30 July, 2018
The China Banking and Insurance Regulatory Commission (“CBIRC”) adopted the Guidelines on Data Governance of Banking Financial Institutions (“Guidelines”) on May 21, 2018. The Guidelines aim to standardize and provide guidance on the management, quality control and use of data by banking financial institutions. The Criteria for Good Quality Management of Regulatory Statistics of Banks (Implementation for Trial) (Yin Bao Jian Fa [2018] No. 22) was repealed on the same day. The major requirements of the Guidelines are summarized as follows.
I. Scope of Application
The Guidelines apply to banking financial institutions established in the People's Republic of China, including commercial banks, rural credit cooperatives that accept public deposits, policy banks and the China Development Bank, as well as branches of foreign banks and other financial institutions supervised by the banking regulator.
Data governance under the Guidelines refers to the dynamic processes of a banking financial institution that specify the duties of the board of directors, the board of supervisors, senior management and internal departments. Data governance includes the establishment of the organizational structure and the formulation and implementation of systems, processes and methods, ensuring the consistent management of data and efficient operation thereof, and ensuring that the use of data is optimized in business operations. This covers a range of aspects including the allocation of responsibility, system set-up, quality control, data value mining, and supervision and management relating to the data governance of banking financial institutions.
II. Clarifying the Data Governance Structure
The Guidelines require banking financial institutions to incorporate data governance into their corporate governance, to establish multi-level and interconnected operating mechanisms and to encourage the establishment of a data culture. The board of directors should formulate data strategies, review significant events relating to data governance, and take ultimate responsibility for data governance. Senior management should be responsible for establishing and implementing systems for data governance, accountability and incentives and data quality control and should report to the board of directors on a regular basis. A board of supervisors should be responsible for the supervision and appraisal of the performance of data governance duties by the board of directors and senior management. Banking financial institutions should determine and authorize a designated department to lead and take charge of data governance systems, to coordinate and supervise the data management operating mechanism, and should appoint chief data officers as appropriate.
III. Establishing a Data Management System
The Guidelines require the establishment of a comprehensive and effective data management system, in order to (1) formulate a management system and a business system for regulatory statistics, which should also be filed with the banking regulatory authorities; (2) establish a standardized plan to cover all data; (3) establish an information system that can be adapted to the requirements of the submission system of regulated data; (4) strengthen the coordinated management of data collection, and specify processes and standards for data exchange between systems; (5) establish data security strategies and standards, and protect personal information and privacy; (6) strengthen the coordinated management of data and materials, and ensure data compatibility; (7) establish data contingency plans; (8) establish a self-evaluation mechanism for data governance; (9) establish accountability and inspection mechanisms.
IV. Establishing a Data Quality Control Mechanism
Banking financial institutions should establish quality control mechanisms to ensure the authenticity, accuracy, continuity, integrity and timeliness of data. The quality control mechanisms are required to: (1) increase supervision of the management of data sources; (2) establish a data quality monitoring system covering the entire life cycle of data; (3) introduce an onsite, regular data quality inspection system, conducted not less than once a year; (4) establish a data quality examination and appraisal system; (5) establish a data quality correction mechanism; (6) ensure consistency between the indicators submitted to the regulator and those disclosed to external parties; and (7) establish a quality control system for regulatory data.
V. Fully Utilizing Data Value
The Guidelines require that banking financial institutions should fully optimize data value and strengthen the use of data across various activities, including risk management, business management and internal control. Specifically, banking financial institutions should ensure that data is used in order to: continuously improve risk management methods; improve data aggregation capability; improve the quality of risk reporting; optimize risk pricing systems; acquire an accurate understanding of customer needs and provide specific products and services; improve operating efficiency and reduce operating costs; achieve business innovation; and improve the effectiveness of internal control. The Guidelines also require that banking financial institutions should make full assessments of the impact of mergers and acquisitions and asset stripping on their data governance capability, and include relevant data management requirements as part of their assessment standards when promoting new products and services.
VI. Our Observation
The Guidelines require banking financial institutions to strengthen their data governance, strengthen data quality control, and maximize data value. Banking financial institutions should update their internal data compliance and governance systems according to the Guidelines, and with full consideration of the Cybersecurity Law and its supporting regulations and national standards. Compared with other industries, data collection and processing by banking financial institutions is more sensitive and is subject to stricter regulatory requirements. The Guidelines have put forward increased requirements for data protection by banking financial institutions, and also have some elements of significance to other industries.