China’s Banking Regulator Includes IT Outsourcing in Risk Management Assessments


The China Banking and Insurance Regulatory Commission (CBIRC) has issued new risk management rules for the banking sector that include risk in relation to IT outsourcing.

On 21 January CBIRC issued the “Banking and Insurance Institution Information Technology Outsourcing Risk Administrative Measures” (银行保险机构信息科技外包风险监管办法).

CBIRC said that in future it would include IT outsourcing risk in daily risk monitoring as well as on-site inspections.

According to CBIRC, the Measures call for banking and insurance sector institutions to “include IT outsourcing risk in comprehensive risk management systems, and effectively control risk that arises from outsourcing.”

The Measures outline several principles for IT outsourcing by banks and insurers, including:

  • A prohibition on outsourcing of information technology management responsibilities and Internet security entity responsibilities.
  • Maintaining a balance between outsourcing risk, cost and efficiency.
  • Guaranteeing internet and information security, and strengthening key data and personal information protections.
  • Stressing preemptive control and ongoing supervision.
  • Ongoing improvement of outsourcing strategy and risk control measures.