On May 5, 2017, the China Securities Regulatory Commission (“CSRC”) began soliciting public comments on the Administrative Measures on Information Technology of Securities and Fund Operation Institutions (Consultation Paper) (“Measures”); the deadline for consultation is June 4, 2017. Given that the Cyber Security Law is set to take effect on June 1, 2017, the CSRC’s release of the Measures carries additional significance, effectively making the Measures a “cyber security law” for the securities and fund industries.
As introduced by the CSRC in the Statement of Drafting of the Measures (“Statement of Drafting”), the release of the Measures is directed not only at existing issues in the information technology governance of securities and fund operation institutions, information technology-associated compliance risks and internet risks, but also at the information security risks of the “Special Business Servicing Institutions” (as defined below). Although Special Business Servicing Institutions have already been placed under the supervision of the CSRC, there is currently a lack of detailed regulatory standards applicable to such institutions, and the CSRC particularly emphasizes its concern that the extensive interconnection of information systems between the Special Business Servicing Institutions and the securities and fund operation institutions may spread risks across industries and institutions. In the meantime, the CSRC is considering bringing third-party information technology service providers under its supervision so as to remedy regulatory deficiencies.
Below we analyze the primary content of the Measures in light of the Statement of Drafting, with a view to identifying the regulatory principles for information technology and offering our views on certain issues that remain to be clarified in the Measures.
Scope of Application
A key point that deserves attention is the subjects and scope to which the Measures apply. The Measures apply to three kinds of institutions:
(i) Securities and fund operation institutions (“Operation Institutions”), which refer to securities companies and fund management companies established within the territory of China according to law; any subsidiary of such a securities company or fund management company shall also be governed with reference to the Measures.
(ii) Special business servicing institutions (“Special Business Servicing Institutions”), which refer to institutions other than the Operation Institutions that engage in securities or fund related business activities recognized by the CSRC, including fund custodians, fund distribution agencies, fund unit registration institutions and commercial banks engaging in the depository and custody of client trading settlement funds for a securities company.
(iii) Information technology servicing institutions (“IT Servicing Institutions”), which refer to institutions providing the Operation Institutions and the Special Business Servicing Institutions with information technology services used to engage in securities or fund related business activities. As illustrated in the Measures, such information technology services include: (a) development, testing, integration and assessment of any Key Information Systems (as defined below); (b) operation, maintenance and day-to-day safety management of any Key Information Systems; (c) lease of computer facilities for any Key Information Systems; and (d) other circumstances determined by the CSRC.
Operation Institutions and Special Business Servicing Institutions are governed by the Measures only if they engage in securities or fund related business activities by means of information technology. IT Servicing Institutions are governed by the Measures mainly in respect of certain of their services associated with the Key Information Systems. As to “Key Information Systems”, the Measures first define them as any information system supporting the key business functions of an Operation Institution, any abnormality of which would have a material impact on the securities markets and investors. The Measures then list several such systems, including the centralized trading system, investment trading system, online fund distribution system, valuation and accounting system, investment supervision system, information disclosure system, unit registration system, third party depository system, securities financing business system, online trading system, telephone entrustment system, trading system for mobile terminals, clearing system for legal persons, web portals used for account opening, trading or alteration of client materials, systems storing data relating to underwriting or sponsorship business working papers, and other information systems having similar functions.
Futures brokerage companies, and servicing institutions providing futures companies with special business services or information technology services used to engage in futures related business activities, are not regulatory subjects of the Measures. We understand that the futures industry remains governed by the current Administrative Measures on Information Security Protection of Securities and Futures Industries (Order of the President of the CSRC No. 82) and the Measures for Reporting, Investigating and Handling Information Security Incidents of Securities and Futures Industries (Announcement of the CSRC [2012] No. 46). Going forward, we anticipate that the CSRC may formulate special information technology administrative measures for the futures industry.
According to our interpretation of the Measures, private securities fund managers (“PFMs”) registered with the Asset Management Association of China (“AMAC”) do not fall within the scope of application of the Measures. We suggest that the Measures expressly stipulate that the Operation Institutions refer only to the securities companies and securities fund management companies established upon approval by the CSRC, and that all business activities of these two kinds of institutions, including private fund business activities and public fund business activities, fall under the regulation of the Measures. In addition, we suggest that the Measures clarify that a Special Business Servicing Institution is not subject to the Measures in relation to the custody, distribution and unit registration services it provides to a private securities fund issued by a PFM.
It is worth noting that the upper-level laws cited by the Measures include the Cyber Security Law, which will become effective on June 1, 2017. However, the Measures do not define the “Critical Information Infrastructure” of the securities or fund industry. We believe this will remain pending until the State Council separately formulates the relevant measures on the specific scope and security protection of Critical Information Infrastructure.
Information Technology Governance
The Statement of Drafting points out existing issues in the information technology governance of the Operation Institutions: for example, some Operation Institutions have failed to formulate internal mechanisms for the allocation and supervision of powers and responsibilities needed for effective information technology management; the level or structure of financial and human resources allocated to information technology has been unreasonable; there is an overreliance on external suppliers for information system construction; and there is a lack of overall planning. In response, the Measures provide a range of information technology governance requirements for the Operation Institutions, including maintaining information technology investment commensurate with the scale and extent of business activities, evaluating and updating the information technology scheme on a regular basis, and continuously improving information technology management policies and operational processes. The Operation Institutions shall also appoint or designate senior management personnel familiar with information technology to take charge of information technology management, and set up special department(s) responsible for managing information technology related work.
Compliance of Information Technology
The CSRC believes that the business compliance risks arising from the Operation Institutions’ application of information technology are relatively prominent. Information technology risks not only manifest as traditional information security risks, but may also cause business compliance risks. In practice, some Operation Institutions do not assess the compliance of the internal processes of their information systems, thus exposing a potential risk.
Therefore, the Measures devote a chapter to the compliance of information systems, and require the Operation Institutions to implement compliance management and risk control requirements at every step of information technology management, including: establishing an information technology compliance management mechanism covering pre-event compliance review, in-event risk monitoring and post-event evaluation and auditing; establishing synchronization mechanisms between information technology application and risk control measures, under which a business information system must go online simultaneously with its risk monitoring system; and, for specific business system features, requiring the Operation Institutions to ensure that the key “points of compliance” are implemented in the system design.
The provisions on the “points of compliance” are mainly reflected in the requirements for the Operation Institutions to comply with the relevant standards for the use of external information systems. An Operation Institution may receive trading orders from clients only directly through an information system operated and managed by itself, unless otherwise permitted by laws and regulations and the CSRC. The Measures also require that the information systems of an Operation Institution be capable of checking the sufficiency of capital and securities in the relevant accounts and of monitoring abnormal transactions and abnormal capital transfers, and even require the Operation Institutions to store electronic contracts in a specific information system where investors or counterparties can query and download them. The Measures further require the Operation Institutions to conduct a comprehensive internal audit of their information technology management and an assessment of the effectiveness of risk monitoring, each at least once a year. The retention period for the above internal audit reports shall be no less than 20 years.
System Deployment and Information Storage
Information technology safety management comprises technology management, data security management and business continuity management. In terms of data security management, the Measures require the Operation Institutions to independently deploy the Key Information Systems within the territory of China, and to store within the territory of China the client information and important data collected and produced during securities and fund operation activities, except in the following circumstances: (i) information systems, important data and client information relating to securities transactions or derivatives transactions carried out by the Operation Institutions in overseas trading venues, or to OTC securities transactions or OTC derivatives transactions carried out between the Operation Institutions and overseas counterparties according to law; (ii) information systems, important data and client information relating to foreign exchange transactions carried out by the Operation Institutions according to law; and (iii) other circumstances permitted by laws and regulations and the CSRC. It is worth noting that this requirement is in fact stricter than the Cross-border Transfer of Personal Information and Important Data (Consultation Paper) published by the State Internet Information Office on April 11, 2017. We suggest that the CSRC grant a general permission for cross-border information and data transfers arising from reasonable business needs, on the condition that the recipient of any cross-border transfer of information or data takes proper confidentiality and security protection measures.
Supervision on Special Business Servicing Institutions
The Measures specify detailed regulatory provisions for the Special Business Servicing Institutions for the first time. According to the Measures, the Special Business Servicing Institutions shall establish a risk segregation mechanism between the special business information system and other business information systems, and shall properly deploy the special business information system and store its data. However, it remains unclear how the segregation is to be implemented and what effect it might have on existing businesses. Given that the Special Business Servicing Institutions usually provide services to a large number of PFMs, these regulatory requirements and the corresponding increase in operational costs may affect service recipients in the private fund business. The Measures also require the Special Business Servicing Institutions to refer to the CSRC’s provisions on reporting, investigating and handling information security incidents, to establish multi-level response mechanisms for information security incidents, and to report their reporting and handling mechanisms to the CSRC and its dispatched agencies.
Supervision on IT Servicing Institutions
The Measures specify the scope of, and selection requirements for, the engagement of IT Servicing Institutions by the Operation Institutions to provide information technology services. One regulatory emphasis is that an Operation Institution or a Special Business Servicing Institution shall not engage any IT Servicing Institution to independently implement the operation, maintenance or day-to-day safety management of a Key Information System. However, the Measures do not further define “independent implementation” or the level of control that the entrusting party must retain. The Measures also set out the matters the Operation Institutions and the Special Business Servicing Institutions should consider when selecting an IT Servicing Institution, including whether the domicile of the IT Servicing Institution is within the territory of China, and whether the IT Servicing Institution, its controlling shareholder, its de facto controller or an affiliate controlled by it has any record of material violation of laws and regulations relating to securities and futures business activities in the most recent year. The Measures further set out prohibitions on the engagement of IT Servicing Institutions; for instance, an IT Servicing Institution is prohibited from engaging in any business operation relating to the same securities and fund business activities while providing information technology services to an Operation Institution or a Special Business Servicing Institution.
Reporting Obligations
Under the Measures, the CSRC and its dispatched agencies are the regulatory departments, and the Securities Association of China, the AMAC and the stock exchanges are the self-regulatory organizations. The obligations to report to the regulatory departments prescribed by the Measures include filing, regular reporting and reporting under special circumstances. For instance, an Operation Institution or a Special Business Servicing Institution shall file with the CSRC when undertaking any of the following three matters: establishing a new Critical Information Infrastructure; using an information system relating to securities or fund transactions that is purchased from an external party or constructed by an entrusted external party; or providing connectivity to an external information system. The Measures impose annual reporting obligations on the Operation Institutions and the Special Business Servicing Institutions, and require the IT Servicing Institutions to regularly submit materials as required by the CSRC. The Measures also stipulate a reporting obligation for the Special Business Servicing Institutions upon any system failure incident, and a reporting obligation for the IT Servicing Institutions in any circumstances that might affect normal and continuous business operation.
Natasha (Qing) Xie, Partner, Jun He
xieq@junhe.com