您的位置: 首页 » 法律资料网 » 法律法规 »

江苏省发展规划条例

作者:法律资料网时间:2024-05-10 19:55:49 浏览:8686 来源:法律资料网

江苏省发展规划条例

江苏省人大常委会

《江苏省发展规划条例》

江苏省人大常委会

苏人函〔2010〕号

关于《江苏省发展规划条例》

的备案报告

全国人大常委会：

《江苏省发展规划条例》已由江苏省第十一届人民代表大会常务委员会第十六次会议于2010年7月28日通过，现报请备案。

江苏省人民代表大会常务委员会

2010年7月28日

江苏省人民代表大会常务委员会

公告

第38号

《江苏省发展规划条例》已由江苏省第十一届人民代表大会常务委员会第十六次会议于2010年7月28日通过，现予公布，自2010年10月1日起施行。

江苏省人民代表大会常务委员会

2010年7月28日

江苏省发展规划条例

（2010年7月28日江苏省第十一届人民代表大会常务委员会第十六次会议通过）

第一章总则

第一条为了加强发展规划管理，规范发展规划编制活动，保障发展规划实施，发挥发展规划在经济社会发展中的指导和调控作用，根据有关法律、行政法规，结合本省实际，制定本条例。

第二条本省行政区域内发展规划的编制、实施和相关管理活动，适用本条例。法律、法规另有规定的，从其规定。

本条例所称发展规划，是指对一定时期、范围内的国民经济和社会发展的战略谋划与总体部署，包括国民经济和社会发展总体规划、国民经济和社会发展年度计划、专项发展规划、省主体功能区规划、省区域发展规划。

第三条发展规划的编制、实施和相关管理活动，应当坚持以人为本，促进经济社会全面协调可持续发展；坚持从实际出发，遵循自然规律、经济规律和社会发展规律；坚持统筹兼顾，推进区域之间、城乡之间的协调发展；坚持民主决策，广泛听取社会各界和公众的意见。

第四条发展规划的编制和实施实行分级分类管理。

县级以上地方人民政府应当加强对发展规划编制、实施和相关管理工作的组织领导，并将发展规划的编制和管理经费纳入本级财政预算。

县级以上地方人民政府发展规划行政主管部门具体负责发展规划的协调和相关管理工作，并依据职责拟订和组织实施有关发展规划；其他有关部门按照各自职责做好相关专项发展规划的编制和实施工作。

第五条依法批准的发展规划，是地方各级人民政府履行经济调节、市场监管、社会管理和公共服务职责的依据，应当遵守和执行。

第二章发展规划对象与内容

第六条国民经济和社会发展总体规划，是指以国民经济和社会发展为对象编制的规划，是编制其他发展规划的基本依据。规划期为五年，可以展望到十年以上。

国民经济和社会发展总体规划应当包括以下内容：

(一)上一规划期的发展情况，下一规划期的发展环境和条件；

(二)指导思想、发展战略、发展目标、发展布局和指标体系；

(三)主要任务、发展重点和相关政策；

(四)规划实施的保障措施。

指标体系应当包括预期性指标和约束性指标。各级国民经济和社会发展总体规划的约束性指标和主要预期性指标名称应当一致，指标值应当衔接。

第七条国民经济和社会发展年度计划，是指对国民经济和社会发展所作的年度安排，是国民经济和社会发展总体规划在年度中需要付诸实施的具体工作计划。计划期为一年。

国民经济和社会发展年度计划应当包括以下内容：

(一)上年度计划执行情况和本年度计划目标；

(二)本年度国民经济和社会发展的主要任务和政策措施；

(三)与本年度计划相配套的专项计划；

(四)其他需要安排的重大事项。

第八条专项发展规划，是指以国民经济和社会发展的特定领域为对象编制的规划，是国民经济和社会发展总体规划在特定领域的细化安排，是地方各级人民政府及其有关部门指导特定领域发展、审批或者核准重大建设项目、安排财政支出预算、制定相关政策的依据。专项发展规划一般与国民经济和社会发展总体规划同步编制，规划期与国民经济和社会发展总体规划相一致。

省人民政府有关部门可以在下列领域编制专项发展规划：

(一)农业、水利、能源、交通、通信等基础设施建设；

(二)土地、水、海洋、矿产等重要资源的开发利用和保护；

(三)环境保护、生态建设和防灾减灾；

(四)科技、教育、文化、体育、卫生、社会保障等公共事业和公共服务；

(五)产业发展和结构调整；

(六)体制改革和对外开放；

(七)法律、法规规定的其他领域。

市、县(市、区)人民政府可以根据情况确定编制专项发展规划的领域。

第九条省主体功能区规划，是指以不同区域的主体功能为对象编制的规划，是国民经济和社会发展总体规划等各类规划在空间开发和布局方面的基本依据。规划期一般为十年，可以展望到十年以上。

编制省主体功能区规划应当以国家主体功能区规划为依据，以省有关发展规划以及土地利用总体规划、城乡规划为支撑。

省主体功能区规划应当包括以下内容：

(一)人口分布、资源环境承载能力、开发密度和发展潜力的分析评价；

(二)划定主体功能区的原则；

(三)各类主体功能区的数量、位置和范围；

(四)各个主体功能区的功能定位、发展方向、开发时序和管制要求；

(五)规划实施的保障措施以及市、县(市、区)在推进形成主体功能区中的主要职责；

(六)配套政策。

第十条省区域发展规划，是指以跨行政区的特定区域国民经济和社会发展为对象编制的规划，是编制该区域内各级国民经济和社会发展总体规划以及年度计划、各类专项发展规划的依据。规划期一般为五年，可以展望到十年以上。

省区域发展规划应当包括以下内容：

(一)人口、经济增长、资源环境承载能力分析和预测；

(二)区域发展战略定位、总体部署和生产力布局；

(三)各类经济社会发展功能区划定；

(四)基础设施、环境保护和生态建设；

(五)规划实施的保障措施。

第三章发展规划编制与批准

第十一条发展规划的编制应当贯彻国家经济社会发展的方针政策和战略部署，符合国家和省总体发展要求，正确处理发展需要与可能、近期与远期、局部与全局的关系，做到目标明确、重点突出、措施可行。

第十二条国民经济和社会发展总体规划以及国民经济和社会发展年度计划由县级以上地方人民政府组织编制，本级人民政府发展规划行政主管部门会同有关部门负责拟订规划草案。

专项发展规划由县级以上地方人民政府有关部门依据职责组织编制；涉及多个部门职责的，由本级人民政府确定的部门会同有关部门组织编制。

省主体功能区规划由省人民政府组织市、县(市、区)人民政府编制，省人民政府发展规划行政主管部门会同有关部门负责拟订规划草案。市、县(市、区)不编制主体功能区规划。

省区域发展规划由省人民政府组织编制，省人民政府发展规划行政主管部门会同有关部门以及区域内市、县(市、区)人民政府负责拟订规划草案。

第十三条发展规划的编制应当履行前期准备、拟订草案、衔接与论证、征求意见、审核与批准、公布等程序。

第十四条除法律、法规另有规定以及国民经济和社会发展总体规划中确定的专项发展规划外，其他需要经县级以上地方人民政府批准的专项发展规划的编制，由县级以上地方人民政府有关部门向同级发展规划行政主管部门提出立项申请；发展规划行政主管部门应当对立项申请进行审核，及时提出立项计划建议，报请本级人民政府批准。

第十五条发展规划的编制应当做好基础调查、信息搜集、课题研究、重大项目论证等前期准备工作。

起草发展规划草案，应当深入调查研究，总结实践经验，充分听取本级人民政府有关部门、下级人民政府以及其他有关单位的意见，并采取多种形式，广泛征集社会公众的意见。

第十六条各级各类发展规划草案的编制，应当加强衔接协调，遵循下级发展规划服从上级发展规划，专项发展规划、省区域发展规划服从同级国民经济和社会发展总体规划，各专项发展规划互不矛盾的原则，并符合有关法律、法规的规定。

发展规划草案衔接协调的重点，应当包括经济和社会发展方向、目标任务、生产力布局要求、基础设施、重要资源开发以及政策措施等。

第十七条发展规划草案的衔接应当遵守下列规定：

(一)国民经济和社会发展总体规划草案应当与上一级人民政府的国民经济和社会发展总体规划衔接，必要时还应当与上级人民政府批准的相关规划衔接；

(二)国民经济和社会发展年度计划草案应当与上一级人民政府的国民经济和社会发展年度计划衔接；

(三)专项发展规划草案应当与本级和上一级的相关发展规划以及土地利用总体规划、城乡规划衔接；

(四)省主体功能区规划草案应当与国家主体功能区规划、省国民经济和社会发展总体规划衔接；

(五)省区域发展规划草案应当与国家和省相关发展规划以及土地利用总体规划、城乡规划衔接。

第十八条发展规划草案在报送审核或者批准前，发展规划编制机关应当将发展规划草案送有关部门征求衔接协调的意见。有关部门收到需要衔接的发展规划草案后，应当在二十个工作日内反馈书面意见。

发展规划草案在衔接中不能达成一致意见的，应当视不同情况，由同级人民政府、上一级人民政府发展规划行政主管部门或者上一级人民政府予以协调。专项发展规划草案与国民经济和社会发展总体规划相抵触或者下级发展规划与上级发展规划相抵触的，应当修改。

第十九条发展规划草案在报送审核或者批准前，发展规划编制机关应当组织发展规划专家咨询委员会或者专家咨询小组进行论证，并由专家咨询委员会或者专家咨询小组出具书面论证报告。

第二十条除法律、法规另有规定的外，发展规划草案在报送审核或者批准前，发展规划编制机关应当通过公布规划草案、举行听证会等形式，广泛听取社会公众的意见。

第二十一条国民经济和社会发展总体规划草案以及国民经济和社会发展年度计划草案在报送批准前，应当听取本级人民代表大会有关专门委员会、人民代表大会常务委员会有关工作委员会和政治协商会议有关专门委员会的意见。

第二十二条对发展规划草案在衔接协调、专家论证、征求意见等过程中提出的意见，发展规划编制机关应当进行研究，合理的予以采纳。

发展规划草案未经衔接协调、专家论证以及征求意见的，不得报送审核、批准。

第二十三条编制发展规划草案，依法需要组织环境影响评价的，发展规划编制机关应当组织环境影响评价，并编写有关环境影响篇章、说明或者报告书。

第二十四条国民经济和社会发展总体规划草案以及国民经济和社会发展年度计划草案，由县级以上地方人民政府提请本级人民代表大会审查批准。

除法律、法规另有规定外，专项发展规划草案的审核、批准，应当遵守下列规定：

（一）国民经济和社会发展总体规划中确定的专项发展规划草案，以及其他需要经县级以上地方人民政府批准的专项发展规划草案，经同级发展规划行政主管部门审核后，报送本级人民政府批准；

（二）其他专项发展规划草案，由同级发展规划行政主管部门或者其他有关部门按照各自职责批准。

省主体功能区规划草案和省区域发展规划草案，由省发展规划行政主管部门报送省人民政府批准。

第二十五条发展规划草案在报送审核、批准时，发展规划编制机关应当一并附送发展规划草案编制说明、专家论证报告以及法律、法规规定的其他文件。

发展规划草案编制说明应当载明编制过程、衔接协调、专家论证和征求意见等情况，以及衔接协调、专家论证和征求意见中未予采纳的意见及其理由。

第二十六条发展规划经批准后，除涉及国家秘密外，应当在二十个工作日内由发展规划编制机关向社会公布。

第四章发展规划实施与监督

第二十七条发展规划经批准后，发展规划编制、实施机关应当根据发展规划实施要求，及时制定实施方案，明确责任分工，确定序时进度，落实具体措施。

第二十八条县级以上地方人民政府及其有关部门应当严格遵守发展规划，在制定政策、审批或者核准投资项目、开发利用资源、安排财政支出时，不得违反发展规划的强制性和约束性规定。

不符合发展规划产业政策的建设项目，县级以上地方人民政府及其有关部门不得审批、核准和备案。

第二十九条组织发展规划实施的县级以上地方人民政府及其有关部门，应当及时协调解决发展规划实施中遇到的重大问题。

第三十条发展规划的实施中期，发展规划编制机关应当组织评估，并向原批准机关报送评估报告。

国民经济和社会发展总体规划的中期评估报告、国民经济和社会发展年度计划的半年执行情况报告，应当报送本级人民代表大会常务委员会审议。

发展规划期满后，发展规划编制机关应当组织总结评估，评估报告应当报送原批准机关备案。

第三十一条发展规划经批准后，未经法定程序不得调整或者修订。

有下列情形之一的，发展规划可以调整或者修订：

（一）上一级发展规划调整或者修订的；

（二）经过中期评估需要调整或者修订的；

（三）国家和省发展战略、发展布局进行重大调整的；

（四）经济社会情况发生重大变化的；

（五）法律、法规规定的其他情形。

调整或者修订发展规划，由发展规划编制机关提出调整或者修订方案，并经过衔接协调、专家论证以及征求意见后，按照本条例第三章的有关规定进行审核、批准和公布。

第三十二条县级以上地方人民政府及其有关部门应当加强对发展规划编制、实施的监督检查，并将发展规划实施情况纳入绩效评价与考核的内容。

监督检查情况和考核结果应当依法公开，供公众查阅和监督。

第三十三条公民、法人和其他组织认为下级发展规划与上级发展规划，以及国民经济和社会发展总体规划、国民经济和社会发展年度计划、专项发展规划、省主体功能区规划、省区域发展规划之间存在矛盾的，可以向发展规划行政主管部门提出意见；发展规划行政主管部门应当予以处理。

对违反本条例编制、实施和管理发展规划的行为，任何单位和个人有权举报、控告。有关部门在接到举报、控告后，应当及时处理并予以反馈。

第五章法律责任

第三十四条按照本条例应当编制发展规划而未编制、违反法定权限和程序编制发展规划，或者擅自调整、修订发展规划的，由发展规划批准机关责令改正；情节严重的，对负有责任的领导人员和直接责任人员依法给予行政处分。

第三十五条违反发展规划强制性、约束性规定的，由发展规划批准机关责令组织实施发展规划的责任单位改正；情节严重的，对负有责任的领导人员和直接责任人员依法给予行政处分。

第三十六条发展规划编制、实施和相关管理机关的工作人员，在组织编制和实施发展规划的工作中，徇私舞弊或者有其他渎职、失职行为的，依法给予行政处分；构成犯罪的，依法追究刑事责任。

第六章附则

第三十七条本条例自2010年10月1日起施行。

关于《江苏省发展规划条例

（草案）》的说明

省发展和改革委员会主任毛伟明

主任、副主任、秘书长、各位委员：

我受省人民政府的委托，现就《江苏省发展规划条例(草案)》

(以下简称《条例(草案)》)作如下说明：

一、立法的必要性

（一）发展规划地方立法，是贯彻落实科学发展观的客观需要

发展规划作为指导全社会经济社会发展的纲领性文件，体现了政府战略意图，是有效引导市场主体、推进科学发展的重要手段。省委、省政府历来高度重视发展规划工作，多次强调经济建设要规划先行，提出了一系列诸如“先规划后建设”、“先定位后开发”、“先试点后推广”等有针对性的工作理念和规划思路，并取得了明显成效。但是，在规划的编制和执行中也存在一些问题，比如：有的对规划工作不够重视，导致发展的空间布局混乱，出现无序建设、重复建设、脱离实际等现象；有的虽在规划编制时投入大量的人力财力物力，但规划思路不清晰，规划缺乏针对性、指导性和可操作性；有的规划执行中随意性大，随意修改规划的现象时有发生，甚至存在“换一任领导就换一套思路”的现象。因此，建立发展规划的专项法律制度，可以从制度上为贯彻落实科学发展观提供有力的保障。

（二）发展规划地方立法，填补了社会主义市场经济体系的制度空白

2002年，国家开始进行发展规划体制改革，要求“确立层次分明、功能清晰的规划体系，完善科学、民主、规范的规划编制程序，建立责任明确、有效实施的规划实施机制”。随着我国社会主义市场经济体制的建立和完善，发展规划工作与时俱进，不断改革创新，成为实施宏观调控的有效手段，对推动我国经济社会发展发挥了重要作用，国家层面也在积极推动出台发展规划的专门法律制度，江苏作为社会主义市场经济发育较为充分的省份，在全国率先制定发展规划方面的地方性法规，符合《立法法》的规定，是完善中国特色社会主义市场经济制度体系的有益探索。

（三）发展规划地方立法，是在我省宏观调控领域推进依法行政的迫切需要

编制和实施国民经济和社会发展五年规划，是国家宏观管理的一项重要制度，至今已经历11个五年规划期。但是，因为发展规划立法相对滞后，同时由于发展规划工作分散在地方各级政府及其相关部门，没有形成统筹协调的管理体系，因此难免产生各种各样的问题。比如：各级各类发展规划的功能定位、相互关系和界限模糊；规划编制程序不规范，规划审批的层级及事权交叉，规划之间缺乏良好的衔接协调机制；重编制、轻实施，约束性指标较难落实；缺乏规划实施评估机制等等，这对利用规划手段进行宏观调控产生了不利影响。因此，加强我省发展规划的法制化建设，有利于促进宏观调控手段的科学化、规范化和法制化。

（四）发展规划地方立法，有利于巩固我省发展规划体制改革和探索的成果

多年来，我省的发展规划工作一直走在全国的前列，在发展规划的体系、内容、作用、编制方法、实施机制等方面做出了很多有益探索，初步形成了一套较为完整的发展规划编制工作制度。为此，我省有基础、有条件、有必要率先将发展规划工作的成功经验和成熟做法上升为地方性法规，为“十二五”规划和今后更长时期的发展规划提供法制保障。

综上所述，为了加强对发展规划编制和实施的管理，完善发展规划体系，规范发展规划编制程序，解决当前发展规划编制和实施工作中存在的突出问题，更好地发挥发展规划的导向作用，为科学编制和有效实施发展规划提供法制保障，制定本条例是十分必要的。

二、《条例(草案)》的起草过程

2009年3月，省发展改革委成立了《江苏省发展规划条例(草案)》起草小组，在深入调研的基础上，开始着手起草工作。7月，形成《条例(草案)》(初稿)后，多次在全省发展改革系统内部征求意见，并召开了专家论证会。经反复修改，形成了《条例(草案)》(送审稿)，于2009年12月报送省政府。省政府法制办经初步修改后，书面征求了省政府所有组成部门、直属机构以及13个设区的市政府的意见，并根据有关法律、行政法规，结合我省实际，对送审稿进行了多次修改。2010年1月，省政府法制办会同省发展改革委赴南通、苏州等地进行调研，并召开了当地有关部门参加的座谈会。2月，省政府法制办两次召集省发展改革委、住房城乡建设厅就相关问题进行协调。3月，省政府法制办召开专题座谈会，研究、协调省相关部门的不同意见，在此基础上进一步消化、吸收相关意见，修改、完善有关条款，形成了《条例(草案)》(修改送审稿)，报送省政府。3月17日，省政府第45次常务会议讨论通过了《条例(草案)》，现提请省人大常委会本次会议审议。

三、需要说明的几个问题

（一）关于发展规划的概念

近年来，虽然发展规划概念已经广泛使用，但由于没有相关的法律、法规作为依据，其内涵和外延并不确定。为了较为清晰地表达发展规划包含的内容，《条例(草案)》第二条第一款规定：“本条例所称发展规划，是指国民经济和社会发展总体规划、国民经济和社会发展年度计划、专项发展规划、省级主体功能区规划和省级区域发展规划”。

（二）关于发展规划体系

在《国务院关于加强国民经济和社会发展规划编制工作的若干意见》(国发〔2005〕33号)规定三级三类规划体系的基础上，根据“十一五”规划和《国务院关于编制全国主体功能区规划的意见》(国发〔2007〕21号)的要求，同时考虑到年度计划是中长期发展规划在年度内的体现，《条例(草案)》第七条将主体功能区规划、国民经济和社会发展年度计划纳入发展规划体系，形成了由国民经济和社会发展总体规划以及年度计划、专项发展规划、省级主体功能区规划和省级区域发展规划构成的发展规划体系。为了确立定位准确、层次分明、功能清晰的发展规划体系，《条例(草案)》第八、九、十、十一、十二条分别对各类发展规划进行了定位，明确其相互之间的关系，国民经济和社会发展总体规划是最高层级的规划，是发展规划体系的核心，也是编制其他发展规划的基本依据；国民经济和社会发展年度计划是国民经济和社会发展总体规划需要付诸实施的年度安排；省级主体功能区规划是其他各类规划在空间开发和布局方面的基本依据；省级区域发展规划是编制该区域内各级国民经济和社会发展总体规划以及年度计划与各类专项发展规划的依据；专项发展规划是地方各级人民政府及其部门指导特定领域发展、审批或者核准重大建设项目、安排财政支出预算、制定相关政策的依据。

（三）关于发展规划的编制

发展规划的编制包括编制主体、编制权限和编制程序。根据《国务院关于加强国民经济和社会发展规划编制工作的若干意见》(国发〔2005〕33号)，在总结多年规划编制工作经验和遵从现行成熟做法的基础上，《条例(草案)》第十三条分别规定了各类发展规划的编制主体包括省、市、县人民政府及其有关部门。第十四条明确了编制发展规划应当履行前期准备、拟订草案、征求意见、衔接与论证、审核与批准、发布等六项主要程序，并且在第十四条第二款规定：“编制专项发展规划应当履行立项程序，法律、法规另有规定的，从其规定”。同时在第十五条细化了专项发展规划的立项程序。针对发展规划之间衔接不到位、甚至相互矛盾的问题，第十七条规定了各级各类发展规划草案应当互相衔接的原则，第十八条、第十九条具体规定了衔接程序。

（四）关于发展规划的实施与管理

为了增强发展规划的实施效果，《条例(草案)》对发展规划实施与管理作了系统规定：一是明确管理职责。第五条规定：“县级以上地方人民政府负责发展规划的编制、实施和管理工作”；“县级以上地方人民政府发展和改革部门(以下简称发展规划主管部门)负责发展规划的协调和管理工作，并依据职责拟定和组织实施有关发展规划；其他有关部门按照各自职责做好相关专项发展规划的编制、实施和管理工作”。二是明确实施规划的具体措施。第二十五条对发展规划编制部门实施规划提出了要求。同时第二十六条第二款规定：“不符合发展规划产业政策的建设项目，县级以上地方人民政府及其有关部门不得审批、核准和备案”。三是建立了规划实施评估制度。第二十八条规定对发展规划实施中期评估和总结评估。

（五）关于发展规划与城乡规划、土地利用总体规划之间的关系

目前，我国主要有三大规划体系：发展规划、城乡规划和土地利用总体规划，主管部门分别为发展改革、住房城乡建设和国土资源部门。但由于国家的规划体制尚未理顺，因此在规划编制工作中重复、交叉的情况在所难免。在《条例(草案)》制定过程中，我们本着搁置争议、回避体制问题和矛盾的原则，将调整的重点放在规范发展规划的编制、实施和管理方面。虽然《土地管理法》和《城乡规划法》明确规定国民经济和社会发展规划是土地利用总体规划、城市总体规划、镇总体规划以及乡规划和村庄规划的编制依据，但是由于规划期和规划内容的不同，他们之间还需要互相衔接和协调。因此，《条例(草案)》第十二条第四款规定：“专项发展规划应当与已经依法批准的土地利用总体规划和城乡规划的要求相衔接”；第十八条第(四)项规定：“省级区域发展规划草案在送审前，应当与国家和本省的相关发展规划以及经依法批准的土地利用总体规划、城乡规划等规划进行衔接”。

以上说明连同《条例(草案)》请一并予以审议。

关于《江苏省发展规划条例（草案）》

审议意见的报告

——2010年3月25日在省十一届人大常委会第十四次会议上

省人大财政经济委员会

主任、副主任、秘书长、各位委员：

在2009年初召开的省十一届人大二次会议期间，陈雯等10名省人大代表提出了《关于加快推进我省发展规划立法的议案》（第0039号）。大会闭幕后，省人大常委会主任会议决定将该议案交由省人大财政经济委员会审议。我委经过调查研究，于同年7月向常委会第十次会议提交了关于议案的审议结果报告，提出将该议案交由省政府办理，并建议将发展规划条例列为我省2010年的立法项目。省政府高度重视代表议案的办理工作，立即责成省发改委加快做好发展规划条例草案的起草工作。省发改委用六个月的时间完成了立法前期工作，先后对该条例草案稿进行了十多遍修改，并于3月17日提交省政府常务会议审议通过。我们认为，该条例的立法由于人大代表的推动和各方面的高度重视，得以提前正式立项，并快速推进，充分体现了民主立法的要求，省政府及其发改委和法制办做了富有成效的工作。

在立法过程中，我委提前介入，主动与省发改委和有关部门进行协调，参与了立法调研和条例草案的起草、论证、修改等工作。3月23日，省人大财政经济委员会召开第十四次全体会议，对省政府提交的条例草案进行了审议。

财政经济委员会认为，我省率先制定发展规划条例，对于提升我省发展规划综合管理水平，促进政府部门转变职能，强化宏观调控，推进我省经济社会全面、协调、可持续发展，具有重要意义。提交本次人大常委会审议的条例草案，立法指导思想、适用范围明确，发展规划体系中各级各类规划的功能和效力界定清晰，设定的主要制度和规划编制程序具有较强的针对性和可操作性。同时，财政经济委员会建议对以下内容作进一步斟酌和修改：

一、关于发展规划的概念和条例适用范围

条例草案第二条对“发展规划”的概念从外延作了表述，但缺少对内涵的界定，建议修改为：“本条例所称发展规划，是指县级以上地方人民政府对一定时期和范围国民经济和社会发展作出的战略谋划和总体部署。发展规划包括：国民经济和社会发展总体规划、国民经济和社会发展年度计划、专项发展规划、省级主体功能区规划和省级区域发展规划”。

条例草案第三条关于适用范围的表述，与第五条第二款语义重复，建议修改为：“本省行政区域内发展规划的编制、实施和管理适用本条例。法律、法规另有规定的，从其规定”。

二、关于规划体系

条例草案第十条第一款最后一句将主体功能区规划的规划期表述为“规划期一般为十年，可以展望到十年以上，并通过中期评估实行滚动调整”，其中“并通过中期评估实行滚动调整”的规定，与条例草案第二十八条、第二十九条专门规范规划中期评估和调整的内容重复，且“滚动调整”的概念含混不清，按照各章的内容定位，本章无需涉及中期评估和调整的规定，因此，建议删除第十条第一款最后一句“并通过中期评估实行滚动调整”的内容。

条例草案第十二条第二款、第三款既设置了专项发展规划编制领域的范围，还插入了专项发展规划编制主体和权限的规定，按照各章的内容定位，本章是对规划体系进行规范，不应涉及规划编制主体和权限的内容，且在第三章第十三条第四款对专项发展规划编制的主体和权限已有专门规定，因此，建议将第十二条第三款删除。此外，第十二条第二款对规划编制领域的范围列举不全、内容表述也不够准确，因此，建议将此款修改为：“下列领域可以编制专项发展规划：（一）产业发展和结构调整；（二）基础设施建设；（三）资源开发利用和保护；（四）环境保护和生态建设；（五）公共事业和公共服务；（六）体制改革和对外开放；（七）法律、法规规定的其他领域”。

三、关于规划衔接与论证

条例草案第十四条设置了规划编制应当履行衔接与论证的程序，并在第十八条对规划衔接的要求作了具体规定，但条例草案第十一条第二款第（六）项将“与已经法定程序批准的土地利用总体规划和城乡规划的协调情况”作为省级区域发展规划应当包括的内容，明显不妥，且与第十八条第（四）项的内容重复，此外，第十二条第四款“专项发展规划应当与已经依法批准的土地利用总体规划和城乡规划的要求相衔接”的内容，也与第十八条第（五）项的内容重复，因此，建议删除第十一条第二款第（六）项和第十二条第四款的内容，并将第十八条第（五）项修改为：“专项发展规划草案在送审前，应当与本级和上一级的相关发展规划以及经依法批准的土地利用总体规划、城乡规划等规划进行衔接”。

四、关于规划编制与调整、修订

条例草案第三章对编制规划的主体和程序作了规范，但缺少对规划编制要求的规范，建议增加这方面内容并单列为一条。如：规划应当体现社会主义市场经济和科学发展的要求；体现贯彻国家宏观调控政策措施和产业布局、政策的要求；突出发展战略重点，着眼促进经济发展方式转变和经济结构优化；注重综合平衡，坚持建设规模与地方财力、资源环境的支撑和承受能力相适应；正确处理改革、发展与稳定的关系；提出的目标和完成预期目标的措施应当切实可行；等等。

条例草案第十三条第二款设定的省级主体功能区规划的编制主体和权限，与市、县（市、区）人民政府的编制权限无关，因此，该款最后一句“市、县（市、区）人民政府不单独编制主体功能区规划”的表述多余，且易产生歧义，建议删除。

条例草案第二十九条规定“发展规划经过中期评估或者经济社会情势发生重大变化，需要调整或者修订的，应当按照法定程序进行调整或者修订”，其中“法定程序”的语义表述不明确，因此，建议修改为：“发展规划经过中期评估或者经济社会情势发生重大变化，需要调整或者修订的，应当按照编制规划的原审核、批准程序进行”。

五、关于规划实施情况的监督与考核

条例草案第二十六条第三款“实施发展规划的情况，应当纳入地方各级人民政府及其有关部门绩效评价与考核的重要内容”，与第三十条第一款“县级以上地方人民政府应当加强对发展规划编制、审批、实施、修订的监督检查与考核。监督检查的处理结果和考核情况应当依法公开，供公众查阅和监督”的内容重复，因此，建议将第二十六条第三款的内容调整至第三十条，并修改为：“县级以上地方人民政府及其有关部门应当加强对发展规划编制、审批、实施、调整和修订的监督检查，并将发展规划实施情况纳入绩效评价与考核的内容。监督检查情况和考核结果应当依法公开，供公众查阅和监督”。

六、关于法律责任

条例草案对依法应当编制发展规划而未编制或者违反法定权限和程序编制发展规划的行为，在第三十一条规定 “由发展规划批准机关责令改正；情节严重的，对规划编制责任单位通报批评，并对直接负责的主管人员和其他直接责任人员依法给予行政处分”，建议修改为：“由发展规划批准机关责令改正，并给予通报批评；情节严重的，对直接负责的主管人员和其他直接责任人员依法给予行政处分”。

条例草案对违反发展规划强制性、约束性规定的行为，在第三十二条规定“由规划批准机关责令组织实施规划的责任单位改正；情节严重的，对组织实施规划的责任单位通报批评，并对直接负责的主管人员和其他直接责任人员依法给予行政处分”，建议修改为：“在发展规划实施中，违反规划强制性、约束性规定的，由规划批准机关责令组织实施规划的责任单位改正，并给予通报批评；情节严重的，对直接负责的主管人员和其他直接责任人员依法给予行政处分”。

此外，条例草案中的一些文字表述还需要斟酌和修改。如，建议将第五条第三款修改为：“县级以上地方人民政府发展规划主管部门负责发展规划的协调和管理工作，……”。第八条第三款修改为：“指标体系应当包括预期性指标和约束性指标。各级国民经济和社会发展总体规划的指标体系应当保持一致”。第十条第二款修改为：“编制省级主体功能区规划应当以国家和省有关规划为依据”。第十六条第一款修改为：“编制发展规划应当做好前期准备工作。前期准备工作包括基础调查、信息搜集、课题研究、重大项目论证等内容”。第十六条第三款修改为：“国民经济和社会发展总体规划草案以及国民经济和社会发展年度计划草案在送审前，应当听取本级人民代表大会有关专门委员会、人民代表大会常务委员会有关工作委员会和政治协商会议有关专门委员会的意见”。第二十二条第一款修改为“国民经济和社会发展总体规划草案以及国民经济和社会发展年度计划草案，由县级以上地方人民政府提请本级人民代表大会审查批准”。第二十四条修改为：“发展规划经批准后，应当依法公开发布”。

以上报告，请予审议。

关于《江苏省发展规划条例（草案）》

审议结果的报告

——2010年7月26日在省十一届人大常委会第十六次会议上

省人大法制委员会副主任委员王腊生

主任、各位副主任、秘书长、各位委员：

省十一届人大常委会第十四次会议对《江苏省发展规划条例（草案）》（以下简称草案）进行了初次审议。委员们认为，为了规范发展规划编制活动，保障发展规划实施，发挥发展规划在经济社会发展中的指导和调控作用，根据我省实际制定本条例是十分必要的。同时，委员们也提出了一些修改意见和建议。会后，法工委书面征求了有关设区的市、县人大常委会和部分省人大代表、立法咨询专家的意见；在江苏人大网上全文公布了草案，公开征求社会意见；会同省人大财经委、省发展改革委到无锡、盐城、仪征进行了调研，召开了省有关部门参加的征求意见座谈会。在此基础上，对各方面的意见逐一分析研究，对草案进行了反复修改。7月5日，省人大法制委员会召开全体会议对草案进行了审议。现将审议结果报告如下：

一、关于发展规划的概念和指导原则

1、财经委认为，草案第二条第一款对发展规划的概念缺少内涵界定。因此，我们建议将草案第二条第一款修改为“本条例所称发展规划，是指对一定时期、范围内的国民经济和社会发展的战略谋划与总体部署，包括国民经济和社会发展总体规划、国民经济和社会发展年度计划、省主体功能区规划、省区域发展规划、专项发展规划”，作为草案修改稿第二条第二款。

2、为了进一步明确编制和实施发展规划的指导原则，提高发展规划的科学性，根据有的委员和代表的意见，我们建议将草案第四条修改为：“发展规划的编制、实施和相关管理活动，应当坚持以人为本，促进经济社会全面协调可持续发展；坚持因地制宜，遵循自然规律、经济规律和社会发展规律；坚持政府引导，发挥市场配置资源的基础性作用；坚持统筹兼顾，推进区域之间、城乡之间的协调发展；坚持民主决策，广泛听取社会各界和公众的意见。”

二、关于发展规划的对象和内容

1、有的委员和有的地方认为，草案第八条第三款关于指标体系应当保持一致的规定不太恰当，实际上各级的指标值不可能完全一致。因此，我们建议将其修改为：“指标体系应当包括预期性指标和约束性指标。各级国民经济和社会发展总体规划的约束性指标和主要预期性指标名称应当一致，指标值应当衔接。”

2、根据有的委员和专家的意见，我们建议在草案第十条中将省主体功能区规划界定为以区域功能为对象编制的规划，并且明确编制省主体功能区规划应当以国家主体功能区规划为依据，以省有关发展规划为支撑。

3、财经委提出，草案第十一条第二款第（六）项、第十二条第四款有关衔接协调的规定，不属于有关发展规划的内容，且在第三章有专门规定，建议删除。因此，我们建议删除草案第十一条第二款第（六）项和第十二条第四款。同时，根据省有关部门和有的地方提出的发展规划要与城乡规划、土地利用总体规划相衔接的意见，将草案第十八条第（三）项修改为：“省主体功能区规划草案应当与国家主体功能区规划、省国民经济和社会发展总体规划、省域城镇体系规划衔接”，第（五）项修改为：“专项发展规划草案应当与本级和上一级的相关发展规划以及土地利用总体规划、城乡规划衔接。”

三、关于发展规划的编制和批准

1、有的委员和财经委认为，草案对发展规划编制程序作出规定很有必要，但对发展规划编制的要求也应该有规范。因此，我们建议增加一条作为草案修改稿第十一条：“发展规划的编制应当贯彻国家经济社会发展的方针政策和战略部署，符合国家和省总体发展要求，正确处理发展需要与可能、近期与远期、局部与全局的关系，做到目标明确、重点突出、措施可行。”

2、有的地方提出，在实际工作中，国民经济和社会发展总体规划确定的专项发展规划不需要再向发展规划主管部门提出立项申请。有的委员和省有关部门提出，为了加强专项发展规划的统筹协调，需经政府批准的专项发展规划，应当履行立项申请程序。因此，我们建议将草案第十五条修改为：“除法律、法规另有规定以及国民经济和社会发展总体规划中确定的专项发展规划外，其他需要经县级以上地方人民政府批准的专项发展规划的编制，由县级以上地方人民政府有关部门向同级发展规划主管部门提出立项申请；发展规划主管部门应当对立项申请进行审核，及时提出立项计划建议，报请本级人民政府批准。”同时，删去草案第十四条第二款。

3、有的委员和专家提出，草案应当增加公众参与的内容。因此，我们建议增加一条作为草案修改稿第二十条：“除法律、法规另有规定的外，发展规划草案在报送审核或者批准前，发展规划编制机关应当通过公布规划草案、举行听证会等形式，广泛听取社会公众的意见。”

4、为了使发展规划草案的衔接协调、专家论证以及征求意见工作落到实处，保障发展规划的可行性，我们建议增加一条作为草案修改稿第二十二条：“对发展规划草案在衔接协调、专家论证、征求意见等过程中提出的意见，发展规划编制机关应当进行研究，合理的予以采纳。”“发展规划草案未经衔接协调、专家论证以及征求意见的，不得报送审核、批准。” 同时，相应删去草案第十九条、第二十条中的有关内容。

5、有的委员提出，有的专项发展规划需要报上一级人民政府批准。省有关部门提出，有的专项发展规划有关部门按照职责可以批准。因此，我们建议将草案第二十二条第三款修改为：“除法律、法规另有规定外，专项发展规划草案的审核、批准，应当遵守下列规定：（一）国民经济和社会发展总体规划中确定的专项发展规划草案，以及其他需要经县级以上地方人民政府批准的专项发展规划草案，经同级发展规划主管部门审核后，报送本级人民政府批准；(二)其他专项发展规划草案，由同级发展规划主管部门或者其他有关部门按照各自职责批准。”

四、关于发展规划的实施和监督

1、有的委员和代表认为，要增强规划管理的约束力，克服随意修改规划的现象。财经委提出，对调整或者修订发展规划，草案第二十九条规定按照“法定程序进行”过于原则。因此，为了维护发展规划的严肃性，我们建议增加两款分别作为草案修改稿第三十一条第一款、第二款：“发展规划经批准后，未经法定程序不得调整或者修订。”“有下列情形之一的，发展规划可以调整或者修订：（一）上一级发展规划调整或者修订的；（二）经过中期评估需要调整或者修订的；（三）国家和省发展战略、经济布局进行重大调整的；（四）经济社会情况发生重大变化的；（五）法律、法规规定的其他情形。”同时，将草案第二十九条修改为“调整或者修订发展规划，由发展规划编制机关提出调整或者修订方案，并经过衔接协调、专家论证以及征求意见后，按照本条例第三章的有关规定进行审核、批准和公布”，作为草案修改稿第三十一条第三款。此外，还在草案修改稿第三十四条中增加了擅自调整、修订发展规划的法律责任。

2、有的委员和代表提出，应当强化公众对发展规划的监督。因此，我们建议增加一款作为草案修改稿第三十三条第一款:“公民、法人和其他组织认为下级发展规划与上级发展规划，以及国民经济和社会发展总体规划、国民经济和社会发展年度计划、省主体功能区规划、省区域发展规划、专项发展规划之间存在矛盾的，可以向发展规划主管部门提出意见；发展规划主管部门应当予以处理。”同时，将草案第六条修改为“对违反本条例编制、实施和管理发展规划的行为，任何单位和个人有权举报、控告。有关部门在接到举报、控告后，应当及时处理并予以反馈”，作为草案修改稿第三十三条第二款。

此外，根据有关专章调整的具体内容，对有关章名作了修改；根据有的委员和代表的意见，在法律责任中明确了给予行政处分的对象为负有责任的领导人员和直接责任人员，并对草案作了部分文字、技术修改，对有关条款顺序作了相应调整。

法制委员会已按照上述修改意见提出了草案修改稿，建议本次常委会审议后通过。

以上报告和草案修改稿是否妥当，请予审议。

下载地址: 点击此处下载

返回跳至顶部

上一篇: 珠海市烟花爆竹安全管理规定
下一篇: 广西壮族自治区规范性文件制定程序规定

人民法院获取执行财产证据的构想

黑龙江省北安市人民法院韩召峰

执行工作的强制性和及时性特点，决定了财产证据调查的重要性。正确地运用法律赋予的权力，使用恰当的手段和方式，及时准确地收集证据，才能取得执行工作的主动权。目前人民法院获取执行财产证据的来源有四个方面：（1）申请人举证；（2）被执行人申报；（3）法院依法取得；（4）群众举报。
众所周知，在民事诉讼活动中，人民法院强调的是当事人举证的重要性，即“谁主张，谁举证”当事人在举证不能时，则由此而承担败诉的法律后果。但这一规定，对于在强制执行程序中是否可适用举证责任问题，即对申请执行人（债权人）被执行人（债务人）及案外人来讲是否存在举证责任问题。在实践中各有不同的看法。笔者认为当事人在执行程序中不同阶段负有不同的举证责任。申请执行人（债权人）在强制执行程序开始前、法院执行不能而需中止终结执行阶段负有限的举证责任。被执行人（债务人）案外人在整个执行过程中在查明财产阶段负有主要的举证责任。当事人靠自已的力量仍无法获取证据的，这时的调查取证工作则由人民法院执行法官来完成。
一、申请执行人财产证据的举证
目前在债权债务关系这一层次上，我国法律是绝对为债权人的利益设计和服务的。在执行程序中，债权人债务人的地位不平等，债权人对此享有强制执行请求权，该权利与诉权有一定的相似之处，都是一种请求主张，适用有关举证责任的规定。但是随着人民法院改革，要求法官处于中立地位，强调执行各种程序公正、程序在先。这就越来越显示出申请执行人举证的重要性。体现了举证不能的法律后果，那就是承担执行不能的风险。申请执行人应在诉前、诉讼阶段或执行阶段举证。
第一，诉讼保全的举证。一般案件的当事人都能积极主动向法院提供被保全人的财产，要求法院保全。但是在实际操作上仍存在一些问题。民事诉讼法第92条、第93条谈到权利人发现债务人的财产，申请法院财产保全和诉前保全时均规定：“裁定采取保全措施的应立即开始执行。”但并未规定由哪个机构来执行。《若干规定》第三条规定财产保全和先予执行裁定由审理案件的审判庭负责执行。通过实践证明审判庭负责执行存在以下几点不足：（1）审判人员不积极主动要求权利人进行财产保全。由于实行审执分开，审判员与执行员各负其职，一些该保全的案件因审判员没有告知当事人保全，最后造成执行财产无处可查。（2）在诉讼前或诉讼过程中，一个债权人申请保全，待多个债权人取得多份生效法律文书均申请分配被执行人仅有的已被保全财产。根据《若干规定》第90条，申请保全人保全的财产就不能全部实现。这样就无形增加保全人的诉讼成本，产生对执行工作的误解。（3）保全债务人到期的债权与有关法律法规不符，最高人民法院法释（1998）第10号关于对案外人的财产能否进行保全问题的批复中明确规定：对于债务人的财产，不能满足保全请求，但对案外人有到期债权人民法院可以依债权人的申请，裁定对该案外人不得对债务人清偿。该案外人对其到期债务没有异议并要求给付的，由人民法院提存财物和价款。但是人民法院不应对其财产采取保全措施。而目前实践中，只要当事人提出保全申请审判庭就裁定执行。造成财产保全裁定的结果于法无据与执行程序中的执行裁定书相互冲突。
鉴于保全的执行，笔者提出如下观点，申请执行人提出财产保全的执行，应由执行人员负责执行，也就是执行前置。执行人员提前介入。凡是当事人提出财产保全的，审判员告知权利人到执行机构办理保全手续，由执行人员负责执行，内勤人员负责编号建档，以便案件进入执行程序后及时执行。这就避免了审执脱节的现象发生。
被执行人未在生效法律文书规定的期间履行义务，申请人在向法院申请强制执行时应负有举证责任。这一条在《若干规定》第28条及民诉法第64条、第2款都作出规定。这在英美法系中称为发现程序，即一方当事人请求法院命令对方当事人或第三人把占有、保全或在他控制范围之内的与诉讼有关的书证资料，向执行法院和其他诉讼当事人披露的程序。我国台湾地区执行法中关于债务人财产的查报方面，要求债权人申请执行机关强制执行时，除应提交执行名义的证明之外，必须提供债务人可供强制执行的财产。从另一角度来看，申请人自行提供，这样符合申请人利益，申请人往往在诉讼前对被执行人的财产状况较为了解掌握。因此，在执行程序开始前申请人负有举证责任是非常有必要的。这一阶段，执行法院在立案时向申请人送达举证通知要求提供其所掌握的被执行人财产状态，包括财产名称、种类、性质、地点等情况。在举证通知书中载明若申请人在3个月内不能举证被执行人可供执行财产，人民法院依职权调查后也证实被执行人暂无财产可供执行时，同意法院裁定中止执行或向法院申请领取债权凭证。由于执行规定对执行期限作出了规定，某种程度上说更加重申请人的举证责任。特别是临近执行期限最后时间，申请人必须积极作好提供被执行人财产状况工作。否则将承担执行判决无法兑现的风险。
恢复执行启动工作的举证，若干规定第一百零四条规定，中止执行的情形消失后，执行法院可以根据当事人的申请或依职权恢复执行。依这一规定恢复执行有两种情况，一种是依职权，一种是依当事人申请。但实际操作中法院依职权恢复执行的案件只占有一小部分，一般是代表国家利益的案件，如刑事案件中的罚金、没收财产。而绝大部分案件的恢复执行是靠申请执行人发现被执行人的财产后才进行，这就要求在中止执行期间，申请人必须注意发现被执行人可供执行财产，然后法院才可以启动恢复执行程序。
值得注意的是执行程序中许多人过分强调申请执行人的举证责任，有一些申请执行人由于不能承担这样的所谓“举证责任”而被拒之法院的大门之外，有的案件也被轻易的裁定中止或终结，这种不负责任的做法与法律法规不符，一些案件申请人是无法靠自己的来举证的，如个人存款帐户帐号，单位开户银行帐号等。况且若干规定第28条也没有强制要求当事人承担不能举证的法律后果，只是规定申请执行人应当就其所了解的被执行人的财产状况或线索提供给法院。这是一条比较原则性的规定，在立法理论上被称之为倡导性条款，因此，应将执行中的举证责任同诉讼中的举证责任区别开来。
二、执行人财产申报。
若干规定第28条规定了被执行人必须如实向法院报告其财产状况。这就说明被执行人申报财产是其应尽的义务。规定中规定了被执行人向法院报告财产的内容包括：财产状况（被执行人及其家属的房屋、车辆、工资收入）、生活状况、债权债务、投资状况等。但实践当中，觉得这一条款形同虚设。首先，被执行人在判决规定的期间内未自动履行义务，这就证实了有逃避执行的心理，在法院送达执行通知书后，千方百计去转移财产，设法对抗法院执行，根本不可能主动向法院申报财产。其次，在强制执行程序中，若干规定只是规定了被执行人必须如实申报其财产状况，而没有规定不申报财产或申报不实所应承担什么样的法律后果。从而助长了被执行人轻视报告财产的心理。笔者认为，如若被执行人不能如实申报其财产状况，其法律后果应是惩罚性的。可适用民事诉讼法第一百零二条第一款第三项，若干规定第一百条的规定，视其情节予以罚款、拘留，对于情节严重的，构成犯罪可按刑法第三百一十三条和第三百一十四条的规定，依法追究被执行人的责任。相反，如果被执行人能提供证明其无财产可供执行的报告，通过法院查实，申请人的认可后，执行员可按若干规定第一百零二条第二项和民事诉讼法第二百三十四条第二百三十五条的规定，予以中止或终结执行。这样不仅提高案件的效率，而且能够消除申请人对法院中止或终结执行的误解。
三、法院依职权收集证据
在国外的立法中，对于被执行人的财产状况的查明，绝大多数是由被执行人或申请人承担的，法院或执行人员并不承担这一责任。但是在我国，在执行程序中通过当事人来收集财产证据较难。国外申请执行的期限一般当作时效来理解的，存在着中止、中断、延长的制度。而我国的执行期限规定较短，逾期不申请就丧失申请执行的权利了。如果采取完全由当事人查明财产后，再申请的做法，则很多当事人申请的机会就没有了。这就决定了主要调查取证工作仍由法院完成。被执行人报告或申报财产状况实际上多数也是在法院依职权调查中在法院的责令下进行的。然而实践中法院在执行中调查被执行人财产状况往往效果不尽如意，经常出现执行人民“跑细了腿，说破了嘴，收获甚微”的现象。这是因为在法律赋予收集证据的法官权利过弱。在执行过程中往往会遇到行政管理部门执法部门的协助，如公安、工商、审计等部门，在查处有关案件过程中收集的证据，这些也可以成为执行法院的证据来源。评估部门的评估报告，也是一种有力的执行证据。在现实工作中，对这些行政机关一般采取的方式是，向其发出“协助执行通知书”、“委托书”等。现在看来，这一习惯做法是不妥当的，应当改为“调查令”或“通知书”的方式。因为这些部门应属于配合、服从的地位，而不是监督、协助部门。所以，法院要求“协助执行”行为混淆了执法机关与业务执行机关的界线，消弱了法律的权威。因此，正确地界定其权限，合理地划分其职责是非常必要的。这样就会给法官节省更多的时间来分析证据认定证据。
法院获取证据应为当事人所无法提供的，当事人依靠自己的力量仍无法获取的。这时法院可以采取传唤、搜查等强制措施来得到。
四、群众举证
在执行程序中，由于被执行人规避执行，隐匿财产，虚报财产情况时有发生。可采取奖励的办法鼓励群众及案外人对被执行人的财产进行举报，可发布公告，网上执行，建立举报制度等。来调动群众提供被执行人财产线索的合法证据。
基于人民法院执行工作中证据取得的特殊性，要求法官在依法获取证据的同时，必须对外来的财产证据进行认真及时地审查判断。我们相信，伴随着民事强制执行法、最高人民法院关于民事诉讼证据的若干规定的出台。人民法院的执行法官将渐摆脱繁重的调查取证工作。真正地实现居中执行，实现程序在先。

Guidelines on the Risk Management of Commercial Banks’ Information Technology ——附加英文版

China Banking Regulatory Commission

Guidelines on the Risk Management of Commercial Banks’ Information Technology

Chapter I General Provisions

Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People’s Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.

Article 3. The term “information technology” stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.

Chapter II IT governance

Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT strategies, in particular information system development strategies, comply with the overall business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT organization to carry out the IT functions of the bank. These include the IT budget and expenditure, IT risk management, IT policies, standards and procedures, IT internal controls, professional development, IT project initiatives, IT project management, information system maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.

Article 9. Commercial banks should ensure that a clear definition of the IT organization structure and documentation of all job descriptions of important positions are always in place and updated in a timely manner. Staff in each position should meet relevant requirements on professional skills and knowledge. The following risk mitigation measures should be incorporated in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines, non-disclosure of confidential information, authorized use of information systems, and adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development stage or in a period of unstable IT operations, and the relevant risk mitigation measures such as staff backup arrangement and staff succession plan.

Article 10. Commercial banks should establish or designate a particular department for IT risk management. It should report directly to the CIO and the Chief Risk Officer (or risk management committee), serve as a member of the IT incident response team, and be responsible for coordinating the establishment of policies regarding IT risk management, especially the areas of information security, BCP, and compliance with the CBRC regulations, advising the business departments and IT department in implementing these policies, providing relevant compliance information, conducting on-going assessment of IT risks, and ensuring the follow-up of remediation advice, monitoring and escalating management of IT threats and non-compliance events.

Article 11. Commercial banks should establish a special IT audit role and responsibility within internal audit function, which should put in place IT audit policies and procedures, develop and execute IT audit plan.

Article 12. Commercial banks should put in place policies and procedures to protect intellectual property rights according to laws regarding intellectual properties, ensure purchase of legitimate software and hardware, prevention of the use of pirated software, and the protection of the proprietary rights of IT products developed by the bank, and ensure that these are fully understood and complied by all employees.

Article 13. Commercial banks should, in accordance with relevant laws and regulations, disclose the risk profile of their IT normatively and timely.

Chapter III IT Risk Management

Article 14. Commercial banks should formulate an IT strategy that aligns with the overall business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure adequate financial resources and human resources to maintain a stable and secure IT environment.

Article 15. Commercial banks should put in place a comprehensive set of IT risk management policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure

Article 16. Commercial banks should maintain an ongoing risk identification and assessment process that allows the bank to pinpoint the areas of concern in its information systems, assess the potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and the necessary resources (including outsourcing vendors, product vendors and service vendors).

Article 17. Commercial banks should implement a comprehensive set of risk mitigation measures complying with the IT risk management policies and commensurate with the risk assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational procedures, which should be communicated to the staff frequently and kept up to date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. Also it requires that an appropriate control structure is set up to facilitate checks and balances, with control activities defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.

Article 18. Commercial banks should put in place a set of ongoing risk measurement and monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level agreements (SLAs).
(6) The possible impact of new development of technology and new threats to software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.

Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in China should comply with the relevant regulatory requirements on information systems in and outside the People’s Republic of China.

Chapter IV Information Security

Article 20. Information technology department of commercial banks should oversee the establishment of an information classification and protection scheme. All employees of the bank should be made aware of the importance of ensuring information confidentiality and provided with the necessary training to fully understand the information protection procedures within their responsibilities.

Article 21. Commercial banks should put in place an information security management function to develop and maintain an ongoing information security management program, promote information security awareness, advise other IT functions on security issues, serve as the leader of IT incident response team, and report the evaluation of the information security of the bank to the IT steering committee periodically. The Information security management program should include Information security standards, strategy, an implementation plan, and an ongoing maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance

Article 22. Commercial banks should have an effective process to manage user authentication and access control. Access to data and system should be strictly limited to authorized individuals whose identity is clearly established, and their activities in the information systems should be limited to the minimum required for their legitimate business use. Appropriate user authentication mechanism commensurate with the classification of information to be accessed should be selected. Timely review and removal of user identity from the system should be implemented when user transfers to a new job or leave the commercial bank.

Article 23. Commercial banks should ensure all physical security zones, such as computer centers or data centers, network closets, areas containing confidential information or critical IT equipment, and respective accountabilities are clearly defined, and appropriate preventive, detective, and recuperative controls are put in place.

Article 24. Commercial banks should divide their networks into logical security domains (hereinafter referred to as the “domain”) with different levels of security. The following security factors have to be assessed in order to define and implement effective security controls, such as physical or logical segregation of network, network filtering, logical access control, traffic encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, i.e. production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.

Article 25. Commercial banks should secure the operating system and system software of all computer systems by
(1) Developing baseline security requirement for each operating system and ensuring all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely, end-users, system development staff, computer operators, and system administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins, access to critical system files, changes made to user accounts, etc. in system logs, monitors the systems for any abnormal event manually or automatically, and report the monitoring periodically.

Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding the application security;
(2) Implementing a robust authentication method commensurate with the criticality and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and changes to users accounts.

Article 27. Commercial banks should have a set of policies and procedures controlling the logging of activities in all production systems to support effective auditing, security forensic analysis, and fraud prevention. Logging can be implemented in different layers of software and on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database management system, and contain authentication attempts, modification to data, error messages, etc. Transaction journals should be kept according to the national accounting policy.
(2) System logs. They are generated by operating systems, database management system, firewalls, intrusion detection systems, and routers, etc., and contain authentication attempts, system events, network events, error messages, etc. System logs should be kept for a period scaled to the risk classification, but no less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective internal controls, system troubleshooting, and auditing while taking appropriate measures to ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs from being overwritten. System logs should be reviewed for any exception. The review frequency and retention period for transaction logs or database logs should be determined jointly by IT organization and pertinent business lines, and approved by the IT steering committee.

Article 28. Commercial banks should have the capacity to employ encryption technologies to mitigate the risk of losing confidential information in the information systems or during its transmission. Appropriate management processes of the encryption facilities should be put in place to ensure that
(1) Encryption facilities in use should meet national security standards or requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information; and
(4) Effective and efficient key management procedures, especially key lifecycle management and certificate lifecycle management, are in place.

Article 29. Commercial banks should put in place an effective and efficient system of securing all end-user computing equipment which include desktop personal computers (PCs), portable PCs, teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers, point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security checks on all equipments.

Article 30. Commercial banks should put in place a set of policies and procedures to govern the collection, processing, storage, transmission, dissemination, and disposal of customer information.

Article 31. All employees, including contract staff, should be provided with the necessary trainings to fully understand these policies procedures and the consequences of their violation. Commercial banks should adopt a zero tolerance policy against security violation.

Chapter V Application System Development, Testing and Maintenance

Article 32. Commercial banks should have the capability to identify, plan, acquire, develop, test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress reports of major IT projects should be submitted to and reviewed by the IT steering committee periodically. Decisions involving significant change of schedule, change of key personnel, change of vendors, and major expenditures should be included in the progress report.

Article 33. Commercial banks should recognize the risks associated with IT projects, which include the possibilities of incurring various kinds of operational risk, financial losses, and opportunity costs stemming from ineffective project planning or inadequate project management controls of the bank. Therefore, appropriate project management methodologies should be adopted and implemented to control the risks associated with IT projects.

Article 34. Commercial banks should adopt and implement a system development methodology to control the life cycle of Information systems. The typical phases of system life cycle include system analysis, design, development or acquisition, testing, trial run, deployment, maintenance, and retirement. The system development methodology to be used should be commensurate with the size, nature, and complexity of the IT project, and, generally speaking, should facilitate the management of the following risks.

Article 35. Commercial banks should ensure system reliability, integrity, and maintainability by controlling system changes with a set of policies and procedures, which should include the following elements.
(1) Ensure that production systems are separated from development or testing systems;
(2) Separating the duties of managing production systems and managing development or testing systems;
(3) Prohibiting application development and maintenance staff from accessing production system under normal circumstances unless management approval is granted to perform emergency repair, and all emergency repair activities should be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and testing systems to production systems should be jointly approved by IT organization and business departments, properly documented, and reviewed periodically.

Article 36. Commercial banks should have in place a set of policies, standards, and procedures to ensure data integrity, confidentiality, and availability. These policies should be in accordance with data integrity amid IT development procedure.

Article 37. Commercial banks should ensure that Information system problems could be tracked, analyzed, and resolved systematically through an effective problem management process. Problems should be documented, categorized, and indexed. Support services or technical assistance from vendors, if necessary, should also be documented. Contacts and relevant contract information should be made readily available to the employees concerned. Accountability and line of command should be delineated clearly and communicated to all employees concerned, which is of utmost importance to performing emergency repair.

Article 38. Commercial banks should have a set of policies and procedures controlling the process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or runs out of capacity, the underpinning software, namely, operating system, database management system, middleware, has to be upgraded, or the application software has to be upgraded. The system upgrade should be treated as a project and managed by all pertinent project management controls including user acceptance testing.

Chapter VI IT Operations

Article 39. Commercial banks should consider fully the environmental threats (e.g. proximity to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting the locations of their data centers. Physical and environmental controls should be implemented to monitor environmental conditions could affect adversely the operation of information processing facilities. Equipment facilities should be protected from power failures and electrical supply interference.

Article 40. In controlling access by third-party personnel (e.g. service providers) to secured areas, proper approval of access should be enforced and their activities should be closely monitored. It is important that proper screening procedures including verification and background checks, especially for sensitive technology-related jobs, are developed for permanent and temporary technical staff and contractors.

Article 41. Commercial banks should separate IT operations or computer center operations from system development and maintenance to ensure segregation of duties within the IT organization. The commercial banks should document the roles and responsibilities of data center functions.

Article 42. Commercial banks are required to retain transactional records in compliance with the national accounting policy. Procedures and technology are needed to be put in place to ensure the integrity, safekeeping and retrieval requirements of the archived data.

Article 43. Commercial banks should detail operational instructions such as computer operator tasks, job scheduling and execution in the IT operations manual. The IT operations manual should also cover the procedures and requirements for on-site and off-site backup of data and software in both the production and development environments (i.e. frequency, scope and retention periods of back-up).

Article 44. Commercial banks should have in place a problem management and processing system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT management staff and to record, analyze and keep tracks of all these incidents until rectification of the incidents with root cause analysis completed. A helpdesk function should be set up to provide front-line support to users on all technology-related problems and to direct the problems to relevant IT functions for investigation and resolution.

Article 45. Commercial banks should establish service level agreement and assess the IT service level standard attained.

Article 46. Commercial banks should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable exceptions to be identified and corrected before they affect system performance.

Article 47. Commercial banks should carry out capacity plan to cater for business growth and transaction increases due to changes of economic conditions. Capacity plan should be extended to cover back-up systems and related facilities in addition to the production environment.

Article 48. Commercial banks should ensure the continued availability of technology related services with timely maintenance and appropriate system upgrades. Proper record keeping (including suspected and actual faults and preventive and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.

Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of its operation from unexpected events. This should include assessing the disruptions to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).

Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including system resilience and dual processing); and the impact of disruptions (including by contingency arrangements and insurance).

Article 53. Commercial bank should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk management, or internal auditor and IT Steering Committee.

Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC when it intends to enter into material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) Consider whether the arrangements will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability, expertise and risk assessment of the service provider, facilities and ability to cover the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service provider;
(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect client and other information (including arrangements at the termination of contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party supplier;
(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or commercial bank; or
b) Significant change in the business operations of the service provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial bank being unable to meet its regulatory obligations.

Article 59. In implementing a relationship management framework, and drafting the service level agreement with the service provider, the commercial bank should have regarded to (but not limited to):
(1) The identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the commercial bank and its clients, where appropriate;
(2) The evaluation of performance through service delivery reports and periodic self assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate performance.

Article 60. The commercial bank should enhance IT related outsourcing management, in place following (not limited to ) measures to ensure data security of sensitive information such as customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s storage when terminating the outsourcing arrangement.

Article 61. The commercial bank should ensure that it has appropriate contingency in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources, turnover of key staff, or financial failure of, the service provider, and unexpected termination of the outsourcing agreement.

Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management, internal IT auditors, legal department and IT Steering Committee. There should be a process to periodically review and refine the service level agreements.

Chapter IX Internal Audit

Article 63. Depending on the nature, scale and complexity of its business, it may be appropriate for the commercial banks to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the commercial bank and have appropriate access to the bank’s records.

Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the bank’s systems and internal control mechanisms and arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of information technology refers to the investigation, analysis and assessment on the security incidents of the information system, or the audit performed on a special subject based on IT risk assessment result as deemed necessary by the audit department.

Article 65. Based on the nature, scale and complexity of its business, deployment of information technology and IT risk assessment, commercial banks could determine the scope and frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a minimum once every 3 years.

Article 66. Commercial banks should engage its internal audit department and IT Risk management department when implementing system development of significant size and scale to ensure it meets the IT Risk standards of the Commercial banks.

Chapter X External Audit

Article 67. The external information technology audit of commercial banks can be carried out by certified service providers in accordance with laws, rules and regulations.

Article 68. The commercial bank should ensure IT audit service provider to review and examine bank’s hardware, software, documentation and data to identify IT risk when they are commissioned to perform the audit. Vital commercial and technical information which is protected by national laws and regulations should not be reviewed.

Article 69. Commercial bank should communicate with the service provider in depth before the audit to determine audit scope, and should not withhold the truth or do not corporate with the service provider intentionally.

Article 70. CBRC and its local offices could designate certified service providers to carry out IT audit or related review on commercial banks when needed. When carrying out audit on commercial banks, as commissioned or authorized by CBRC or its local offices, the service providers shall present the letter of authority, and carry out the audit in accordance to the scope prescribed in the letter of authority.

Article 71. Once the IT audit report produced by the service providers is reviewed and approved by CBRC or its local offices, the report will have the same legal status as if it is produced by the CBRC itself. Commercial banks should come up with a correction action plan prescribed in the report and implement the corrective actions according to the timeframe.

Article 72. Commercial banks should ensure the service providers to strictly comply with laws and regulations to keep confidential and data security of any commercial secrets and private information learnt and IT risk information when conducting the audit. The service provider should not modify copy or take away any documents provided by the commercial banks.

Chapter XI Supplementary Provisions

Article 73. Commercial banks with no board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to IT risk management specified herein.

Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk management of commercial banks under its authority by law.

Article 75. The power of interpretation and modification of the Guidelines shall rest with the China Banking Regulatory Commission.

Article 76. The Guidelines shall become effective as of the date of its issuance and the former Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be revoked at the same time.

北京智聚科技有限公司 Tel: 010-67123753 E-mail: kefu@infoeach.com