我国商业银行信息科技风险监管研究
A Study on the Regulation of China’s Commercial Banks’ Information Technology Risk
【Author】 汪轶 (Wang Yi);
【Supervisor】 谢平 (Xie Ping);
【Author information】 西南财经大学 (Southwestern University of Finance and Economics), Finance, 2011, Doctoral dissertation
【Abstract (Chinese version)】 The rapid development of modern science and technology has profoundly influenced and changed the development and operating model of the modern financial industry. In particular, modern commercial banks are highly dependent on information technology: from electronic business processing to management information systems, from large-scale data centralization to integrated information systems, and from the front-office counter to the strategic management level, information technology permeates almost every aspect of a commercial bank. It has become the infrastructure on which a bank's normal operation rests, has greatly improved operating efficiency, and is an important element of a bank's core competitiveness. However, as banks become more informatized and information technology becomes ever more tightly integrated with banking business, IT risk events occur frequently. According to BIS statistics (2002, 2003a), more than 90% of the financial risk events of commercial banks are indirectly related to information technology, as are more than 50% of reported loss events. From the perspective of bank management, the IT architecture of modern banking institutions is vast, its facilities complex and its components numerous, spanning application systems, operating systems, networks, databases, software, hardware and their management; any defect in these, or any force majeure event, can affect a bank's normal operation. From the perspective of external supervision, the security, reliability and effectiveness of information technology bear directly on the safe and sound operation of commercial banks, and failures may trigger systemic risk, bring the financial system to a halt, and even threaten a country's financial and economic stability. IT risk in commercial banks has therefore become a focus of attention for financial supervisors worldwide. In China, the IT build-out of commercial banks is in a period of rapid growth, but compared with traditional banking risks and their supervision, domestic understanding of IT risk supervision is limited, theoretical research is insufficient, and in practice both the management and the supervision of IT risk lag behind. Against this background, the author, a practising supervisor, attempts to draw on the major international standards currently in force to analyse IT risk supervision systematically, and to study its core elements and key areas specifically, in order to deepen the theoretical understanding of IT risk in commercial banks and to make the supervisory practice of China's banking regulators more scientific and efficient.

Part I is the basic theoretical analysis. First, it studies the application of IT in commercial banks from an economic perspective combined with bank informatization theory. The analysis finds that IT effectively lowers banks' operating costs, drives the improvement and extension of their information-production and risk-management functions, and has become an important means of maintaining customer relationships. It shows that IT now constitutes the infrastructure of a bank's normal operation and an inherent part of the bank itself, changing and extending its functions. On this premise, the thesis analyses the meaning and scope of IT risk in commercial banks and identifies its underlying mechanism and characteristics. Second, the thesis examines the impact of IT risk on traditional financial theories, namely financial market failure theory, financial fragility theory, consumer protection theory and the Basel comprehensive risk supervision framework, together with the new forms and requirements this impact gives rise to, and thereby establishes the theoretical roots and external requirements of IT risk supervision. The basic theoretical analysis shows that IT risk amplifies the externalities and financial fragility of commercial banks, increases internal information asymmetry, and broadens the meaning and scope of consumer protection, posing challenges to traditional financial supervisory theory and practice. Supervision of IT risk must therefore draw on international experience to build guiding supervisory standards, measure IT risk scientifically, construct a comprehensive risk rating system to evaluate banks' IT risk management capability, and carry out dedicated research on the key areas of IT risk.

Part II answers the question of "what kind of supervision" IT risk needs, from the two angles of international supervisory standards and international supervisory practice. Building on internationally recognised operational guidance, namely the COBIT IT governance standard and the Basel principles for operational risk management, it proposes dedicated guiding principles for IT risk management; it then conducts a comparative study of IT risk supervision in developed countries and emerging market economies, covering supervisory philosophy, organisational structure, supervisory tools and the legal and regulatory environment, producing a complete and systematic international comparison.

Part III addresses the question of "how to supervise"; it studies IT risk measurement, the IT risk supervisory rating system, and two key areas of IT risk supervision. IT risk measurement has long been a major supervisory problem for financial supervisors in every country. Since the New Basel Capital Accord manages IT risk as part of operational risk, the thesis first draws on the operational risk measurement approaches of the New Basel Capital Accord for a preliminary discussion of IT risk measurement, and then studies a VaR approach to measuring information security risk within IT risk, building a complete measurement method and an evaluation case; this provides a basis both for the provisioning of regulatory capital and for the implementation of supervisory measures. On IT risk rating, the thesis studies the internationally used URSIT rating standard and on that basis constructs an IT risk supervisory rating system for China's commercial banks. Its features are: first, the rating indicators are chosen mainly according to the Guidelines on Information Technology Risk Supervision of Commercial Banks published by the CBRC in 2009, so they satisfy compliance requirements while remaining easy to operate and convenient for supervisors to adopt; second, examination questions are designed for every indicator and consolidated into an examination score sheet, so that supervisors can score and rate a bank through on-site examination; third, through surveys and discussions with experts from supervisors and commercial banks, the author determines the weight of each class of indicator in a scientific and reasonable way, making the rating system more operable. On the supervision of bank IT outsourcing, the thesis first analyses the theory of commercial bank IT outsourcing, examining its formation mechanism and sources of risk; second, it systematically surveys and compares the outsourcing supervision practice of developed countries; finally, in view of the problems in China's current supervision of bank IT outsourcing, such as over-emphasis on the bank's own risk management responsibility and the fact that IT service providers are not direct objects of supervision, it proposes the concept of "from supervising banks to supervising service providers", which is the main direction for China's IT outsourcing supervision, and puts forward supervisory standards for domestic service providers. On business continuity supervision, the thesis first applies commercial bank business continuity theory to study the origin, meaning and standards of the problem; second, it studies the core issue of business continuity supervision, namely the development and drilling of commercial banks' BCPs; finally, drawing on the supervisory practice of the United States, Singapore and Hong Kong, it proposes business continuity examination standards for China's commercial banks. The examination standards cover two levels, management-level examination and technical-level examination, and offer a reference for business continuity supervision while China has not yet issued a dedicated business continuity supervisory guideline.

Finally, in light of the reality of IT risk supervision in China's commercial banks, the thesis puts forward policy recommendations for improving it, covering both the construction of an IT risk supervisory system and the supervision of key IT risk areas, and emphasising: first, IT risk should be brought within the scope of comprehensive bank risk supervision, rated separately, and ultimately incorporated into regulatory capital requirements; second, supervisory authority over IT outsourcing service providers should be established by legislation, extending the object of outsourcing supervision from banks to service providers; third, a dedicated "business continuity" supervisory guideline should be studied and issued to guide commercial banks in preparing business continuity plans suited to their own characteristics and conducting emergency drills; fourth, more advanced technical means of supervising IT risk should be explored by establishing IT laboratories and strengthening research on new technologies; fifth, professional IT supervisory staff should be trained and held in reserve, and supervisors encouraged to obtain professional qualifications such as CISA and CISSP.
【Abstract】 The rapid development of modern technology has changed the roadmap and operation of the financial industry. Information technology (IT) has been playing an increasingly important role in the banking industry. From front desks to senior management, and from electronic banking to management information systems, IT has become an integral part of the infrastructure that sustains banks' operation and greatly improves their efficiency, and has therefore turned into a key part of banks' core competitiveness. However, with the increasing application of IT systems, IT risk events happen frequently. According to BIS statistics (2002, 2003a), over 90% of risk events and over 50% of reported loss events, respectively, are related to information technology. On the side of bank management, banks are characterized by complex and complicated IT frameworks and equipment which integrate operating systems, application systems, databases, intranets, etc., and any deficiency in them, or force majeure, may impact the sound operation of the whole bank. On the side of bank supervision, IT risk has been a supervisory focus for supervisors worldwide, since IT is vital to banks' operation and its deficiencies may cause systemic risk and negatively impact financial and economic stability. In China, the IT infrastructure of banks is in a process of rapid development. Compared to traditional risk categories, IT risk management and supervision lag behind due to limited knowledge and less focus. Therefore, as a regulator, the author intends to make a systematic analysis of IT risk supervision in light of international principles and to conduct special research on its core areas, so as to enhance both theoretical research and the supervision of IT risks.

Part I of the thesis is the basic theoretical analysis. Firstly, the thesis uses economic analytical methods to study IT application and finds that the application of IT contributes to reducing operational costs, improving information exchange and risk management, and becomes an important tool for customer maintenance. Theoretical analysis also shows that IT has become an indispensable part of banks' infrastructure and has changed and extended the functions of banks. Secondly, the thesis demonstrates the theoretical and practical basis of IT risk supervision by studying the impact of IT risk on traditional financial theories, such as the theory of Market Breakdown, the theory of Financial Fragility and the theory of Consumer Protection. Basic theoretical analysis indicates that IT risk magnifies the externalities and financial fragility of commercial banks, sharpens internal information asymmetry and brings challenges for traditional financial supervisory theory and practice. Therefore, supervisory guidelines should be developed by drawing on international practices to measure IT risk, construct a comprehensive risk rating system to assess the IT risk management capacities of commercial banks, and conduct special research on key areas of IT risk.

Part II responds to the question of what kind of supervision is needed from the perspective of international supervisory standards and practices, and works out principles for IT risk management on the basis of internationally accepted guidelines such as COBIT and the Basel principles for operational risk management. In addition, the thesis conducts a complete comparative analysis of international supervisory practices covering supervisory ideas, organizational structures, supervisory approaches and institutional settings.

Part III aims to address the problem of "how shall we supervise" and conducts research on IT risk measurement and supervision. IT risk measurement has always been a difficult problem for supervisors. Basel III incorporates IT risk into operational risk. Drawing from Basel III, the thesis analyses IT risk measurement, studies VaR for information safety risk within IT risk, and provides a complete measuring method and cases for study, and thus lays down a basis for regulatory capital requirements for IT risk. With regard to IT risk rating, drawing from the international URSIT standard, the thesis builds an IT rating system. Firstly, the rating indicators are in line with the Guidelines on IT Risk Supervision of Commercial Banks issued by the CBRC in 2009, and thus not only meet compliance requirements but are also convenient for regulators. Secondly, examination questions are designed for all indicators and a comprehensive score card is also designed, which enables supervisors to assess and assign ratings to banks through examinations. Thirdly, the author assigns an appropriate weighting to each indicator based on careful research and discussions with banks and supervisors. With regard to the supervision of IT outsourcing, the thesis analyses the sources of IT outsourcing risk and studies international practices on IT outsourcing supervision. As current supervision focuses on bank risk management and does not cover IT service providers, the thesis suggests that extending supervision from banks to cover IT service providers is the main direction, and designs the pattern and procedures for the supervision of IT service providers. With regard to supervision of business continuity, the thesis discusses the development and drilling of business continuity plans of commercial banks and designs examination procedures on business continuity for commercial banks, comprising procedures for management examination and technology examination, which are of some value in the absence of special guidelines on business continuity.

Finally, this thesis takes into account the current supervisory practice on IT risk and provides policy recommendations for enhancing IT risk supervision of the banking sector, which can be summarized as follows: 1) IT risk should be integrated into the bank's overall risk management, be assessed and assigned a rating separately, and be subject to regulatory capital requirements; 2) supervision should be extended to cover technical service providers by giving regulators legal authority; 3) guidelines on business continuity should be made to guide commercial banks in developing business continuity plans and conducting emergency drills; 4) more advanced techniques and instruments should be developed to supervise IT risk by establishing IT laboratories and strengthening research on new technology; 5) the specialist expertise of regulatory authorities in IT risk should be enhanced by cultivating and attracting IT risk experts and encouraging them to obtain professional qualifications such as CISA and CISSP.