The China Banking and Insurance Regulatory Commission puts forward comprehensive requirements for the informatization of insurance intermediary institutions.

On January 12, the China Banking Regulatory Commission published the “Measures for the Supervision of Informatization of Insurance Intermediaries” (hereinafter referred to as the “Measures”), which comprise 6 chapters and 36 articles: General Provisions, Basic Requirements, Information Systems, Information Security, Supervision and Management, and Supplementary Provisions. The “Measures” will come into effect on February 1, 2021.

In recent years, the insurance industry has continued to develop healthily. The number of insurance intermediaries has continued to increase, and their market position has continued to improve. However, the management level of insurance intermediaries is relatively lagging behind the degree of compliance, and some insurance intermediaries have problems such as incomplete information governance, improper information system construction, and imperfect information security mechanisms. Informatization capabilities and levels have become a weak point (a “short board”) that affects the compliance and healthy development of insurance intermediaries.

The informatization work of insurance intermediary institutions mentioned in the “Measures” refers to work in which insurance intermediaries apply modern information technologies such as computers, communications, and networks to business processing, operation management, and internal control, for the purpose of continuously improving operational efficiency, optimizing internal resource allocation and improving risk prevention. Among them, the informatization work of a part-time insurance agency refers only to the informatization work related to its part-time insurance agency business.

As far as the applicable objects are concerned, both professional insurance intermediaries and part-time insurance agencies should follow the requirements of the Measures. However, in the process of soliciting opinions, some units proposed that, considering that part-time institutions (especially car dealers, travel agencies, etc.) are numerous, scattered, and small, the requirements for part-time institutions should be reduced or part-time institutions should be excluded from the scope of regulation.

The person in charge of the relevant department of the China Banking and Insurance Regulatory Commission said that, after research, it is believed that although part-time institutions are only engaged in insurance agency business, their business links and the consumers' personal information involved are basically the same as those of professional institutions. Small and medium-sized part-time institutions are often inferior to professional institutions in terms of insurance agency business management, financial management, and management of practitioners, and supervision of them needs to be strengthened. Therefore, in terms of insurance agency business, part-time institutions should be held to informatization work requirements consistent with those of professional institutions.

According to the “Measures”, insurance intermediaries should independently carry out informatization work. The important informatization mechanisms, facilities and management of insurance intermediaries should remain independent and complete, and be effectively isolated from related enterprises (including shareholders, shareholding enterprises, and other related enterprises). Insurance intermediaries should strictly regulate the access, use, transfer, copying and other acts involving information systems and data, and shall not disclose data such as insurance policies and personal information to affiliated companies in violation of regulations.

On the information system, the “Measures” clearly state that insurance intermediary legal entities should establish matching business management, financial management, and personnel management information systems based on their business scale and development needs.

Currently, the business information interaction between some insurance intermediaries and cooperative insurance companies is irregular and opaque, business processes are difficult to trace, and regulatory data submission is inaccurate and untimely. The “Measures” put forward requirements for data connection between insurance intermediaries, insurance companies, and regulatory agencies, and regulate the information interaction between them, so that business information interactions between insurance companies and insurance intermediary agencies are standardized, transparent, and traceable. This is intended to promote insurance intermediary institutions to improve their management level, enhance the operating efficiency of the insurance intermediary market, improve the quality of insurance intermediary supervision data and the timeliness of submission, and enhance the effectiveness of supervision.

The information system can be constructed by insurance companies in the form of independent development, cooperative development, customized development, outsourcing development, and purchase of cloud services. Where informatization matters are outsourced to affiliated enterprises, effective management shall be implemented in accordance with the outsourcing requirements of the Measures. Insurance intermediary agencies can use the same set of information systems with affiliated companies on the premise of ensuring data security and independence.

At the same time, the “Measures” also point out that insurance intermediaries should reasonably determine the access rights of information systems in accordance with the principle of least functions and least authority, and check them regularly to ensure that user rights match job responsibilities. System access rights should be strictly controlled, and unauthorized viewing and downloading of data is prohibited. Modification of data through the background of the system should be strictly controlled, and prior approval, in-event monitoring, and post-event traces are required for modification.

The “Measures” clarify that insurance intermediaries should establish and improve information security management systems, and deploy and implement information security measures such as border protection, virus protection, intrusion detection, data backup, and disaster recovery to ensure business continuity and data security. Insurance intermediaries should take reliable measures for data storage and backup, and regularly carry out backup data recovery verification. The system data should be kept for at least five years, and the system log should be kept for at least six months.

It is worth noting that the “Measures” stipulate that insurance intermediaries that do not meet the requirements of the “Measures” shall be deemed to have failed to meet Articles 7, 12 and 18 of the “Regulations on the Supervision of Insurance Agents”, Articles 7 and 16 of the Regulations on the Supervision of Insurance Brokers, and Articles 16 and 18 of the Regulations on the Supervision of Insurance Adjusters, and shall not be allowed to engage in insurance intermediary business.

Attached: the Measures for the Supervision of Informatization of Insurance Intermediaries

Chapter 1 General Provisions

Article 1 In order to strengthen the supervision of insurance intermediaries, improve the informatization work and management level of insurance intermediaries, and promote the high-quality development of the insurance intermediary industry, these Measures are formulated in accordance with the “Insurance Law of the People’s Republic of China”, the “Network Security Law of the People’s Republic of China”, the “Regulations on the Supervision of Insurance Agents”, the Regulations on the Supervision of Insurance Brokers, the Regulations on the Supervision of Insurance Adjusters, and other laws and administrative regulations.

Article 2 These Measures are applicable to insurance intermediary institutions legally established within the territory of the People’s Republic of China.

Article 3 “Insurance intermediary agencies” in these Measures refers to insurance agents (excluding personal agents), insurance brokers and insurance adjusters, including legal person institutions and branches. Insurance agents (excluding personal agents) include professional insurance agencies and insurance agencies.

The informatization work of insurance intermediary institutions mentioned in these Measures refers to work in which modern information technologies such as computers, communications, and networks are applied to business processing, business management, and internal control, for the purpose of continuously improving operational efficiency, optimizing internal resource allocation and improving risk prevention. Among them, the informatization work of a part-time insurance agency refers only to the informatization work related to its part-time insurance agency business.

The informatization emergencies mentioned in these Measures refer to failures of information systems or informatization infrastructure, or cyber attacks, that cause the business of an insurance intermediary's business outlets or electronic channels in the same province to be interrupted for more than 3 hours, or the business of business outlets or electronic channels in two or more provinces to be interrupted for more than 30 minutes; or online fraud or other information security incidents that cause insurance intermediaries or customers to lose 10 million yuan or more in funds, or that may cause major social impact; or the loss or leakage by insurance intermediaries of a large amount of important data or customer information, which has caused or may cause major losses and serious impacts.

Article 4 The informatization work of insurance intermediary institutions shall comply with the laws and administrative regulations of the People’s Republic of China and the regulatory requirements of the China Banking and Insurance Regulatory Commission (hereinafter referred to as the China Banking and Insurance Regulatory Commission).

The informatization work of insurance intermediaries should follow the principles of unity of safety, reliability and effectiveness, consistency between the technical route and the business development direction, and matching of the information system to management needs.

Article 5 Insurance intermediary agencies are the main body responsible for the informatization work of this institution, and the legal representative or main person in charge of the insurance intermediary agencies shall bear the primary responsibility for the informatization work of this institution.

Article 6 The China Banking and Insurance Regulatory Commission and its dispatched agencies shall supervise and manage the informatization work of insurance intermediary agencies in accordance with the law.

Chapter 2 Basic Requirements

Article 7 Insurance intermediary agencies shall perform the following informationization duties:

(1) Implement national laws, administrative regulations, technical standards and the supervision system of the China Banking and Insurance Regulatory Commission for network security and informatization.

(2) Formulate the organization’s informatization work plan to ensure consistency with the overall business plan.

(3) Develop an informatization work system and establish an informatization management mechanism with reasonable division of labor, clear responsibilities, and clear reporting relationships.

(4) Prepare an informatization budget to ensure the funds required for informatization work.

(5) Carry out the informatization construction of the institution to ensure a complete grasp of the management power of the institution’s information system and data.

(6) Formulate emergency plans for information emergencies of the institution, organize emergency drills, report in time, respond quickly and deal with information emergencies that occur in the institution.

(7) Cooperate with the supervision and inspection of the informatization work carried out by the China Banking and Insurance Regulatory Commission and its dispatched agencies, truthfully provide relevant documents and materials, and make rectifications in accordance with the regulatory opinions.

(8) Carry out informatization training to strengthen the informatization awareness, information security awareness and software legalization awareness of the personnel of the organization.

(9) Other informatization duties specified by the China Banking and Insurance Regulatory Commission.

Article 8 Insurance intermediary agencies shall independently carry out informatization work. If the informatization work is related to related enterprises (including shareholders, shareholding enterprises, and other related enterprises), the insurance intermediary agencies should clarify their informatization work responsibilities with affiliated companies, and each assume responsibility for information security management. The important informatization mechanisms, facilities and management of insurance intermediaries should remain independent and complete, and be effectively isolated from related facilities of related companies. Insurance intermediaries should strictly regulate the access, use, transfer, and copying of information systems and data, and must not disclose data such as insurance policies and personal information to related companies in violation of regulations. Important informatization mechanisms and facilities include, but are not limited to, informatization governance and planning, and important information systems such as business, finance and personnel systems and their data.

Where informatization matters are outsourced to affiliated enterprises, effective management shall be implemented in accordance with the outsourcing requirements of these Measures.

Article 9 An insurance intermediary legal person institution shall appoint a senior manager to be responsible for the information management of the legal person institution and its branches.

Article 10 An insurance intermediary legal person institution shall set up an informatization department or an informatization post, and there shall be no fewer than one formal staff member responsible for informatization. Branches should have formal staff to assist legal entities in carrying out informatization work.

Article 11 A legal person institution that applies to conduct insurance intermediary business shall carry out informatization construction in accordance with these Measures, and submit an informatization work report to the dispatched office of the China Banking and Insurance Regulatory Commission where the institution’s business license is registered. The content of the report shall include the status of the informatization management mechanism and system, the information system meeting the requirements of Article 17 of these Measures, the information system procurement contract or intellectual property certificate, etc.

When an insurance intermediary institution establishes a branch, the insurance intermediary legal person institution or its provincial branch shall submit a report on the informatization work of the branch to the branch office of the China Banking and Insurance Regulatory Commission where the branch’s business license is registered.

Article 12 Insurance intermediary legal person institutions shall strengthen the informatization management of their branches. Unless otherwise provided by laws, administrative regulations and the supervision system of the China Banking and Insurance Regulatory Commission, legal person institutions and branches shall use the same information system. Legal person institutions shall urge branches to enter operating data in a timely manner, and manage and monitor the operating conditions of each branch through the information system.

Article 13 Insurance intermediary institutions shall, in accordance with regulatory requirements, report regulatory matters and submit regulatory data to the China Banking and Insurance Regulatory Commission and its dispatched institutions in a timely manner through the relevant information system of insurance intermediary supervision.

Article 14 In the event of an informatization emergency, an insurance intermediary institution shall, in accordance with the relevant provisions of the China Banking and Insurance Regulatory Commission on information reporting of informatization emergencies, report to the dispatched office of the China Banking and Insurance Regulatory Commission where the business license is registered within 24 hours. After an informatization emergency that is particularly serious and may cause serious social impact occurs, insurance intermediary agencies should report relevant information by telephone within 30 minutes and report information in writing within 1 hour.

Article 15 Insurance intermediaries shall use genuine software and prohibit copying, dissemination or use of unauthorized software. Take effective measures to protect the information system of this institution with independent intellectual property rights, and effectively improve the awareness of software legalization and intellectual property protection.

Article 16 Insurance intermediaries shall actively track, research, and apply emerging information technologies, actively promote business innovation and service innovation under the premise of preventing risks, and enhance core competitiveness.

Chapter 3 Information System

Article 17 Insurance intermediary legal person institutions shall, based on business scale and development needs, establish matching information systems such as business management, financial management, and personnel management, and meet the following requirements:

(1) The business management system can record and manage business agreements, insurance business details, customer information, relevant certificates and other business conditions, etc.

(2) The financial management system can record and manage the financial general ledger, account details, accounts receivable and payable, accounting statements, invoices, etc.

(3) The personnel management system can record and manage the basic information of insurance intermediary practitioners, entry and resignation, employment contracts, practice registration, staff compensation, training, rewards and punishments, etc.

(4) The data of the business management, financial management and personnel management systems can be matched and mutually verified.

(5) Realize system intercommunication, business interconnection and data connection with cooperative insurance companies through technical means.

(6) Able to generate data files that meet regulatory requirements, and realize data docking with insurance intermediary supervision related information systems through technical means.

(7) Able to summarize and analyze the organization's operating situation according to dimensions such as cooperative institutions, branches, business categories, business channels, insurance types, revenue and expenditure calibers, regions, and time.

(8) It has the function of user authority management, which can configure the data addition, deletion, modification and viewing authority for users according to different roles.

(9) With log management function, it can record user operation behavior and operation time.

(10) Follow the relevant industry standards and technical specifications issued by the National Standardization Administration and the China Banking and Insurance Regulatory Commission.

Article 18 Insurance intermediary agencies may construct information systems in the form of independent development, cooperative development, customized development, outsourcing development, and purchase of cloud services.

Insurance intermediary agencies shall fully understand and effectively control the risks related to informatization construction. No matter how the information system is built, insurance intermediary agencies shall abide by these Measures and undertake information security management responsibility.

Article 19 If an outsourcing model of cooperative development, customized development, outsourcing development or purchase of cloud services is adopted to construct an information system, insurance intermediary agencies shall identify and analyze information technology outsourcing risks, strengthen the qualification review of outsourcing service providers, strengthen the risk management of outsourcing services, standardize the terms of outsourcing contracts, clarify the scope of outsourcing, responsibility boundaries, security and confidentiality, and personal information protection responsibilities, and take effective measures to ensure that data and information systems are secure and continuously controllable. Insurance intermediaries should improve their independent research and development capabilities and gradually reduce their dependence on outsourcing service providers.

Article 20 Insurance intermediary agencies shall reasonably determine the access rights of information systems in accordance with the principle of least functions and least authority, and check them regularly to ensure that user rights match their job responsibilities. Strictly control system access rights, and prohibit unauthorized viewing and downloading of data. Strictly control the modification of data through the background of the system, and prior approval, in-event monitoring, and post-event traces are required for modification.

Article 21 An insurance intermediary institution shall use the information system to comprehensively, accurately and completely record and manage business, financial, and personnel information, to ensure that the data recorded and managed in the information system is consistent with real business operations.

Insurance intermediary agencies should enter the business details into the information system within 3 working days from the date when each insurance business link occurs. If financial and personnel matters are also involved, the entry of financial and personnel details shall be completed synchronously.

Article 22 When an insurance intermediary puts an information system into production, changes it, or migrates data, it shall organize risk assessments, prepare implementation plans, formulate system rollback and emergency response plans, carry out drills, tests and training, implement prudently, and verify effectiveness after the implementation is completed.

Chapter 4 Information Security

Article 23 Insurance intermediary agencies shall establish and improve information security management systems, deploy and implement information security measures such as border protection, virus protection, intrusion detection, data backup, and disaster recovery to ensure business continuity and data security.

Article 24 Insurance intermediary agencies shall reasonably determine the security level of information systems in accordance with national cybersecurity level protection regulations, and perform protection in accordance with national cybersecurity level protection standards to obtain the corresponding national cybersecurity level protection certification.

Article 25 Insurance intermediaries shall take protective measures for important data to ensure security in the process of data collection, storage, transmission, use, provision, backup, restoration and destruction, use data lawfully, strictly prevent data leakage, tampering and damage, and protect the integrity, confidentiality and availability of data. Insurance intermediaries should take reliable measures for data storage and backup, and regularly carry out backup data recovery verification. System data should be kept for at least five years, and system logs should be kept for at least six months.

Article 26 Insurance intermediary agencies that collect, process and apply data involving personal information shall follow the principles of lawfulness, fairness and necessity, comply with relevant national laws and administrative regulations, and comply with national standards related to personal information security.

Without permission or authorization, insurance intermediaries shall not collect personal information that has nothing to do with the services they provide; shall not collect, use, provide or process personal information in violation of laws, administrative regulations and contractual agreements; and shall not disclose or tamper with personal information.

Article 27 Insurance intermediary agencies shall strengthen the management of terminal equipment such as desktop computers, portable computers, smartphones, tablets, and mobile storage media, and, in accordance with the requirements of laws and administrative regulations and the actual network security situation of the organization, select and implement security measures for terminal equipment such as login control, virus protection, software installation and uninstallation management, mobile storage media management, fixed asset management, network access, and violation monitoring.

Article 28 Insurance intermediary agencies shall regularly carry out informatization training, information security training and confidentiality education, sign information security and confidentiality agreements with employees, and urge employees to perform the information security and confidentiality duties corresponding to their jobs.

Chapter 5 Supervision and Administration

Article 29 The China Banking and Insurance Regulatory Commission shall, on the basis of effectively preventing risks in the insurance intermediary market and maintaining information security, establish and improve an informatization supervision mechanism that meets the development characteristics of the insurance intermediary industry, guide insurance intermediaries to continuously improve the level of informatization work, promote the system connection between insurance companies and intermediaries, create a transparent, standardized and efficient market environment, and promote the high-quality development of the insurance intermediary industry.

Article 30 The China Banking and Insurance Regulatory Commission is responsible for formulating the supervision system for the informatization work of insurance intermediaries, and authorizing the dispatched agencies to carry out the daily supervision, guidance and inspection of the informatization work of insurance intermediaries.

The China Banking and Insurance Regulatory Commission and its dispatched offices should strengthen risk identification, assessment and early warning, allocate resources rationally, coordinate supervisory linkages, and carry out supervisory work in an orderly manner.

Article 31 The Banking and Insurance Regulatory Commission and its dispatched offices shall review the informatization work of insurance intermediary agencies.

If the informatization work of insurance intermediary institutions does not meet the requirements of these Measures, it shall be deemed as not in compliance with Articles 7, 12, and 18 of the “Regulations on Supervision of Insurance Agents”, Articles 7 and 16 of the Regulations on the Supervision of Insurance Brokers, and Articles 16 and 18 of the Regulations on the Supervision of Insurance Adjusters, and the institutions shall not be allowed to engage in insurance intermediary business.

Article 32 The China Banking and Insurance Regulatory Commission and its dispatched agencies shall focus on the inspection of informatization work of insurance intermediary agencies under the following circumstances:

(1) Informatization work has major safety hazards or does not meet the requirements of these Measures.

(2) Informatization emergencies occur.

(3) Violating the relevant provisions of the China Banking and Insurance Regulatory Commission on information reporting of information emergencies.

(4) Failure to take corrective measures or ineffective corrective actions for serious information security risks.

(5) Maliciously tampering, deleting or closing information systems or data to evade supervision and inspection.

(6) Collecting, using, providing, and processing personal information in violation of regulations or disclosing or falsifying personal information.

(7) Submitting data, statements, and reports to the China Banking and Insurance Regulatory Commission and its dispatched offices, with misreporting, omission, misreporting, late reporting, etc.

(8) Other situations where the China Banking and Insurance Regulatory Commission and its dispatched offices deem it necessary to conduct informatization work inspections.

Article 33 The China Banking and Insurance Regulatory Commission and its dispatched offices shall, in accordance with laws, administrative regulations and relevant regulations, take supervisory measures or impose administrative penalties on insurance intermediaries that violate these Measures, and hold relevant personnel accountable.

Chapter 6 Supplementary Provisions

Article 34 Insurance intermediary agencies shall carry out a self-check of informatization work in accordance with these Measures and complete the rectification within one year from the date of implementation of these Measures. After completing the rectification, the legal person insurance intermediary agency shall submit the report on the informatization work to the agency dispatched by the China Banking and Insurance Regulatory Commission where the business license is registered.

Article 35 The China Banking and Insurance Regulatory Commission is responsible for the interpretation and revision of these Measures.

Article 36 These Measures shall come into force on February 1, 2021. The “Notice on Strengthening the Informatization Construction of Insurance Intermediary Institutions” (issued by China Insurance Regulatory Commission [2007] No. 28) shall be repealed at the same time.