Circular No. 13/2018/TT-NHNN on internal control systems of banks

ATTRIBUTE

Circular No. 13/2018/TT-NHNN dated May 18, 2018 of the State Bank of Vietnam on internal control systems of commercial banks and foreign banks branches
Issuing body: State Bank of Vietnam
Effective date: Known
Official number: 13/2018/TT-NHNN
Signer: Nguyen Dong Tien
Type: Circular
Expiry date: Updating
Issuing date: 18/05/2018
Effect status: Known
Fields: Finance - Banking

SUMMARY

The internal control system of banks

The internal control systems of commercial banks and foreign banks’ branches are prescribed by the State Bank of Vietnam in Circular 13/2018/TT-NHNN dated May 18, 2018.

The internal control system must have three lines of defense as follows:

- The first line of defense has the functions of risk identification, control and minimization, carried out by the following departments: Business departments, other revenue-generating departments; Human resource department, accounting department…;

- The second line of defense has the functions of formulating risk management policies and internal regulations on risk management, measuring and monitoring risk in accordance with regulations of law;

- The third line of defense has the function of internal audit, carried out by the internal audit department.

Additionally, this Circular prescribes the commercial bank’s risk management policies, which are promulgated and amended by the Board of Directors/Members’ Council. The commercial bank’s risk limit is issued and amended by the Director General.

This Circular takes effect on January 01, 2019.

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE STATE BANK OF VIETNAM 

Circular No. 13/2018/TT-NHNN dated May 18, 2018 of the State Bank of Vietnam on internal control systems of commercial banks and foreign banks branches

Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;

Pursuant to the Law on Credit Institutions dated June 16, 2010 and the Law on Amendments to some Articles of the Law On Credit Institutions dated November 20, 2017;

Pursuant to the Government’s Decree No. 16/2017/ND-CP dated February 17, 2017 defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

At the request of the Chief Bank Inspector and Overseer;

The State Bank of Vietnam promulgates a Circular on internal control systems of commercial banks and foreign banks’ branches.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of adjustment

This Circular regulates internal control systems of commercial banks and foreign banks’ branches.

Article 2. Subjects of application

1. Commercial banks, including: State-owned commercial banks, joint stock commercial banks, joint-venture banks, wholly foreign-owned banks.

2. Foreign banks’ branches.

Article 3. Definitions

For the purpose of this Circular, the terms below shall be construed as follows:

1. An internal control system is a combination of mechanisms, policies, processes, internal regulations, and organizational structures of a commercial bank or a foreign bank’s branch which follows the regulations of the Law on Credit Institutions, this Circular and other relevant regulations of law and is implemented for control, prevention, detection and handling of risks, fulfilling the set requirements. The internal control system carries out senior management oversight, internal control, risk management, internal capital adequacy assessment and internal audit.

2. Senior management oversight is carried out by the Board of Directors, Members’ Council, Director General (Director) and parent bank in internal control, risk management, internal capital adequacy assessment and by Control Boards of the commercial bank, the parent bank, the Director General (Director) and the foreign bank’s branch in internal audit.

3. Internal control is inspection and oversight of individuals and departments in implementation of mechanisms, policies, internal regulations, work ethics and control culture in order to control conflict of interest and risks, ensuring that the activities of the commercial bank or the foreign bank’s branch fulfill the set requirements as well as comply with the law.

4. Risk management is identification, measurement, monitoring and control of risks in the commercial bank’s/foreign bank’s branch’s operation.

5. Internal capital adequacy assessment is self-assessment of capital adequacy in order to ensure compliance with the State Bank’s regulations on capital safety ratio and fulfill the commercial bank’s/foreign bank’s branch’s set requirements.

6. Control culture is the cultural value of a commercial bank/foreign bank’s branch showing unity in awareness of risk control and management among the Board of Directors, Members’ Council, Control Board, Director General (Director), individuals and departments. The control culture is created from work ethics, internal regulations and reward/disciplinary schemes in order to encourage individuals and departments to actively identify and control risks in their own activities as well as the commercial bank’s/foreign bank’s branch’s.

7. Economic capital is the capital level designated by the commercial bank/foreign bank’s branch, based on calculation of necessary capital for addressing material risks and maintaining the capital safety ratio in stress scenarios.

8. A stress test is an assessment of volatility’s and unfavorable developments’ impact on the capital safety ratio and liquidity in various scenarios in order to determine the commercial bank’s/foreign bank’s branch’s risk resistance.

9. Risk is the probability of loss (financial or non-financial), causing decrease in the commercial bank’s/foreign bank’s branch’s own capital and income, hence decreasing the capital safety ratio or hindering the bank from achieving its business goals.

10. Risk appetite is the risk level commercial banks and foreign banks’ branches are willing to take during implementation of their business strategies, indicated by ratios and criteria specified in Point a, Clause 2, Article 24 of this Circular.

11. Risk position is a commercial bank’s/foreign bank’s branch’s risk assets, liabilities and off-balance sheet items.

12. Material activities are activities designated by a commercial bank/foreign bank’s branch, based on the scale of that activity compared to one of the financial indicators (equity, total assets, income, costs or other financial criteria) in accordance with the bank’s internal regulations.

13. Material risks include:

a) Credit risk, operational risk, market risk and interest rate risk in the banking book (IRRBB) as specified in the State Bank’s regulations on capital safety ratio in commercial banks and foreign banks’ branches;

b) Liquidity risk, concentration risk;

c) Other risks arising from material activities.

14. Liquidity risk is caused by:

a) The commercial bank’s/foreign bank’s branch’s inability to fulfill debt obligations at maturity; or

b) The commercial bank/foreign bank’s branch being able to fulfill debt obligations at maturity, but at higher costs than the average market costs, as specified in the bank’s internal regulations.

15. Concentration risk is the risk caused by the business of a commercial bank/foreign bank’s branch focusing on a customer (including related parties), partner, product, transaction, sector, economic field, currency to the point of causing significant impact to income and risk position, as specified in the bank’s internal regulations.

16. Conflict of interest is a situation where an individual or department makes decisions within their competence that are not appropriate for or go against interests of the commercial bank/foreign bank’s branch.

17. Risk-bearing decisions are decisions of the commercial bank’s/foreign bank’s branch’s competent level that create risks or change the bank’s risk position.

18. Credit risk-bearing decisions are risk-bearing decisions of a commercial bank/foreign bank’s branch in credit activities, including at least: credit extension decisions; credit limit decisions; limit-exceeding loan decisions; loan term restructuring decisions; loan group transfer decisions.

19. Credit extensions requiring attention, with the minimum amount regulated by commercial banks or foreign banks’ branches, are loans belonging to loan group 2 or above, as specified in the State Bank’s regulations on classification of assets, ratio and method of establishment of provisions for credit losses and use of provisions for credit losses.

20. Outsourcing is the commercial bank/foreign bank’s branch (hereinafter referred to as the client) making an agreement in writing (an outsourcing contract) on hiring another enterprise, credit institution or foreign bank’s branch (hereinafter referred to as the contractor) to carry out one or multiple activities (including data processing or some steps of the business process) in the bank’s stead, in accordance with the law.

21. Internal auditors are persons who carry out internal audits and belong to internal audit departments of commercial banks and foreign banks’ branches.

22. Parent banks are foreign banks that have branches approved to operate in Vietnam.

Article 4. Application of related legal documents

The internal control systems of commercial banks and foreign banks’ branches shall act in accordance with regulations specified in the Law on Credit Institutions, this Circular and other related legal documents.

Article 5. Requirements for internal control systems

1. The internal control system of a commercial bank/foreign bank’s branch must fulfill the following requirements:

a) Requirements stated in Clause 2, Article 40 of the Law on Credit Institutions;

b) Appropriate for the scale, conditions and complexity of the commercial bank’s/foreign bank’s branch’s business activities;

c) Have sufficient financial, human and IT resources in order to ensure the internal control system’s effectiveness;

d) Create and maintain a control culture and work ethics for the commercial bank/foreign bank’s branch.

2. The commercial bank/foreign bank’s branch must have internal regulations in compliance with Article 93 of the Law on Credit Institutions, in which the following requirements must be met:

a) Compliant with regulations of this Circular and related regulations of law;

b) Competence to promulgate:

(i) In the case of commercial banks: The Board of Directors or the Members’ Council promulgates regulations on the bank’s organization, management and activities, except matters that belong to the Shareholders’ Council and owner; the Control Board promulgates its own internal regulations; the Director General (Director) promulgates work regulations, processes and procedures (hereinafter referred to as the internal process);

(ii) In the case of foreign banks’ branches: The Director General (Director) promulgates the branch’s internal regulations in accordance with the parent bank’s regulations or uses the internal regulations promulgated by the parent bank;

c) Fulfill the requirements and contents of control activities specified in Article 14, Clauses 1 and 2, Article 15 of this Circular;

d) Subject to regular assessments specified in this Circular and the commercial bank’s/foreign bank’s branch’s regulations on appropriateness of and compliance with the law, and make amendments if needed.

3. The internal control system must have three lines of defense as follows:

a) The first line of defense has the functions of risk identification, control and minimization, carried out by the following departments:

(i) Business departments (also including product development), other revenue-generating departments; departments responsible for making risk-bearing decisions;

(ii) Departments responsible for risk limit allocation, risk management and risk minimization (affiliated with a business department or independent) in each type of transaction and business activity;

(iii) Human resource department, accounting department;

b) The second line of defense has the functions of formulating risk management policies and internal regulations on risk management, measuring and monitoring risk in accordance with regulations of law, carried out by the following departments:

(i) Departments conforming to the regulations in Article 18 of this Circular;

(ii) The risk management department specified in Article 22 of this Circular;

c) The third line of defense has the function of internal audit, carried out by the internal audit department specified in the Law on Credit Institutions and this Circular.

4. Discussions (both agreements and disagreements) and conclusions on the internal control system in meetings held by the Board of Directors, Members’ Council, Control Board, Risk Management Committee, Human Resource Committee, Risk Committee, Capital Management Committee, Asset-Liability Committee (ALCO) must be recorded in writing.

5. Independent assessment of the internal control system is carried out in accordance with the State Bank’s regulations on independent audit in commercial banks and foreign banks’ branches.

Article 6. Retention of internal control records and documents

1. Commercial banks and foreign banks’ branches must have internal regulations on management and retention of the internal control system’s records and documents.

2. Management and retention of internal control system documents in commercial banks and foreign banks’ branches must:

a) Comply with regulations of law and the State Bank’s regulations on retention of records and documents in banking;

b) Fully retain records and documents in order to provide them upon request of internal auditors, independent auditing organizations, authorities with competence in internal audit, independent audit, inspection and oversight.

Article 7. Submission of internal control reports to the State Bank

1. The commercial bank/foreign bank’s branch must produce internal control reports and submit them to the State Bank (the Bank Inspection and Oversight Authority) as specified in Clauses 2, 3 and 4 of this Article.

2. The internal control report includes:

a) Annual self-inspection and self-assessment results, as specified in Appendix 1 issued together with this Circular;

b) Annual risk management report, as specified in Appendix 2 issued together with this Circular;

c) Annual internal capital adequacy assessment report, as specified in Appendix 4 issued together with this Circular;

d) Annual internal audit report, as specified in Appendix 5 issued together with this Circular, alongside unscheduled internal audit report.

3. Report submission period:

a) In the case of reports mentioned in Points a, b and c, Clause 2 of this Article: The commercial bank/foreign bank’s branch shall submit the fiscal year’s report within 45 days after the end of that fiscal year.

b) In the case of reports mentioned in Point d, Clause 2 of this Article:

(i) The commercial bank shall submit the fiscal year’s internal audit report within 60 days after the end of that fiscal year.

(ii) The foreign bank’s branch shall submit the fiscal year’s internal audit report within 60 days after the internal audit’s date of completion. No submission is required if there is no internal audit in that fiscal year;

(iii) The commercial bank/foreign bank’s branch shall submit the unscheduled internal audit report within 07 working days after the unscheduled internal audit’s date of completion.

4. The internal control report mentioned in Clause 2 of this Article must update the problems, limitations and risks that recently arose in the internal control system of the whole commercial bank, including the departments of the headquarters, branches and other affiliates specified in the State Bank’s regulations on commercial banks’ operational networks (hereinafter referred to as other affiliates) and foreign bank’s branch.

Chapter II

SENIOR MANAGEMENT OVERSIGHT

Article 8. Requirements for senior management oversight

1. In the case of commercial banks, the organizational structure, tasks and powers of the Board of Directors, Members’ Council, Control Board, Director General (Director) shall be in accordance with regulations of the Law on Credit Institutions and this Circular.

2. In the case of foreign banks’ branches, the organizational structure, tasks and powers of the senior management oversight shall be in accordance with the parent bank’s regulations, ensuring that the Director General (Director) carries out senior oversight.

3. Ensure that internal control, risk management, internal capital adequacy assessment and internal audit are carried out effectively and fulfill the set requirements.

4. Fully grasp the commercial bank’s/foreign bank’s branch’s risk position and state of risk management policy implementation.

5. There are loss prevention and handling measures which are carried out in a timely manner, in order to increase efficiency and safety in the commercial bank’s/foreign bank’s branch’s operation.

Article 9. Organizational structure of a commercial bank’s senior management oversight

1. The oversight structure of a commercial bank’s Board of Directors/Members’ Council must have:

a) The Risk Management Committee and Human Resource Committee, as specified in the State Bank’s regulations on license issuance, organization and operations of commercial banks/foreign banks’ branches and each committee must have at least half of its voting members not part of management;

b) Other committees (if necessary) to help the Board of Directors/Members’ Council carry out senior management oversight.

2. The Control Board’s oversight structure shall be in accordance with regulations of the Law on Credit Institutions and the Control Board’s internal regulations.

3. The Director General (Director) must establish the Risk Committee, ALCO and Capital Management Committee to act as advisors, as specified in Clauses 2 and 3, Article 11 and Clause 2, Article 12 of this Circular, and have the following organizational structures:

a) The Risk Committee: The chairman is a member of headquarters management (not the Director General (Director)) who specializes in risk management, has experience, knowledge and professional capacity in risk management and the other members belong to related departments specified in the commercial bank’s internal regulations;

b) The ALCO: The chairman is the Director General (Director) or a member of headquarters management and the other members belong to related departments specified in the commercial bank’s internal regulations;

c) The capital management committee: The chairman is the Director General (Director) or a person in headquarters management who specializes in finance, has experience, knowledge and professional capacity in finance and accounting, and the other members belong to related departments specified in the commercial bank’s internal regulations;

d) The committees’ work regulations are promulgated by the Director General (Director), including at least the committees’ functions, tasks alongside the number, function and tasks of members; decision-making mechanisms; scheduled meetings (at least once per week for the Risk Committee and ALCO and at least semiannual for the Capital Management Committee); unscheduled meetings and other contents.

Article 10. Senior management oversight for internal control

1. The Board of Directors/Members’ Council of the commercial bank oversees the Director General (Director):

a) Carrying out control, operation and maintenance of the management information system and information exchange mechanism;

b) Maintaining the commercial bank’s control culture specified in Clause 6, Article 3 of this Circular and work ethics specified in Clause 3, Article 15 of this Circular;

c) Rectifying problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities;

d) Taking action against violations of law, internal regulations and work ethics;

dd) Other contents specified by the Board of Directors/Members’ Council.

2. The commercial bank’s Director General (Director) oversees individuals and departments:

a) Implementing internal regulations on internal control, maintaining control culture; assessing implementation of work ethics (not including those of Control Board members and internal auditors);

b) Operating the management information system, assessing its accuracy, adequacy, punctuality and appropriateness, upgrading and perfecting that system, fulfilling the requirements in Article 20 of this Circular;

c) Acting as directed by the Board of Directors/Members’ Council in rectification of problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities;

d) Carrying out self-assessment of internal control’s effectiveness on an annual basis or unscheduled, including at least:

(i) Self-inspection and self-assessment of implementation of internal control regulations in each unit and department, in each management and professional activity;

(ii) Review and evaluate internal regulations on internal control;

(iii) Suggesting measures for rectification of problems and limitations in internal control to the Board of Directors/Members’ Council;

dd) Other contents specified by the commercial bank.

3. The foreign bank’s branch’s Director General (Director) oversees individuals and departments in accordance with the parent bank’s regulations:

a) Carrying out internal control;

b) Rectifying problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities.

Article 11. Senior management oversight for risk management

1. The commercial bank’s Board of Directors/Members’ Council, based on the Risk Committee’s advice and proposals, oversees the Director General (Director):

a) Formulating and organizing implementation of risk management policies;

b) Rectifying problems and limitations in risk management upon request from the State Bank, independent auditing firms and other relevant authorities;

c) Other contents specified by the Board of Directors/Members’ Council.

2. The commercial bank’s Director General (Director), based on the Risk Committee’s advice and proposals, oversees individuals and departments:

a) Creating processes of risk management policy formulation and implementation;

b) Implementing risk management policies and assessing them in accordance with Clause 3, Article 24 of this article in order to suggest policy adjustments to the Board of Directors/Members’ Council;

c) Creating and implementing risk limits, proposing risk limit allocation by business and professional activities; implementing handling measures in case of failure to comply with risk limits;

d) Acting as directed by the Board of Directors/Members’ Council in rectification of problems and limitations in risk management upon request from the State Bank, independent auditing firms and other relevant authorities;

dd) Carrying out self-inspection and self-assessment of risk management and suggesting rectifying measures to the Board of Directors/Members’ Council.

e) Other contents specified by the commercial bank.

3. The commercial bank’s Director General (Director) oversees individuals and departments carrying out asset-liability management, based on the Risk Committee’s advice and proposals, as follows:

a) Manage the balance sheet effectively and in accordance with the risk management policies;

b) Review and propose capital-raising plans, capital-use plans, principles of internal funds transfer pricing;

c) Create the interest rate frame and price frame for other products for managing financial assets and liabilities;

d) Control business activities so that they comply with the liquidity risk limit, IRRBB limit, total assets calculated from IRRBB;

dd) Other contents specified by the commercial bank.

4. The foreign bank’s branch’s Director General (Director) oversees individuals and departments in accordance with the parent bank’s regulations:

a) Carrying out risk management;

b) Rectifying problems and limitations in risk management upon request from the State Bank, independent auditing firms and other relevant authorities.

Article 12. Senior management oversight for internal capital adequacy assessment

1. The Board of Directors/Members’ Council of the commercial bank oversees the Director General (Director):

a) Organizing internal capital adequacy assessment;

b) Rectifying problems and drawbacks in internal capital adequacy assessment upon request from the State Bank, independent auditing firms and other relevant authorities;

c) Other contents specified by the Board of Directors/Members’ Council.

2. The commercial bank’s Director General (Director), based on the Capital Management Committee’s advice and proposals, oversees and directs individuals and departments to:

a) Carry out internal capital adequacy assessment;

b) Act as directed by the Board of Directors/Members’ Council in rectification of problems and limitations in internal capital adequacy assessment upon request from the State Bank, independent auditing firms and other relevant authorities;

c) Other contents specified by the commercial bank.

3. The foreign bank’s branch’s Director General (Director) oversees individuals and departments in accordance with the parent bank’s regulations:

a) Carry out internal capital adequacy assessment;

b) Rectifying problems and limitations in internal capital adequacy assessment upon request from the State Bank, independent auditing firms and other relevant authorities.

Article 13. Senior management oversight for internal audit

1. The commercial bank’s Control Board oversees internal audit as follows:

a) Oversee and assess the Control Board members’ and internal auditors’ implementation of work ethics;

b) Oversee the internal audit department:

(i) Carrying out internal audit;

(ii) Reviewing and assessing internal audit’s effectiveness and the Chief Internal Auditor’s task results;

(iii) Rectifying problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities.

c) Other contents specified by the Control Board.

2. The foreign bank’s branch’s Director General (Director) oversees individuals and departments in accordance with the parent bank’s regulations:

a) Carrying out internal audit;

b) Rectifying problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities.

Chapter III

INTERNAL CONTROL

Article 14. Requirements for internal control

1. Internal control applies to all activities, business processes and departments of the commercial bank (including the headquarters, branches and other affiliates) or foreign bank’s branch and must fulfill the following requirements:

a) The commercial bank’s/foreign bank’s branch’s activities must comply with regulations of law;

b) Control conflict of interest; detect and take action against violations in a timely manner;

c) Increase awareness of the roles and responsibilities of individuals and departments in internal control in order to build and maintain the commercial bank’s/foreign bank’s branch’s control culture.

2. Internal control is conducted through control activities, the information exchange mechanism and the management information system.

Article 15. Control activities

1. The commercial bank’s/foreign bank’s branch’s control activities shall be carried out at least as follows:

a) Allocation of competence to approve must be based on prestige of the competent level and capacity of the executing individual/department. The competence to approve must be displayed by transaction scale and risk limit criteria, alongside other limits specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

b) The commercial bank’s (including the headquarters, branches and other affiliates) or foreign bank’s branch’s regulations on functions and tasks of individuals/departments at all levels and in all types of transactions must apply the following principles:

(i) Members of the Board of Directors/Members’ Council shall not participate in review and approval of risk-bearing decisions which belong to the functions and tasks of the Director General (Director), unless the Director General (Director) is one of those members;

(ii) Divide the functions and tasks among transactions and business processes in order to avoid or control, prevent conflict of interest; an individual shall not be in control of a whole transaction or its process; an individual shall not be given tasks that give rise to conflict of interest;

(iii) There are independent individuals within a department, or belong to departments which are independent from each other in order to carry out scheduled and unscheduled inspections as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

(iv) If conflict of interest or violation against internal regulations still occurs despite implementation of regulations specified in Points b(ii) and b(iii), the commercial bank/foreign bank’s branch must identify the cause, have measures for minimization of operational risk, carry out tight surveillance and independent assessment more frequently;

c) Allocation of each individual’s/department’s management duties (also including receiving and delivering, storage, transport, inspection, inventory) for assets (including both financial and material assets) must be based on asset value or other specific limits specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

d) Bookkeeping complies with accounting standards and regulations; compile, produce and send financial reports in accordance with regulations of law and internal regulations of the commercial bank/foreign bank’s branch. Bookkeeping must be inspected and compared in order to detect and rectify errors in a timely manner and must be reported to competent level as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

dd) Have measures for prevention of and taking action against violations of law and internal regulations of the commercial bank (including the headquarters, branches and other affiliates) or foreign bank’s branch;

e) Human resources allocation must be appropriate for each business and control activity (including substitutes for absent managers and employees, recruitment, manager transfer and appointment).

2. Control activities in the commercial bank’s headquarters, branches and other affiliates must ensure that:

a) The headquarters is able to oversee and control transactions and activities of the branches and other affiliates, also including oversight and control through individuals and departments carrying out control activities in those branches and affiliates;

b) There are regulations on functions, tasks, report mechanism, reward/discipline, manager transfer and other mechanisms in order to ensure independence and that the branch’s/other affiliate’s individual/department carrying out control activities does not have conflict of interest with other individuals/departments of the same branch/other affiliate;

c) There are mechanisms that allow clients to search, check and compare transactions carried out in the commercial bank’s branches/other affiliates to those carried out in the headquarters.

3.Work ethics (except those applied to Control Board members and internal auditors) must be promulgated by the Board of Directors/Members’ Council of the commercial bank or the Director General (Director) of the foreign bank s branch, applying the following principles:

a) Managers and employees at all levels carry out tasks within their competence honestly and for the commercial bank’s/foreign bank’s branch’s benefits; do not abuse their positions or use the bank’s information, secrets, business opportunities and property for self-profit or to damage the bank’s benefits.

b) Individuals and departments have the responsibility to report to the competent level in a timely manner after discovering any of the acts mentioned in Point a of this Clause, as well as violations against internal regulations and regulations of law.

4. On an annual basis or unscheduled, the commercial bank/foreign bank’s branch shall produce internal reports on internal control and send them to the competent level as specified in the bank’s internal regulations. The internal report on internal control includes assessment of control activities following the contents specified in Clauses 1, 2 and 3 of this Article and other contents specified in the bank’s internal regulations.

Article 16. Control activities for credit extensions

1. Control activities for the commercial bank’s/foreign bank’s branch’s credit extensions must comply with Clauses 1 and 2, Article 15 of this Circular.

2. Conflicts of interest in credit extensions must be controlled, based on the principle that the individual/department doing credit appraisal is independent from individuals/departments doing:

a) Customer relations;

b) Reappraisal (if any);

c) Credit extension approval;

d) Credit risk limit control; management of credit extensions requiring attention; ratio and method of establishment of provisions for credit losses and use of provisions for credit losses.

Article 17. Control activities for proprietary transactions

1. Control activities for the commercial bank’s/foreign bank’s branch’s proprietary transactions must comply with Clauses 1 and 2, Article 15 of this Circular.

2. Control of proprietary transactions must at least apply the following principles:

a) There is a unit assigned to conduct proprietary transactions (hereinafter referred to as proprietary transaction unit); allocate specific competence of individuals and departments in the proprietary transaction unit; the transactor/transaction department must be independent from individuals/divisions that control or make payments for proprietary transactions;

b) Proprietary transactions are conducted within the specified limits and transaction commitments (also including transaction cancellation, changes and additions to the transaction’s terms) and the proprietary transaction’s bookkeeping and accounting shall comply with relevant regulations of law;

c) Information, documents and records of proprietary transactions shall be provided sufficiently and punctually to individuals/departments controlling proprietary transactions;

dd) There is an internal process for conducting proprietary transactions as specified in Clause 3 of this Article and an internal process for proprietary transaction payments as specified in Clause 4 of this Article.

3. The internal process for conducting proprietary transactions must fulfill the following requirements:

a) The transactor can only conduct transactions within his/her designated transaction type, partner and competence;

b) If the proprietary transaction is conducted via telephone, all conversations of that transaction must be recorded and archived for at least two months from the call date. If the proprietary transaction is conducted via computer, the transactor is only allowed to input transaction data to the internal transaction management system using his/her own transactor number. The computer system shall automatically input date, time and number of the proprietary transactions and prohibit the transactor from changing those details;

c) The proprietary transaction’s price must be independently inspected to ensure that it fits the market price.

4. The internal process for proprietary transaction payments must fulfill the following requirements:

a) The individual/department making proprietary transaction payments sends and receives confirmations of conducted proprietary transactions, using confirmation methods that comply with regulations of law (also including monitoring and inspecting confirmation of customers’ transactions, notifying the customers of failure to receive confirmation or the confirmation’s insufficient details or errors);

b) The transaction confirmation’s contents include the transaction terms and details. If the proprietary transaction is conducted through a broker, the confirmation must have that broker’s details;

c) The department making proprietary transaction payments must rectify any discrepancy found during the payment process.

Article 18. Compliance department

1. Depending on the business activity’s scale, condition and complexity, the commercial bank/foreign bank’s branch decides on the organizational structure, tasks and powers of the compliance department to ensure that the department is independent and has no conflict of interest.

2. The compliance department’s tasks and powers are decided by the Director General (Director) of the commercial bank/foreign bank’s branch and must include at least the following tasks:

a) Help the Director General (Director):

(i) Implement the regulations specified in Point d, Clause 2, Article 5 of this Circular;

(ii) Report serious violations against regulations of law and changes in relevant regulations of law to the Board of Directors/Members’ Council/parent bank/Control Board, as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

(iii) Review and assess regulations on tasks and powers of the compliance department in order to inform the Director General (Director) of any necessary amendments;

b) Report the state of compliance with regulations of law to the Director General (Director), scheduled or unscheduled; notify the Director General (Director) and related departments of changes in relevant regulations as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

c) Support the related departments in internal policy creation and review, ensuring compliance with regulations of law; deal with any complication that arises during such compliance as specified in the commercial bank’s/foreign bank’s branch’s internal regulations.

Article 19. Information exchange mechanism

1. The commercial bank/foreign bank’s branch must have an information exchange mechanism, allowing notification, dissemination and propagation of the internal control system to every individual at every level and in every department, hence raising awareness of policies, processes and business goals, enabling those individuals to do well in their responsibilities, tasks and powers.

2. The information exchange mechanism shall be implemented through the management information system and other information exchange mechanisms decided by the commercial bank/foreign bank’s branch.

3. The information exchange mechanism must apply the following principles:

a) Information on objectives, strategies, policies and processes shall be passed on from upper to lower levels, and to related individuals/divisions;

b) Information on the internal control system and operational results shall be passed on from lower to upper levels (also including the Board of Directors, Members’ Council, parent bank, Control Board, Director General (Director)) and from the commercial bank’s branches and other affiliates to the headquarters so that the commercial bank/foreign bank’s branch can fully grasp its risk positions and business situation;

c) Information on new products, operations in new markets, loss, frauds and the risk of loss/fraud shall be passed on from the risk management and internal audit departments, alongside other related departments, in a timely manner;

d) There is a mechanism for direct, independent and punctual report to competent level on violations against the law, internal regulations and work ethics committed by individuals and divisions in charge of information security and protection for information providers;

dd) The frequency of information exchange must be directly proportional to the risk level.

Article 20. Management information system

1. The commercial bank/foreign bank’s branch must have a management information system for providing information and internal reports to the Board of Directors, Members’ Council, parent bank, Control Board, Director General (Director) as well as related individuals and divisions in order for them to carry out their functions and tasks in compliance with this Circular’s regulations.

2. The management information system includes at least:

a) Internal reports (including at least those on internal control, risk management, internal capital adequacy assessment and internal audit as specified in Clause 4 Article 15, Articles 37, 40, 47, 52, 55, 58, 63 and 72 of this Circular) and other management information specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

b) The organizational and management structure, as well as operation of the management information system, which specify the responsibilities of related individuals and divisions for using the management information system;

c) Information collection, processing, archive, and provision; producing, sending, receiving and processing reports;

d) Appropriate information technology infrastructure.

3. The management information system must:

a) Support implementation of the information exchange mechanism as specified in Clauses 1 and 3, Article 19 of this Circular;

b) Provide sufficient, accurate information and data, hence fulfilling in a timely manner the management requirements specified in this Article and the commercial bank’s/foreign bank’s branch’s internal regulations; the sources of information and data must be verified;

c) Provide updates on the commercial bank’s/foreign bank’s branch’s state of compliance with regulations of law and internal regulations;

d) Ensure security of information and data; backup systems must be available to ensure that the archive and use of information is safe, efficient and free from interruptions;

dd) Be subject to reviews and reassessments either unscheduled or at least on an annual basis; regularly upgraded and updated in order to meet the demand for management information, scale structure and complexity of the commercial bank’s/foreign bank’s branch’s business activities.

Chapter IV

RISK MANAGEMENT

Section 1. GENERAL PROVISIONS FOR RISK MANAGEMENT

Article 21. Requirements for risk management

1. The commercial bank/foreign bank’s branch must fulfill the following requirements while carrying out risk management:

a) Manage the material risks of the bank’s business activities;

b) Identify fully, measure accurately, monitor frequently in order to prevent in a timely manner and minimize material risk;

c) Control the risk position, ensuring compliance to the risk limits;

d) The risk-bearing decisions must be clear and transparent and comply with risk management policies and risk limits.

2. If a commercial bank has subsidiaries, the bank must direct and oversee the subsidiaries’ risk management in accordance with the bank’s risk management policies, through the capital share’s representative.

Article 22. Risk management department

1. Depending on the business activity’s scale, condition and complexity, the commercial bank decides the structure of risk management department, which is part of the second line of defense and has at least the following functions:

a) Help the Risk Committee:

(i) Propose and give advice on the contents of Clause 2, Article 11 of this Circular;

(ii) Monitor the risk position relative to the risk limit for early risk detection and warning, alongside the likelihood of violation against the risk limit;

b) Cooperate with the first line of defense in fully identifying and monitoring incurred risks;

c) Create and apply risk assessment/measurement methods and models;

d) Control, prevent and propose measures for minimizing incurred risks;

dd) Participate in risk-related contents during the process of risk-bearing decision making, respective to each competence level, as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

e) Write stress test reports as specified in Point a, Clause 2, Article 28 of this Circular, in cooperation with business and compliance departments as well as other related departments;

g) Produce internal reports on risk management as specified in the commercial bank’s internal regulations.

2. The risk management department of the foreign bank’s branch shall have its organizational structure, functions and tasks decided by the parent bank.

Article 23. Internal regulations on risk management

1. The internal regulations on the commercial bank’s/foreign bank’s branch’s internal system mentioned in Clause 2, Article 5 of this Circular must have internal regulations on risk management, which have at least the following contents:

a) Formulation, promulgation and implementation of risk management policies;

b) Creation, promulgation and imposition of risk limit for each type of material risk (also including risk limit creation methods, the individuals and divisions tasked with risk limit creation, risk limit allocation and actions against risk limit violations);

c) Risk identification, measurement, monitoring and control for each type of material risk (also including risk measurement/control methods and models);

d) Stress test;

dd) Mechanism for internal report on risk management;

e) Risk management for new products/operations in new markets;

g) Other necessary contents according to management requirements for each type of material risk.

2. The internal regulations on risk management must apply the following principles:

a) Appropriate for the business strategies, control culture, human resources, information technology infrastructure and management information system of the commercial bank/foreign bank’s branch;

b) The risk positions and risk management violations must be reported sufficiently and punctually to the Board of Directors, Members’ Council, Control Board or parent bank; there must be a mechanism for taking action against risk management violations.

Article 24. Risk management policies

1. The commercial bank’s risk management policies are promulgated and amended by the Board of Directors/Members’ Council. The competence to promulgate and amend the foreign bank’s branch’s risk management policies shall comply with the parent bank’s regulations.

2. Risk management policies must include at least the following contents:

a) Risk appetite, including:

(i) The capital safety ratio target;

(ii) Income criteria: Return on Equity (ROE) and Risk-Adjusted Return on Capital (RAROC);

(iii) Other criteria specified in the internal regulations of the commercial bank/foreign bank’s branch;

b) The list of material risks specified in this Circular;

c) Risk management policies for each material risk.

3. Risk management policies must fulfill the following requirements:

a) Created for between 3 and 5 years of application, and undergo both scheduled (at least once per year) and unscheduled assessment as specified by the commercial bank so as to make timely adjustments in case of changes in the business and legal environment in order to fulfill risk management goals;

b) Suitable for the interests of the commercial bank’s/parent bank’s shareholders, owners and contributors of capital, as specified in the regulations of law;

c) Suitable for the own capital level and the existing levels of its sources;

d) Have inheritance and continuity in order to ensure feasibility through the economic cycles.

Article 25. Risk limits

1. The commercial bank’s risk limit is issued and amended (including risk limit adjustment) by the Director General (Director). The competence to promulgate and amend the foreign bank’s branch’s risk limit shall comply with the parent bank’s regulations.

2. The risk limit must:

a) Comply with regulations on restrictions specified in the Law on Credit Institutions and the State Bank’s regulations in order to ensure safety of the credit institution’s/foreign bank’s branch’s operations;

b) Have limits on material risks;

c) Comply with the risk appetite, risk management strategies and the total risk assets allocated to that risk;

d) Be sufficient and specific in order to control risks coming from business activities and departments participating in risk-bearing transactions;

dd) Be reviewed and reassessed (adjusted if necessary) at least once per year or when a major change affects the risk position, as specified in the commercial bank’s/foreign bank’s branch’s internal regulations. In case of raising the commercial bank’s risk limit, the Director General (Director) must notify the Board of Directors/Members’ Council of that adjustment;

e) Be disseminated to the related individuals and departments.

3. If an activity, transaction or product has different limits for different risks, the commercial bank/foreign bank’s branch must apply the more conservative risk limit.

Article 26. Risk management for new products and operations in new markets

1. Risk management for new products/operations in new markets (within permitted business activities) must fulfill the following requirements:

a) There are criteria for determination of new products/operations in new markets;

b) There is a process for provision of new products/operations in new markets, applying the following principles:

(i) In the commercial bank, the Board of Directors/Members’ Council approves policies on provision of new products/operations in new markets, based on the Director General’s (Director’s) proposal. The Director General (Director) approves plans for provision of new products/operations in new markets;

(ii) In the foreign bank’s branch, approval for policies on and plans for provision of new products/operations in new markets is done as specified in the parent bank’s regulations.

2. The plan for provision of new products/operations in new markets must be appraised by the risk management department on risks, risk management measures and must have at least the following contents:

a) The scale and trial period of provision of new products/operations in new markets, based on assessment of risks coming from those activities as well as the way they affect equity and income in order to ensure their suitability for the commercial bank’s/foreign bank’s branch’s risk management capabilities;

b) The official time for provision of new products/operations in new markets is based on the trial’s results compared with the set risk management criteria of the commercial bank/foreign bank’s branch.

3. When the provision of new products/operations in new markets becomes official, the commercial bank/foreign bank’s branch must promulgate new regulations on and processes for those activities and carry out material risk management for those activities.

Article 27. Risk identification, measurement, monitoring and control

1. Risk identification:

The commercial bank/foreign bank’s branch must identify material risks and interaction between those risks in transactions, products, activities and business processes, risk probability and cause of risk.

2. Risk measurement:

a) The commercial bank/foreign bank’s branch measures the risk level, based on determination of that risk’s short-term and long-term effects on the bank’s income, capital safety ratio and business goal achievement;

b) Risk measurement is conducted using methods and models (also including the internal credit rating system). Those methods and models must be regularly inspected and assessed on their accuracy and appropriateness as specified by the commercial bank’s/local bank branch’s internal regulations. The data used in risk measurement methods and models must have reliability and inspectability;

c) Risk measurement must be carried out accurately and in a timely manner in order to monitor and control risk effectively.

3. Risk monitoring:

a) The commercial bank/foreign bank’s branch must monitor the risk position, carry out timely assessments and give early warnings about the possibility of violations against risk limits and restrictions in order to ensure operational safety;

b) Internal reports on risk monitoring must be timely produced, accurate, complete and sent to related individuals and departments.

4. Risk control:

a) The commercial bank/foreign bank’s branch must control risk positions, transactions and activities according to their respective risk limits;

b) The commercial bank/foreign bank’s branch must have measures for prevention, minimization and timely handling of risk to ensure compliance to the risk limits and restrictions, hence ensuring operational safety, and have mechanisms for oversight and inspection of those measures’ implementation.

Article 28. Stress tests

1. The commercial bank/foreign bank’s branch shall conduct stress tests with the following frequencies:

a) Liquidity stress tests shall be conducted both on a biannual basis and unscheduled;

b) Capital stress tests shall be conducted both on an annual basis and unscheduled.

2. The stress test is conducted as follows:

a) Construct at least two scenarios (business as usual scenario and stress scenario) for the upcoming stress test. The chosen scenarios’ likelihood must be based on analyses of past events and macroeconomic forecasts;

b) Calculate the hypothetical effects on liquidity and capital safety ratio in each scenario;

c) Produce stress test reports (including quantitative data as well as qualitative assessment and analyses).

3. Based on the stress test results, the commercial bank/foreign bank’s branch must:

a) Assess the state of compliance with the solvency ratio, loan-to-deposit ratio, medium and long-term loan on short-term capital ratio, as well as other restrictions in order to ensure operational safety, as specified in the bank’s internal regulations;

b) Formulate backup plans in case of failure to fulfill liquidity requirements;

c) Calculate economic capital in the stress scenario to determine the capital target.

Section 2. CREDIT RISK MANAGEMENT

Article 29. Requirements for credit risk management, credit risk management strategies and limits

1. Credit risk management is carried out throughout the credit review, appraisal, approval and management processes, in compliance with the State Bank’s regulations and related regulations of law.

2. Credit risk management strategies must include at least the following contents:

a) Target ratios of non-performing loans and bad credit extensions, sorted by customer, industry and economic sector;

b) Principles of determining provisions for credit losses in the interest calculation method, credit product pricing based on the customer’s credit risk level;

c) The principles of implementation of credit risk minimization measures (also including competence to approve credit risk minimization measures).

3. The credit risk limits include at least:

a) Credit extension limit for each customer demographic, industry and economic sector based on the customer’s creditworthiness and the business/economic sector’s credit risk;

b) Credit extension limit for each product and security measure based on their respective credit risks.

Article 30. Internal credit rating system

1. The commercial bank/foreign bank’s branch must have an internal credit rating system, as specified in the State Bank’s regulations on classification of assets, ratio and method of establishment of provisions for credit losses and use of provisions for credit losses in the banking activity of credit institutions and foreign banks’ branches.

2. The internal credit system must fulfill the following requirements:

a) The rating system’s criteria must be quantified in order to assess the customer’s probability of default (also including social and macroeconomic conditions, as well as business environment affecting the customer’s solvency);

b) There are database and data management methods for credit risk quantification as required;

c) The internal credit system’s results must be independently assessed;

There is sufficient information on the internal credit rating system to be provided upon request of the internal audit department, independent auditing firms and other relevant authorities during the processes of internal audit, inspection, oversight and independent audit.

Article 31. Credit risk measurement, monitoring and control

1. The commercial bank/foreign bank’s branch must use the internal credit rating system, as well as loss measurement methods and models for credit risk measurement.

2. The commercial bank/foreign bank’s branch must monitor and control credit risk of each credit extension and the entire credit extension portfolio, and have handling measures in case of decline in credit quality, fulfilling at least the following requirements:

a) Monitor the credit extension’s debt classification results;

b) Assess adequacy of provisions for credit losses as specified by the State Bank’s regulations;

c) Control the actual credit risk position in order to comply with credit extension limit and credit risk limit as specified in the regulations of law and the commercial bank’s/foreign bank’s branch’s internal regulations.

3. Credit risk monitoring and control must at least include the following:

a) Roles and responsibilities of individuals and departments that monitor and control credit risk;

b) Debt classification, establishment and use of provisions for credit losses;

c) Assess and monitor credit risk of each credit extension and credit extension portfolio;

d) Control credit risk in accordance with the allocated credit risk for each credit extension and credit extension portfolio, including: The lowest frequency of long-distance control and on-site inspection for each customer, in order to collect information for monitoring credit risk;

dd) Assessment criteria and methods for determining the degree of credit quality decline in each credit extension and credit extension portfolio; early-warning mechanism for credit quality decline.

Article 32. Credit extension appraisal

1. The commercial bank/foreign bank’s branch carries out credit extension appraisal, which must at least have the following contents:

a) Identify the customer’s affiliated person, the total balance of credit extended to the customer and his/her affiliate;

b) Base the appraisal on the customer’s credit rating (if available), also including ratings from other credit institutions and foreign banks’ branches;

c) Assess the profile’s adequacy, legal status and recallability of collateral in the case of credit extensions with collateral;

d) Appraise the ability to fulfill obligations and commitments of the guarantor in the case of credit extension with guarantee from a third party.

2. During appraisal, if any line of communication with customers other than the commercial bank’s/foreign bank’s branch’s is used, the bank must inspect the line of communication’s information quality and independence from the party receiving credit extension.

Article 33. Approval of credit risk-bearing decisions

The commercial bank/foreign bank’s branch shall approve risk-bearing decisions as follows:

1. The competence to approve credit risk-bearing decisions and cases requiring higher competence’s approval must be determined by quantitative and qualitative criteria.

2. In the case of approval by committee, the approval committee must have the record of approval or any equivalent, which clearly states the reason for approval or rejection and includes committee members’ opinions either in the record or its appendix. The approval committee members must be responsible for their decisions.

3. The information provided for approval of credit risk-bearing decisions must be sufficient and appropriate for the scale and type of credit extension. The regulations on list of information to be used as basis for approval of credit risk-bearing decisions must be assessed by the risk management department in order to ensure credit risk management’s effectiveness.

Article 34. Credit management

1. The commercial bank/foreign bank’s branch must fulfill the following requirements while carrying out credit management:

a) There are specific regulations on responsibilities and competence of individuals and departments in creation and retention of credit records, ensuring sufficient credit records as specified in the regulations of law;

b) Disbursement is appropriate for the capital use and type of credit extension;

c) Oversight on credit extensions after disbursement must apply the following principles:

(i) Inspect loan use and implementation of other terms of the customer’s credit extension contract;

(ii) Assess factors affecting the customer’s solvency;

(iii) Carry out collateral management as specified in Article 36 of this Circular;

(iv) Monitor the repayment schedule, remind the customers of their obligation to repay by deadlines, notify the competent level in a timely manner when the customer has the risk of failure to repay or late repayment.

2. The commercial bank/foreign bank’s branch must retain credit records, information on solvency and repayment history of customers and other relevant information as specified in the regulations of law.

Article 35. Management of credit extensions requiring attention

1. The commercial bank/foreign bank’s branch must manage credit extensions requiring attention in order to implement handling measures in a timely manner.

2. Management of credit extensions requiring attention must fulfill the following requirements:

a) There are specific regulations on criteria and methods of identifying credit extensions requiring attention;

b) Step up assessment of customers’ solvency and ability to collect using security measures;

c) There are measures for handling and restructuring credit extensions requiring attention, as well as debt collection plans;

d) Step up debt monitoring, oversight and collection;

dd) Determine responsibilities of individuals and departments related to nonperforming credit extensions (if any) in order to implement appropriate measures.

Article 36. Management of collateral

The commercial bank/foreign bank’s branch must fulfill the following requirements while carrying out management of collateral:

1. Determine the types of asset that the commercial bank/foreign bank’s branch approves to be collateral, in compliance with the regulations of law.

2. Use the bank’s asset valuation method, as specified in the regulations of law on pricing, or hire a firm that has the function of price appraisal to determine each asset type’s market value, recall value and liquidation/processing period, which serve as basis for management of collateral as specified in the commercial bank’s/foreign bank’s branch’s internal regulations; determine the asset’s eligibility for deduction and deduction rate during establishment of risk provisions as specified in the State Bank’s regulations.

3. Carry out scheduled or unscheduled assessment of collateral as specified in the commercial bank’s/foreign bank’s branch’s internal regulations, and assets having higher price volatility shall be subject to more frequent assessments.

4. There are regulations on receiving and safe preservation of collateral.

Article 37. Internal credit risk reports

1. Either unscheduled or at least on a quarterly basis, the commercial bank/foreign bank’s branch shall produce internal credit risk reports as specified in Clause 2 of this Article.

2. The internal credit risk report must include at least the following contents:

a) Quality of credit extensions and credit extension portfolios by customer, industry and economic sector;

b) Credit extensions requiring attention and measures for handling them;

c) Customers, businesses and economic sectors having outstanding loan balances exceeding the credit risk limits mentioned in Point a, Clause 3, Article 29 of this Circular;

d) Value of collateral and collateral portfolios by type;

dd) The state of establishment and use of provisions for credit losses;

e) Early warning about violations against credit risk limits and restrictions;

g) Violations in credit risk management and their causes;

h) Proposals and requests about credit risk management and the levels they are submitted to;

b) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities on credit risk management.

Section 3. MARKET RISK MANAGEMENT

Article 38. Market risk management strategies and limits

1. Market risk management strategies must include at least the following contents:

a) The required risk position in the accounting book;

b) Principles of market risk management in normal conditions and in case of high volatility in security price, commodity price, exchange rate and interest rate as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

c) Principles of implementing market risk prevention measures (detailing market risk prevention instruments and competence to approve market risk prevention measures).

2. The market risk limits include at least:

a) Interest rate risk limit: interest rate risk limit for transacted product portfolio, limit for transactors, loss recovery limit, the total risk position limit in the accounting book;

b) Foreign exchange risk limit: Positive foreign exchange position limit; negative foreign exchange position limit; limit for transactors; loss recovery limit;

c) Proprietary share price limit for security companies that are commercial banks’ subsidiaries;

d) Commodity price risk limit: limit for transacted product portfolios; limit for transactors; loss recovery limit.

Article 39. Market risk measurement, monitoring and control

1. The commercial bank/foreign bank’s branch measures, monitors and controls market risk as follows:

a) The individual and division measuring, monitoring and controlling market risk must be independent from the proprietary transaction unit;

b) There are information technology infrastructure and database for market risk measurement, monitoring and control;

c) Allocate specific competence to approve, implement market risk prevention measures;

d) If the commercial bank/foreign bank’s branch employs the mark-to-model method specified in the State Bank’s regulations on capital safety ratio in commercial banks and foreign banks’ branches, the model must fulfill the following requirements:

(i) Fully assess factors affecting values of proprietary transactions and underlying assets;

(ii) Estimation is based on information and data from trusted sources. Market information and data must be independently assessed on their reliability and appropriateness as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

(iii) Subject to unscheduled or scheduled (at least on an annual basis) reviews and assessments in order to determine the model’s accuracy and limitations, so that appropriate adjustments can be made.

2. The method and model for market risk measurement and monitoring based on interest rate, exchange rate, share price and commodity price risks must fulfill the following requirements:

a) Measure and monitor the market risk position associated with each financial asset, liability and off-balance item;

b) Parameters and assumptions must be inspected and adjusted, based on comparisons between the result of the method/model and actual events.

3. Market risk control must fulfill the following conditions:

a) Give early warnings about probability of violation against market risk limit;

b) At the end of each transaction date, the commercial bank/foreign bank’s branch must assess compliance to market risk limit, based on the actual market risk position (also including market risk-prevention transactions) and adjust the market limit if necessary;

c) Adjustments to market risk limit must be timely informed to the transactor, transacting unit as well as related individuals and divisions in order to carry out proprietary transactions and market risk control for the next transaction date.

Article 40. Internal market risk reports

1. By the end of the working day, the commercial bank/foreign bank’s branch shall produce the daily report on market risk in the accounting book, including at least the following contents:

a) The total risk position of the day;

b) Discoveries made by control activities for proprietary transactions;

c) Actual and projected earnings (losses) of proprietary transactions based on market prices;

d) The day’s transaction limits and the state of employing those limits until the end of transaction date.

2. On at least a semiannual basis, the commercial bank/foreign bank’s branch shall produce internal market risk reports, which include at least the following contents:

a) The total market risk position compared to the market risk limit at the time the report is produced;

b) Results of review and assessment of methods and models for market risk measurement and monitoring (if any);

c) Actual and projected earnings (losses) of proprietary transactions based on market prices;

g) Violations in market risk management and their causes (if any);

dd) Extraordinary cases during proprietary transactions, changes to main assumptions of market risk measurement methods;

e) Proposals and requests about market risk management and the levels they are submitted to;

b) The state of compliance with requests related to market risk management and proprietary activities from internal audit, the State Bank, independent auditing firms and other relevant authorities.

Section 4. OPERATIONAL RISK MANAGEMENT

Article 41. Operational risk management strategies and limits

1. Operational risk management strategies must include at least the following contents:

a) Principles of operational risk management;

b) Principles of outsourcing, insurance purchasing and technology application;

c) Cases that require plans to sustain operations, including at least:

(i) Loss of important documents and database;

(ii) Breakdown of the information technology system;

(iii) Force majeure (war, act of God, fire, etc.)

2. The operational risk limits include at least:

a) Financial loss limit for each case mentioned in Clause 2, Article 42 of this Circular sorted by 6 business groups specified in the State Bank’s regulations on capital safety ratio in commercial banks and foreign banks’ branches;

b) Non-financial loss limits (also including prestige, reputation, legal obligations)

Article 42. Operational risk identification, measurement, monitoring and control

1. The commercial bank/foreign bank’s branch must fully identify operational risk in all of its products, business activities, business processes, information technology system and other management systems.

2. Operational risk identification shall be carried out for the following cases:

a) Internal fraud, caused by swindling and appropriating property, violation against strategies, policies and internal regulations related to at least one individual of the commercial bank/foreign bank’s branch (also including ultra vires acts, theft and abuse of internal information for one’s own gain);

b) External fraud caused by swindling and appropriating property, committed by outsiders without assistance from or collusion with the commercial bank’s/foreign bank’s branch’s individuals and departments (also including theft and forgery of bank cards and documents, breaking into the information technology in order to steal data and money);

c) Labor and workplace safety policies are not appropriate for labor contracts, the regulations of law on labor, health protection and workplace safety;

d) Involuntary violations related to customers, product provision processes and product properties while carrying out assigned customer-related functions and tasks within competence (also including violations against customer information security and anti-laundering regulations, as well as provision of products and service against regulations);

dd) Damage to or loss of property, tools and equipment due to force majeure, human factor and other events;

e) Interruption to business activities due to breakdown of the information technology system;

g) Limitations and drawbacks of transaction processes, control and management;

h) Other cases specified in the internal regulations of the commercial bank/foreign bank’s branch;

3. The commercial bank/foreign bank’s branch shall have operational risk measuring tools, using quantification of loss for cases mentioned in Clause 2 of this Article, sorted by 6 business groups specified in the State Bank’s regulations on capital safety ratio in commercial banks and foreign banks’ branches, applying at least two of the following methods:

a) Use audit findings, both internal and independent;

b) Collect and analyze internal and external loss data in order to determine loss, both internal and the whole bank system’s. 

c) Carry out operational risk control self-assessment in order to determine effectiveness of control activities for operational risk before and after control;

d) Employ business process mapping in order to determine operational risk level in each business process, the common operational risk of those processes and the relation between those risks;

dd) Use risk and performance indicators in order to monitor factors affecting operational risk and identify latent limitations, problems and losses;

e) Analyze scenarios in order to identify the sources of operational risk and set requirements for operational risk minimization and control in possible scenarios and events.

4. The commercial bank/foreign bank’s branch carries out operational risk control through control activities specified in Article 15 of this Circular as well as other measures specified in the bank’s internal regulations. If the actual loss exceeds the operational risk limit, the bank must have strengthening measures in order to control and minimize that operational risk in the future.

Article 43. Risk management for outsourcing

1. Operational risk management for outsourcing is carried out as follows:

a) Manage outsourcing as specified in Clause 2 of this Article;

b) Identify, measure, monitor and control operational risk arising from outsourcing as specified by Article 42 of this Circular.

2. Outsourcing management shall include at least:

a) Determination of outsourcing scope;

b) Allocation of competence to approve and decide in outsourcing;

c) Assessment of the contractor’s capability to fulfill the set outsourcing requirements and objectives before signing the outsourcing contract; assessment of the contractor’s capability during execution of the contract;

d) Principles of negotiating outsourcing contracts, which must be detailed, sufficient, protect the ownership and security of database, customer information and the right to end the contract; scope and scale of outsourcing, the commercial bank’s/foreign bank’s branch’s and contractor’s specific responsibilities and terms of dispute resolution;

dd) Plans to sustain outsourcing operations (formulated by the bank or the contractor), as specified in Article 46 of this Circular.

Article 44. Risk management for technology application

1. The commercial bank/commercial bank carries out risk management for application of digital, online, automatic and mobile transactions as well as other technologies (hereinafter referred to as technology application) as follows:

a) Manage technology application as specified in Clause 2 of this Article;

b) Identify, measure, monitor and control operational risk arising from technology application as specified by Article 42 of this Circular, including at least the following contents:

(i) Identify the probability of operational risk related to the internal and external networks, hardware, software, applications, transaction interfaces, operations and human factors;

(ii) Measure risks based on estimates of losses when operational risks occur in business activities;

(iii) Monitor and assess the operational sustainability in the face of operational risk in technology application;

(iv) Control and implement measures for minimization of operational risk in technology application (if necessary) in order to ensure that the operational risk is not exceeded.

2. The commercial bank/foreign bank’s branch must fulfill the following requirements while carrying out technology application:

a) There are regulations on management of technology application, including at least the following:

(i) The information technology system’s and database’s minimum scope of technology application management;

(ii) Tasks, responsibilities and powers of individuals and departments managing technology application;

(iii) Efficient management in case of breakdown or change of technology;

(iv) The verification system that ensures customers’ information security, safety of transactions and the information technology system;

b) Compliance with the State Bank’s regulations on digital transactions in banking; safety and security of the information technology system for provision of online banking services as well as other regulations of law.

Article 45. Insurance for minimization of loss coming from operational risk

1. The commercial bank/foreign bank’s branch is allowed to purchase insurance for minimization of loss coming from operational risk as specified in the regulations of law, suitable for the bank’s financial capabilities and loss recovery.

2. The commercial bank/foreign bank’s branch that does not purchase insurance for the aforementioned purpose must assess the effectiveness of the minimization of losses coming from operational risk, assess the insurance provider’s capability in executing insurance contracts as well as other new risks (if any).

Article 46. Plans to sustain operations

1. The commercial bank/foreign bank’s branch must have plans to sustain operations for the cases specified in Point c, Clause 1, Article 41 of this Circular.

2. The plan to sustain operations must at least fulfill the following requirements:

a) Suitable for the commercial bank’s/foreign bank’s branch’s properties and operational scope;

b) There are backup systems for human resources, information technology system and database;

c) There are measures for minimizing loss coming from disruption;

d) Be able to restore disrupted business activities back to the normal state within the requested time limit;

dd) Be reviewed and tested at least on an annual basis in order to determine the effectiveness of the plan to sustain operations and make adjustments if necessary.

Article 47. Internal operational risk reports

1. Either unscheduled or at least on a semiannual basis, the commercial bank/foreign bank’s branch shall produce internal operational risk reports as specified in Clause 2 of this Article.

2. The internal operational risk report must include at least the following contents:

a) The state of implementing operational risk management and compliance with operational risk limit;

b) Operational risks that arose during the reporting period and their causes;

c) Loss caused by operational risk, sorted by 6 business groups specified in the State Bank’s regulations on capital safety ratio in commercial banks and foreign banks’ branches, alongside measures for loss recovery and sustaining operations (if any);

d) External events and factors influencing the commercial bank’s/foreign bank’s branch’s operational risk;

dd) Changes to methods of operational risk measurement;

e) The state of outsourcing and its operational risk management;

g) Changes to technology application (if any) and the state of its operational risk management;

h) Proposals and requests about operational risk management;

b) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities about operational risk management.

Section 5. LIQUIDITY RISK MANAGEMENT

Article 48. Liquidity risk management’s requirements, strategies and limits

1. Liquidity risk management must fulfill at least the following requirements:

a) Maintain sufficient high-liquidity assets in order to meet the commercial bank’s/foreign bank’s branch’s liquidity needs in both business-as-usual and liquidity stress scenarios (also including determination of losses and costs of meeting liquidity in the market);

b) Carry out liquidity management as specified in Article 49 of this Circular;

c) Be able to determine costs of meeting liquidity needs and liquidity risk in internal capital pricing, assessing results of material business activities (applied to both on- and off-balance items).

2. Liquidity risk management strategies must include at least the following contents:

a) Principles of liquidity management;

b) Strategies to diversify sources and terms of mobilized capital in order to increase stability of liabilities and support daily liquidity;

c) Principles of liquidity stress test.

3. Liquidity risk limits include:

a) Risk limits for ensuring the regulations of law on solvency ratio, loan-to-deposit ratio and medium and long-term loan on short-term capital ratio;

b) Other limits specified in the internal regulations of the commercial bank/foreign bank’s branch;

Article 49. Liquidity management

1. The commercial bank/foreign bank’s branch manages liquidity for:

a) The commercial bank alongside its branches and other affiliates, the foreign bank’s branch;

b) Vietnamese Dong and foreign currencies (at least US Dollar, also including other currencies converted to USD).

2. Liquidity risk management must include at least the following contents:

a) Manage liquidity within the day by monitoring that day’s liquidity, identifying sources of capital as well as the ability to mobilize those sources to maintain the day’s liquidity, forecasting events that can drastically change such liquidity and propose handling measures;

b) Manage high-liquidity assets, based on market values, and their convertibility to cash for meeting liquidity requirements in both normal conditions and a low-liquidity market;

c) Manage sources of mobilized capital by keeping statistics on the average demand deposit balance in a timespan of at least 30 days, core deposit balance and other indices for mobilized sources of capital as specified in the commercial bank’s/foreign bank’s branch’s internal regulations;

d) Manage the cash flow by creating a term chart for the following day and specific timeframes (1 week, 1 month, 3 months, 6 months and 1 year) to determine the cash flow gap by comparing the inflows and outflows, in compliance with the State Bank’s regulations on prudential limits and ratios for commercial bank’s/foreign bank’s branch’s operations and other liquidity ratios specified in the bank’s internal regulations;

dd) Manage liquidity sources by assessing those sources’ accessibility in order to meet future liquidity needs in both normal conditions and a low-liquidity market.

Article 50. Liquidity risk identification, measurement, monitoring and control

1. Liquidity risk identification must fulfill the following requirements:

a) Carried out based on analysis of liquidity needs, liquidity source of each business activity, Asset-Liability structure, on- and off-balance cash flows and liquidity’s accessibility in the market;

b) Identify liquidity risk coming from credit risk, market risk, operational risk, reputational risk, etc.

2. Measuring and monitoring liquidity must at least fulfill the following requirements:

a) There are appropriate tools for liquidity measurement, which includes at least the following:

(i) Future cash flows of both assets and liabilities;

(ii) Extraordinary liquidity needs and cases that require fulfilling off-balance obligations;

(iii) Transaction currency;

(iv) Activities of the bank’s agencies, deposits and payments;

b) Monitor the compliance with solvency ratio, loan-to-deposit ratio, medium and long-term loan on short-term capital ratio and other liquidity ratios (if any).

3. Liquidity risk control must ensure that:

a) The liquidity risk position complies with liquidity risk limits;

b) There are criteria for early warning about liquidity risk so that there are measures for handling temporary and long-term lack of liquidity.

Article 51. Liquidity stress tests

1. The commercial bank/foreign bank’s branch must have methods for calculating the impact of assumptions in order to assess the ability to fulfill obligations and commitments, as well as compliance to liquidity risk limits. Assumptions and methods for calculating the impact of assumptions on liquidity must be reviewed and assessed on their suitability.

2. The stress scenario mentioned in Point a, Clause 2, Article 28 of this Circular must have at least assumptions about deposits and credit quality.

3. The backup plan mentioned in Point b, Clause 3, Article 28 of this Circular must at least have the following contents: expected measures for handling sources of capital, capital use and future cash flows, fulfilling the requirements specified in Clause 1 of this Article.

Article 52. Internal liquidity risk reports

1. Either unscheduled or at least on a quarterly basis, the commercial bank/foreign bank’s branch shall produce internal liquidity risk reports specified in Clause 2 of this Article.

2. The internal liquidity risk report must include at least the following contents:

a) Appraisal of the commercial bank’s/foreign bank’s branch’s credit rating and the market’s state of liquidity;

b) The structure of the balance sheet; new capital-mobilizing products; depositors; deposit terms and interest rates;

c) Liquidity sources, cash flow gaps, terms of capital, state of compliance with liquidity risk limits;

d) Results of liquidity stress tests (if any) in the reporting period;

dd) Proposals and requests about liquidity risk management and the levels they are submitted to;

e) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities on liquidity risk management.

Section 6. CONCENTRATION RISK MANAGEMENT

Article 53. Concentration risk management strategies and limits

1. Concentration risk management strategies shall be at least applied to:

a) Credit extensions;

b) Proprietary transactions.

2. Concentration risk management strategies must include at least the following contents:

a) In the case of credit extensions:

(i) Principles of determining credit concentration limits, sorted by credit product, customer, industry and economic sector;

(ii) Criteria for identifying a customer’s affiliated person, in accordance with the regulations of law;

(iii) Principles of determining diversibility and degree of interaction between credit products, industries and economic sector;

b) In the case of proprietary transactions:

(i) Principles of determining proprietary transaction concentration limits, sorted by transaction partner, transaction product and type of currency;

(ii) Criteria for determining proprietary transaction portfolios in order to impose proprietary transaction concentration limits, ensuring diversibility and degree of interaction as specified in the commercial bank’s/foreign bank’s branch’s regulations.

3. The concentration risk limits include at least:

a) In the case of credit extensions:

(i) Credit extension limit for one customer, or customer and affiliated person compared to the total loan balance;

(ii) Credit concentration limits for credit products, industries and economic sectors, based on the ratios of those entities’ loan balances to the total loan balance;

b) In the case of proprietary transactions: transaction concentration limits for transaction partners, transaction products and types of currency based on the ratios of those entities’ balances on the total proprietary transaction balance.

Article 54. Concentration risk identification, measurement and control

1. The commercial bank/foreign bank’s branch must identify concentration risk at least in credit extensions and proprietary transactions, including:

a) The commercial bank’s/foreign bank’s branch’s on- and off-balance items;

b) Unaccounted items specified in the regulations of law on accounting.

2. The commercial bank/foreign bank’s branch measures concentration risk based on assessment of each concentration risk-bearing credit extension’s and proprietary transaction’s influence on income.

3. The commercial bank/foreign bank’s branch shall control concentration risk as follows:

a) Monitor and check credit balance and proprietary transaction balance by concentration risk limits; give early warning about balances and transactions that nearly exceed the concentration risk limits;

b) Implement measures for handling cases that exceed the concentration risk limits in a timely manner.

Article 55. Internal concentration risk reports

1. Either unscheduled or at least on a semiannual basis, the commercial bank/foreign bank’s branch shall produce internal concentration risk reports specified in Clause 2 of this Article.

2. The internal concentration risk report must include at least the following contents:

a) Credit structure sorted by credit product, customer, industry and economic sector;

b) Proprietary transaction portfolio structure sorted by transaction partner, customer, industry and economic sector;

c) The state of imposition of concentration risk limits; reasons for exceeding such risks (if any);

d) Proposals and requests about concentration risk management and the levels they are submitted to;

dd) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities about concentration risk management.

Section 7. MANAGEMENT OF INTEREST RATE RISK IN THE BANKING BOOK (IRRBB)

Article 56. IRRBB management strategies and limits

1. IRRBB management strategies must include at least the following contents:

a) Principles of IRRBB management, which employ at least the following indices:

(i) Repricing gap profile: the difference between the values of interest-bearing financial assets and interest-bearing financial liabilities at the time of new interest rate or repricing;

(ii) At least one of the following indices shall be employed to measure the influence of change in interest rate:

- Change in Net Interest Income - ΔNII: caused by change in interest rates of financial assets and liabilities, as well as interest-bearing off-balance sheet items;

- Change in Economic Value of Equity - ΔEVE: change in net value of income from financial assets and expense from financial liabilities when change in interest rate occurs;

b) Principles of using IRRBB prevention tools (including competence to approve those tools).

2. IRRBB risk limits must include at least:

a) The limit on difference between the values of main interest-bearing financial assets and main interest-bearing financial liabilities with the same time of new interest rate or repricing;

b) The limit on change in net interest income and/or change in economic value of equity caused by change in interest rate according to the IRRBB management strategies.

Article 57. IRRBB identification, measurement, monitoring and control

1. The commercial bank/foreign bank’s branch shall identify, measure, monitor and control IRRBB in accordance with the following requirements:

a) There are processes of IRRBB identification, measurement, monitoring and control, both unscheduled and scheduled (at least on a quarterly basis), as specified in the commercial bank’s/foreign bank’s branch’s internal regulations.

b) Departments responsible for IRRBB identification, measurement, monitoring and control must be independent from business departments that generate IRRBB;

c) There are information technology infrastructure and database in order to measure, monitor, control and produce internal reports on IRRBB.

2. In order to identify IRRBB, its cause must be determined (also including risk arising from IRRBB prevention activities).

3. IRRBB measurement and monitoring must fulfill the following requirements:

a) Keep track of the times for new interest rate assignment and repricing of the financial assets and liabilities;

b) There are IRRBB measurement methods in compliance with the IRRBB management principles specified in Point a, Clause 1, Article 56 of this Circular and based on capital stress tests specified in Article 60 of this Circular;

c) Carry out measurements on interest-bearing items, both on- and off-balance sheets, items accounted in Vietnamese Dong or foreign currency whose value is at least 5% of the commercial bank’s/foreign bank’s branch’s total assets;

d) Keep track of the times for new interest rate assignment and repricing of the financial assets and liabilities. If the maturity or the time for new interest rate assignment cannot be identified, the commercial bank/foreign bank’s branch can use assumptions, which must be approved beforehand by the competent level as specified in the bank’s internal regulations.

4. IRRBB control must fulfill the following requirements:

a) The position of IRRBB complies with the IRRBB limits;

b) There are early warnings about cases that nearly exceed the IRRBB limits and measures for handling cases that exceed those limits in a timely manner.

Article 58. Internal IRRBB reports

1. Either unscheduled or at least on a quarterly basis, the commercial bank/foreign bank’s branch shall produce internal IRRBB reports specified in Clause 2 of this Article.

2. The internal IRRBB report must include at least the following contents:

a) The interest rate gap, change in net interest income and change in economic value of equity (if available);

b) The state of compliance with IRRBB limits;

c) IRRBB prevention tools and the results of their implementation;

d) Proposals and requests about IRRBB management and the levels they are submitted to;

dd) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities about IRRBB management.

Chapter V

INTERNAL CAPITAL ADEQUACY ASSESSMENT

Article 59. Requirements for and contents of internal capital adequacy assessment

1. Internal capital adequacy assessment must:

a) Comply with the State Bank’s regulations on capital safety ratio;

b) Maintain the capital safety ratio target in both business-as-usual and stress scenarios;

c) Be suitable for the risk appetite and based on the developments of material risks;

d) Be used as basis for formulating and adjusting the commercial bank’s/foreign bank’s branch’s business plans;

dd) Be carried out at least on an annual basis, and also unscheduled when there are changes to the business environment, factors affecting risks and sources of capital that cause failure to meet the risk appetite’s capital criteria.

2. The commercial bank/foreign bank’s branch carries out internal capital adequacy assessment for between 3 and 5 years, involving the following steps:

a) Measure material risks and determine economic capital in accordance with the business plan, as specified in the guidelines provided by Appendix 3 issued together with this Article;

b) Conduct capital stress tests in order to determine economic capital in stress scenarios;

c) Determine the capital target and own capital as specified in the guidelines provided by Appendix 3 issued together with this Article;

d) Formulate capital plans;

dd) Oversee capital adequacy in order to manage capital in accordance with the capital target and make adjustments to the plan if necessary;

e) Review the process of internal capital adequacy assessment.

Article 60. Capital tress tests

1.The commercial bank/foreign bank s branch shall create stress scenarios as specified in Point a, Clause 2, Article 28 of this Circular, which include at least assumptions on interest rate, exchange rate and credit quality. There must be methods for calculating those assumptions’ influence on the capital safety ratio, as detailed below:

a) For interest rate assumptions: Calculate the influence on capital safety ratio, based on the respective change in total asset calculated from operational risk, market risk (interest rate risk), IRRBB according to the interest rate assumption;

b) For exchange rate assumptions: Calculate the influence on capital safety ratio, based on the respective change in total asset calculated from operational risk, market risk (exchange rate risk) according to the interest rate assumption;

c) For credit quality assumptions: Calculate the influence on capital safety ratio, based on the respective change in total asset calculated from operational risk, credit risk according to the credit quality assumption;

2. Assumptions and calculations of their influences on the capital safety ratio mentioned in Clause 1 of this Article must be reviewed and self-assessed on suitability for the commercial bank’s/foreign bank’s branch’s internal regulations.

Article 61. Formulation of capital plans

1. The commercial bank/foreign bank’s branch must formulate capital plans, which at least include the following contents:

a) The plan to raise capital when own capital fails to meet capital target, in particular:

(i) Sources for raising 1st- and 2nd-tier capital which are achievable and compliant with the regulations of law;

(ii) Timeframe and roadmap to carry out the capital-raising plan;

b) Policies on dividends and profit sharing, ensuring that the target capital is met when own capital is expected to meet the capital target;

c) Allocation of capital target by total assets calculated from risk for material risks in order to serve as basis for determination of risk limits;

d) Early-warning limits for monitoring and overseeing the compliance with total assets calculated from allocated risks so that measures can be implemented in a timely manner.

2. The commercial bank’s capital plans are approved by the Board of Directors/Members’ Council at the request of the Director General (Director). The foreign bank’s branch’s capital plans are carried out as specified in the parent bank’s regulations.

Article 62. Internal capital adequacy assessment process review

1. The internal capital adequacy assessment process must be reviewed at least on an annual basis (or unscheduled) by a department independent from the department creating and implementing that process.

2. Internal capital adequacy assessment process review must include at least the following contents:

a) The logicality of the internal regulations on internal capital adequacy assessment (also including organizational structure, functions and tasks of individuals and departments);

b) The risk appetite’s compatibility with business plans and total assets calculated from risk’s compatibility with risk limits;

c) Data’s inaccuracy and sufficiency;

d) Logicality of assumptions used in capital stress test scenarios;

dd) Feasibility of capital-raising plans;

e) Proposals submitted to the competent level for internal capital adequacy assessment (if any).

Article 63. Internal reports on internal capital adequacy assessment

1. On an annual basis, the commercial bank/foreign bank’s branch shall produce internal reports on internal capital adequacy assessment as specified in Clause 2 of this Article.

2. The internal report on internal capital adequacy assessment must include at least the following contents:

a) Capital target, economic capital;

b) Capital stress test results;

c) Capital plan;

d) Capital allocation results;

dd) The results of the internal capital adequacy assessment process review specified in Article 62 of this Circular;

e) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities about internal capital adequacy assessment.

Chapter VI

INTERNAL AUDIT

Article 64. Principles of internal audit

1. The principles of internal audit are:

a) Independence:

(i) The internal auditor and internal audit department must not undertake the tasks of individuals and departments belonging to the first and second lines of defense;

(ii) Internal audit must not be subject to control and intervention from individuals and departments belonging to the first and second lines of defense;

(iii) An internal auditor must not audit:

- Internal regulations on and plans for internal audit which are formulated by that internal auditor;

- The unit/department whose head is related to that internal auditor;

- Activities or departments which that internal auditor carried out or was in charge of, within 3 years after the auditor’s involvement with those activities or departments ended;

(iv) The criteria for creating pay levels of the Chief Internal Auditor and internal auditors must be separated from the business and operational results of the units and departments belonging to the first and second lines of defense;

b) Impartiality:

(i) Findings in the internal audit report must be carefully analyzed, based on collected data and information;

(ii) The internal auditor must be honest in reporting and assessment during the internal audit process;

(iii) The internal auditor has the right and duty to notify the competent level of problems related to impartiality during the internal audit process;

c) Professionalism:

(i) The internal audit department shall have at least one internal auditor for auditing information technology and application of technology (hereinafter referred to as technology auditor);

(ii) The internal auditor must meet the requirements specified in Article 66 of this Circular.

2. Internal audit must have measures for inspection of compliance with the principles mentioned in Clause 1 of this Article during internal audit processes (also including producing and submitting internal audit reports). The Chief Internal Auditor shall punctually notify the Control Board of violations or risks of violation against the principles mentioned in Clause 1 of this Article.

Article 65. Mechanisms for cooperation

1. The commercial bank must have mechanisms for cooperation between:

a) The Board of Directors/Members’ Council and the Control Board, internal audit department as specified in Clause 2 of this Article;

b) The Director General (Director), departments belonging to the first and second lines of defense and the Control Board, internal audit department as specified in Clause 3 of this Article;

2. The mechanism for cooperation between the Board of Directors/Members’ Council and the Control Board, internal audit department of the commercial bank must ensure that:

a) The Board of Directors/Members’ Council cooperate with the internal audit department during internal audit for senior management oversight on the Board of Directors/Members’ Council;

b) The Board of Directors/Members’ Council carry out the Control Board’s requests to the Board of Directors/Members’ Council in the internal audit reports (if any) and notify the Control Board of the results of those requests’ fulfillment.

3. The mechanism for cooperation between the Director General (Director), departments belonging to the first and second lines of defense and the Control Board, internal audit department must ensure that:

a) The Director General (Director):

(i) Cooperates with the internal audit department during internal audit for senior management oversight on the Director General (Director);

(ii) Directs the risk management department and related departments to provide sufficient information on risks so that the internal audit department can formulate internal auditing plans;

(iii) Receives internal reports on internal audit, organizes fulfillment of the Control Board’s request to the Director General (Director) in the internal audit reports (if any) and notifies the Control Board of the fulfillment’s results;

b) The departments belonging to the first and second line of defense:

(i) Provide sufficient, authentic, accurate information, documents and records upon request of the internal audit department during the internal audit process;

(ii) Notify the internal audit department of problems, violations, losses or risks of loss in a timely manner;

(iii) Facilitate the internal audit department’s internal auditing work.

4. The foreign bank’s branch must have a mechanism for cooperation between the Director General (Director) and the bank’s internal audit department.

Article 66. Standards of Control Board members and internal auditors

1. The commercial bank’s Control Board members must fulfill all standards and requirements specified in the Law on Credit Institutions.

2. The commercial bank must have standards of internal auditors, which include the following:

a) Bachelor degree (or above) in one of the following disciplines: economics, business administration, law or accounting; bachelor degree (or above) in information technology or any other discipline that is suitable for technology accounting;

b) At least two years of experience in working directly in the banking, financial, accounting or audit industry in the case of internal auditors, and three years in the case of Chief Internal Auditors; at least two years of experience in working in the information technology industry in the case of technology auditors.

3. The foreign bank’s branch’s standards of internal auditors shall be in accordance with the parent bank’s regulations.

Article 67. Work ethics of Control Board members and internal auditors

1. The work ethics of Control Board Members and internal auditors (also including the Chief Internal Auditor and other positions in the internal audit department) of the commercial bank must at least include the following principles:

a) Integrity: work in a straightforward and honest manner;

b) Impartiality: carry out the assigned tasks impartially, assess fairly, not out of his/her own or anyone else’s interest;

c) Security: comply with the regulations of law and the commercial bank’s/foreign bank’s branch’s internal regulations on information security;

d) Responsibility: carry out the assigned tasks in a timely manner and with quality;

dd) Prudence: carry out the assigned tasks with prudence and take the following factors into consideration:

(i) Complexity and importance of the internal audit’s subject;

(ii) Probability of serious errors during the internal audit process.

2. The foreign bank’s branch’s work ethics of internal auditors shall be in accordance with the parent bank’s regulations.

Article 68. Organizational structure, tasks, powers and responsibilities of the internal audit department

1. The organizational structure, tasks, powers and responsibilities of the internal audit department are decided by the Control Board as specified in the Law on Credit Institutions and this Circular.

2. The tasks of the commercial bank’s internal audit department include at least the following:

a) Carry out internal audit for the headquarters, branches and other affiliates of the commercial bank;

b) Create, review and submit to the Control Board for promulgation and amendment:

(i) Work ethics of Control Board members and internal auditors mentioned in Clause 1, Article 67 of this Circular;

(ii) The Control Board’s internal regulations;

(iii) Internal audit plans;

c) Monitor and assess fulfillment of the Control Board’s requests for the Board of Directors, Members’ Council, Director General (Director), individuals and divisions;

d) Fulfill requests of the State Bank, independent auditing firms and other relevant authorities about internal audit;

dd) Produce internal audit reports as specified in Point d, Clause 2, Article 7 and Article 72 of this Circular.

3. The powers of the commercial bank’s internal audit department include at least the following:

a) Be provided with necessary resources (manpower, finance, assets and other tools);

b) Be provided with information, documents and records which are necessary for internal auditing work, also including meeting records and documents of the Board of Directors, Members’ Council and Director General (Director);

c) Interview individuals about contents related to internal audit; request the competent level (as specified in the commercial bank’s internal regulations) for action against any uncooperative individual or department during the internal audit process;

d) Participate in internal meetings as specified in the Statutes and internal regulations of the commercial bank.

4. The responsibilities of the commercial bank’s internal audit department and internal auditors include at least the following:

a) Secure documents and information as specified by the regulations of law and the commercial bank’s internal regulations;

b) Answer to the Control Board about the assigned tasks;

c) The internal auditor takes legal responsibility for and answers to the Chief Internal Auditor about the assigned auditing tasks.

5. The organizational structure, tasks, powers and responsibilities of the foreign bank’s branch’s internal audit department and internal auditors shall be in accordance with the parent bank’s regulations.

Article 69. Internal regulations of internal audit

The internal regulations of the commercial bank’s Control Board must have at least the following contents regarding internal audit:

1. The internal audit department’s organizational structure, tasks and powers, as specified in Article 68 of this Circular; standards of Control Board members and internal auditors, as specified in Article 66 of this Circular; work ethics of Control Board members and internal auditors, as specified in Article 67 of this Circular.

2. Criteria for determining risk level and material level alongside internal audit frequency of activities, processes and departments, as specified in Point a and b, Clause 2, Article 70 of this Circular; internal audit contents, as specified in Article 71 of this Circular.

3. The internal audit plan formulation and implementation processes.

4. Review and assessment of internal audit regulations; handling of requests from the State Bank, independent auditing firms and other relevant authorities on internal audit.

5. Regulations on hiring external specialists and firms for internal audit.

6. Regulations on internal reports on internal audit, as specified in Article 72 of this Circular.

Article 70. Internal audit plans

1. The commercial bank’s internal audit is carried out both unscheduled and on an annual basis, as specified in the Control Board’s internal regulations.

2. The commercial bank’s annual internal audit plans are issued by the Control Board upon the Chief Internal Auditor’s request after consulting the Board of Directors/Members’ Council and the Director General (Director). Formulation of the internal audit must fulfill the following requirements:

a) Principles of orientation based on risk: Activities, processes and departments must be assessed on risk level (high, medium and low) as specified in the Control Board’s internal regulations. Resources shall be concentrated on high-risk activities, processes and departments, with audits being prioritized on them and carried out at least once a year;

b) Comprehensiveness: All activities, processes and departments must be internally audited. Activities, processes and departments with material level specified in the Control Board’s regulations must be audited at least once a year;

c) There are reserves of resources and time for unscheduled internal audits;

d) The annual audit plan must be adjusted when there are material changes in the scale of operation, risk position or internal audit resources as specified by the Control Board’s internal regulations.

3. The commercial bank’s annual internal audit plan must be issued before December 15 of the previous year and include: scope, subject, objectives, time and resources (also including hiring external specialists and firms) of internal audit alongside other contents specified by the bank.

4. The foreign bank’s branch’s internal audit plans shall be decided by the parent bank.

5. Within 10 days from the date of issue or amendment, the commercial bank/foreign bank’s branch shall submit its internal audit plan to the State Bank (the Bank Inspection and Oversight Authority).

Article 71. Internal audit contents

1. The commercial bank’s internal audit is carried out in accordance with Clause 2, Article 41 of the Law on Credit Institutions and has the following contents:

a) Independent inspection and assessment of compliance with mechanisms, policies, internal regulations on senior management oversight, internal control, risk management and internal capital adequacy assessment of the Board of Directors, Members’ Council, Director General (Director), individuals and departments, also including identification of problems, limitation and their causes;

b) Independent review and assessment of suitability and compliance with the regulations of law of mechanisms, policies, internal regulations on senior management oversight, internal control, risk management and internal capital adequacy assessment, also including identification of problems, limitation and their causes;

c) Proposals and requests to the competent levels and relevant departments for addressing problems and limitations;

d) Other contents specified in the internal audit department’s internal regulations.

2. The foreign bank’s branch’s internal audit contents shall be in accordance with the parent bank’s regulations.

Article 72. Internal reports on internal audit

1. The commercial bank must report internal audit results as specified in Clause 2 of this Article and report self-assessment of internal audit results as specified in Clause 3 of this Article, specifically:

a) After the end of internal audit, the internal audit department presents the report on internal audit results to the commercial bank’s Control Board for approval and submission to the Board of Directors, Members’ Council and Director General (Director) as specified in the Control Board’s internal regulations;

b) Within 30 days from the previous fiscal year’s last date, the internal audit department presents the report on self-assessment of internal audit results to the Control Board, as specified in the Control Board’s internal regulations.

2. The contents of the report on internal audit results (both annual and unscheduled) include the following:

a) The state of audit scope’s and contents’ implementation in the fiscal year;

b) Compliance with mechanisms, policies, internal regulations on senior management oversight, internal control, risk management and internal capital adequacy assessment of the Board of Directors, Members’ Council, Director General (Director), individuals and departments;

c) Suitability and compliance with the regulations of law of mechanisms, policies, internal regulations on senior management oversight, internal control, risk management and internal capital adequacy assessment;

d) Problems and limitations discovered during internal audit and requests to competent levels and relevant departments;

dd) Other contents.

3. The report on self-assessment of internal audit results shall have the following contents:

a) Assessment of internal audit execution results in the reporting year; review and reassessment (including amendment suggestions) of the Control Board’s internal regulations; proposals and requests (if any);

b) The state of fulfillment of the Board of Directors’, Members’ Council’s, Director General’s (Director’s), individuals’ and departments’ requests about internal audit in the reporting year;

c) The state of fulfillment of the State Bank’s, independent auditing firms’ and other relevant authorities’ requests about internal audit in the reporting year;

d) Other contents.

4. The foreign bank’s branch’s contents of internal reports on internal audit shall be in accordance with the parent bank’s regulations.

Chapter VII

IMPLEMENTATION PROVISIONS

Article 73. Effect

1. This Circular takes effect on January 01, 2019 except Clause 2 of this Article.

2. The commercial bank and foreign bank’s branch shall implement the regulations on internal capital adequacy assessment mentioned in Chapter V of this Circular from January 1, 2021.

3. Amend a number of Articles of the State Bank Governor’s Circular No. 44/2011/TT-NHNN dated December 29, 2011 providing for internal control system and internal auditing of credit institutions and foreign bank branches as follows:

a) Article 1 shall be changed to:

“This Circular regulates internal control and internal audit systems of credit institutions (except commercial banks and foreign banks’ branches)”.

b) Change the phrase “credit institutions/foreign banks’ branches” to “credit institutions” in the State Bank Governor’s Circular No. 44/2011/TT-NHNN dated December 29, 2011 providing for internal control system and internal auditing of credit institutions and foreign bank branches.

Article 74. Implementation provisions

The Chief of Office, Chief Bank Inspector and Overseer, heads of units affiliated with the State Bank; Directors of the State Bank’s provincial branches; commercial banks and foreign banks’ branches’ Chairpersons of the Board of Directors and Members’ Councils and Director Generals (Directors) have the responsibility to organize implementation of this Circular./.

For the Governor

The Deputy Governor

Nguyen Dong Tien.
