When One Party to a Construction Contract Is Sold and Restructured, How Are the Contractual Rights and Obligations Succeeded? / Tang Xiangling

Author: 法律资料网 (Legal Resources Network)  Time: 2024-07-06 12:13:16  Views: 9272  Source: 法律资料网

Analysis of the Appeal in the Construction Contract Dispute between Wang and a Certain Committee


I. Key Points of the Case
The key point of this case is as follows: after a construction contract is signed and the works have passed completion acceptance but the construction price remains unpaid, where the contracting party's enterprise is sold, the buyer re-registers the purchased enterprise as a new enterprise legal person, and the purchased enterprise legal person is deregistered, the debts incurred by the purchased enterprise before the sale shall be borne by the newly registered enterprise legal person. The government department that originally organized the sale, as the superior competent authority of the contracting company, only organized and participated in the sale and restructuring of the contracting company and is not, in the legal sense, the successor to the contracting company's rights and obligations.
On 12 April 2000, Company 1 and the 19th Division of Company 2 signed a joint construction agreement. After the contract was signed, on 8 June of the same year Company 1 subcontracted the works for Residential Building No. 7 of the Yan'an Thermal Power Plant in Shaanxi Province to Wang in the form of an internal contract, and signed an internal works contract. Company 1 was a state-owned enterprise. When Company 1 underwent enterprise restructuring in 2006, the former Qianjiang Municipal Township Enterprise Administration Bureau, in its capacity as the competent authority, organized and participated in all of the restructuring work, including the sale of Company 1's assets and the resettlement of its employees, and sold all of Company 1's assets to Liu. In 2007, Liu used the purchased assets of Company 1 to newly establish Hubei Xintian Construction Engineering Co., Ltd. On 10 November 2010, Wang filed suit requesting a judgment ordering a certain committee (the Committee) to immediately compensate Wang for the construction price, property losses, labour wage losses and loans arising from the construction at the Yan'an site, totalling RMB 93,320.87.
The main point in dispute in this case is whether the Committee is a proper party to the litigation.
The court of first instance held: in this case, Wang claimed that the Committee should compensate him for the property and labour wage losses incurred during his subcontracting of the above works and repay loans, totalling RMB 93,320.87; because Wang submitted no valid evidence capable of proving that the above claims were established, Wang's claims were not supported in law for insufficiency of evidence. The Committee's defence that "Wang's claims have exceeded the limitation period and the Committee is not a proper party to the litigation" was inconsistent with the facts ascertained at trial and was not adopted in law.
The court of second instance held: after an enterprise is sold, where the buyer re-registers the purchased enterprise as a new enterprise legal person and the purchased enterprise legal person is deregistered, the debts of the purchased enterprise incurred before the sale shall be borne by the newly registered enterprise legal person. If the debt between Wang and Company 1 is genuine, Wang should assert his rights against Hubei Xintian Construction Engineering Co., Ltd. The former Qianjiang Municipal Township Enterprise Administration Bureau, merely as the superior competent authority of Company 1, organized and participated in the restructuring of Company 1 and is not, in the legal sense, the successor to Company 1's rights and obligations. It was therefore determined that the Committee is not a proper party to this case. Wang's assertion of rights against the Committee had no legal basis and was directed at the wrong party. The original judgment ascertained the facts clearly but applied the law erroneously, resulting in an improper substantive disposition.

II. Source of the Case
Qianjiang Municipal People's Court of Hubei Province, (2011) Qian Min Chu Zi No. 036; Hanjiang Municipal Intermediate People's Court of Hubei Province, (2011) Han Min Er Zhong Zi No. 54

III. Basic Facts of the Case
On 12 April 2000, Company 1 (hereinafter "Company 1") and the 19th Division of Company 2 signed a joint construction agreement. The agreement provided that the Division would subcontract to Company 1 the two residential buildings of the Yan'an Thermal Power Plant in Shaanxi Province that it had undertaken to build; that one week after Company 1's construction personnel entered the site, when the foundation excavation was completed, part of the construction price and living expenses would be advanced; that on the 25th of each month 80% of the value of the works actually completed would be paid to Company 1; and that the remaining 20% of the construction price would be paid within 10 days after the works passed completion acceptance. After the contract was signed, on 8 June of the same year Company 1 subcontracted the works for Residential Building No. 7 of the Yan'an Thermal Power Plant in Shaanxi Province to Wang in the form of an internal contract, and signed an internal works contract. Under that contract, Company 1's responsibilities were to sign the construction contract with the employer and prepare the estimates and final accounts; to handle the formalities for disbursement of the construction price with the employer and, in instalments, withhold management fees from the disbursed amounts according to the management fee standard that Wang was to remit; and to organize the completion acceptance of the works. Wang's responsibilities were to complete all tasks stipulated in the construction contract signed between Company 1 and the employer, operating independently and bearing his own profits and losses; to submit to Company 1's financial management, with funds used only for their designated purpose, and, on condition that the quality and progress of the works were assured, to settle the wage accounts with Company 1; and to purchase all building materials required for the works himself and pay for them himself. After the contract was signed, Wang entered the site and began construction as agreed. The works were later suspended midway for various reasons. Wang repeatedly requested settlement with Company 1 and, on 6 June 2009, together with the Qianjiang Municipal Township Enterprise Administration Bureau, applied to the Qianjiang Municipal People's Mediation Committee for mediation, but no mediation agreement was ultimately reached. On 10 November 2010, Wang filed suit requesting a judgment ordering the Committee to immediately compensate Wang for the construction price, property losses, labour wage losses and loans arising from the construction at the Yan'an site, totalling RMB 93,320.87.
On 30 December 2006, the former Qianjiang Municipal Township Enterprise Administration Bureau and Liu signed a sale contract under which Liu acquired the restructured assets of Company 1 by competitive bid for RMB 2.8 million. The parties also agreed that Liu would take over all of Company 1's claims and debts other than amounts payable to internal employees.
On 1 February 2005, the relevant functions of the former E Administration Bureau were consolidated into Committee 3. On 7 January 2010, the functions of Committee 3 were consolidated into the Committee.
Company 1 was a state-owned enterprise. When Company 1 underwent enterprise restructuring in 2006, the former Qianjiang Municipal Township Enterprise Administration Bureau, in its capacity as the competent authority, organized and participated in all of the restructuring work, including the sale of Company 1's assets and the resettlement of its employees, and sold all of Company 1's assets to Liu. In 2007, Liu used the purchased assets of Company 1 to newly establish Hubei Xintian Construction Engineering Co., Ltd.

IV. Court Proceedings
The court of first instance held: The joint construction agreement signed between Company 1 and the 19th Division of Company 2 reflected the true intentions of both parties, and its contents did not violate the mandatory provisions of laws or administrative regulations; it was a valid contract and should be protected in law. Company 1 contracted out the Yan'an Thermal Power Plant works in Shaanxi Province to Wang in the form of an internal contract; although named an internal contract, it was in substance a construction subcontract. That subcontract should be recognized as valid in law, and both parties should perform it as agreed. In this case, Wang claimed that the Committee should compensate him for the property and labour wage losses incurred during his subcontracting of the above works and repay loans, totalling RMB 93,320.87; because Wang submitted no valid evidence capable of proving that the above claims were established, Wang's claims were not supported in law for insufficiency of evidence. The Committee's defence that "Wang's claims have exceeded the limitation period and the Committee is not a proper party to the litigation" was inconsistent with the facts ascertained at trial and was not adopted in law. Pursuant to Article 64(1) of the Civil Procedure Law of the People's Republic of China, the court ruled to dismiss Wang's claims. The case acceptance fee of RMB 2,130 is to be borne by Wang.
The court of second instance held: The dispute in this case arose from the construction subcontract between Wang and Company 1; after Company 1 was restructured, its assets were purchased by Liu, who used the purchased assets of Company 1 to newly establish Hubei Xintian Construction Engineering Co., Ltd. Article 26 of the Provisions of the Supreme People's Court on Several Issues Concerning the Trial of Civil Dispute Cases Related to Enterprise Restructuring provides: "After an enterprise is sold, where the buyer re-registers the purchased enterprise as a new enterprise legal person and the purchased enterprise legal person is deregistered, the debts of the purchased enterprise incurred before the sale shall be borne by the newly registered enterprise legal person, unless the buyer and seller have agreed otherwise and the creditor has consented." According to that provision, if the debt between Wang and Company 1 is genuine, Wang should assert his rights against Hubei Xintian Construction Engineering Co., Ltd. The former Qianjiang Municipal Township Enterprise Administration Bureau, merely as the superior competent authority of Company 1, organized and participated in the restructuring of Company 1 and is not, in the legal sense, the successor to Company 1's rights and obligations. It was therefore determined that the Committee is not a proper party to this case. Wang's assertion of rights against the Committee had no legal basis and was directed at the wrong party. The original judgment ascertained the facts clearly but applied the law erroneously, resulting in an improper substantive disposition. Pursuant to Articles 108 and 158 of the Civil Procedure Law of the People's Republic of China and Article 188(3) of the Opinions of the Supreme People's Court on Several Issues Concerning the Application of [the law is not named in the source], the court ruled as follows:
1. The civil judgment of the Qianjiang Municipal People's Court of Hubei Province, (2011) Qian Min Chu Zi No. 036, is set aside;
2. Wang's suit against the Committee is dismissed.
This ruling is final.
  
V. Index of Laws and Regulations Relevant to This Case and Similar Cases
Provisions of the Supreme People's Court on Several Issues Concerning the Trial of Civil Dispute Cases Related to Enterprise Restructuring
Article 26 After an enterprise is sold, where the buyer re-registers the purchased enterprise as a new enterprise legal person and the purchased enterprise legal person is deregistered, the debts of the purchased enterprise incurred before the sale shall be borne by the newly registered enterprise legal person, unless the buyer and seller have agreed otherwise and the creditor has consented.


(This article is an original work; reproduction without the author's written authorization is prohibited.)

Editor's note: This article is excerpted from Analysis of One Hundred Cases of Construction Contract Disputes in China, compiled by Tang Xiangling, a Beijing lawyer specializing in construction and real estate. Tang Xiangling graduated from Renmin University of China with a Master of Laws and has practised law for more than ten years. His Beijing construction and real estate legal team has handled a large number of legal matters involving engineering construction and real estate and has extensive experience in this field; engagements in this field are welcome (Address: Beijing International Center, 38 East Third Ring North Road, Chaoyang District, Beijing; Tel: 186-0190-0636; Email: lawyernew@163.com).




Measures of Nanchong Municipality for the Administration of Work Safety in Industrial Parks (for Trial Implementation)

General Office of the People's Government of Nanchong Municipality, Sichuan Province

Nan Fu Ban Han [2010] No. 7

Notice of the General Office of the People's Government of Nanchong Municipality on Issuing the Measures of Nanchong Municipality for the Administration of Work Safety in Industrial Parks (for Trial Implementation)

To the people's governments of all counties (cities, districts) and the relevant municipal departments:

The Measures of Nanchong Municipality for the Administration of Work Safety in Industrial Parks (for Trial Implementation) have been approved by the Municipal Government and are hereby issued for your compliance and implementation.

27 January 2010

Measures of Nanchong Municipality for the Administration of Work Safety in Industrial Parks (for Trial Implementation)



Chapter I General Provisions

Article 1 These Measures are formulated, in light of the actual circumstances of this Municipality, to standardize the administration of work safety in industrial parks, prevent and reduce production safety accidents, and promote economic development, in accordance with the relevant provisions of the Work Safety Law of the People's Republic of China, the Sichuan Province Work Safety Regulations, the Sichuan Province Provisions on Work Safety Responsibilities of Production and Business Units, and other laws and regulations.

Article 2 These Measures apply to the administration of work safety in industrial parks within the administrative area of this Municipality.

The term "industrial park" (hereinafter "park") in these Measures refers to provincial-level, municipal-level and county (city, district)-level industrial parks (development zones).

Article 3 Parks shall implement the policy of "safety first, prevention foremost, comprehensive governance", plan work safety in the park in an integrated manner, and administer it uniformly.



Chapter II Division of Responsibilities

Article 4 Parks shall adopt a work safety administration model of "overall coordination and administration by the management committee, supervision by the park under lawful delegation from government functional departments, and each resident production and business unit bearing its own responsibility".

Article 5 The park management committee shall, in accordance with the principles that "whoever manages production must manage safety" and of "territorial administration", perform the following work safety administration duties:

(1) Strengthen leadership over work safety in the park; in line with the overall arrangements and requirements of the State, the Province and the Municipality for work safety, incorporate work safety into the park's overall economic development plan, so that it is planned, arranged and advanced in step, with rewards and penalties implemented;

(2) Define the work safety responsibilities of the management committee's leadership, its subordinate departments (units) and the production and business units in the park; establish and improve work safety responsibility systems such as "one post, two responsibilities" and "one-vote veto", and break them down and implement them at every level;

(3) Study and formulate annual and periodic work safety objectives, approaches and main tasks, arrange work safety, and study and coordinate the resolution of major work safety matters;

(4) Improve the work safety administration body, staff it fully with safety administration personnel, and guarantee the funding necessary for routine work safety supervision, publicity and education, emergency rescue, accident investigation and handling, and rectification of major hazard sources and major accident hazards endangering public safety;

(5) Strengthen work safety administration at the source, inform enterprises of the work safety administrative approval items involved in new, reconstruction and expansion projects and of the specific filing procedures for the "three simultaneities" of safety facilities, and assist in their implementation;

(6) Regularly organize major work safety inspections during major holidays, key periods and important events, and organize or cooperate in special work safety rectification campaigns; establish a system for screening and managing accident hazards, promptly identify all kinds of accident hazards, urge rectification and implementation of preventive measures, and strictly prevent production safety accidents;

(7) Formulate emergency rescue plans for production safety accidents in the park, improve the emergency rescue mechanism, organize emergency rescue drills, actively cooperate with the accident investigation teams of the municipal and county (city, district) governments, and organize and coordinate the accident unit in handling the aftermath of accidents;

(8) Publicize work safety laws, regulations, policies and guidelines in various forms, provide safety education and training to enterprises and employees in the park, and raise the safety awareness of park employees;

(9) Guide, coordinate, supervise and inspect the work safety of the park's departments and enterprises, organize work safety target assessments, and establish a work safety reward and penalty incentive mechanism;

(10) Other work safety duties prescribed by laws, regulations and rules, and other work safety tasks assigned by the municipal and county (city, district) Party committees and governments and the municipal and county (city, district) work safety committees.

Article 6 The municipal and county (city, district) functional departments for work safety supervision, public security fire control, construction, planning, quality supervision, industry and commerce, etc. shall earnestly perform the work safety supervision duties conferred on them by laws and regulations and by the provisions of the municipal and county (city, district) governments on work safety responsibilities, carry out work safety supervision and inspection of enterprises in the parks at appropriate times, strictly handle specific work involving work safety such as administrative approval, review and filing in accordance with the relevant requirements, and establish and improve the following coordination mechanisms:

(1) Establish and improve a filing mechanism for delegated work safety enforcement. Each department with work safety supervision duties over parks shall delegate its enforcement powers in writing to the park management committee, which shall carry out routine safety supervision in accordance with the relevant laws and regulations, impose penalties for work safety violations in accordance with law, and report the penalty results to the department with safety supervision duties for the record.

(2) Establish and improve a joint work safety supervision mechanism. When relevant municipal and county (city, district) functional departments conduct safety inspections of enterprises in a park, they shall notify the park management committee's safety administration body to send personnel to participate, or promptly inform the park management committee of the inspection results after the inspection.

(3) Establish and improve a reporting mechanism for major safety hazards. Where the park management committee or its safety administration body discovers a major safety hazard during routine safety inspections and the enterprise concerned refuses to rectify it, it shall promptly report to the relevant enforcement and supervision department and coordinate with and assist that department in investigating and dealing with it.

(4) Establish and improve a coordination mechanism for work safety administrative approval. Relevant municipal and county (city, district) functional departments shall provide guidance and services for work safety administrative approval in parks; the park management committee shall designate a specific body and personnel responsible for reviewing administrative approval items, and for approval items signed off by the management committee's reviewers and approved under the management committee's seal, the relevant functional departments shall complete the signing and sealing or forwarding formalities. For approval items that the park management committee genuinely has difficulty reviewing on its own, the relevant administrative functional departments shall, at the request of the management committee's review body, send personnel to carry out the review jointly.

Article 7 Production and business units in a park shall, in their production and business activities, comply with the laws, regulations, standards and policy provisions of the State, the Province and the Municipality concerning work safety, submit to the administration of the park management committee and its work safety supervision and administration body, and bear primary responsibility for work safety in accordance with law.



Chapter III Organizational Structure

Article 8 A park shall establish a work safety committee composed of the principal person in charge of the park management committee, the person in charge of the relevant area, the head of the work safety administration body, the heads of the relevant administration bodies, and the relevant persons in charge of the township governments (sub-district offices) where the enterprises under its jurisdiction are located.

The park work safety committee shall hold at least one special work safety meeting per month to convey the spirit of higher-level work safety meetings, organize study of work safety laws and regulations, report on the park's work safety situation, study and coordinate the resolution of major work safety matters in the park, and urge the implementation of measures to eliminate accident hazards. Meetings shall be recorded in writing and minutes shall be produced.

Article 9 A park shall, in light of its actual work safety situation, improve its work safety administration body and provide the corresponding office facilities, safety inspection equipment and working funds.

Article 10 The work safety administration body shall be staffed with full-time (and part-time) personnel commensurate with the park's work safety work. Each park shall have at least two full-time work safety administration personnel and an appropriate number of part-time personnel.

The roster of work safety administration body personnel shall be filed with the municipal or county (city, district) work safety supervision and administration department for the record.

Article 11 The park work safety administration body shall, under the leadership of the park work safety committee, perform the following duties:

(1) Be responsible for the unified coordination and administration of work safety in the park;

(2) Examine the work safety licences and certificates and the safety rules and regulations of resident enterprises, and establish one file per enterprise;

(3) Take the lead in formulating and implementing the park's safety administration systems;

(4) Conduct work safety supervision and inspection of the park's public areas and resident enterprises, promptly eliminate accident hazards, and conduct routine safety patrols of public facilities and equipment;

(5) Under delegation from the municipal or county (city, district) departments with work safety supervision and administration duties, impose work safety administrative penalties on park enterprises under summary procedure;

(6) Participate in the "three simultaneities" review of safety facilities for new, reconstruction and expansion projects in the park, and urge that the safety facilities of construction projects be designed, constructed, and put into production and use simultaneously with the main works;

(7) Register, file, assess and monitor major hazard sources, prepare the park's emergency rescue plan, and regularly organize emergency rescue drills;

(8) Organize work safety publicity and education activities such as "Work Safety Month", and inspect and urge resident enterprises' work safety publicity, education and training;

(9) Provide guidance and services for resident enterprises' work safety, assist in conducting work safety assessments, and promote advanced work safety management experience;

(10) Coordinate with the relevant municipal and county (city, district) departments with work safety supervision and administration duties to carry out special joint work safety enforcement inspections at appropriate times;

(11) Report and assist in investigating and handling production safety accidents;

(12) Complete other work safety tasks assigned by the park management committee and higher-level work safety supervision departments.



Chapter IV Supervision and Administration

Article 12 A park shall establish and improve the following work safety systems:

(1) A work safety responsibility system;

(2) A work safety meeting system;

(3) A work safety publicity, education and training system;

(4) A work safety supervision and inspection system;

(5) An accident hazard treatment and major hazard source monitoring system;

(6) A work safety administrative approval and safety facility "three simultaneities" system;

(7) A work safety emergency rescue system;

(8) A production safety accident reporting and handling system;

(9) Safety administration systems for fire protection, electricity use, gas use, occupational health, special equipment, etc.;

(10) A work safety records management system;

(11) Other work safety systems.

Article 13 The park management committee shall, in light of the park's development plan and industrial orientation, examine the relevant licences and certificates of resident enterprises, review their work safety conditions, and implement a work safety notification and commitment system.

Where the park management committee or its safety administration body finds that a new, reconstruction or expansion production and business unit has commenced construction without completing the "three simultaneities" review formalities for safety facilities, it shall promptly stop it and urge it to complete the relevant formalities in accordance with law. Where a unit fails to comply with the "three simultaneities" requirement for safety facilities and commences production without authorization, the committee shall report to, and cooperate with, the municipal or county (city, district) work safety supervision department in filing a case and investigating in accordance with law. Where a unit engaged in hazardous chemicals, fireworks and firecrackers, mining, the production of civil explosives, construction or similar undertakings engages in production and business activities without obtaining the relevant work safety administrative licences, the committee shall promptly urge it to complete the relevant licensing formalities; where it refuses, the committee shall report to the relevant department with work safety supervision duties and cooperate with the work safety supervision department in investigating and dealing with it in accordance with law.

Article 14 The park management committee is responsible for work safety administration in the park's public areas, shall formulate the relevant administration systems, and shall guarantee investment in work safety.

The structure of factory buildings in the park and its public facilities and equipment shall meet the work safety conditions prescribed by laws, regulations and standards.

Article 15 The park safety administration body shall focus its inspections of resident enterprises on the following work safety matters:

(1) Inspect and urge production and business units in the park to establish and improve work safety administration bodies and to appoint work safety administration personnel in accordance with the relevant provisions;

(2) Inspect and urge production and business units in the park to fulfil their primary responsibility for work safety, establish and improve work safety rules and regulations, and improve and supervise the implementation of all kinds of safe operating procedures;

(3) Inspect and urge production and business units in the park to fully implement the work safety responsibilities of all categories of personnel in accordance with the Sichuan Province Provisions on Work Safety Responsibilities of Production and Business Units (Order No. 216 of the People's Government of Sichuan Province), and to establish and improve the following work safety rules and regulations:

1. A work safety investment guarantee system;

2. A safety demonstration, assessment and management system for new, reconstruction and expansion projects;

3. A comprehensive safety management system for facilities and equipment, and a maintenance, servicing, overhaul and repair system for safety facilities and equipment;

4. A safety management system for production and business premises, facilities and equipment with relatively high danger or hazard factors;

5. A major hazard source safety management system;

6. An occupational health management system;

7. A system for the use and management of labour protection articles;

8. A work safety inspection, accident hazard screening and rectification system;

9. A work safety target management and accountability system;

10. A work safety education, training, management and assessment system;

11. A special operations personnel management system;

12. An on-site safety management and standardized job safety operation system;

13. A work safety meeting management system;

14. An emergency rescue plan and emergency system management system;

15. A production safety accident reporting, investigation and handling system;

16. Other work safety rules and regulations covering fire protection, transport, storage, disaster prevention, etc.

(4) Inspect and urge production and business units in the park to strengthen the safety administration of special equipment and facilities, ensure that the periodic inspection rate of special equipment and facilities such as boilers, pressure vessels, pressure pipelines, in-plant motor vehicles and lifting equipment reaches 100%, and refrain from using processes and equipment that the State has explicitly ordered eliminated or prohibited;

(5) Inspect and urge the principal persons in charge, persons in charge of relevant areas, safety administration personnel and special operations personnel of production and business units in the park to participate in accordance with law in training and assessment on work safety knowledge and management capability and to work with the required certificates, and urge production and business units in the park to conduct work safety education and training for their employees;

(6) Inspect and urge production and business units in the park to set aside work safety expenses in accordance with the relevant provisions of the State for hazard rectification and improvement of working conditions; urge production and business units in the park to provide employees with labour protection articles and to participate in work-related injury insurance in accordance with the relevant provisions of the State; and urge the relevant production and business units in the park to pay work safety risk deposits as required;

(7) Inspect and urge enterprises in the park to formulate emergency rescue plans for production safety accidents and to conduct drills regularly;

(8) Through major work safety inspections organized at appropriate times, cross-inspections among similar enterprises, routine patrols and other means, promptly identify and rectify all kinds of accident hazards at key production and business units in the park; for hazards that cannot be rectified at present, instruct the units concerned to formulate preventive measures and carry out follow-up supervision and inspection.

Article 16 Resident enterprises shall not change the production use or building structure of factory buildings without authorization. Contracting and leasing activities shall comply with laws and regulations; enterprises shall not transfer production and business projects or related business to units or individuals lacking the corresponding work safety conditions, shall not lease premises, equipment or facilities lacking the corresponding work safety conditions to others, and shall not lease and use premises, equipment or facilities lacking the corresponding work safety conditions.

Where a resident enterprise leases, subleases or transfers factory buildings or premises such that its work safety situation or hazard class changes, it shall notify the relevant body of the park management committee in advance and complete the "three simultaneities" review and filing formalities for safety facilities with the work safety supervision department in accordance with the requirements for enterprise reconstruction.

Article 17 A project owner in the park shall sign a work safety administration agreement with the construction contractor. The work safety administration agreement, the relevant safety qualifications and certificates of the construction contractor and its construction personnel, facilities and equipment, and the status of safety supervision registration with the competent construction administration department shall be filed with the park safety administration body for the record.

The project owner is responsible for coordinating and administering work safety on the construction project. The project owner and the construction contractor shall comply with the relevant provisions of the State, the Province and the Municipality on work safety administration of construction projects.

The work safety administration of other mobile operating units entering the park shall be carried out with reference to the preceding two paragraphs of this Article.

Article 18 Park management committees and resident enterprises are encouraged to engage, in accordance with law, work safety consulting service agencies to provide work safety technical and management consulting and services, so as to raise the level of work safety administration.

The park management committee and its work safety administration body shall, at appropriate times each year, organize work safety experts from within and outside the Municipality to conduct targeted hazard screening of key enterprises in the park, so as to promptly identify and urge the treatment of major accident hazards at enterprises in the park.



Chapter V Supplementary Provisions

Article 19 Each park management committee shall formulate implementing rules in accordance with these Measures and in light of its actual circumstances, and file them with the municipal or county (city, district) work safety supervision bureau for the record.

Article 20 The Nanchong Municipal Work Safety Supervision and Administration Bureau is responsible for interpreting these Measures.

Article 21 These Measures shall be implemented on a trial basis from the date of promulgation.







Guidelines on the Risk Management of Commercial Banks' Information Technology (English version attached)

China Banking Regulatory Commission


Guidelines on the Risk Management of Commercial Banks’ Information Technology





Chapter I General Provisions

Article 1. Pursuant to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) are formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.


Article 3. The term "information technology" stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.



Chapter II IT governance

Article 6. The legal representative of a commercial bank should be responsible for ensuring compliance with the Guidelines.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing an IT governance structure with proper segregation of duties, clear roles and responsibilities, checks and balances, and clear reporting lines; strengthening the IT professional staff by developing incentive programs.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;
(9) Ensuring the appropriate funding necessary for IT risk management work;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring that the customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, complying with the regulatory on-site examination requirements of the CBRC, and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and responding to it quickly in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual property, ensure the purchase of legitimate software and hardware, prevent the use of pirated software, protect the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied with by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose their IT risk profile in a standardized and timely manner.


Chapter III IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include:
(1) Pre- and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by the CBRC;
(5) Arrangements with vendors and business units for periodic review of service level agreements (SLAs);
(6) Assessment of the possible impact of new technology developments and new threats on deployed software;
(7) Timely review of operational risk and management controls in the operations area; and
(8) Periodic assessment of the risk profile of IT outsourcing projects.

Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.


Chapter IV Information Security

Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and systems should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. An appropriate user authentication mechanism commensurate with the classification of the information to be accessed should be selected. Timely review and removal of user identities from the system should be implemented when a user transfers to a new job or leaves the commercial bank.

Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the "domain") with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls (such as physical or logical segregation of the network, network filtering, logical access control, traffic encryption, network monitoring, activity logging, etc.) for each domain and for the whole network:
(1) Criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, to monitor the systems for any abnormal event manually or automatically, and to report the monitoring results periodically.

Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensitivity of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring that the input and output of confidential information be handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring the system can handle exceptions in a predefined way and provide a meaningful message to users when the system is forced to terminate;
(7) Maintaining an audit trail in either paper or electronic format; and
(8) Requiring the user administrator to monitor and review unsuccessful logins and changes to user accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management systems, firewalls, intrusion detection systems, routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.
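The following Python script is an added example, not part of the Guidelines or any bank's code, showing one way to review the system-log items that Articles 25(5), 26(8) and 27 require to be logged and reviewed: repeated unsuccessful logins, changes to user accounts, access to critical system files, clock skew between a host and the central collector (the time-synchronization point), and whether the archive still reaches back the minimum one year. The line format (host timestamp, collector receive timestamp, host, program, message), the hostnames, the thresholds and the sample lines are all constructed assumptions.

```python
"""Review constructed system-log lines for the exceptions Articles 25(5),
26(8) and 27 of the Guidelines say must be logged and reviewed.
Log format (an assumption, not any real collector's format):
  <host_timestamp> <collector_receive_timestamp> <host> <program>: <message>
"""
from __future__ import annotations
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines; hosts, users and addresses are made up.
SAMPLE_LOGS = """\
2024-03-01T08:00:01+00:00 2024-03-01T08:00:02+00:00 core-db-01 sshd: Failed password for admin from 10.0.5.7 port 51022
2024-03-01T08:00:04+00:00 2024-03-01T08:00:05+00:00 core-db-01 sshd: Failed password for admin from 10.0.5.7 port 51023
2024-03-01T08:00:09+00:00 2024-03-01T08:00:10+00:00 core-db-01 sshd: Accepted password for admin from 10.0.5.7 port 51024
2024-03-01T08:01:30+00:00 2024-03-01T08:01:31+00:00 core-db-01 usermod: change user 'batch' added to group 'sudo'
2024-03-01T08:02:00+00:00 2024-03-01T08:02:01+00:00 core-db-01 audit: open path=/etc/shadow uid=1004 result=allowed
2024-03-01T07:55:12+00:00 2024-03-01T08:00:13+00:00 teller-gw-02 sshd: Accepted publickey for ops from 10.0.9.3 port 40100
2024-03-01T08:02:10+00:00 2024-03-01T08:02:11+00:00 core-db-01 useradd: new user: name=tmpsvc, UID=1010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<recv>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")
ACCOUNT_CHANGE_PROGS = {"useradd", "usermod", "userdel", "passwd", "groupadd"}
CRITICAL_FILES = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}
MIN_RETENTION = timedelta(days=365)  # Article 27(2): system logs kept no less than one year


def parse_logs(text: str) -> list[dict]:
    """Parse log lines into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])      # host clock
        ev["recv"] = datetime.fromisoformat(ev["recv"])  # collector clock
        events.append(ev)
    return events


def review(events: list[dict], failed_threshold: int = 2,
           max_skew: timedelta = timedelta(seconds=5)) -> dict:
    """Return the exceptions a log reviewer should look at (thresholds are assumptions)."""
    failures: Counter = Counter()
    account_changes, critical_access, skews = [], [], {}
    for ev in events:
        m = FAILED_LOGIN.search(ev["msg"])
        if ev["prog"] == "sshd" and m:
            failures[(ev["host"], m.group(1), m.group(2))] += 1  # (host, user, source)
        if ev["prog"] in ACCOUNT_CHANGE_PROGS:
            account_changes.append((ev["host"], ev["prog"], ev["msg"]))
        if ev["prog"] == "audit":
            pm = re.search(r"path=(\S+)", ev["msg"])
            if pm and pm.group(1) in CRITICAL_FILES:
                critical_access.append((ev["host"], pm.group(1), ev["msg"]))
        # Host timestamp versus collector receive time: large gaps mean the
        # host clock is not synchronized and its log times cannot be trusted.
        skew = abs(ev["recv"] - ev["ts"])
        if skew > max_skew:
            skews[ev["host"]] = max(skews.get(ev["host"], timedelta(0)), skew)
    return {
        "failed_logins": [(k, n) for k, n in failures.items() if n >= failed_threshold],
        "account_changes": account_changes,
        "critical_file_access": critical_access,
        "clock_skew": sorted(skews.items()),
    }


def retention_covered(events: list[dict], now: datetime,
                      minimum: timedelta = MIN_RETENTION) -> bool:
    """True if the archive still contains entries at least `minimum` old."""
    if not events:
        return False
    oldest = min(ev["ts"] for ev in events)
    return now - oldest >= minimum


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for name, items in review(evs).items():
        print(f"{name}: {items}")
    print("retention ok:", retention_covered(evs, datetime.now(timezone.utc)))
```

The sample deliberately contains one host whose clock is five minutes behind the collector, so the skew finding appears alongside the failed-login burst, the two account changes and the /etc/shadow access; in practice the thresholds and the list of critical files would come from the bank's own logging policy, and the retention check would run against the oldest entry in the archive rather than a small in-memory sample.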

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system for securing all end-user computing equipment, which includes desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistants (PDAs), etc., and conduct periodic security checks on all such equipment.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should be provided with the necessary training to fully understand these policies and procedures and the consequences of their violation. Commercial banks should adopt a zero-tolerance policy against security violations.


Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.

Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensuring that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.

Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should also be applied to preserve data integrity throughout the IT development process.

Article 37. Commercial banks should ensure that information system problems can be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and lines of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance when performing emergency repair.

Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. A system upgrade is needed when the hardware reaches the end of its lifespan or runs out of capacity, when the underpinning software (namely the operating system, database management system or middleware) has to be upgraded, or when the application software has to be upgraded. The system upgrade should be treated as a project and managed with all pertinent project management controls, including user acceptance testing.


Chapter VI IT Operations

Article 39. Commercial banks should fully consider environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities, or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions that could adversely affect the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.

Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.

Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.

Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology should be put in place to ensure the integrity, safekeeping and retrievability of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).

Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff, and to record, analyze and keep track of all these incidents until they are rectified and root cause analysis is completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreements and assess the IT service level standards attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity planning to cater for business growth and transaction increases due to changes in economic conditions. Capacity planning should be extended to cover back-up systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.


Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to:
(1) Loss or failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of their information; and
(3) External events (such as war, earthquake, typhoon, etc).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including through system resilience and dual processing) and the impact of disruptions (including through contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity of their operations, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial banks should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of short-, medium- and long-term disruptions, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. The final business continuity plan and the annual drill results must be signed off by IT Risk management or internal audit, and by the IT Steering Committee.


Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out their regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangements (such as outsourcing of the data center, IT infrastructure, etc.), and should notify CBRC when they intend to enter into a material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence on the service provider's financial stability, expertise, facilities and ability to cover potential liabilities, including a risk assessment of the service provider;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and firewalls to protect client and other information (including arrangements at the termination of the contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank's policies and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework, and in drafting the service level agreement with the service provider, the commercial bank should have regard to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports, periodic self-assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. The commercial bank should strengthen the management of IT-related outsourcing and put in place the following measures (but not limited to these) to ensure the security of sensitive data such as customer information:
(1) Keep the bank's customer information effectively separated from the information of the service provider's other clients;
(2) Authorize the related staff of the service provider on a "need to know" and "minimum authorization" basis;
(3) Ensure that the service provider guarantees that its staff meet the confidentiality requirements;
(4) Identify all outsourcing arrangements related to customer information as material outsourcing arrangements and notify the customers concerned;
(5) Strictly monitor re-outsourcing by the service provider, and implement adequate control measures to ensure the information security of the bank;
(6) Ensure that all related sensitive information is returned or deleted from the service provider's storage when the outsourcing arrangement is terminated.
Article 61. The commercial bank should ensure that it has appropriate contingency arrangements in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.


Chapter IX Internal Audit

Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the results of work carried out in accordance with (1);
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.

Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.

Article 66. Commercial banks should engage their internal audit department and IT Risk management department when implementing system development of significant size and scale, to ensure that it meets the IT Risk standards of the commercial banks.


Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. The commercial bank should ensure that the IT audit service provider, when commissioned to perform the audit, reviews and examines the bank's hardware, software, documentation and data to identify IT risk. Vital commercial and technical information that is protected by national laws and regulations should not be reviewed.

Article 69. Commercial banks should communicate with the service provider in depth before the audit to determine the audit scope, and should not intentionally withhold information from or refuse to cooperate with the service provider.

Article 70. CBRC and its local offices may designate certified service providers to carry out IT audits or related reviews of commercial banks when needed. When carrying out an audit of a commercial bank, as commissioned or authorized by CBRC or its local offices, the service provider shall present the letter of authority and carry out the audit in accordance with the scope prescribed in the letter of authority.

Article 71. Once the IT audit report produced by the service provider is reviewed and approved by CBRC or its local offices, the report has the same legal status as if it had been produced by CBRC itself. Commercial banks should develop a corrective action plan as prescribed in the report and implement the corrective actions within the prescribed timeframe.

Article 72. Commercial banks should ensure that service providers strictly comply with laws and regulations on confidentiality and data security with respect to any commercial secrets, private information and IT risk information learnt when conducting the audit. The service provider should not modify, copy or take away any documents provided by the commercial banks.


Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.