

5.12 Management's explanation of changes in, and the handling of, the matters covered by the accounting firm's "non-standard opinion" for the previous year
□ Applicable □ Not applicable
§6 Significant Matters
6.1 Acquisitions, disposals and restructuring of assets
6.1.1 Assets acquired or placed in (Note 10)
□ Applicable □ Not applicable
Counterparty and asset acquired or placed in / Purchase date / Transaction price / Net profit contributed to the listed company from the purchase date to the end of the reporting period (Note 11) / Related-party transaction? (if yes, state the pricing principle)



6.1.2 Assets disposed of or placed out (Note 12)
□ Applicable □ Not applicable
Counterparty and asset disposed of or placed out / Disposal date / Transaction price / Net profit contributed to the listed company by the disposed asset from the beginning of the year to the disposal date (Note 13) / Gain or loss on disposal / Related-party transaction? (if yes, state the pricing principle)




6.1.3 Progress of the matter since the publication of the asset restructuring report or the announcement of the acquisition or disposal, and its effect on operating results and financial position for the reporting period
□ Applicable □ Not applicable


6.2 Guarantees
□ Applicable □ Not applicable
Name of guaranteed party / Date (agreement signing date) / Guaranteed amount / Type of guarantee / Guarantee term / Fully performed? / Related-party guarantee? (yes or no)




Total guarantees incurred
Total guarantee balance
Of which: total balance of related-party guarantees

6.3 Related-party receivables and payables
□ Applicable □ Not applicable

Related party / Funds provided to the related party / Funds provided by the related party to the listed company
Amount incurred (Note 14) / Balance / Amount incurred / Balance




Total


6.4 Material litigation and arbitration
□ Applicable □ Not applicable

6.5 Analysis and explanation of other significant matters, their effects and solutions
□ Applicable □ Not applicable


§7 Financial Report
7.1 Audit opinion
Financial report □ Unaudited □ Audited
Audit opinion □ Standard unqualified opinion □ Non-standard opinion
Full text of the audit opinion


7.2 Disclose the comparative consolidated and parent-company income statements
7.3 Notes to the financial statements
7.3.1 Where there are changes in accounting policies or accounting estimates or corrections of accounting errors, explain the content, reasons and amount of the effect.
7.3.2 Where the scope of consolidation has changed materially, explain the reasons and the amount of the effect.
7.3.3 Where a non-standard unqualified opinion has been issued, list the relevant notes on the matters involved.
Instructions for completing the form:
1. Where "Not applicable" is selected, the disclosure table may be omitted.
2. "§6 Significant Matters" in this summary shall include matters defined by the criteria in the Standards Concerning the Contents and Formats of Information Disclosure by Companies Offering Securities to the Public No. 2 <Contents and Formats of the Annual Report> and Chapter 7 of the Stock Listing Rules, excluding matters between the listed company and its controlled subsidiaries or between controlled subsidiaries.
3. Notes
Note 1: Where the company's share capital changed between the end of the reporting period and the disclosure date, calculate on the basis of the new share capital.
Note 2: Overseas accounting standards include International Accounting Standards and the accounting standards of the place where the principal fund-raising took place.
Note 3: Where the same shareholder holds two classes of shares, list them separately.
Note 4: Related-party relationships are determined in accordance with Section 3 of Chapter 7 of the Listing Rules.
Note 5: The actual controller is determined in accordance with the Measures for the Administration of Takeovers of Listed Companies.
Note 6: Independent directors shall be indicated separately.
Note 7: List separately, by industry and by product, the main industries and products accounting for 10% or more of principal business revenue or principal business profit.
Note 8: Disclose only the total amount of related-party transactions included in the listed company's principal business revenue and principal business cost.
Note 9: Disclose the operating plan for the current year as adjusted in the most recent periodic report.
Notes 10 and 12: An asset swap shall be treated as a simultaneous acquisition and disposal of assets and entered separately in the relevant tables in 6.2 and 6.3.
Notes 11 and 13: Applicable to acquisitions and disposals of company equity.
Note 14: Where transactions are frequent, fill in the cumulative monthly amounts.


Guidelines on the Risk Management of Commercial Banks' Information Technology (English version attached)

China Banking Regulatory Commission

Chapter I General Provisions

Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.


Article 3. The term "information technology" as used in the Guidelines refers to the systems built with computer, communication and software technologies and employed by commercial banks to handle business transactions, operational management, internal communication, collaborative work and controls. The term also includes IT governance, the IT organization structure, and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.



Chapter II IT governance

Article 6. The legal representative of a commercial bank is responsible for ensuring compliance with the Guidelines.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the "CBRC");
(2) Periodically reviewing the alignment of the IT strategy with the overall business strategies and significant policies of the bank, and assessing the overall effectiveness and efficiency of the IT organization;
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;
(5) Establishing an IT steering committee, consisting of representatives from senior management, the IT organization and major business units, to oversee these responsibilities and report periodically to the board of directors and senior management on the effectiveness of strategic IT planning, the IT budget and actual expenditure, and overall IT performance;
(6) Establishing an IT governance structure with proper segregation of duties, clear roles and responsibilities, checks and balances, and clear reporting lines, and strengthening the IT professional staff through incentive programs;
(7) Ensuring that there is an effective internal audit of IT risk management carried out by operationally independent, well-trained and qualified staff, with the internal audit report submitted directly to the IT audit committee;
(8) Submitting to the CBRC and its local offices an annual report on information system risk management that has been reviewed and approved by the board of directors;
(9) Ensuring the appropriate funding necessary for IT risk management work;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and senior management, and are provided with pertinent training;
(11) Ensuring that the customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, complying with the CBRC's on-site examination requirements, and guarding against cross-border risk;
(12) Reporting in a timely manner to the CBRC and its local offices any serious information system incident or unexpected event, and responding to it quickly in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in supervisory inspections of information system risk management, and ensuring that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. The roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff meet the required standards of professional ethics by checking character references;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights in accordance with intellectual property laws, ensure the purchase of legitimate software and hardware, prevent the use of pirated software, protect the proprietary rights of IT products developed by the bank, and ensure that these policies are fully understood and complied with by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose their IT risk profile in a standardized and timely manner.


Chapter III IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, an IT risk assessment plan, and an IT operational plan that ensures adequate financial and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Identification and minimization of areas of potential conflict of interest, which should be subject to careful, independent monitoring, together with an appropriate control structure that facilitates checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:
(1) Pre- and post-implementation reviews of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit and external audit, and issues identified by the CBRC;
(5) Arrangements with vendors and business units for periodic review of service level agreements (SLAs);
(6) The possible impact of new technology developments and new threats on deployed software;
(7) Timely review of operational risk and management controls in the operations area; and
(8) Periodic assessment of the risk profile of IT outsourcing projects.

Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.


Chapter IV Information Security

Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, lead the IT incident response team, and report its evaluation of the bank's information security to the IT steering committee periodically. The information security management program should include information security standards, a strategy, an implementation plan, and an ongoing maintenance plan.
The information security policy should cover the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquisition, development and maintenance of information systems
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and systems should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. An appropriate user authentication mechanism, commensurate with the classification of the information to be accessed, should be selected. Timely review and removal of user identities from the system should be implemented when a user transfers to a new job or leaves the commercial bank.

Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as "domains") with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls (such as physical or logical segregation of the network, network filtering, logical access control, traffic encryption, network monitoring, activity logs, etc.) for each domain and for the network as a whole:
(1) Criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by:
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, to monitor the systems for any abnormal event manually or automatically, and to report the monitoring results periodically.

Article 26. Commercial banks should ensure the security of all application systems by:
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information be handled in a secure manner to prevent theft, tampering, or intentional or inadvertent leakage;
(6) Ensuring that the system handles exceptions in a predefined way and provides meaningful messages to users when it is forced to terminate;
(7) Maintaining an audit trail in either paper or electronic format; and
(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to user accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
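The log items that Article 25(5) and Article 26(8) require, and the exception review that Article 27 calls for, can be checked mechanically. The following Python monitor is an added example, not part of the Guidelines or of any bank's code: it parses constructed syslog-style lines (the line format, host names, critical-file list and failed-login threshold are all assumptions), extracts unsuccessful logins, access to critical system files and changes to user accounts, and flags any account whose failed logins reach the threshold for manual review.

```python
"""Log-review monitor for the items Article 25(5) lists.

Constructed example: the log format, host names, critical-file list and
failed-login threshold are assumptions, not requirements of the Guidelines.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Files whose access the bank classifies as critical (assumed list).
CRITICAL_FILES = {"/etc/shadow", "/etc/sudoers", "/opt/corebank/keys/master.key"}

# Number of failed logins for one user that is escalated as an exception.
FAILED_LOGIN_THRESHOLD = 3

# Assumed line format: "<ISO timestamp> <host> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")

ACCOUNT_EVENTS = ("USER_ADD", "USER_MOD", "USER_DEL", "GROUP_MOD")


@dataclass
class Finding:
    host: str
    category: str   # failed_login | critical_file_access | account_change
    subject: str    # the user or file the event concerns
    detail: str


def parse_line(line):
    """Parse one log line into (timestamp, host, event, fields), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return m["ts"], m["host"], m["event"], fields


def review_logs(lines):
    """Return (findings, exceptions).

    findings   - every event in the three Article 25(5) categories, in log order.
    exceptions - users whose failed logins reached FAILED_LOGIN_THRESHOLD,
                 mapped to the count, for the manual review Article 27 requires.
    """
    findings = []
    failed = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue   # malformed lines are skipped rather than silently trusted
        _ts, host, event, f = parsed
        if event == "AUTH_FAIL":
            user = f.get("user", "?")
            failed[user] += 1
            findings.append(Finding(host, "failed_login", user, f"from {f.get('src', '?')}"))
        elif event == "FILE_OPEN" and f.get("path") in CRITICAL_FILES:
            findings.append(Finding(host, "critical_file_access", f["path"],
                                    f"by {f.get('user', '?')}"))
        elif event in ACCOUNT_EVENTS:
            findings.append(Finding(host, "account_change", f.get("target", "?"),
                                    f"{event} by {f.get('by', '?')}"))
    exceptions = {u: n for u, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    return findings, exceptions


def summarize(lines):
    """Count findings per category (for a periodic report) and return the exceptions."""
    findings, exceptions = review_logs(lines)
    return dict(Counter(fnd.category for fnd in findings)), exceptions


# Constructed sample lines, not real bank logs.
SAMPLE_LOG = """\
2024-01-15T08:00:01Z core01 AUTH_OK user=alice src=10.1.2.3
2024-01-15T08:00:05Z core01 AUTH_FAIL user=bob src=10.1.2.9
2024-01-15T08:00:07Z core01 AUTH_FAIL user=bob src=10.1.2.9
2024-01-15T08:00:09Z core01 AUTH_FAIL user=bob src=10.1.2.9
2024-01-15T08:01:00Z core01 FILE_OPEN user=alice path=/var/log/app.log
2024-01-15T08:01:30Z core01 FILE_OPEN user=root path=/etc/shadow
2024-01-15T08:02:00Z core02 USER_MOD target=bob by=root change=shell
this line is not in the expected format
2024-01-15T08:03:00Z core02 AUTH_FAIL user=carol src=10.1.2.7
"""

if __name__ == "__main__":
    counts, exceptions = summarize(SAMPLE_LOG.splitlines())
    print("findings per category:", counts)
    print("users needing review:", exceptions)
```

The same parser can be fed a real log file line by line; only the constants at the top need to match the bank's own format and classification.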

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information stored in information systems or in transit. Appropriate management processes for the encryption facilities should be put in place to ensure that:
(1) The encryption facilities in use meet national security standards or requirements;
(2) Staff in charge of the encryption facilities are well trained and screened;
(3) The encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, in particular key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system for securing all end-user computing equipment, including desktop personal computers (PCs), portable PCs, teller terminals, automated teller machines (ATMs), passbook printers, debit or credit card readers, point-of-sale (POS) terminals, personal digital assistants (PDAs), etc., and should conduct periodic security checks on all such equipment.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should receive the training necessary to fully understand these policies and procedures and the consequences of violating them. Commercial banks should adopt a zero-tolerance policy toward security violations.


Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, including the possibility of incurring various kinds of operational risk, financial losses, and opportunity costs as a result of ineffective project planning or inadequate project management controls. Appropriate project management methodologies should therefore be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of information systems. The typical phases of the system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology used should be commensurate with the size, nature, and complexity of the IT project and, generally speaking, should facilitate the management of the following risks.

Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures that include the following elements:
(1) Separating production systems from development and testing systems;
(2) Separating the duties of managing production systems from those of managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production systems under normal circumstances, unless management approval is granted to perform an emergency repair, in which case all emergency repair activities should be recorded and reviewed promptly; and
(4) Requiring that the promotion of program or system configuration changes from development and testing systems to production systems be jointly approved by the IT organization and the business departments, properly documented, and reviewed periodically.

Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should also address data integrity throughout the IT development process.

Article 37. Commercial banks should ensure that information system problems can be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, where necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and lines of command should be clearly delineated and communicated to all employees concerned; this is of utmost importance when performing emergency repairs.

Article 38. Commercial banks should have a set of policies and procedures controlling the system upgrade process. A system upgrade is needed when the hardware reaches the end of its lifespan or runs out of capacity, when the underpinning software (operating system, database management system, middleware) has to be upgraded, or when the application software has to be upgraded. A system upgrade should be treated as a project and managed with all pertinent project management controls, including user acceptance testing.


Chapter VI IT Operations

Article 39. Commercial banks should fully consider environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities, or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions that could adversely affect the operation of information processing facilities. Equipment and facilities should be protected from power failures and electrical supply interference.

Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. Proper screening procedures, including verification and background checks, especially for sensitive technology-related jobs, should be developed for permanent and temporary technical staff and contractors.

Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.

Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology need to be put in place to ensure the integrity, safekeeping, and retrievability of archived data.

Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).

Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to the relevant IT management staff, and to record, analyze, and keep track of all such incidents until they are rectified and root cause analysis is completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to the relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreements and assess the IT service level standard attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes in economic conditions. Capacity planning should extend to back-up systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should develop and maintain a formal, effective change management process to ensure the integrity and reliability of the production environment.


Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale, and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to:
(1) Loss or failure of internal and external resources (such as people, systems, and other assets);
(2) The loss or corruption of their information; and
(3) External events (such as war, earthquake, typhoon, etc.).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including through system resilience and dual processing) and the impact of disruptions (including through contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity of their operations, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial banks should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of short-, medium-, and long-term disruptions, including:
a) Resource requirements such as people, systems, and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients, and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption; and
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. The final business continuity plan and the results of the annual drill must be signed off by IT risk management or internal audit, and by the IT steering committee.


Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out their regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangements (such as the outsourcing of a data center or IT infrastructure), and should notify CBRC when they intend to enter into a material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, a commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure, business strategy, overall risk profile, and ability to meet its regulatory obligations;
(2) Consider whether the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence on the service provider’s financial stability, expertise, facilities, and ability to cover potential liabilities, and perform a risk assessment of the service provider;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on termination of the contract); and
(5) Consider any concentration risk implications, such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, a commercial bank should have regard to (but not be limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors, and banking regulators;
(3) Information ownership rights, confidentiality agreements, and firewalls to protect client and other information (including arrangements at the termination of the contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s policies and procedures covering IT risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third-party supplier; and
(8) The processes for making changes to the outsourcing arrangement, and the conditions under which the commercial bank or the service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or the commercial bank;
b) A significant change in the business operations of the service provider or the commercial bank; or
c) Inadequate provision of services that may leave the commercial bank unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework and drafting the service level agreement with the service provider, a commercial bank should have regard to (but not be limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. Commercial banks should strengthen the management of IT-related outsourcing by putting in place the following measures (among others) to ensure the security of sensitive data such as customer information:
(1) The bank’s customer information is effectively separated from the information of the service provider’s other customers;
(2) Service provider staff are authorized on a “need to know” and “minimum authorization” (least privilege) basis;
(3) The service provider guarantees that its staff meet the confidentiality requirements;
(4) All outsourcing arrangements involving customer information are identified as material outsourcing arrangements, and the customers concerned are notified;
(5) Sub-contracting (re-outsourcing) by the service provider is strictly monitored, and adequate control measures are implemented to ensure the information security of the bank; and
(6) All related sensitive information is returned to the bank or deleted from the service provider’s storage when the outsourcing arrangement is terminated.


Article 61. Commercial banks should ensure that they have appropriate contingency arrangements in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure at the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed and signed off by IT risk management, internal IT audit, the legal department, and the IT steering committee. There should be a process to periodically review and refine the service level agreements.


Chapter IX Internal Audit

Article 63. Depending on the nature, scale, and complexity of their business, it may be appropriate for commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of their systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank, and have appropriate access to the bank’s records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement, and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the results of the work carried out in accordance with (1);
(3) To verify compliance with those recommendations; and
(4) To carry out special audits of information technology. A “special audit” of information technology refers to the investigation, analysis, and assessment of security incidents in the information system, or an audit on a special subject based on IT risk assessment results, as deemed necessary by the audit department.

Article 65. Based on the nature, scale, and complexity of their business, their deployment of information technology, and their IT risk assessment, commercial banks may determine the scope and frequency of internal IT audits. However, a comprehensive internal IT audit shall be performed at least once every three years.

Article 66. Commercial banks should engage their internal audit department and IT risk management department when implementing system development of significant size and scale, to ensure that it meets the bank’s IT risk standards.


Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. When an IT audit service provider is commissioned to perform an audit, the commercial bank should ensure that it reviews and examines the bank’s hardware, software, documentation, and data to identify IT risk. Vital commercial and technical information that is protected by national laws and regulations should not be disclosed for review.

Article 69. Commercial banks should communicate in depth with the service provider before the audit to determine the audit scope, and should not intentionally withhold the truth or refuse to cooperate with the service provider.

Article 70. CBRC and its local offices may designate certified service providers to carry out IT audits or related reviews of commercial banks when needed. When carrying out an audit of a commercial bank as commissioned or authorized by CBRC or its local offices, the service provider shall present the letter of authority and carry out the audit in accordance with the scope prescribed in that letter.

Article 71. Once the IT audit report produced by the service provider has been reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it had been produced by CBRC itself. Commercial banks should draw up a corrective action plan as prescribed in the report and implement the corrective actions within the timeframe given.

Article 72. Commercial banks should ensure that the service providers strictly comply with laws and regulations on confidentiality and data security with respect to any commercial secrets, private information, and IT risk information learned while conducting the audit. The service provider should not modify, copy, or take away any documents provided by the commercial bank.


Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of their issuance, and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.