IT Measures for Securities/Funds Institutions Issued

来源:汉坤律师事务所

文章摘要
Following a consultation draft of the Administrative Measures for the Information Technology of Inst

Following a consultation draft of the Administrative Measures for the Information Technology of Institutions Engaged in Securities or Funds Business (《证券基金经营机构信息技术管理办法(征求意见稿)》) issued on 5 May 2017, the China Securities Regulatory Commission ("CSRC") officially promulgated the Administrative Measures for the Information Technology of Institutions Engaged in Securities or Funds Business (《证券基金经营机构信息技术管理办法》) (the "IT Measures") on 19 December 2018, which will take effect on 1 June 2019.
The IT Measures will apply to (i) the use of information technology by securities companies and mutual fund management companies (collectively, "Securities/Funds Institutions") when engaging in securities or funds business; and (ii) the provision of IT services by information technology service institutions ("IT Service Institutions") to institutions engaged in securities or funds business. Other relevant institutions will be required to manage their IT matters by reference to the IT Measures, such as commercial banks that provide depositary services for securities companies' client settlement funds, mutual fund custodians and the subsidiaries of Securities/Funds Institutions which use information technology for securities or funds business. Accordingly the private fund managers registered with the Asset Management Association of China would not be subject to the IT Measures.
Below, we have summarized the key aspects of the IT Measures which may affect the governance and operation of Securities/Funds Institutions:
1. Information technology governance committee or special committee required
The IT Measures expressly require Securities/Funds Institutions to establish an information technology governance committee or to designate a special committee. The members of the information technology governance committee will be the senior management personnel and the heads of the compliance department, risk management department, auditing department, main business departments and the IT management department. Securities/Funds Institutions may also engage an external specialist as one of the committee members or as counsel to the committee.
2. Chief information officer ("CIO") required
Securities/Funds Institutions will be required to appoint a CIO who is familiar with both information technology as well as securities/funds business. The IT Measures also provide detailed qualifications for CIOs.
3. The responsibilities of the board of directors and the management team clarified
According to the IT Measures, the board of directors is ultimately responsible for the effectiveness of IT management, while the management team will primarily implement relevant plans or resolutions approved by the board of directors. The IT Measures also specify the duties of the board of directors and the management team.
4. Compliance, risk control, auditing and IT management
The IT Measures bring the information technology used in securities and funds business under the supervision of the compliance department and the risk management department. Securities/Funds Institutions will be required to run their risk management systems and business trading systems concurrently. The IT Measures will also require internal audits, special audits, comprehensive audits and corrective audits of IT management.
5. Specialized IT subsidiaries may provide intercompany services
The IT Measures allow Securities/Funds Institutions to establish specialized subsidiaries that provide intercompany IT services to the parent institution. These IT subsidiaries may also provide IT services to other financial institutions, provided they have filed with CSRC.
6. Outsourcing services: IT Service Institutions
Securities/Funds Institutions may engage a qualified IT Service Institution to provide information technology services by entering into a service agreement and a non-disclosure agreement. However, IT Service Institutions will not be allowed to independently operate, maintain or conduct routine security management of important information systems.
7. Deployment of important information systems and management of client data
The IT Measures reiterate data protection requirements for business and client data found in related cybersecurity law provisions with respect to client consent, use, storage, collection, and transfer practices, among others.
8. External Connections to internal information systems
External connections to internal information systems of Securities/Funds Institutions are currently subject to the Notice on Strengthening the Management of External Connections to Securities Firm's Information Systems (《关于加强证券公司信息系统外部接入管理的通知》) and the Evaluation and Certification Standards of External Connections to Securities Firm's Information Systems (《证券公司外部接入信息系统评估认证规范》). The consultation draft allowed external connections so long as they complied with the relevant CSRC rules. However, the IT Measures strike this clause and instead remain silent on this point. Considering external connections are not expressly prohibited, CSRC or another self-regulatory institution may issue further rules on this issue.
According to the IT Measures, the China Securities Information Technology Service Limited Company (中证信息技术服务有限公司) will formulate and issue detailed operating rules to assist CSRC with filing, monitoring, testing and inspecting information technology. We will continue to monitor the relevant rules and keep you updated on any developments.

技术驱动法律,专业成就未来