The Circular of Risk Management Guidelines for Outsourcing by Banking Financial Institutions issued by the China Banking Regulatory Commission (now known as the China Banking and Insurance Regulatory Commission or "CBIRC") (Yin Jian Fa [2010] No. 44, "Circular 44") applies to outsourcing. According to Circular 44, if a banking financial institution established in China engages a service provider to continuously conduct certain business activities that fall within the scope of the bank's own responsibilities, such engagement is considered "outsourcing." Therefore, engaging a cloud service vendor for data storage and processing could be viewed as "outsourcing" under Circular 44.
The Circular of the CBIRC on Issuing the Measures for the Supervision and Administration of IT Outsourcing Risks of Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2021] No. 141) applies to "IT outsourcing" as a special category of "outsourcing." This is defined to broadly cover, among other things, hosting or operation and maintenance of data centers (server rooms) and other physical environments, data processing and data utilization activities, other business outsourcing activities, and IT activities in collaboration with third parties that involve processing important data or customers' personal information with banking and insurance institutions. Engaging a cloud service vendor for data storage and processing and hosting of server rooms is a common form of IT outsourcing in China. While the circular only directly applies to commercial banks and other banking financial institutions, insurance group (holding) companies, insurance companies, insurance asset management companies and financial asset management companies incorporated in China, the rules and requirements thereunder apply similarly to other financial institutions regulated by the CBIRC and its local counterparts.