Strengthen the risk defense line of information technology and incorporate mobile application management into the comprehensive risk management system of financial institutions

2024-09-20

To strengthen information technology supervision in the banking and insurance industry, guide banking financial institutions, insurance financial institutions and financial holding companies (hereinafter collectively referred to as financial institutions) in building mobile Internet applications (hereinafter referred to as mobile applications) in an orderly and standardized manner, and improve the level of financial services, the State Administration for Financial Regulation recently issued the Notice on Strengthening the Management of Mobile Internet Applications in the Banking and Insurance Industry (hereinafter referred to as the Notice). In recent years, mobile applications have become an important channel through which financial institutions provide online services. While they have made financial services more convenient, problems have also emerged: the applications are too numerous, their functions overlap, and user satisfaction and activity are low. The head of the relevant department of the State Administration for Financial Regulation stated that the Notice requires financial institutions to strengthen overall planning, incorporate mobile application management into their comprehensive risk management systems, effectively control the risks arising from mobile applications, and further strengthen services and improve user experience. This will help standardize the construction and management of mobile applications in the banking and insurance industries, enhance the security and service level of financial institutions' mobile applications, and build a solid defense line against information technology risks. The Notice sets out 18 work requirements in four areas.
Specifically, on strengthening overall management, financial institutions are required to designate a leading department for mobile application management, establish a mobile application ledger, improve access and exit mechanisms, and control the number of mobile applications. On strengthening full lifecycle management, financial institutions are required to standardize the requirements analysis, design and development, testing and verification, listing and release, and monitoring and operation of mobile applications, and to strengthen management of compatibility and adaptability between mobile applications and their operating environments. On implementing risk management responsibilities, financial institutions are required to comply with regulatory requirements on mobile application filing, network security, data security, outsourcing management, business continuity and personal information protection. On strengthening supervision and management, the dispatched agencies of the State Administration for Financial Regulation at all levels are required to strengthen supervision of mobile applications. The head of the relevant department of the State Administration for Financial Regulation explained that the Notice covers the mobile applications of financial institutions, including applications that provide financial services to customers and internal management applications, as well as the mini-programs and official accounts that financial institutions operate on various Internet platforms.
Financial institutions should designate a leading management department for mobile applications, strengthen overall management, enhance collaboration between business and technology, consolidate the management responsibilities of all parties, and plan and build comprehensive, secure and compliant mobile applications. Regarding the main responsibilities of the leading management department, the above-mentioned person in charge stated that financial institutions should establish a mobile application ledger, improve access and exit mechanisms, coordinate the mobile application construction plans of business departments and branches, reasonably control the number of mobile applications, and promptly optimize, integrate or terminate mobile applications with low user activity, poor experience, redundant functions, or high security and compliance risks. Financial institutions should establish a compliance review mechanism for mobile application business (including business with third-party partners), conduct business strictly within the business scope and geographical scope specified in their licenses, carry out sales process traceability, information disclosure and other work in accordance with regulatory requirements, and regularly conduct business compliance inspections and audits. On the integration of mobile applications, the Notice likewise requires financial institutions to strengthen overall management, establish a mobile application ledger, improve access and exit mechanisms, coordinate the construction plans of business departments and branches, reasonably control the number of mobile applications, and promptly optimize, integrate or terminate mobile applications with low user activity, poor user experience, redundant functions, or significant security and compliance risks.
In managing mobile application requirements, financial institutions should consolidate similar and homogeneous business requirements so that each mobile application has relatively independent and complete business scenarios and functions. Provided that the requirements of the Notice are met, each financial institution may formulate its own integration standards according to its situation, and should carry out risk assessment, data migration, privacy protection, user notification and other management work during integration. The Notice also sets out data security responsibilities and personal information protection requirements for financial institutions' mobile applications. Specifically, the Notice establishes the principle that "whoever manages the business manages its business data and is responsible for its data security". Financial institutions should strengthen the data management responsibilities of their business management departments, which should work together with the information technology departments on business data security management. The Notice further imposes data security requirements on outsourced services: institutions should strictly control the data access rights of outsourcing service providers according to the "need-to-know" and "least privilege" principles, urge providers to strengthen data security management, and prevent data leakage.
The head of the relevant department of the State Administration for Financial Regulation stated that financial institutions should strictly implement national laws, regulations and regulatory requirements; establish a personal information protection system for mobile applications; standardize personal information management; collect personal information in accordance with the principles of "legality, legitimacy and necessity"; inform users of the purpose of collection and of how personal information is used and protected; publish complaint channel information; promptly handle information leakage and privacy compliance issues; and protect consumer rights and interests. In addition, the Notice specifies that dispatched institutions at all levels should reinforce the primary responsibility of financial institutions within their jurisdiction for mobile application management, urge them to implement information technology regulatory requirements, strengthen mobile application monitoring and early warning, and regularly conduct penetration testing. They should pay closer attention to mobile application risks in off-site supervision and on-site inspections, step up the reporting of risks and vulnerabilities, and promptly urge rectification. They should also strengthen punishment and accountability for mobile applications of financial institutions that violate laws and regulations, and hold institutions seriously accountable for major risk events caused by improper management, serious risk hazards, superficial risk investigation, or ineffective rectification of problems. (New Society)

Editor: NiChengRan    Responsible editor: Chenze

Source: Legal Daily
