Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

According to the Circular of Risk Management Guidelines for Outsourcing by Banking Financial Institutions issued by the China Banking Regulatory Commission (now known as the China Banking and Insurance Regulatory Commission or "CBIRC") (Yin Jian Fa [2010] No. 44), a bank must sign a written contract with its outsourcing service provider. The contract should contain certain terms and conditions required by the CBIRC, and in particular must require the following from the outsourcing service provider:

  • Periodically reporting on the outsourcing services to the bank
  • Promptly reporting any emergency to the bank
  • Cooperating with the bank in any CBIRC investigation
  • Keeping the services and customer information safe and confidential
  • Not carrying out any activity in the name of the bank, etc.

The outsourcing contract must also prohibit subcontracting of major aspects of the outsourcing activities to a subcontractor outside the service provider's group, and make the service provider responsible for its permitted subcontractor's performance.

Further requirements apply to IT outsourcing by banks. Under the Guidelines for the Information Technology Risk Management of Commercial Banks (Yin Jian Fa [2009] No. 19) and the Circular of the General Office of the CBIRC on Issuing the Measures for the Supervision and Administration of IT Outsourcing Risks of Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2021] No. 141), a contract between an institution and its outsourcing service provider must be tailored to the particular services, risk assessment and due diligence investigation results, and must have certain minimum content, including the following:

  • Details of and arrangements for the services
  • Compliance with internal controls and laws and regulations
  • Service continuity
  • Risk assessments, monitoring, inspections, audits and cooperation (by and with both the institution and the CBIRC)
  • Provisions dealing with amendment, termination and transmission
  • Intellectual property arrangements
  • Provisions on resource guarantees
  • Service requirements on security, confidentiality and protection of consumers' rights and interests
  • Dispute resolution mechanisms and breach/indemnity clauses
  • Reporting mechanisms

Additionally, subcontracting of IT outsourcing services by a service provider to a third party is generally prohibited, unless the service provider undertakes the following in the service contract:

  • It will not subcontract, or subcontract in disguise, the main outsourced services to any third party.
  • In the case of permitted subcontracting, it will do the following:
    • Be responsible for the services rendered by the subcontractor and ensure that the subcontractor strictly complies with the requirements of the contract entered into between the bank and the vendor.
    • Monitor the subcontractor and report to and obtain approval from the bank in respect of any engagement or change of subcontractor.

Finally, in the case of cloud outsourcing, a financial institution is considered to have entrusted a cloud service provider to host data as an entrusted data processor. According to Article 21 of the PRC Personal Information Protection Law, the financial institution must agree with the cloud service provider on the purposes, duration and means of personal information processing, the categories of personal information involved, the data protection measures, and the other relevant rights and obligations of the parties, so that the financial institution can monitor the cloud service provider's personal information processing activities. For data other than personal information, the draft Regulations on Network Data Security Management published by the Cyberspace Administration of China on 14 November 2021 propose similar requirements on the financial institution as a "data processor" in China.

In the case of disputes over the outsourcing contract, under the Circular of the General Office of the CBIRC on Issuing the Measures for the Supervision and Administration of IT Outsourcing Risks of Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2021] No. 141), jurisdiction generally lies with the Chinese courts or arbitration institutions, and PRC law (as the governing law) will apply.