On December 19th 2018, the China Securities Regulatory Commission (“CSRC”) issued the Administrative Measure for Information Technology of Securities and Fund Operators (the “Information Technology Measure”). The Information Technology Measure contains seven chapters and 64 provisions in total. Although the number of provisions remains the same as in the draft of the measure that was issued for public consultation in May 2017, the content of the Information Technology Measure has been significantly modified and improved. This briefing aims to explain the key provisions in the Information Technology Measure.
In recent years, CSRC has issued a number of rules aiming to strengthen informatization and the security of information systems, including the General Plan for the Informatization Works in Capital Markets (2014-2020) in 2014, the Working Plan for Information Security Works in Chinese Securities and Futures Sectors in 2015 and the Overall Scheme for Regulation Technology Development in 2018. Meanwhile, on June 1st 2017, the PRC Cybersecurity Law (the “Cybersecurity Law”) became effective. The Cybersecurity Law requires that network operators perform necessary obligations to ensure the security of the networks they operate as well as the information and data contained therein. These obligations also apply to securities and fund operators in China. Following this legislation and these rules, the Information Technology Measure, which regulates the information technology management of securities and fund operators, has taken shape.
1. Scope of Application of the Information Technology Measure
According to the Information Technology Measure, the scope of application includes:
(1) Both the performance of securities and fund business by securities and fund operators by using information technology and the provision of information technology service by information technology service providers to securities and fund operators are subject to the Information Technology Measure.
The term “securities and fund operators” refers to securities firms and fund managers which manage publicly raised funds (the “fund managers”). However, the definition does not capture futures companies, or private fund managers which are registered with the Asset Management Association of China (“AMAC”). “Information services providers” refer to those institutions which provide the services relating to development, testing, integration and evaluation of important information systems, as well as those which provide maintenance services and daily security management service in relation to important information systems used in securities and fund business.
The term “important information systems” refers to information systems that support the key business functions of securities and fund operators as well as securities and fund special service providers, and that will have a material impact on the securities and futures market and on investors if they run abnormally. With respect to fund managers, important information systems primarily include the centralized trading system, investment and trading system, fund distribution system, valuation and accounting system, investment monitoring system, fund unit registration system, online trading system, telephone order system, mobile terminal trading system, and portal website with the functions of account opening, trading or change of client information, etc.
(2) The Information Technology Measure also applies to, by reference, the performance of securities and fund business activities by the securities and fund special service providers by taking advantage of information technology. The term “securities and fund special service providers” refers to those institutions which engage in the sales, sales payment and settlement, fund unit registration, evaluation, investment consulting and rating of publicly raised funds. Additionally, securities and fund special service providers also include securities investment consulting firms.
(3) The Information Technology Measure also applies to, by reference, the performance of securities and fund business activities, by means of information technology, by (i) commercial banks which engage in the deposit and management of the clients’ securities trading and settlement fund of securities firms (ii) custodians of publicly raised funds and (iii) subsidiaries of securities and fund operators and their subordinate entities in China.
In light of the above, the Information Technology Measure appears to have a wide scope of application and generally captures all entities in the securities and fund business activities which may actively utilize information technology.
2. Parties Responsible for Information Technology Management
The Information Technology Measure explicitly confirms that securities and fund operators must be responsible for information technology management. In line with the principle that whoever operates or uses information technology is responsible for it, the Information Technology Measure provides for the statutory obligations and responsibilities of securities and fund operators. Although securities and fund operators are allowed to engage information technology service providers to provide information products or services, their responsibility for management of information technology will not be released or otherwise reduced merely by the engagement. Securities and fund operators must ensure that the operation of important information systems remains within their own control. Unless otherwise provided by laws and regulations or rules issued by CSRC, securities and fund operators must not completely delegate the maintenance and daily security management of important information systems to information technology service providers.
3. Duties of China Securities Information Technology Service Co., Ltd.
China Securities Information Technology Service Co., Ltd. will formulate the implementation rules under the supervision of CSRC and assist in the works such as filing, monitoring, testing and inspection of information technology. This is to resolve the issue of lack of information technology professionals of CSRC and to make full use of professional institutions.
4. Information Technology Governance
(1) Governance Structure
The Information Technology Measure elevates information technology management to the level of company strategy and moves the duty from the management team to the board of directors. The draft of the Information Technology Measure required that the management team of securities and fund operators be ultimately responsible for the management of information technology. The formally adopted Information Technology Measure clarifies that it is the board of directors that must take responsibility for the effectiveness of information technology management, and elaborates the basic duties of the board of directors to manage information technology. Under the current regulatory framework, the management team is mainly responsible for implementation of the requirements of the board of directors and for works relating to information technology management.
(2) Formation of Information Technology Governance Committee
The Information Technology Measure requires that securities and fund operators establish an information technology governance committee or designate a committee under the company management board (hereinafter both referred to as “IT Governance Committee”) to take charge of formulating information technology strategy and approving related matters. The Information Technology Measure further clarifies that the personnel of the IT Governance Committee must include senior managers of the company and heads of relevant divisions, and that external professionals may be appointed as members of the committee or as consultants.
(3) Addition of Chief Information Officer
The Information Technology Measure requires that a securities and fund operator appoint a senior manager who is familiar with securities and fund business and also has experience in information technology, as the chief information officer to be primarily responsible for the management of information technology. The Information Technology Measure provides for the conditions to act as a chief information officer, which include (i) at least ten years’ experience in information technology related works, among which at least three years of experience in information technology related works for securities and fund business or (ii) at least eight years of experience in securities regulatory organizations or a self-discipline organization for securities and fund business.
(4) Absence of Mandatory Requirements on the Number of Personnel in Information Technology Divisions
The Information Technology Measure requires that a securities and fund operator establish an information technology management division or designate a division to take care of information technology management. However, it does not set out the minimum number or qualification standards for the personnel of such division. Securities firms can take as reference the standards set out in the Guidance for Information Technology Governance of Securities and Futures Operators (Provisional) issued by the Securities Association of China; that is, in principle, the personnel for information technology related works must be no less than six percent of the total number of the personnel of the firm.
5. Information Technology Compliance and Risk Management
(1) Establishment of Three-dimensional Risk Management Systems
The Information Technology Measure requires that business system and risk management system be launched at the same time and that internal audit be performed before the business launch. Securities and fund operators are required to establish an ongoing effective risk monitoring system and to conduct assessment against such risk monitoring system at least once a year. They are required to perform special audits against information technology management works at least once a year and to ensure that the audits of all information technology management matters be completed within three years. They are also required to engage an external professional institution to carry out comprehensive audits against information technology management works at least once every three years. If a securities and fund operator receives administrative penalties for a failure to implement information technology matter, it must complete a special audit against such matter within three months.
(2) Cautious Attitudes towards External Connections to Information Systems of Securities and Fund Operators
In 2015, when the stock market suffered an unusual fluctuation, CSRC issued the Notice on Strengthening the Management of External Connections to Securities Firms’ Information Systems. The notice prohibits carrying out securities business by connecting to securities firms’ information systems from external sources and restates that securities firms must not facilitate securities margin trading or illegal securities business by providing connections to the trading ports of their online securities systems, thus prohibiting the business of providing external connections to securities firms’ information systems. Article 17 of the Information Technology Measure clarifies that securities and fund operators must directly take client instructions by using information systems which they operate, and must record the time at which each client instruction arrives. The Information Technology Measure in principle prohibits external connections, which reflects CSRC’s cautious attitude. However, the Information Technology Measure leaves room for future changes in business model by providing that laws and regulations, or CSRC’s rules, may provide for exceptions to the prohibitions.
(3) Restatement of Compliance and Risk Management Measures in Place
The Information Technology Measure provides for rules on collection, recordation, storage and report of client trading terminal information (Article 18), on storage, enquiry and downloading of electronic contracts (Article 19), and on the functionality of verification of funds and securities by risk management systems (Article 20), of which all have already been implemented. The Rule on Strengthening the Information Management of Client Trading Terminal Information and Other Client Information by Securities and Futures Operators (CSRC Announcement [2013] No.30) has already clarified requirements for collecting trading terminal information. At present, internet protocol addresses (IP addresses), media access control addresses (MAC addresses) and telephone numbers are used to identify clients, but not all information is consistent. It remains to be clarified which type of information will be considered trading terminal information.
Additionally, newly formed fund managers have already adopted the pilot model where fund transactions are settled through securities firms as brokers (the “broker settlement model”), under which securities firms’ risk management systems are used to verify funds and to verify securities. However, fund managers which were established before the promotion of the broker settlement model connect to stock exchanges’ trading systems by leasing participant business units from securities firms as brokers. This model is in theory exposed to overdraft risks. It remains uncertain whether these fund managers will be required to convert to the broker settlement model.
6. Security Requirements of Information Technology
The Information Technology Measure contains a large volume of requirements on information technology security, including information systems security, data governance and contingency management.
(1) Information Systems Security
The Information Technology Measure regulates technology management works and provides rules on the development, testing, launch, deployment, change, etc. of the information systems of securities and fund operators. Compared with the draft measure for public consultation, the Information Technology Measure has changed in the following two aspects:
The first change relates to domestic deployment of important information systems. The Information Technology Measure deleted the requirement to deploy important information systems within China and to store important data and client information in China, which was provided in Article 25 of the draft measure. As we understand it, however, the deletion does not mean that CSRC allows the deployment of important information systems outside of China or the storage of important data outside of China. Rather, the deletion results from the fact that the requirement regarding the deployment of important information systems and storage of data is already enforced under the Cybersecurity Law and other related regulations. Provisions in the Cybersecurity Law do not need to be repeated in the Information Technology Measure, and the Information Technology Measure cannot be in conflict with the Cybersecurity Law. Therefore, Article 26 of the Information Technology Measure provides, as a matter of principle, that securities and fund operators must follow the laws and regulations in relation to the deployment of important information systems and the management of the data stored thereon.
The second change is that securities and fund operators are allowed to establish subsidiaries specially engaged in information technology services. The Information Technology Measure allows securities and fund operators to provide information technology services to their subsidiaries and, at the same time, allows securities and fund operators to establish subsidiaries to engage in the business of providing information services to them. Upon filing with CSRC, such subsidiaries engaged in information technology services may provide information technology services to other financial institutions as well. This article further improves the efficient usage of securities and fund operators’ information technology resources and encourages securities and fund operators with good information technology capacity to develop diversified business.
(2) Data Governance
The Information Technology Measure upgrades “data security management” under the consultation draft to the level of “data governance”, which indicates that data governance is a part of company strategy. Data are no longer only a type of material but also an important type of asset. Only data which undergo professional governance can satisfy the basic requirements of digitalization. The Information Technology Measure explicitly requires that securities and fund operators build up a data governance organizational structure and data life cycle management systems, and classify data according to their importance and sensitivity. It also provides for rules on data security, confidentiality and data exploration, as well as on strengthening data security management and protecting client information effectively.
(3) Contingency Management
The Information Technology Measure clarifies the requirement to establish contingency plans and to maintain the capability to back up important systems and important data. Regarding contingency plans, securities and fund operators are required to prepare contingency plans according to the legal requirements (Articles 38 and 39), to allocate responsibilities to implement such plans (Article 37) and to organize rehearsals according to the contingency plans at a frequency no lower than once a year. The rehearsals must cover all important aspects of information systems within two years, and the records of rehearsals must be kept for at least 5 years. Securities and fund operators are also required to display publicly on the company website, trading terminals and other channels information about alternative applicable trading methods when incidents related to information technology happen and about prevention of possible risks (Article 40). Regarding backup, the Information Technology Measure defines the scope of important information systems (Article 63), and clarifies the requirements on the data backup of important information systems depending on whether the systems belong to securities firms or fund managers and whether the system is a real-time trading system or a non-real-time trading system (Article 41). For details, securities and fund operators may refer to the Backup Capability Standards for Securities and Futures Operators’ Information Systems (JR/T 0059—2010, issued on April 14th 2011).
7. Information Technology Service Providers
(1) Differential Regulatory Rules for Fund Information Technology Service Providers and Securities Information Service Providers
Fund information technology service providers are required to be filed with CSRC, whilst securities information service providers may voluntarily receive guidance from China Securities Information Technology Service Co., Ltd. and observe relevant rules, without any mandatory filing requirements. Fund managers are required to select only those information technology service providers which are filed with CSRC and to cooperate with them only within the filed service scope. Securities firms are required to cooperate with those information service providers which satisfy the conditions set out in Article 47 of the Information Technology Measure.
(2) Differentiated Filing/Registration Requirements on Information Technology Service Providers for Providing Services to Fund Managers and Private Fund Managers
Since the Information Technology Measure only regulates the provision of information technology services to the fund managers, it does not apply to the provision of information services to private fund managers. The latter is still required to register with AMAC according to the Administrative Measure for Private Investment Fund Services Business (Provisional).
(3) Prohibition on the Business of Providing Client Redirecting Service while Securities and Fund Operators Make Direct Distribution
In the past cooperation between fund information technology service providers and fund managers, fund managers making direct distribution rely on fund information technology service providers (including third party E-commerce platforms) to provide client redirecting services. Fund information technology service providers were involved in the promotion, marketing and introduction of fund products and, at the same time, fund information technology service providers may have access to information and data about fund investors, and the fees payable by fund managers to fund information service providers are calculated based on the sales volume of relevant funds. Upon the effectiveness of the Information Technology Measure, such business model will be prohibited.
Article 51 of the Information Technology Measure provides that, when information technology service providers provide services to fund managers, they must not perform securities and fund business at any segment that should be conducted by securities and fund operators to their client, and not circulate any information to lead the investors or the public to misunderstand that they were performing securities and fund business at any segment, and they must not intercept, store, forward or use any operational data or client information about securities and fund business activities. Meanwhile, upon the effectiveness of the Information Technology Measure, the Provisional Administrative Rule on the Sales of Funds by Securities Investment Fund Sales Institutions through Third Party E-commerce Platforms (CSRC Announcement [2013] No.18) will be abolished, which reflects the principle that different institutions should focus on their own specialized business.
8. Regulatory Management
The Information Technology Measure strengthens daily regulatory management over information technology. It provides that if securities and fund operators build or change securities and fund trading systems or the server rooms where important information systems are located, they must report relevant materials to CSRC within five working days as of the commencement of related business activities using such systems or server rooms. Securities and fund operators are also required to submit an annual information technology management special report together with their annual report to CSRC. Information technology service providers are also required to report relevant materials to CSRC according to the requirements of CSRC (Articles 53 and 55).
The Information Technology Measure also provides for penalties for violations of its provisions by information technology service providers. In the past, information technology service providers were not within the scope of regulation by CSRC, and therefore CSRC had difficulty conducting inspections and imposing administrative penalties on them. The Information Technology Measure, in line with the principle of comprehensive regulation, provides in Article 59 that CSRC has authority to adopt administrative supervision measures or administrative punishments against information technology service providers if they violate the Information Technology Measure, and, in the case that an information technology service provider fails to satisfy ongoing statutory requirements, CSRC has authority to order the service provider to rectify or, in serious cases, to cancel its filing with CSRC.
9. Miscellaneous
The Information Technology Measure will become effective on June 1st 2019. According to the Information Technology Measure, securities and fund operators as well as securities and fund special service providers must report to CSRC regarding the existing securities and fund trading information systems and the existing server rooms where important information systems are located according to Article 52 of the Information Technology Measure before December 1st 2019.
The fund information technology service providers which have already performed services before the effectiveness of the Information Technology Measure must apply for filing with CSRC before December 1st 2019.
Securities and fund operators which have already performed business activities in violation of Article 17 of the Information Technology Measure (that is, to take client instructions through channels other than the information systems which securities and fund operators operate themselves) must rectify the violations properly before December 1st 2019. These securities and fund operators must not take new clients or provide new services through the violative information systems before the rectification has been completed.
Understanding IT Measure for Securities and Fund Operators
Authors: Sandra Lu, Xun Yang, Frank Lu. Source: Llinks Law Offices (通力律师)
