Introduction
On 21 May 2018 China’s Banking and Insurance Regulatory Commission (CBIRC) issued Guidelines on Data Governance for Banking Financial Institutions (the Guidelines), effective as of the issue date. In this briefing, we outline the key features of the Guidelines and discuss the implications for banking financial institutions in China.
Scope of coverage
Encompassing 55 Articles in seven Chapters, the Guidelines:
provide guidance to banking financial institutions in relation to strengthening data governance, improving data quality, realising full value of data, and improving the level of operation and management, from high-speed growth to high-quality development; and
apply to all banking financial institutions in the territory of China. The term “banking financial institutions” as used in the Guidelines refers to commercial banks, rural credit cooperatives and other deposit-taking financial institutions, China Development Bank and policy banks in the People’s Republic of China. The branches of foreign banks in China and other financial institutions under the supervision of CBIRC are also required to comply with the Guidelines.
Data governance structure
The Guidelines clarify the structure of data governance in banking financial institutions, aiming to eliminate ambiguity in the powers and duties among various departments and to create unified data management.
Under the Guidelines, banking financial institutions must build a top-down and coordinated system for data governance, allocating responsibilities among the board of directors, board of supervisors and its senior management team.
Specifically, the board of directors must:
formulate a data strategy;
approve the major issues related to the data governance; and
take ultimate responsibility for data governance.
Senior executives are responsible for setting up:
a data governance system;
a mechanism for data quality control; and
the necessary incentive and accountability mechanism.
The board of supervisors, on the other hand, must supervise and evaluate the performance of the board of directors and senior executives on data governance.
In addition, banking financial institutions may set up a position of Chief Data Officer (the CDO), even though it is not a mandatory requirement. The institutions can determine whether the CDO is a member of senior management based on their business needs. CDOs who are considered to be senior managers should also be subject to relevant qualification requirements specified by the CBIRC.
The Guidelines do not currently give a more detailed description of the duties and responsibilities of the CDO, a newly created role. Generally speaking, in the light of domestic and global data security laws and regulations, the CDO is expected to have a well-balanced mix of technical know-how, analytical skills, expertise in legal and regulatory matters as well as business acumen.
Data management and data quality control
Apart from providing guidance in relation to the data governance framework, the
Guidelines also expressly require banking financial institutions to establish a
comprehensive data management and data quality control system, as follows:
banking financial institutions must allocate adequate resources for data governance management, and formulate the data management policies accordingly. Such policies should extend to matters such as organisation and management, duties and responsibilities of the relevant departments, security control, system maintenance, data quality control and supervision systems;
the Guidelines reinforce the data protection requirement prescribed by the PRC Cyber Security Law. If banking financial institutions collect any personal data, they must follow the requirements in the relevant data protection laws and regulations and comply with the national standards related to personal information security. This means that the newly promulgated guideline, “Information Security Technology — Personal Information Security Specification”, shall also apply to the data governance of banking financial institutions; and
the Guidelines require banking financial institutions to ensure the truthfulness, accuracy, continuity, and completeness of data and to keep it up-to-date. Banking financial institutions must also establish on-site supervision systems and inspect data quality regularly (at least once per year).
Data monetisation
The Guidelines underscore the CBIRC’s emphasis on technology innovation and data monetisation. They provide that banking financial institutions should embed data applications into their business operations, risk management and internal controls. By doing that, banking financial institutions will be able to effectively capture risks and optimise business procedures, as well as promote data-driven development.
One can take from the Guidelines that the Chinese government would appear to be highly encouraging of the development of technology innovation in the banking industry generally. Specifically, banking financial institutions are called upon to enhance their capability in relation to data aggregation in order to satisfy risk management needs. Similarly, the Guidelines encourage banking financial institutions to use cutting-edge technologies, such as Big Data analytics, to advance business and unlock commercial value.
Our take
Data is becoming an increasingly valuable asset and offers significant competitive advantages in the banking industry. Indeed, without high quality data and upward reporting of meaningful management information, financial institutions cannot identify and monitor their risk. Nor can they properly understand the performance of business activities.
In spite of already gathering, processing and storing massive quantities of data, banking financial institutions are still in the early stages of taking full advantage of the opportunities such data present. As technological transformation and innovation expand their ability to profit from data, data-related activities also give rise to new vulnerabilities. Protecting data remains among the most pressing issues facing financial institutions. The Guidelines will, therefore, have significant operational and business implications for all banking financial institutions in China.
The Guidelines are a tangible example of how the Chinese government wishes to encourage banking financial institutions to establish efficient data governance structures and independent comprehensive risk management systems, customised to each institution’s own business operations.
Implementing such measures is likely to strengthen the privacy protection for clients. More importantly, the Guidelines can be taken as an expression of governmental support in relation to technology innovation in the banking industry, encouraging banking financial institutions to use data aggregation and Big Data analytics to fully realise value inherent in data. In order to crystallise such value, and at the same time manage risk, banking financial institutions will need to develop a strategic vision and a clear road map for deployment of technology approaches to data.
While the Guidelines can provide a great opportunity for financial institutions to further explore Big Data, for rolling out innovative business models, and for capturing new business opportunities, they also impose heightened compliance requirements on financial institutions to safeguard data privacy and manage cybersecurity for their business operations in China – an approach which is in line with the evolving regulatory regime in the banking industry in China more generally.