Circular 70/2022/TT-BTC risk management, internal control, internal audit of insurance enterprises

CIRCULAR

Providing for risk management, internal control and internal audit of insurance enterprises, reinsurance enterprises, branches of foreign non-life insurance enterprises, and branches of foreign reinsurance enterprises^[1]

Pursuant to the June 16, 2022 Law on Insurance Business;

Pursuant to the June 17, 2020 Law on Enterprises;

Pursuant to the Government’s Decree No. 87/2017/ND-CP of July 26, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Finance;

At the proposal of the Director of the Insurance Supervisory Authority;

The Minister of Finance promulgates the Circular providing for risk management, internal control and internal audit of insurance enterprises, reinsurance enterprises, branches of foreign non-life insurance enterprises, and branches of foreign reinsurance enterprises.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Circular specifies Article 84, Article 85 and Clauses 1 and 2, Article 86 of the Law on Insurance Business.

Article 2. Subjects of application

1. Life insurance enterprises, non-life insurance enterprises and health insurance enterprises (below referred to as insurance enterprises), and reinsurance enterprises.

2. Branches of foreign non-life insurance enterprises and branches of foreign reinsurance enterprises (below referred to as foreign branches).

3. Organizations and individuals involved in risk management, internal control and internal audit of insurance enterprises, reinsurance enterprises and foreign branches.

Article 3. Interpretation of terms

In this Circular, the terms below shall be construed as follows:

1. Parent company of a foreign branch is a foreign non-life insurance enterprise or a foreign reinsurance enterprise with a branch in Vietnam.

2. Risk is the possibility of loss (financial loss and non-financial loss) that reduces income and equity, leading to a decrease in capital adequacy ratio or limiting the ability to achieve business objectives of insurance enterprises, reinsurance enterprises and foreign branches.

3. Risk appetite is the ability that an insurance enterprise, a reinsurance enterprise or a foreign branch is willing to accept different types of risks and the level of each type of risk in line with business strategies and financial capacity of the insurance enterprise, reinsurance enterprise or foreign branch.

4. Risk limit is the threshold of each type of risk that an individual or a division of an insurance enterprise, a reinsurance enterprise or a foreign branch can undertake at each time and for each business process.

5. Material risks include groups of insurance risks, market risks, operational risks, counterparty risks and other risks assessed by insurance enterprises, reinsurance enterprises and foreign branches as having a material impact on financial prudence  and operational efficiency of insurance enterprises, reinsurance enterprises and foreign branches.

6. Insurance risks are risks arising from fluctuations in technical factors related to insurance actuary and technical reserves, including:

a/ Actuarial risk: The establishment of inappropriate actuarial assumptions results in the calculated premiums being insufficient to cover the insurance benefits committed during the term of insurance contracts and offset operating expenses of insurance enterprises, reinsurance enterprises and foreign branches. Actuarial assumptions include: mortality risk ratio, longevity risk ratio, indemnity rate, expense ratio, investment rate, and contract cancellation rate, and other assumptions used in actuarial models;

b/ Claims reserve risk for non-life insurance: The claims reserves are insufficient to pay indemnities for the liability portion of non-life insurance enterprises or branches of foreign non-life insurance enterprises;

c/ Disaster risk: The risk occurs when the actual indemnity rate is high, exceeding the actuarial assumptions due to epidemics or disasters.

7. Market risks are risks arising from the investment market for investment and business activities of insurance enterprises, reinsurance enterprises and foreign branches, including:

a/ Risks related to adverse fluctuations of interest rates in the market for the value of valuable papers, interest-bearing financial instruments, derivatives, and investment assets of insurance enterprises, reinsurance enterprises and foreign branches;

b/ Risks related to adverse fluctuations in exchange rates in the market concerning assumption of reinsurance, retrocession and foreign investment;

c/ Risks related to adverse fluctuations of stock prices in the market to the value of stocks or value of derivative securities of insurance enterprises, reinsurance enterprises and foreign branches;

d/ Disproportionate risks regarding the term of investment assets and liability commitments in insurance contracts of insurance enterprises, reinsurance enterprises and foreign branches.

8. Operational risks are risks arising from the establishment and implementation of operational processes of insurance enterprises, reinsurance enterprises and foreign branches, including:

a/ Risks related to inadequacy of, and non-compliance with, established internal regulations and business processes of insurance enterprises, reinsurance enterprises and foreign branches;

b/ Legal risks;

c/ Risks related to inadequacy and inappropriateness of established provisions on underwriting activities, leading to an increase in the proportion of high-risk insurance participants;

d/ Risks related to the unsuitability of designed insurance benefits to the market;

dd/ Risks related to employee and workplace safety policies;

e/ Risks related to the outsourced activities failing to meet quality requirements or outsourced partners failing to perform the obligations under the outsourcing contracts;

g/ Risks related to information technology systems, confidentiality of personal data and cyber security;

h/ Risks related to business interruption;

i/ Fraud risks;

k/ Other risks related to the operation of insurance enterprises, reinsurance enterprises and foreign branches.

9. Counterparty risk is the risk related to the counterparty’s failure to fulfill payment commitments for investment activities and reinsurance activities of insurance enterprises, reinsurance enterprises and foreign branches.

10. Liquidity risk is the risk that an insurance enterprise, a reinsurance enterprise or a foreign branch does not have enough money to pay for its due payables.

11. Risk management is the identification, measurement, monitoring and control of risks in the operation of insurance enterprises, reinsurance enterprises and foreign branches.

12. Risk management culture is the cultural value of an insurance enterprise, a reinsurance enterprise or a foreign branch, demonstrating the unified awareness about the importance of risk management activities of the Board of Directors, Members’ Council, General Director (Director) and individuals and divisions in the insurance enterprise, reinsurance enterprise or foreign branch.

Chapter II

SPECIFIC PROVISIONS

Section 1

RISK MANAGEMENT

Article 4. Organization of risk management

1. Every insurance enterprise, reinsurance enterprise and foreign branch shall organize risk management with 3 independent lines of defense as follows:

a/ First line of defense: professional divisions, which are the divisions that directly identify, receive, assess, control, report on, and monitor risks arising in business activities;

b/ Second line of defense: risk management division, compliance control division and other divisions with the function of controlling risks for the operation of divisions of the first line of defense;

c/ Third line of defense: internal audit division.

2. Depending on the size, conditions and complexity of its business activities, an insurance enterprise, a reinsurance enterprise or a foreign branch shall formulate the organizational structure of the second line of defense, ensuring that the following tasks are fully completed:

a/ Advising the General Director (Director) in issuing internal regulations on risk management;

b/ Coordinating with professional divisions of the first line of defense in identifying and monitoring arising material risks;

c/ Developing and using risk assessment and measurement models to warn and early identify risks and dangers of violating risk limits; proposing measures for controlling, preventing and mitigating risks (if any);

d/ Developing scenarios to test the stress of the insurance enterprise, reinsurance enterprise or foreign branch;

dd/ Reporting on a quarterly, annual and unscheduled basis to the General Director (Director) on the risk management situation of the insurance enterprise, reinsurance enterprise or foreign branch; promptly reporting to the Board of Directors or Members’ Council of the insurance enterprise or reinsurance enterprise or to the parent company of the foreign branch in case of detecting risks that are likely to seriously affect financial prudence and operational efficiency. A quarterly report must be sent within 30 days after the end of the quarter and an annual report, within 90 days after the year ends.

Article 5. Policies and internal regulations on risk management

Insurance enterprises, reinsurance enterprises and foreign branches shall formulate risk management policies and internal regulations on risk management as follows:

1. Risk management policies of insurance enterprises, reinsurance enterprises and foreign branches must comply with Point c, Clause 2, Article 86 of the Law on Insurance Business.

2. The internal regulations on risk management must include the following contents:

a/ Functions, tasks, decentralization mechanism, decision-making authority and responsibility of individuals and divisions in risk management activities of insurance enterprises, reinsurance enterprises and foreign branches;

b/ The process of identifying, measuring, monitoring and supervising risks related to material risks; reporting on information exchange, feedback on changes to, and treatment of, risks;

c/ Specific risk limits for each type of material risks and related risks and the correlation between those risks. Risk limits must ensure compliance with risk appetite and internal regulations on risk management; be re-evaluated at least once a year and when there are major changes affecting the risks in the operation of insurance enterprises, reinsurance enterprises and foreign branches;

d/ Measures for controlling risks arising from business activities and controlling individuals and divisions involved in such activities;

dd/ The stress test in conformity with Article 7 of this Circular.

e/ Contingency plans for emergency circumstances to ensure continuity in business operations of insurance enterprises, reinsurance enterprises and foreign branches. This plan must be approved by the Board of Directors or Members’ Council of the insurance enterprise or reinsurance enterprise or by the parent company of the foreign branch;

g/ Mechanism on internal reporting on risk management.

Article 6. Identification, measurement, monitoring and control of risks

Insurance enterprises, reinsurance enterprises and foreign branches shall identify, measure, monitor and control risks in a timely and accurate manner according to the following provisions:

1. To identify material risks insurance enterprises, reinsurance enterprises and foreign branches are likely to face in the course of conducting business operations.

2. To measure levels of risks on the basis of determining the impacts of such risks on the operation, capital and solvency of insurance enterprises, reinsurance enterprises and foreign branches. The risk measurement shall be carried out by methods and models. Risk measurement methods and models shall be inspected and evaluated on a periodical basis in terms of accuracy and rationality under internal regulations of insurance enterprises, reinsurance enterprises and foreign branches. Data used in risk measurement methods and models must be reliable and testable.

3. To monitor risk status and timely evaluate and give early warnings about the possibility of breaching risk limits, and restrict possible risks to ensure safe operation; to formulate internal reports on risk monitoring and send them to related individuals and divisions.

4. To control the performance of business processes based on corresponding risk limits; to conduct stress test in accordance with Article 7 of this Circular, and take measures to prevent, mitigate and timely deal with risks in order to ensure compliance with risk limits.

Article 7. Stress test

1. Every year, insurance enterprises, reinsurance enterprises and foreign branches shall conduct stress test regarding capital and solvency in accordance with Clause 2 of this Article.

2. The stress test shall be conducted as follows:

a/ Preparing at least 2 scenarios, including 1 scenario with normal operation conditions, and 1 scenario with adverse developments regarding risk ratios, investment activities, operating costs, and other factors as evaluated by insurance enterprises, reinsurance enterprises and foreign branches. Selected scenarios shall be made for at least 5 subsequent fiscal years and formulated on the basis of analyzing statistics and operation status of insurance enterprises, reinsurance enterprises and foreign branches, and forecasts of macroeconomic developments;

b/ Calculating the impacts of assumptions on the criteria of capital, solvency margin and financial prudence of insurance enterprises, reinsurance enterprises and foreign branches under each scenario (including quantitative analysis and qualitative analysis).

3. Based on stress test results, insurance enterprises, reinsurance enterprises and foreign branches shall identify measures to maintain their business operations upon occurrence of adverse developments (if any).

Article 8. Risk management reports

1. A risk management report of an insurance enterprise, a reinsurance enterprise or a foreign branch must have the following contents:

a/ Evaluation of the adequacy of risk management activities, determination of financial resources necessary for business management within the risk acceptance capacity, and business plans of the insurance enterprise, reinsurance enterprise or foreign branch;

b/ Detailed evaluation of each type of material risks of the insurance enterprise, reinsurance enterprise or foreign branch and operating risk changes;

c/ Method of managing each type of material risks of the insurance enterprise, reinsurance enterprise or foreign branch;

d/ Stress test results and analysis of the possibility to maintain operation in unfavorable circumstances for business operations.

2. Every year, insurance enterprises, reinsurance enterprises and foreign branches shall make risk management reports and hand-deliver or send them by post or online to the Ministry of Finance as guided by the latter within 90 days after the end of a fiscal year. Risk management reports shall be made according to the form provided in the Appendix to this Circular.

Article 9. Management information systems

1. Insurance enterprises, reinsurance enterprises and foreign branches shall establish management information systems to provide information and internal reports to the Boards of Directors or Members’ Councils of insurance enterprises or reinsurance enterprises, parent companies of foreign branches, Directors General (Directors) and related individuals and divisions for them to perform their functions and tasks, ensuring compliance with this Circular.

2. An information management system of an insurance enterprise, a reinsurance enterprise or a foreign branch must at least include:

a/ Internal reports, meeting minutes and resolutions of the Board of Directors or Members’ Council of the insurance enterprise or reinsurance enterprise or decisions of the parent company of the foreign branch, decisions of the Director General (Directors), and other management information under regulations of the insurance enterprise, reinsurance enterprise or foreign branch. Internal reports must at least include risk management reports; internal audit reports, and reports of the compliance control division;

b/ Organization of management and operation of the information management system, which must specify responsibilities of related individuals and divisions in the use of the system;

c/ Collection, processing, storage and provision of information; formulation, sending, receipt and processing of reports;

d/ Information technology infrastructure facilities meeting the requirements specified at Points c and d, Clause 3 of this Article.

3. Management information systems must:

a/ Provide information and data in an adequate, accurate and prompt manner, meeting the requirements of risk management, internal control and internal audit activities of insurance enterprises, reinsurance enterprises and foreign branches;

b/ Update information on compliance with law and internal regulations of insurance enterprises, reinsurance enterprises and foreign branches;

c/ Ensure confidentiality and security of information and data and have standby information systems to secure the safe, effective and uninterrupted storage and use of information;

d/ Be reviewed, re-evaluated, upgraded and updated on a frequent and timely basis to meet the demand for management information and suit the scale, structure and complexity of business operations of insurance enterprises, reinsurance enterprises and foreign branches.

Article 10. Risk management culture

1. Insurance enterprises, reinsurance enterprises and foreign branches shall build risk management culture through issuing and applying their own professional ethical standards, internal regulations on risk management, and commendation and disciplining regimes.

2. The code of professional ethics of an insurance enterprise, a reinsurance enterprise or a foreign branch must adhere to the following principles:

a/ Employees shall honestly perform their assigned tasks and competence for the sake of the insurance enterprise, reinsurance enterprise or foreign branch; and refrain from taking advantage of their positions or information of the insurance enterprise, reinsurance enterprise or foreign branch to seek personal benefits or cause harms to the interests of the insurance enterprise, reinsurance enterprise or foreign branch;

b/ Individuals and divisions shall promptly report to competent authorities when detecting acts of violating Point a of this Clause and violations of law or internal regulations of the insurance enterprise, reinsurance enterprise or foreign branch.

3. Internal regulations on risk management must comply with Clause 2, Article 5 of this Circular.

4. Commendation and disciplining regimes must adhere to the principles of accuracy, publicity, transparency, fairness, and promptness. The commendation and disciplining shall be carried out according to evaluation based on assigned functions and tasks of each division and individual of insurance enterprises, reinsurance enterprises and foreign branches.

Section 2

INTERNAL CONTROL

Article 11. Requirements on business processes

1. In order to ensure performance of internal control activities, insurance enterprises, reinsurance enterprises and foreign branches shall establish business processes, which must at least include the process for ratemaking and insurance product development; marketing and underwriting process; process for indemnity and payout making; reinsurance process and internal control process.

2. Business processes must ensure that the decentralization and approval authority are clear and conformable with functions and tasks of related individuals and divisions; the approval authority shall be defined based on the scale of transactions, risk limits and other limits as stated in internal regulations of insurance enterprises, reinsurance enterprises and foreign branches.

Article 12. Internal control activities

Internal control activities must adhere to the following principles:

1. Internal control shall be conducted for all operations and business processes as well as divisions of insurance enterprises, reinsurance enterprises and foreign branches.

2. The compliance control division must be independent from business divisions.

3. An employee of an insurance enterprise, a reinsurance enterprise or a foreign branch may not concurrently assume the positions and tasks involving contradictory or overlapped purposes or benefits.

4. Employees may not use information of insurance enterprises, reinsurance enterprises and foreign branches for their personal purposes; and may not conceal violations of law and internal regulations of insurance enterprises, reinsurance enterprises and foreign branches.

5. Cross-monitoring shall be carried out in implementation of business processes.

6. The financial information system serving internal control activities must be truthful, rational, adequate, accurate and prompt.

Article 13. Tasks of compliance control divisions

Tasks of the compliance control division of an insurance enterprise, a reinsurance enterprise or a foreign branch:

1. To give advice to the Director General (Director) or a competent authority before the latter issues the internal control process.

2. To carry out annual and unscheduled examination and review of the compliance with law, regulations, internal processes and professional ethical standards by individuals and business divisions.

3. To assist related divisions in formulating and reviewing internal regulations in order to ensure compliance with law; to propose and improve processes and internal regulations.

4. To formulate and send to the Director General (Director) quarterly, annual and unscheduled reports on individuals’ and business divisions’ compliance with law, regulations, internal processes and professional ethical standards, and propose modification and supplementation of business processes (if deeming it necessary). Quarterly reports shall be sent within 30 days from the end of a quarter, and annual reports, within 90 days from the end of a year.

5. To promptly report to the Board of Directors or Members’ Council of the insurance enterprise or reinsurance enterprise or to the parent company of the foreign branch in case of detecting violations in compliance with law which are committed by the insurance enterprise, reinsurance enterprise or foreign branch.

Section 3

INTERNAL AUDIT

Article 14. Tasks of internal audit

Tasks of internal audit include:

1. Auditing the compliance with law, internal processes and regulations of insurance enterprises, reinsurance enterprises and foreign branches.

2. Auditing the safety and efficiency in the management and use of capital, assets and resources of insurance enterprises, reinsurance enterprises and foreign branches.

3. Auditing the accuracy, truthfulness and efficiency of financial information control process and the preparation of financial statements.

4. Auditing the adequacy, accuracy and safety of information technology systems and software.

5. Conducting other audits at the request of Boards of Directors or Members’ Councils of insurance enterprises, reinsurance enterprises and parent companies of foreign branches.

Article 15. Principles of internal audit

1. Independence:

a/ The organization and operation of internal audit divisions must be independent from divisions of the first line and second line of defense;

b/ Internal auditors may not concurrently perform jobs in divisions of the first line and second line of defense;

c/ Internal audit shall not be subject to any interventions in the course of determining the scope and contents of audit and making evaluations of, and reports on, audit results.

2. Objectivity:

a/ Internal auditors must ensure objectivity, truthfulness, fairness and unbiased attitude;

b/ Notes in internal audit reports shall be prudently analyzed and based on collected data and information;

c/ Internal auditors who are in charge of formulating internal regulations and policies, procedures and processes may not conduct audits concerning these internal regulations and policies, procedures and processes;

d/ Internal auditors may not participate in auditing operations and divisions they are in charge of or manage within 2 years from the date of issuance of decisions relieving them from conducting such operations or managing such divisions;

dd/ Internal auditors shall promptly report to heads of internal audit divisions on matters that are likely to affect objectivity in the course of conducting internal audit. If detecting that an internal auditor may fail to comply with the principle of objectivity in internal audit activities, the head of the internal audit division shall report thereon to the Board of Directors or the Members’ Council of the insurance enterprise or reinsurance enterprise or to the parent company of the foreign branch for appropriate solutions;

e/ Task performance results of heads of internal audit divisions must be regularly examined, reviewed and evaluated by Boards of Directors or Members’ Councils of insurance enterprises and reinsurance enterprises and parent companies of foreign branches.

3. Internal auditors shall comply with law and bear responsibility before law for internal audit activities within their assigned tasks.

Article 16. Internal audit regulations and processes

1. Insurance enterprises, reinsurance enterprises and foreign branches shall promulgate internal audit regulations and processes.

2. An internal audit regulation of an insurance enterprise, a reinsurance enterprise or a foreign branch must have the following contents:

a/ Objectives and scope of operation, position, tasks, powers and responsibilities of the internal audit division in the insurance enterprise, reinsurance enterprise or foreign branch and its relationship with other divisions;

b/ Basic principles, requirements on professional qualifications, assurance of quality of internal audit, and other related contents.  

3. An internal audit process must provide detailed guidelines on the following contents:

a/ Methods for risk assessment and classification of risk levels (low, medium and high) serving as grounds for formulating internal audit plans;

b/ Methods of formulating annual internal audit plans; methods of performing audit jobs, making and sending audit reports, and monitoring the implementation of post-audit recommendations;

c/ Methods of archive of internal audit records and documents.

Article 17. Internal audit plans

1. Internal audit divisions shall formulate and implement annual internal audit plans, which must state the scope of audit, auditees, audit objectives and period, and allocation of resources.

2. Divisions and lines of high-risk level as evaluated by insurance enterprises, reinsurance enterprises or foreign branches must be included in annual audit plans.

3. When formulating internal audit plans, internal audit divisions must ensure sufficient time for unscheduled audits upon request.

Article 18. Powers and responsibilities of internal audit divisions

1. While performing their tasks, internal audit divisions have the following rights:

a/ To be promptly provided with sufficient information, documents and records necessary for internal audit;

b/ To access and consider all business processes and assets when conducting internal audit;

c/ To contact and interview all employees of insurance enterprises, reinsurance enterprises and foreign branches about matters related to audited contents;

d/ To receive internal audit-related documents and minutes of meetings of Boards of Directors or Members’ Councils of insurance enterprises or reinsurance enterprises or parent companies of foreign branches.

2. Internal audit divisions have the following responsibilities:

a/ To keep confidential documents and information in accordance with current regulations, charters and internal regulations on internal audit of insurance enterprises, reinsurance enterprises and foreign branches;

b/ When detecting serious violations or finding high-potential risks that are likely to adversely impact the operation of insurance enterprises, reinsurance enterprises or foreign branches in the course of conducting audit, to promptly report thereon to Boards of Directors or Members’ Councils of insurance enterprises or reinsurance enterprises or parent companies of foreign branches and Directors General (Directors);

c/ To promptly formulate, complete and send an audit report to Boards of Directors or  Members’ Councils of insurance enterprises or reinsurance enterprises or parent companies of foreign branches, Directors General (Directors) and the audited divisions after the end of every audit;

d/ To supervise, evaluate and monitor the correction, remediation and improvement regarding the matters on which they have made notes and recommendations;

dd/ To notify Boards of Directors or  Members’ Councils of insurance enterprises or reinsurance enterprises or parent companies of foreign branches in case the shortcomings stated in audit reports are not promptly redressed and remedied;

e/ To archive records and documents of internal audits in the form of text in sequence so as to facilitate the use of these records and documents by competent individuals and organizations.

Article 19. Responsibilities of audited divisions

1. To promptly provide sufficient information, documents and records at the request of internal audit divisions to serve internal audit.

2.  To promptly notify internal audit divisions of signs of violations and risks that are likely to impact the operation of insurance enterprises, reinsurance enterprises and foreign branches.

3. To promptly implement recommendations in internal audit reports and directions of Boards of Directors or Members’ Councils of insurance enterprises or reinsurance enterprises or parent companies of foreign branches or Directors General (Directors), if any.

Article 20. Internal audit reports

1. Internal audit divisions shall submit an internal audit report to Boards of Directors or Members’ Council of insurance enterprises or reinsurance enterprises or parent companies of foreign branches within 90 days after the end of every audit.

2. An internal audit report must clearly state:

a/ The contents and scope of the audit;

b/ Evaluations of and conclusions on the audited contents and grounds for making these evaluations and conclusions;

c/ Shortcomings, violations and explanatory opinions of the auditee;

d/ Recommendations on measures to remedy errors and handle violations; measures to improve business processes, risk management policies and organizational structure of the concerned insurance enterprise, reinsurance enterprise or foreign branch (if any).

Section 4

RESPONSIBILITIES OF BOARDS OF DIRECTORS, MEMBERS’ COUNCILS, PARENT COMPANIES OF FOREIGN BRANCHES AND DIRECTORS GENERAL (DIRECTORS)

Article 21. Responsibilities of Boards of Directors, Members’ Councils and parent companies of foreign branches

The Board of Directors or Members’ Council of an insurance enterprise or a reinsurance enterprise and the parent company of a foreign branch shall:

1. Decide on the organizational structure of the insurance enterprise, reinsurance enterprise or foreign branch to implement risk management and internal control and perform internal audits.

2. Issue risk management policies in each period; principles of implementing internal control; and the internal audit process of the insurance enterprise, reinsurance enterprise or foreign branch.

3. Approve internal regulations on risk management before they are issued by the Director General (Director); approve and adjust annual internal audit plans.

4. Direct and supervise the Director General (Director) in:

a/ Redressing and remedying shortcomings and limitations in risk management and implementing requests and recommendations of independent audit firms, the internal audit division and competent agencies;

b/ Handling violations and breaches of professional ethics and internal regulations committed by related individuals and divisions.

5. Boards of Directors and Members’ Councils of insurance enterprises and reinsurance enterprises shall approve risk management reports of their enterprises before reporting them to the Ministry of Finance. The competence to approve risk management reports of foreign branches before they are reported to the Ministry of Finance must comply with operation regulations of foreign branches and regulations of their parent companies.

Article 22. Responsibilities of Directors General (Directors)

The Director General (Director) of an insurance enterprise, a reinsurance enterprise or a foreign branch shall:

1. Issue business processes (including also the internal audit process), professional ethical standards, internal regulations on risk management, and regimes on commendation and disciplining; allocate risk limits for each business process and line.

2. Organize internal control and risk management as specified in Sections 1 and 2 of this Chapter.

3. Examine and evaluate internal control and risk management and decide on adjustment and remedial solutions (if necessary).

4. Organize the operation and improvement of the management information system.

5. Direct divisions of the first line and second line of defense to work with the internal audit division under internal audit regulations of the insurance enterprise, reinsurance enterprise or foreign branch.

6. Direct the implementation of recommendations in internal audit reports and follow directions of the Board of Directors or Members’ Council (if any), notify implementation results to the internal audit division.

Chapter III

IMPLEMENTATION PROVISIONS

Article 23. Effect

1. This Circular takes effect on January 1, 2023.

2. Any difficulties and problems arising in the course of implementation of this Circular should be promptly reported to the Ministry of Finance for consideration and settlement.-

For the Minister of Finance
Deputy Minister
CAO ANH TUAN