目录 Contents
- 促进和规范数据跨境流动规定
Provisions on Facilitating and Regulating Cross-border Data Transfer - 银行保险机构数据安全管理办法(征求意见稿)
Draft Administrative Measures for Data Security of Banking and Insurance Institutions - 人身保险公司监管评级办法
Measures for Regulatory Rating of Life Insurance Companies - 关于扩大城乡居民住宅巨灾保险保障范围进一步完善巨灾保险制度的通知
Notice on Expanding the Coverage of Urban and Rural Residential Catastrophe Insurance and Further Improving the Catastrophe Insurance System
01、促进和规范数据跨境流动规定
Provisions on Facilitating and Regulating Cross-border Data Transfer
2024年3月22日,国家互联网信息办公室(“国家网信办”)发布《促进和规范数据跨境流动规定》,当日生效。《数据出境安全评估办法》《个人信息出境标准合同办法》等相关监管规则与《规定》不一致的,适用《规定》。《规定》共14条,针对上述有关监管规则所规定的与数据及个人信息跨境传输有关的义务,进行减负并澄清实务中的一些问题。
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Provisions on Facilitating and Regulating Cross-border Data Transfer, which became effective immediately and should prevail over any inconsistent provisions of the relevant earlier regulatory rules, such as the Measures for the Security Assessment of Cross-border Data Transfer and the Measures for the Standard Contract for Cross-border Transfer of Personal Information. The Provisions, consisting of 14 articles, eases the burden of the obligations related to the cross-border transfer of data and personal information (“PI”) as stipulated in the aforesaid regulatory rules, and clarifies certain issues that have arisen in practice.
根据之前的有关监管规则,因业务等需要,确需向中国境外提供数据和/或个人信息的,应从拟传输信息的性质、过往处理个人信息数量、涉及个人数量、是否为敏感个人信息等多个维度判断,在跨境传输前相应完成安全评估、个人信息保护认证或签署跨境传输标准合同。具体而言,数据处理者向境外提供重要数据、关键信息基础设施运营者和处理100万人以上个人信息的数据处理者向境外提供个人信息、自上年1月1日起累计向境外提供10万人个人信息或者1万人敏感个人信息的数据处理者向境外提供个人信息应当申报数据出境安全评估;除上述情形外,应按照国家网信部门的规定经专业机构进行个人信息保护认证,或按照国家网信部门制定的标准合同与境外接收方订立合同,约定双方的权利和义务(合称“出境前置合规手续”)。
According to the relevant earlier regulatory rules, if it is necessary to provide data and/or PI overseas due to business needs, the data transferors should take into account a variety of factors such as the nature of the information involved, the volume of PI processed in the past, the number of individuals involved and whether sensitive PI is involved, and should, before the cross-border transfer, conduct security assessment, PI protection certification or sign a cross-border data transfer standard contract accordingly. Specifically, a cross-border data transfer security assessment is required for cross-border data transfer by those data processors who provide “important data” overseas, critical information infrastructure operators (“CIIOs”) and data processors who process PI of more than 1 million people, or data processors who have provided overseas PI of 100,000 people or “sensitive PI” of 10,000 people since January 1 of the previous year; except for the above circumstances, a PI protection certification should be conducted by a professional institution in accordance with the regulations of the national cybersecurity department, or alternatively, a contract should be signed with the overseas recipient in accordance with the standard contract formulated by the national cybersecurity department, specifying the rights and obligations of both parties (collectively referred to as the “Pre-Cross-Border Transfer Compliance Procedures”).
上述有关监管规则已经生效施行了一段时间,已有一些企业按要求进行了安全评估或完成了跨境传输标准合同签署及备案。但仍有很多企业因其数据出境数量不大等原因而尚未实质性地开展有关工作,并对该等规则的实施口径产生了一些疑惑。《规定》在如下方面作出了重要调整:
The aforesaid regulatory rules have been in effect for some time, some enterprises have conducted a security assessment or have signed and filed the standard contracts for cross-border data transfer as required by the rules. However, many enterprises have not yet carried out any substantial work, because of the small volume of cross-border data transfer and other reasons, and have even become confused about the boundaries and enforcement of such rules. The Provisions make significant adjustments in the following aspects:
1. 澄清“重要数据”
Important data clarified
《数据安全法》规定,各地区、各部门应当按照数据分类分级保护制度,确定本地区、本部门以及相关行业、领域的重要数据具体目录。目前,尚未有公开资料显示有关地区/部门发布了其行业/领域的重要数据目录。现行法律法规只是给出了重要数据的宽泛定义,没有明确其具体范围。《规定》明确规定,未被相关部门、地区告知或者公开发布为重要数据的,数据处理者不需要作为重要数据申报数据出境安全评估。
The Data Security Law stipulates that each region and department should, in accordance with the data classification and tiered-protection system, determine the specific catalogs of important data in their respective regions, departments and the related industries and sectors. There has been no public report that any relevant regions/departments have released any catalogs of important data for their industries/sectors. The current laws and regulations only provide for a broad definition of important data without details. The Provisions clearly provide that data processors do not need to treat the relevant data as important data subject to a security assessment, unless the relevant departments or regions have notified them or publicly announced that such data are important data.
2. 合规义务基于当年数据出境情况
Compliance obligations based on cross-border data transfer in the current year
根据《规定》,关键信息基础设施运营者以外的数据处理者自当年1月1日起累计向境外提供10万人以上、不满100万人个人信息(不含敏感个人信息)或者不满1万人敏感个人信息的,应当与境外接收方订立个人信息出境标准合同或者通过个人信息保护认证;关键信息基础设施运营者以外的数据处理者向境外提供重要数据,或者自当年1月1日起累计向境外提供100万人以上个人信息(不含敏感个人信息)或者1万人以上敏感个人信息,应当申报数据出境安全评估;关键信息基础设施运营者向境外提供个人信息或者重要数据,应当申报数据出境安全评估。因此,数据处理者在判断所适用的出境前置合规手续时不再需要考虑往年个人信息处理量以及企业实际掌握的个人信息数量等其他因素,而只需按当年的数据出境情况进行判断。
According to the Provisions, non-CIIO data processors who provide to overseas PI of 100,000 or more people but less than 1 million people in total (containing no sensitive PI) or sensitive PI of less than 10,000 people in total since January 1 of the current year should either sign a standard contract for cross-border transfer of PI with the overseas recipient or complete a PI protection certification; non-CIIO data processors who provide to overseas important data, or PI of 1 million or more people in total (containing no sensitive PI) or sensitive PI of 10,000 or more people in total since January 1 of the current year should apply for a security assessment; CIIOs who provide to overseas PI or important data should apply for a security assessment. As a result, data processors no longer need to consider other factors such as the volume of PI processing in the previous years or the actual volume of PI in their possession when determining the applicable Pre-Cross-Border Transfer Compliance Procedures, but only need to make a judgment based on the status of cross-border data transfer in the current year.
3. 进一步扩大豁免范围
Expanded exemptions
《规定》明确列举了多项豁免出境前置合规手续的情形:
The Provisions set out several circumstances under which the Pre-Cross-Border Transfer Compliance Procedures are exempted:
1) 国际贸易、跨境运输、学术合作、跨国生产制造和市场营销等活动中收集和产生的数据(不包含个人信息或者重要数据)向境外提供;
cross-border transfer of data (containing no PI or important data) collected and generated in international trade, cross-border transportation, academic cooperation, multinational production and manufacturing, and marketing activities;
2) 在境外收集和产生的个人信息传输至境内处理后向境外提供,处理过程中没有引入境内个人信息或者重要数据的;
PI collected and generated outside the territory of the PRC is transmitted and processed domestically before being provided to overseas, without introducing domestic PI or important data during the processing;
3) 为订立、履行个人作为一方当事人的合同,如跨境购物、跨境寄递、跨境汇款、跨境支付、跨境开户、机票酒店预订、签证办理、考试服务等,确需向境外提供个人信息(不含重要数据)的;
cross-border transfer of PI (containing no important data) required in order to enter into and perform contracts to which an individual is a party, such as cross-border shopping, cross-border mailing, cross-border remittances, cross-border payment, cross-border account opening, airline and hotel reservations, visa application, examination services, and etc.;
4) 按照依法制定的劳动规章制度和依法签订的集体合同实施跨境人力资源管理,确需向境外提供员工个人信息(不含重要数据)的;
cross-border transfer of PI of employees (containing no important data) due to cross-border human resource management in accordance with legally formulated labor rules and collective contracts signed in accordance with laws;
5) 紧急情况下为保护自然人的生命健康和财产安全,确需向境外提供个人信息(不含重要数据)的;
cross-border transfer of PI (containing no important data) under emergency situations in order to protect the life, health and property safety of natural persons;
6) 关键信息基础设施运营者以外的数据处理者自当年1月1日起累计向境外提供不满10万人个人信息(不含敏感个人信息及重要数据)的。
Non-CIIO data processors who provide to overseas PI (containing no sensitive PI or important data) of less than 100,000 people in total since January 1 of the current year.
这些豁免事项意在解决一些之前规则下的实践难点。例如在之前规则下,部分企业(例如外资企业等)每年预计出境涉及信息总量不大(甚至可能只涉及个位数的自然人),但基于商业或管理原因必须进行信息出境,而由于这些企业在运营中已经接触和持有大量的个人信息,因而无论其出境信息总量如何仍需申报安全评估;又或者在跨境医疗或救援过程中,需要紧急跨境提供个人信息的情况下仍需先签署标准合同。需要提醒的是,这些豁免事项仅针对出境前置合规手续,其他出境相关的合规义务(如管理义务、报告义务、告知同意义务等)仍需按照相关规则履行。
These exemptions are intended to address some practical difficulties under the earlier rules. For example, under the earlier rules, some enterprises (such as foreign-invested enterprises) expect to have a small volume of information involved in their cross-border transfer activities each year (even involving only a handful of people), but for commercial or management reasons, information must be transferred overseas. However, due to the fact that these enterprises already have access to and hold a large volume of PI during their operations, they still need to apply for a security assessment regardless of their total volume of cross-border data transfer; or, in the case of urgent cross-border transfer of PI for cross-border medical care or rescue purposes, standard contracts still need to be signed first. It should be noted that these exemptions are only applicable to the Pre-Cross-Border Transfer Compliance Procedures, and other cross-border transfer related compliance obligations (such as management obligations, reporting obligations, notification and consent obligations) still need to be fulfilled in accordance with the relevant rules.
4.数据出境安全评估有效期限
Validity period of cross-border data transfer security assessment
《规定》明确,通过数据出境安全评估的结果有效期为3年,自评估结果出具之日起计算。有效期届满,需要继续开展数据出境活动且未发生需要重新申报安全评估情形的,数据处理者可以在期满前60个工作日内提出延长评估结果有效期的申请。经国家网信部门批准,可以延长评估结果有效期3年。
The Provisions provide that the cross-border data transfer security assessment result has a validity period of 3 years, starting from the date of issuance of the assessment result. If upon the expiry of the validity period, cross-border data transfer is still necessary and no circumstance arises requiring a new security assessment, the data processors may apply for an extension of the validity period within 60 working days before the expiry. With the approval of the national cybersecurity department, the validity period can be extended for 3 years.
5.自贸区特别规定
Special rules for free trade zones
《规定》允许自贸区自行制定该自贸区需要纳入数据出境安全评估、个人信息出境标准合同、个人信息保护认证管理范围的数据清单(“负面清单”),报经省级网络安全和信息化委员会批准后,报国家网信部门、国家数据管理部门备案。负面清单之外数据出境,无需申报出境前置合规手续。
The Provisions permit free trade zones to formulate their respective lists of data (“Negative List”) that require a cross-border data transfer security assessment, the execution of cross-border PI transfer standard contract or a PI protection certification. The Negative Lists should be approved by the provincial cybersecurity and informatization authorities and then filed with the national cybersecurity and data management authorities. Data not on the Negative Lists can be provided to overseas without going through the Pre-Cross-Border Transfer Compliance Procedures.
02、银行保险机构数据安全管理办法(征求意见稿)
Draft Administrative Measures for Data Security of Banking and Insurance Institutions
2024年3月22日,国家金融监督管理总局(“金监总局”)发布《银行保险机构数据安全管理办法(征求意见稿)》,向社会公开征求意见。意见反馈截止日期为2024年4月23日。
On March 22, 2024, the National Financial Regulatory Administration (“NFRA”) published the draft Administrative Measures for Data Security of Banking and Insurance Institutions for public comment until April 23, 2024.
明确数据安全治理架构。要求银行保险机构建立数据安全责任制,指定归口管理部门负责数据安全工作,承担制定数据安全管理制度标准、建立维护数据目录、推动数据分类分级保护、组织开展风险监测、预警及处置等职责。明确银行保险机构党委、董事会对数据安全工作负主体责任,机构主要负责人为数据安全第一责任人,分管数据安全的领导为直接责任人。
Clarify data security governance framework. Banking and insurance institutions should establish a data security responsibility system, designate a centralized management department to be responsible for the data security work and undertake a number of tasks, such as formulating the data security management policies and standards, establishing and maintaining the data catalogue, promoting data classification and tiered-protection, and organizing the monitoring, early warning and resolution of risk. The party committee and board of directors of a banking or insurance institution are the responsible subjects for the data security work, the institution’s main responsible person is the first responsible person for data security, and the officer in charge of data security is the directly responsible person for data security.
建立数据分类分级标准。要求银行保险机构制定数据分类分级保护制度,建立数据目录和分类分级规范,并采取差异化的安全保护措施。应当根据数据的重要性和敏感程度,将数据分为核心数据、重要数据、一般数据。其中,一般数据细分为敏感数据和其他一般数据。
Establish data classification and tiering standards. Banking and insurance institutions should establish a data classification and tiered protection system, establish data catalogues, establish data classification and tiering standards, and adopt differentiated security protection measures. Data should be divided into core data, important data and ordinary data based on their importance and sensitivity, and ordinary data is further divided into sensitive data and other ordinary data.
强化数据安全管理。要求银行保险机构根据自身发展战略建立数据安全管理制度和数据处理管控机制。在处理敏感级及以上数据的业务活动时,或者开展对数据主体有较大影响的活动时,应当事先开展数据安全评估。应当以信息系统为数据收集的主要渠道,限制或者减少其他渠道、临时性数据收集;建立专职数据服务团队。应当制定数据访问闭环管理机制,并对数据访问行为实施审计。在数据集团内部共享的过程中,应建立总行(公司)与其子公司数据安全隔离的“防火墙”,并对共享数据采取有效保护措施。因兼并、重组、破产等需要转移数据,应当明确数据转移内容,通过协议、承诺等方式约定数据接收方全面承接对应数据的安全保护义务,通过公告等方式告知数据主体。《征求意见稿》还对数据加工、委托处理、共同处理、数据转移等具体的数据处理场景分别提出了相应安全管理要求。
Strengthen data security management. Banking and insurance institutions should establish data security management systems and data processing control mechanisms based on their own development strategies. A data security assessment should be conducted before conducting business activities involving processing of data at the sensitive or greater level, or before carrying out activities that have a significant impact on data subjects. Banking and insurance institutions should use IT systems as the main channel for data collection, limit or reduce data collection through other channels or on an ad hoc basis, and should establish a dedicated data service team. A closed-loop management mechanism should be established for data access, and audit should be conducted on data access behaviours. During the course of sharing data within a company group, a firewall for data security segregation should be established between the parent companies and their subsidiaries, and effective protection measures should be adopted for the shared data. When transferring data due to merger and acquisition, reorganization, bankruptcy, etc., the contents of data transfer should be clarified, and the parties should agree by contract, commitment or otherwise for data recipients to fully assume the corresponding data security protection obligations, and inform data subjects by a public announcement or otherwise. The Draft also sets out the corresponding security management requirements for specific data processing scenarios, such as data processing, entrusted processing, joint processing, and data transfer.
健全数据安全技术保护体系。要求银行保险机构建立数据安全技术架构,明确数据保护策略方法,采取技术手段保障数据安全。应当将数据纳入网络安全等级保护,建立分区域数据安全保护基线,制定用户对数据的访问策略,敏感级及以上数据的操作应当进行日志记录。应当定期对数据操作行为进行审计,审计周期不超过6个月。敏感级及以上数据达到使用或者保存期限后,应当采取技术措施及时删除或者销毁,确保数据不可恢复。开发信息系统时,应当明确系统拟处理的数据及其安全级别、访问规则、保护需求,并实施有效的系统安全控制。
Improve technical protection of data security. Banking and insurance institutions should establish a data security technical framework, clarify data protection strategies and methods, and adopt technical means to safeguard data security. Banking and insurance institutions should include data in the tiered protection of network security, establish baselines for data security protection in different areas, formulate strategies for users to access data, and establish daily logs for handling data at the sensitive or greater level. Banks and insurance institutions should conduct audits of data handling on a periodic basis, with an audit period not exceeding 6 months. Upon expiry of the term for the use or storage of data at the sensitive or greater level, technical measures should be taken to delete or destroy the data in a timely manner to ensure that the data are unrecoverable. When developing an IT system, it is necessary to clarify the data to be processed by the system and its security classification, access rules and protection requirements, and to implement effective system security controls.
加强个人信息保护。要求银行保险机构按照“明确告知、授权同意”原则处理个人信息,收集个人信息应限于最小范围,不得过度收集。发生或者可能发生个人信息泄露、篡改、丢失的,应当立即采取补救措施,同时通知个人并报送金监总局或其派出机构。
Strengthen personal information protection. Banks and insurance institutions should process personal information in accordance with the principle of “Clear Notice and Authorized Consent”, and should collect personal information within the minimum scope and not excessively. Where personal information is or may be divulged, tampered with or lost, remedial measures should be taken immediately, with simultaneous notice to the individuals concerned and report to NFRA or its local bureaus.
完善数据安全风险监测与处置机制。要求银行保险机构将数据安全风险纳入全面风险管理体系,明确风险监测评估、应急响应报告、事件处置的管理流程。应当每年开展一次数据安全风险评估,审计部门应当每三年至少开展一次数据安全全面审计,发生重大数据安全事件后应当开展专项审计。
Improve data security risk monitoring and resolution mechanism. Banks and insurance institutions should incorporate data security risks into their comprehensive risk management system, clarify the management processes for risk monitoring and assessment, emergency response reporting, and incident handling. Banking and insurance institutions should conduct an annual data security risk assessment, and their audit departments should conduct a comprehensive data security audit at least once every three years, and a special audit should be conducted after a major data security incident occurs.
明确监督管理职责。金监总局制定银行业保险业重要数据目录,提出核心数据目录建议,银行保险机构应当按要求向其报送重要数据目录,重要数据目录发生重大变化应当及时报备更新后的数据目录。涉及批量敏感级及以上数据的数据共享、委托处理、转让交易、数据转移,银行保险机构应当在处理、合同签署前二十个工作日向国家金融监督管理总局或者其派出机构报告,除另有规定外。银行保险机构应当于每年1月15日前向金监总局或其派出机构报送上一年度数据安全风险评估报告。
Clarify supervision and administration responsibilities. NFRA should formulate a catalogue of important data for the banking and insurance industry, and make suggestions for a catalogue of core data, and banking and insurance institutions should report their catalogs of important data to NFRA as required, and promptly report the updated catalogues upon any major change. For data sharing, entrusted processing, transfer transactions and data transfer involving batch data at the sensitive or greater level, banking and insurance institutions should report to NFRA or its local bureaus 20 working days before the processing or execution of contracts, unless otherwise stipulated. Banking and insurance institutions should submit an annual data security risk assessment report to NFRA or its local bureaus by January 15 of the next year.
03、人身保险公司监管评级办法
Measures for Regulatory Rating of Life Insurance Companies
2024年3月18日,金监总局发布《人身保险公司监管评级办法》,并于当日生效。《办法》要求人身保险公司按照附表要求填报相关数据,首次报送(含2023年年末和2024年一季度末数据)应于2024年4月20日前完成。
On March 18 2024, NFRA issued the Measures for Regulatory Rating of Life Insurance Companies, effective immediately. The Measures require life insurance companies to complete and submit the relevant data as required by the appendix attached thereto, and the first submission (including data as at the 2023 year end and at the first quarter end of 2024) should be made by April 20, 2024.
合规监管和风险监管相结合。人身保险公司风险监测和监管评级要素及各权重分配如下:公司治理(22%)、业务经营(14%)、资金运用(22%)、资产负债管理(14%)、偿付能力管理(14%)和其他方面(14%)六个维度。另设置“履行环境社会治理(ESG)责任情况”作为特别加分项,对开展绿色保险、普惠保险较多的人身保险公司,给予适当加分。金监总局可以根据监管工作需要,修订完善人身保险公司风险监测和监管评级内容、指标和规则。
Combining compliance supervision and risk supervision. The risk monitoring and regulatory rating of life insurance companies cover the following six dimensions with the respective weights: corporate governance (22%), business operations (14%), fund utilization (22%), asset liability management (14%), solvency management (14%) and other aspects (14%). Additionally, “Fulfilling Environmental, Social and Governance (ESG) Responsibilities” is also included as a special extra item, and those life insurance companies that are active in green insurance and inclusive insurance will receive some extra points. NFRA can revise and improve the contents, indicators and rules for the risk monitoring and regulatory rating of life insurance companies based on regulatory needs.
动态监测和定期评估相结合。通过监管评估指标体系,监管部门对人身险公司进行日常动态监测和风险预警,原则上每年对人身保险公司开展一次监管评级。评级期间为上一年1月1日至12月31日,应于4月30日前完成。
Combining dynamic monitoring and periodic assessment. Through the regulatory rating indicator system, the regulatory authorities will conduct day-to-day dynamic monitoring and early warning of the risks of life insurance companies, and in principle, will conduct a regulatory rating of life insurance companies once a year. The regulatory rating will cover the last calendar year and should be completed by April 30 of each year.
搭建风险综合评估体系。《办法》系统整合、优化完善现有监测指标,从六个维度评价,确定公司综合风险等级。综合风险等级划分为1级(大于80分)、2级(大于75分小于等于80分)、3级(大于70分小于等于75分)、4级(大于60分小于等于70分)和5级(小于等于60分),级别越大风险越高。正处于重组、被接管、实施市场退出或风险处置进入实质性阶段的人身保险公司,经监管机构认定后直接列为S级。
Building an integrated risk rating system. The Measures systematically integrate, optimize and improve the existing monitoring indicators, evaluate the companies from six dimensions, and determine the integrated risk levels. The integrated risk level is divided into Level 1 (greater than 80 points), Level 2 (greater than 75 points but no more than 80 points), Level 3 (greater than 70 points, but no more than 75 points), Level 4 (greater than 60 points, but no more than 70 points), and Level 5 (60 points or less), with higher levels indicating higher risks. Life insurance companies that are found by regulatory authorities to be in the substantive process of restructuring, take-over, market exit or risk resolution are directly rated as Level S.
风险等级调整。对出现下列定性或定量风险因素之一的人身保险公司,监管机构将综合风险水平上调一个等级,直到5级为止:1.两个及以上评估维度的风险水平等级为高;2.公司治理维度、资金运用任一评估维度的风险水平等级为高;3.规模保费收入/净资产>5,或规模保费增速>40%,或规模保费增速显著高于行业平均水平(公司成立时间在三年以上),业务激进扩张;4.人身保险公司投资单一关联方账面余额/净资产大于30%,关联交易存在较大风险;5.监管机构认定的其他情形。出现下列定性或定量风险因素的,认定为重大风险情形,将综合风险水平等级评定为5级:1.公司治理存在严重问题;2.关联交易管理存在严重问题;3.偿付能力严重不足;4.流动性存在不足;5.有效资产不足以抵御风险;6.净资产<0,或其他偿债能力严重不足的情形;7.其他存在重大风险的情况。
Adjustment of risk levels. For life insurance companies that encounter one of the following qualitative or quantitative risk factors, regulatory authorities will raise their integrated risk level by one level until Level 5: 1. the risk level of two or more assessment dimensions is high; 2. the risk level of either the corporate governance dimension or the fund utilization dimension is high; 3. scale premium income divided by net assets is greater than 5, or scale premium growth rate is greater than 40%, or scale premium growth rate is significantly higher than the industry average (the company having been operating for more than three years), business expanding aggressively; 4. the book balance of investment in a single related party divided by net assets is greater than 30%, and there is a significant risk in affiliated transactions; 5. other circumstances determined by regulatory authorities. If there are the following qualitative or quantitative risk factors, the company will be recognized as having significant risk and will receive an integrated risk level of Level 5: 1. there are serious problems in corporate governance; 2. there are serious problems in affiliated transaction management; 3. serious insufficient solvency; 4. insufficient liquidity; 5. effective assets are insufficient to withstand risks; 6. negative net assets, or there are other situations where the solvency is seriously insufficient; 7. other circumstances with significant risks.
强化评估结果应用,推动人身保险公司差异化经营。监管部门将根据监管评级结果,对各人身保险公司进行分级分类管理。对监管评级结果为3级的公司,应适当提高非现场监管和现场检查的频率和深度,督促公司控制风险较高、管理薄弱领域业务增长和风险敞口,依法采取监管措施。对监管评级结果为4级的公司,除可采取上述监管措施外,还应区别情形采取下列措施:责令限期整改,责令增加资本金,限制业务范围,限制向股东分红,限制增设分支机构,责令停止接受新业务,限制股东权利等。对监管评级结果为5级的公司,在采取上述监管措施基础上,必要时应制定实施风险处置方案。可视情况依法安排重组、实行接管或实施市场退出。
Strengthen the application of rating results and promote differentiated operation of life insurance companies. Regulatory authorities will classify and supervise life insurance companies based on the regulatory rating results. For companies with a regulatory rating of Level 3, the frequency and depth of off-site supervision and on-site inspection should be increased appropriately, and the companies should be urged to restrict their business growth and risk exposure where risks are high and management is weak, and regulatory measures may be taken in accordance with law. For companies with a regulatory rating of Level 4, the following additional measures should also be taken depending on the situation: ordering rectification within a specified period, ordering a capital increase, restricting scope of business, restricting dividends to shareholders, restricting establishing branches, ordering to stop accepting new business, and restricting shareholders’ rights. For companies with a regulatory rating of Level 5, in addition to the aforementioned regulatory measures, risk resolution plans should be developed and implemented when necessary. Regulatory authorities may arrange for restructuring, takeover or market exit in accordance with law in light of the circumstances.
04、关于扩大城乡居民住宅巨灾保险保障范围进一步完善巨灾保险制度的通知
Notice on Expanding the Coverage of Urban and Rural Residential Catastrophe Insurance and Further Improving the Catastrophe Insurance System
2024年2月28日,金监总局和财政部发布《关于扩大城乡居民住宅巨灾保险保障范围进一步完善巨灾保险制度的通知》。
On February 28 2024, NFRA and the Ministry of Finance issued the Notice on Expanding the Coverage of Urban and Rural Residential Catastrophe Insurance and Further Improving the Catastrophe Insurance System.
扩展巨灾保险责任。以城乡居民住宅及室内附属设施为保障对象,保险责任由现有的破坏性地震,扩展增加台风及其引起的风暴潮等次生灾害,洪水,暴雨,泥石流、滑坡等地质灾害。扩展巨灾保险的运行机制、损失分层和运行保障,按照城乡居民住宅地震巨灾保险制度统一管理和运行。扩展巨灾保险专项准备金的计提、管理、使用等事项,由财政部另行规定。
Expand catastrophe insurance liability. Coving urban and rural residential buildings and indoor auxiliary facilities, the insurance liability will be expanded from destructive earthquakes under the existing rules to also include typhoons and secondary disasters such as storm surges, and geological disasters such as floods, rainstorms, debris flows and landslides. The operational mechanism, loss stratification, and operational protection related to the expanded catastrophe insurance should be uniformly handled in accordance with the urban and rural residential earthquake catastrophe insurance system. The provision, management and use of the special reserves for the expanded catastrophe insurance will be separately stipulated by the Ministry of Finance.
提升基本保险金额。地震巨灾保险的基本保险金额提升至城镇居民住宅每户10万元、农村居民住宅每户4万元。扩展巨灾保险的基本保险金额为城镇居民住宅每户10万元、农村居民住宅每户4万元。每户可参考房屋市场价值,根据需要与保险公司协商确定保险金额,每项保险的保险金额最高不超过每户100万元。100万元以上部分可由保险公司提供商业保险补充。
Increase the basic insurance amount. The basic insurance amount for earthquake catastrophe insurance has been increased to RMB100,000 per household for urban residents and RMB40,000 per household for rural residents. The basic insurance amount for the expanded catastrophe insurance is RMB100,000 per household for urban residents and RMB40,000 per household for rural residents. Each household can refer to the market value of the property and negotiate with the insurance company to determine the insurance amount as needed. The maximum insurance amount should not exceed RMB1 million per household for each item of insurance. Insurance companies can provide commercial insurance to cover any additional amount beyond RMB1 million.
支持商业巨灾保险发展。中国城乡居民住宅地震巨灾保险共同体更名为中国城乡居民住宅巨灾保险共同体。对于上述保障内容之外的风险责任和保障对象,中国城乡居民住宅巨灾保险共同体经成员大会同意,可以提供商业保险补充,充分满足各地区差异化风险保障需求。
Support development of commercial catastrophe insurance. The China Urban and Rural Residential Earthquake Catastrophe Insurance Community has been renamed as the China Urban and Rural Residential Catastrophe Insurance Community. For the risk liability and protection targets beyond those mentioned above, the Community can, with the approval of its assembly of members, provide supplemental commercial insurance in order to fully meet the differentiated risk protection demand in different regions.
条款费率。使用经监管机构备案的、适用于全国的城乡居民住宅巨灾保险示范条款。根据地区风险状况、建筑结构、城乡差别等情况,在监管机构确定的范围内拟定差异化的保险费率,并设置风险集中度调整系数。
Insurance clauses and rates. The insurance companies should use the demonstration clauses that have been registered with regulatory authorities and are applicable nationwide for urban and rural residential catastrophe insurance. Based on regional risk conditions, building structures, urban-rural differences and etc., differentiated premium rates may be adopted within the range determined by regulatory authorities, and adjustment coefficients may be put in place for risk concentration.
