Circular 83/2025/TT-NHNN internal control system of commercial banks and foreign bank branches

ATTRIBUTE

Circular No. 83/2025/TT-NHNN dated December 31, 2025 of the State Bank of Vietnam providing for the internal control system of commercial banks and foreign bank branches
Issuing body: State Bank of Vietnam
Official number: 83/2025/TT-NHNN
Signer: Doan Thai Son
Type: Circular
Issuing date: 31/12/2025
Fields: Finance - Banking

THE STATE BANK OF VIETNAM

No. 83/2025/TT-NHNN

THE SOCIALIST REPUBLIC OF VIETNAM
Independence – Freedom – Happiness

Hanoi, December 31, 2025

CIRCULAR

Providing for the internal control system of commercial banks and foreign bank branches

Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12;

Pursuant to the Law on Credit Institutions No. 32/2024/QH15, which was amended and supplemented by Law No. 96/2025/QH15;

Pursuant to the Government’s Decree No. 26/2025/ND-CP defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

At the proposal of the Director of the Department of Banking System Safety;

The Governor of the State Bank of Vietnam promulgates the Circular providing for the internal control system of commercial banks and foreign bank branches.

Chapter I
GENERAL PROVISIONS

Article 1. Scope of regulation

1. This Circular provides for the internal control system of commercial banks and foreign bank branches (below collectively referred to as banks).

2. Commercial banks under special control are not required to comply with the provisions of Section 9, Chapter III of this Circular.

Article 2. Subjects of application

1. Commercial banks.

2. Foreign bank branches.

Article 3. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. Control activities mean the supervision, monitoring, inspection and self-control by individuals and units in the performance of banking operations in accordance with mechanisms, policies, processes, internal regulations and professional ethical standards in order to comply with the law, control conflicts of interest, promptly detect and handle violations, and establish and maintain the bank’s control culture. Control activities include supervision by senior management and internal control.

2. Senior management includes the Board of Directors, the Members’ Council; the Supervisory Board; and the General Director (Director).

3. Risk management (risk governance) means the identification, measurement, monitoring and control of risks in the bank’s operations.

4. Control culture means the corporate culture values of a bank that reflect a unified awareness of the importance of control activities and risk management so that the Board of Directors, the Members’ Council, the Supervisory Board, the General Director (Director), and individuals and units of the bank proactively identify, monitor and control risks in their operations and in the bank’s operations.

5. Conflict of interest means a situation in which an individual or unit makes decisions within its competence that create interests which are inappropriate or contrary to the interests of the bank.

6. Internal capital adequacy assessment means the bank’s self-assessment of capital adequacy to ensure compliance with regulations of the State Bank of Vietnam (below referred to as the State Bank) on capital adequacy ratios and the provisions of this Circular.

7. Economic capital means the level of capital determined by the bank on the basis of calculating the capital necessary to cover material risks and to ensure capital adequacy ratios under adverse scenarios.

8. Stress testing means a forward-looking risk management tool used to assess the potential impact of adverse developments and changes, thereby determining the bank’s risk-bearing capacity.

9. Risk means the possibility of loss (financial loss, non-financial loss) or the possibility of adverse outcomes that may negatively affect the bank’s income, capital or liquidity. Types of risk include credit risk, market risk, operational risk, liquidity risk, concentration risk, interest rate risk in the banking book, model risk, reputational risk, strategic risk, and other risks that must be managed in banking operations.

10. Risk appetite means the level of risk that a bank is willing to accept in the course of implementing its business strategy, expressed through the ratios and indicators prescribed at Point a, Clause 2, Article 19 of this Circular.

11. Risk position means the level of risk of a bank at a given time, reflected through values after conversion according to risk weights of risk-weighted assets, risk-weighted liabilities and risk-weighted off-balance-sheet items.

12. Material activities mean activities determined by the bank in accordance with its internal regulations on the basis of quantitative criteria (such as own capital, total assets, income and expenses) and qualitative criteria.

13. Material risks include:

a) Credit risk, market risk, operational risk, liquidity risk, concentration risk, and interest rate risk in the banking book;

b) Other risks as prescribed in the bank’s internal regulations.

14. Credit risk includes:

a) Customer credit risk means the risk arising from a customer’s failure or inability to perform in part or in full its debt repayment obligations under a contract or agreement with the bank.

A customer means an individual or a legal entity (including a credit institution or a foreign bank branch) having credit or deposit relations with the bank.

b) Counterparty credit risk means the risk arising from a counterparty’s failure or inability to perform in part or in full its payment obligations before or upon maturity in proprietary trading transactions; repurchase and reverse repurchase transactions; derivative transactions for hedging purposes; transactions of buying and selling foreign currencies, gold or financial assets for the purpose of serving the needs of customers and counterparties; and transactions entered into to offset these transactions.

A counterparty means an individual, a credit institution, a foreign bank branch, or another legal entity having transactions with the bank, including proprietary trading transactions; repurchase and reverse repurchase transactions; derivative transactions for hedging purposes; transactions of buying and selling foreign currencies, gold or financial assets for the purpose of serving the needs of customers and counterparties; and transactions entered into to offset these transactions.

15. Market risk means the risk arising from adverse movements in interest rates, exchange rates, gold prices, securities prices and commodity prices in the market, including:

a) Interest rate risk means the risk arising from adverse movements in market interest rates affecting the value of valuable papers, interest-bearing financial instruments and interest rate derivatives in the bank’s trading book;

b) Foreign exchange risk means the risk arising from adverse movements in exchange rates or gold prices in the market when the bank maintains foreign currency positions or gold positions;

c) Equity price risk means the risk arising from adverse movements in equity prices in the market affecting the value of shares and derivative securities in the bank’s trading book;

d) Commodity price risk means the risk arising from adverse movements in commodity prices in the market affecting the value of commodity derivatives and the value of products in spot transactions exposed to commodity price risk of the bank.

16. Operational risk means the risk arising from inadequate or defective mechanisms, policies, processes or internal regulations; from human factors; from system errors or failures; or from external events. Operational risk includes legal risk and excludes reputational risk and strategic risk.

17. Legal risk means the risk that the bank may incur penalties (including financial and non-financial liabilities) arising from violations of laws or from breaches of obligations or agreements with related parties.

18. Reputational risk means the risk arising from negative reactions of customers, counterparties, shareholders, investors or the public regarding the reputation of the bank.

19. Strategic risk means the risk arising from the bank’s absence of a strategy or from an ineffective strategy in responding in a timely manner to changes in the business environment, thereby reducing its ability to implement its business strategy and achieve its profit objectives.

20. Liquidity risk means the risk that:

a) The bank is unable to perform its financial obligations when due;

b) The bank is able to perform its financial obligations when due but must incur costs higher than the average market cost as prescribed in its internal regulations.

21. Concentration risk means the risk arising from the bank’s business activities being concentrated on a single customer; a customer and its related persons; or one or several customers, counterparties, products, transactions or economic sectors to a degree that significantly affects the bank’s income or risk position in accordance with its internal regulations.

22. Interest rate risk in the banking book means the risk arising from adverse movements in interest rates affecting the banking book position, thereby impacting the bank’s capital and income. Interest rate risk in the banking book includes:

a) Gap risk arising from mismatches in the timing of interest rate repricing or mismatches in maturities between assets and liabilities (including off-balance-sheet items) in the banking book;

b) Basis risk arising from differences between interest rates used to reprice assets and liabilities (including off-balance-sheet items) with the same maturity;

c) Option risk arising from the exercise of automatic options or behavioural options attached to assets and liabilities (including off-balance-sheet items) in the banking book, resulting in changes in value and timing of cash flows, including:

(i) Automatic option risk arising when changes in interest rates lead to the certain exercise of options in accordance with contractual terms;

(ii) Behavioural option risk arising when changes in interest rates may alter customer behaviour.

23. Model means a method, system or quantitative approach (which uses assumptions, techniques, theories of mathematics, statistics, economics, finance and expert judgment) to transform input data into output results used in the bank’s operations.

24. Model risk means the risk arising from model errors during the model development stage, model implementation stage, or from the use of inappropriate models.

25. Model lifecycle includes at least the following stages:

a) Model development (including development of new models and modification of existing models);

b) Model implementation;

c) Model use and application (below referred to as model use);

d) Model monitoring and supervision;

dd) Model validation.

26. Risk decision means a decision made by a competent level of the bank that gives rise to risk or changes the bank’s risk position.

27. Credit risk decision means a risk decision of the bank in credit activities in accordance with its internal regulations, including at least: decisions on credit extension; decisions on credit limits; decisions on credit extension beyond limits; decisions on debt rescheduling; and decisions on debt reclassification.

28. Problem credit exposure means a credit exposure classified into debt group 2 or higher in accordance with regulations of the State Bank on asset classification in the operations of commercial banks, non-bank credit institutions and foreign bank branches, and other credit exposures identified as problem credit exposures in accordance with the bank’s internal regulations.

29. Outsourcing activity means the bank’s written agreement to hire an individual, organization, credit institution or another foreign bank branch (below referred to as a third party) to process data; conduct customer identification; or perform one or several steps of the bank’s operational processes (excluding risk decisions of the bank) on behalf of the bank in accordance with law.

30. Internal auditor means a person who performs internal audit within the internal audit function of the bank.

31. Parent bank means a foreign bank having a branch licensed to operate in Vietnam.

32. Trading book means the portfolio recording positions of:

a) Proprietary trading transactions;

b) Transactions for underwriting financial instruments;

c) Derivative transactions for hedging proprietary trading transactions of the bank;

d) Transactions of buying and selling foreign currencies, gold or financial assets to serve the needs of customers and counterparties, and transactions entered into to offset these transactions.

33. Banking book means the portfolio recording positions of:

a) Repurchase and reverse repurchase transactions;

b) Derivative transactions for hedging items in the Statement of Financial Position (including off-balance-sheet items) of the bank, except for transactions classified into the trading book as prescribed at Points a and c, Clause 32 of this Article;

c) Transactions of buying and selling financial assets for liquidity reserve purposes;

d) Remaining transactions not included in the trading book of the bank.

34. Proprietary trading transaction means a transaction of purchase, sale or exchange conducted by the bank or a subsidiary of a commercial bank in accordance with law for the purpose of purchase, sale or exchange within a period not exceeding one year to earn profits from market price differences for the bank with respect to financial instruments, including:

a) Financial instruments in the money market;

b) Currencies (including gold);

c) Securities in the capital market;

d) Derivative products;

dd) Other financial instruments traded in official markets.

35. Repurchase agreement (Repo) means a transaction in which one party sells and transfers ownership of a financial asset to another party and simultaneously commits to repurchase and receive back ownership of that financial asset after a specified period at a predetermined price.

36. Reverse repurchase agreement (Reverse Repo) means a transaction in which one party purchases and receives transfer of ownership of a financial asset from another party and simultaneously commits to resell and transfer ownership of that financial asset after a specified period at a predetermined price, including term purchase transactions of negotiable instruments and other valuable papers in accordance with regulations of the State Bank on discount operations of credit institutions and foreign bank branches with customers.

Article 4. Requirements for the internal control system

1. The internal control system of a bank shall satisfy the following requirements:

a) Complying with the provisions of the Law on Credit Institutions and its amending and supplementing documents (below referred to as the Law on Credit Institutions), this Circular and other relevant legal documents; handling and implementing remedial measures in accordance with the requirements and recommendations of the State Bank, independent audit organizations and other competent authorities;

b) Being commensurate with the size, nature and level of complexity of the bank’s business operations;

c) Having adequate financial, human and information system resources to ensure the effectiveness of the internal control system;

d) Establishing and maintaining the bank’s control culture;

dd) Having a management information system that complies with the provisions of the Law on Credit Institutions, Article 8 of this Circular and other relevant laws, ensuring the reliability, completeness and timeliness of management information.

2. The internal control system of a bank shall have three independent lines of defense as follows:

a) The first line of defense consists of risk-taking units, including revenue-generating units, units implementing risk decisions, units allocating risk limits to each specific business activity and operational activity; and other risk-taking units. The first line of defense has the function of identifying risks, implementing control measures, monitoring and mitigating risks;

b) The second line of defense consists of at least the compliance function and the risk management function. The second line of defense has the function of formulating risk management policies and internal regulations on risk management; measuring, monitoring and controlling risks on a bank-wide basis and ensuring compliance with laws;

c) The third line of defense has the function of internal audit, performed by the internal audit function in accordance with the Law on Credit Institutions and this Circular;

d) With respect to model risk management, the bank shall have three independent lines of defense in accordance with Clause 7, Article 56 of this Circular.

3. Opinions expressed and conclusions reached in meetings of the Board of Directors, the Members’ Council; the Supervisory Board; committees or councils as prescribed in this Circular concerning the internal control system shall be recorded in writing.

Article 5. Mechanisms, policies, processes and internal regulations

1. Requirements for the mechanisms, policies, processes and internal regulations of a bank:

a) Complying with the provisions of this Circular and other relevant laws;

b) Ensuring that the delegation of decision-making competence is based on the level of reliability of the competent level and the capacity of the individuals and units performing the tasks. Decision-making competence must be expressed through criteria relating to the size and level of complexity of transactions, risk limits, other limits and criteria in accordance with the bank’s internal regulations;

c) Prescribing the functions and duties of individuals and units from the lowest level to the highest level in all transactions and operational processes of the bank in accordance with the following principles:

(i) Members of the Board of Directors and members of the Members’ Council shall not participate in the review and approval of risk decisions falling within the functions and duties of the General Director (Director). In cases where a member of the Board of Directors or a member of the Members’ Council concurrently holds the position of General Director (Director), the bank must implement control measures to ensure that no conflict of interest arises and that independent oversight is maintained;

(ii) Members of the Board of Directors and members of the Members’ Council shall not concurrently hold other titles or positions in that commercial bank, except for the position of General Director (Director) as prescribed in the Law on Credit Institutions, and titles or positions in the Risk Handling Council and committees established by the Board of Directors or the Members’ Council;

(iii) With respect to credit exposures subject to approval or decision by the Board of Directors or the Members’ Council as prescribed in Articles 70, 74 and 79 of the Law on Credit Institutions, the commercial bank shall fully implement the credit extension process as applicable to credit exposures not falling under such competence of the Board of Directors or the Members’ Council and such exposures must be proposed and submitted to the Board of Directors or the Members’ Council by the General Director (Director) or a Deputy General Director (Deputy Director) authorized by the General Director (Director);

(iv) Clearly separating functions and duties in transactions and operational processes in order to prevent and control conflicts of interest; ensuring that no individual dominates an entire transaction or operational process; not assigning to the same individual tasks that may give rise to conflicts of interest; and establishing control principles before, during and after the execution of transactions and operational processes;

(v) Having independent individuals within the same unit or individuals from units independent from other units to conduct periodic and ad hoc inspections in accordance with the bank’s internal regulations;

(vi) In cases where the implementation of Points c(iv) and c(v) of this Clause still gives rise to risks of conflicts of interest or violations of internal regulations, the bank shall identify the causes, implement measures to minimize risks in its operations to the maximum extent possible, and conduct strict monitoring and more frequent independent assessments;

d) Clearly delegating responsibilities for asset management (including financial assets and tangible assets) to each individual and unit based on the value of the assets or other specific limits as prescribed in the bank’s internal policies. The scope of delegation includes receipt, safekeeping, transportation, inspection and inventory of assets;

dd) Ensuring that professional ethical standards (except professional ethical standards applicable to members of the Supervisory Board and internal auditors) are issued by the Board of Directors or the Members’ Council of the commercial bank, or by the General Director (Director) of the foreign bank branch, in accordance with the following principles:

(i) Officers and employees at all levels shall perform their assigned duties and competence honestly for the benefit of the bank; and shall not abuse their position or title, or use information, trade secrets, business opportunities or assets of the bank for personal gain or to the detriment of the bank’s interests;

(ii) Individuals and units shall promptly report to the competent level upon detecting violations prescribed at Point dd(i) of this Clause and other violations of internal regulations or laws;

e) Being periodically reviewed in accordance with the bank’s regulations and being amended and supplemented to ensure compliance with laws;

g) Internal regulations on control activities of the head office over branches and dependent units shall at least prescribe the functions, duties, reporting mechanisms, salaries, rewards, disciplinary measures, staff rotation and other mechanisms applicable to individuals and units performing control activities at branches and dependent units;

h) Internal regulations on risk management comply with Article 18 of this Circular;

i) Internal regulations on internal audit comply with Article 68 of this Circular;

k) Internal regulations on internal reporting ensure that such regulations specify the data cut-off date for report preparation; the deadline for completion of reports; the individuals and units responsible for preparing, approving and receiving reports; and the responsibility for handling proposals and recommendations in the reports (if any).

2. Issuing competence of a commercial bank:

a) The Board of Directors and the Members’ Council shall issue regulations on the organization, governance and operation of the commercial bank, except for matters falling within the competence of the General Meeting of Shareholders or the owner;

b) The Supervisory Board shall issue its internal regulations;

c) The General Director (Director) shall issue internal rules and regulations; operational processes and procedures for operating the business management system and the management information system (below referred to as internal processes), except for matters falling within the competence of the General Meeting of Shareholders, the owner, the Board of Directors, the Members’ Council or the Supervisory Board.

3. Issuing competence of a foreign bank branch: The General Director (Director) shall issue internal rules, internal regulations and internal processes of the foreign bank branch in accordance with regulations of the parent bank or apply internal regulations issued by the parent bank.

Article 6. Organizational structure for implementing the internal control system

1. The organizational structure for implementing the internal control system at a commercial bank includes: the Board of Directors, the Members’ Council; the Supervisory Board; the General Director (Director); and individuals and units prescribed in this Article.

2. The Board of Directors and the Members’ Council of a commercial bank shall have duties and competence as prescribed in the Law on Credit Institutions and this Circular.

a) The Board of Directors and the Members’ Council shall establish committees in accordance with Clause 5, Article 50 of the Law on Credit Institutions. The organizational structure, functions and duties of the Risk Management Committee and the Human Resources Committee shall comply with regulations of the State Bank and ensure that more than one half (1/2) of the voting members of each committee are non-executive members.

b) The Board of Directors and the Members’ Council may establish other committees (if necessary).

3. The Supervisory Board shall have duties and competence as prescribed in the Law on Credit Institutions and this Circular. The Supervisory Board shall prescribe the organizational structure, functions, duties and competence of the internal audit function in accordance with the Law on Credit Institutions and this Circular.

4. The General Director (Director) of a commercial bank shall have duties and competence as prescribed in the Law on Credit Institutions and this Circular. The General Director (Director) shall have committees and supporting units as follows:

a) The Risk Committee shall have the duty to propose and advise the General Director (Director) on risk management matters prescribed at Point a, Clause 5, Article 25 of this Circular; and implement the matters prescribed at Point b, Clause 5, Article 25 of this Circular. The Risk Committee consists of a Chairperson who is a dedicated executive in charge of risk management at the head office (not being the General Director (Director)), having experience, knowledge and professional qualifications in risk management, and other members from relevant units in accordance with the internal regulations of the commercial bank. The General Director (Director) shall decide on the working regulations of the Risk Committee, which shall at least include its functions, duties, decision-making mechanism and meeting mechanism (periodic meetings at least once every quarter and ad hoc meetings);

b) The Asset/Liability Committee (ALCO) shall have the duty to propose and advise the General Director (Director) on asset/liability management matters prescribed in Clause 3, Article 25 of this Circular. The ALCO consists of a Chairperson who is the General Director (Director) or another executive at the head office, and other members from relevant units in accordance with the internal regulations of the commercial bank. The General Director (Director) shall decide on the working regulations of the ALCO, which shall at least include its functions, duties, decision-making mechanism and meeting mechanism (periodic meetings at least once every quarter and ad hoc meetings);

c) The Capital Management Committee shall have the duty to propose and advise the General Director (Director) on matters relating to the implementation of the internal capital adequacy assessment prescribed in Clause 4, Article 25 of this Circular. The Capital Management Committee consists of a Chairperson who is the General Director (Director) or another executive in charge of finance at the head office, having experience, knowledge and professional qualifications in accounting and finance, and other members from relevant units in accordance with the internal regulations of the commercial bank. The General Director (Director) shall decide on the working regulations of the Capital Management Committee, which shall at least include its functions, duties, decision-making mechanism and meeting mechanism (periodic meetings at least once every six months and ad hoc meetings);

d) The compliance function shall have functions and duties decided by the General Director (Director) depending on the size, nature and level of complexity of the business operations, ensuring independence and absence of conflicts of interest, and shall at least include the duties prescribed in Clause 3, Article 14 of this Circular;

dd) The risk management function shall have functions and duties decided by the General Director (Director), and shall at least include the duties and responsibilities prescribed in Clause 5, Article 25 of this Circular;

e) The bank may establish a credit approval committee (if necessary). The General Director (Director) shall decide on the working regulations of the credit approval committee, which shall at least include the functions, duties and responsibilities of its members, decision-making mechanism and meeting mechanism. The Chairperson of this committee shall be the General Director (Director) or a Deputy General Director (Deputy Director) authorized by the General Director (Director);

g) The bank may establish other committees (if necessary). The General Director (Director) shall decide on the working regulations of such committees, which shall at least include their functions, duties, decision-making mechanism and meeting mechanism (periodic and ad hoc).

5. Other individuals and units within the organizational structure of a commercial bank shall have functions and duties relating to the implementation of the internal control system.

6. The organizational structure of the internal control system at a foreign bank branch includes:

a) The General Director (Director) shall have duties and competence as prescribed in the Law on Credit Institutions and this Circular;

b) The compliance function shall have functions and duties decided by the General Director (Director) depending on the size, nature and level of complexity of the business operations, ensuring independence and absence of conflicts of interest, and shall at least include the duties prescribed in Clause 3, Article 14 of this Circular;

c) The risk management function shall have functions and duties decided by the General Director (Director) depending on the size, nature and level of complexity of the business operations, and shall at least include the duties and responsibilities prescribed at Point b, Clause 7, Article 25 of this Circular;

d) Other individuals and units within the organizational structure of the foreign bank branch shall have functions and duties relating to the implementation of the internal control system;

dd) The organizational structure, duties, competence and responsibilities of the internal audit function and internal auditors of the foreign bank branch shall be implemented in accordance with regulations of the parent bank.

Article 7. Implementation of the internal control system

A bank shall implement the internal control system through:

1. Control activities prescribed in Chapter II of this Circular.

2. Risk management activities prescribed in Chapter III of this Circular.

3. Internal audit prescribed in Chapter IV of this Circular.

Article 8. Management information system

1. A bank shall establish a management information system to collect, process, store and provide information for management, administration and decision-making in banking operations.

2. The management information system of a bank shall at least include:

a) An organizational structure for managing and operating the management information system, and internal regulations on the responsibilities of individuals and units in managing, operating and using the management information system;

b) Processes for collecting, processing, storing and providing information;

c) Data serving management, administration and decision-making in the bank’s operations, including risk data managed in accordance with Article 24 of this Circular;

d) Internal reports (at least internal reports on control activities, risk management, internal capital adequacy assessment and internal audit) and other management information sent, received and processed in accordance with the bank’s internal regulations;

dd) Information technology infrastructure (hardware and software) appropriate to the requirements of the management information system;

e) Backup systems to ensure that data and information are stored and used safely, effectively and without interruption.

3. The management information system shall ensure that:

a) Data and information are complete, accurate and timely, meeting the bank’s management requirements as prescribed in this Circular and the bank’s internal regulations; input data and information sources shall be verified for reliability;

b) Data and information security and confidentiality are ensured in accordance with laws and the bank’s internal regulations;

c) The Board of Directors, the Members’ Council, the parent bank, the Supervisory Board, the General Director (Director), and relevant individuals and units are provided with complete and timely information to perform their functions, duties and competence;

d) There is a mechanism for timely reporting to competent levels of the bank on violations of laws, internal regulations and professional ethical standards by individuals and units, ensuring information confidentiality and protection of information providers;

dd) It is reviewed and reassessed at least annually and on an ad hoc basis; and upgraded and updated regularly in accordance with management information needs, the size, structure and level of complexity of the bank’s business operations, ensuring compliance with laws and the bank’s internal regulations.

Article 9. Reporting to the State Bank on the internal control system

1. A bank shall prepare and submit to the State Bank (the State Bank’s Regional Branch according to the entities subject to micro-prudential inspection and supervision; the Credit Institution Supervision Department; the Inspectorate of the State Bank) reports on the internal control system in accordance with Clauses 2, 3 and 4 of this Article. In cases where a report is found to be incomplete, erroneous, inaccurate or requiring clarification, the State Bank shall request the bank to report, provide explanations or work directly in accordance with regulations on banking supervision procedures.

2. Reports on the internal control system shall include:

a) An annual report on the results of self-inspection and assessment of control activities in accordance with Appendix I issued together with this Circular;

b) An annual report on risk management in accordance with Appendix II issued together with this Circular;

c) An annual report on the internal capital adequacy assessment in accordance with Appendix III issued together with this Circular;

d) An annual report on internal audit in accordance with Appendix IV issued together with this Circular, and ad hoc reports on internal audit.

3. Time limits for submission of reports:

a) For the reports prescribed at Points a, b and c, Clause 2 of this Article: Within 90 days from the end of the financial year, the bank shall submit the report for that financial year;

b) For the report prescribed at Point d, Clause 2 of this Article:

(i) Within 60 days from the end of the financial year, a commercial bank shall submit the internal audit report for that financial year;

(ii) Within 60 days from the end of the financial year, a foreign bank branch shall submit the internal audit report for that financial year. In cases where no internal audit is conducted during the financial year, the foreign bank branch is not required to submit a report;

(iii) Within 07 working days from the completion of an ad hoc internal audit, the bank shall submit the ad hoc internal audit report.

4. Competence for approval of reports:

a) The Board of Directors and the Members’ Council shall be responsible for approving the report prescribed at Point a, Clause 2 of this Article;

b) The Supervisory Board shall be responsible for approving the report prescribed at Point d, Clause 2 of this Article;

c) The General Director (Director) of a commercial bank shall be responsible for approving the reports prescribed at Points b and c, Clause 2 of this Article;

d) The General Director (Director) of a foreign bank branch shall be responsible for approving the reports prescribed at Points a, b and c, Clause 2 of this Article.

5. The reports on the internal control system prescribed at Clause 2 of this Article shall update limitations and newly arising risks of the internal control system throughout the bank.

6. The reports prescribed at Clause 2 of this Article shall be submitted to the State Bank in one of the following forms:

a) Submitted directly to the State Bank;

b) Sent via postal services;

c) Submitted online (if any).

Article 10. Retention of dossiers and documents on the internal control system

1. A bank shall issue internal regulations on the management and retention of dossiers and documents relating to the internal control system.

2. The management and retention of dossiers and documents relating to the internal control system of a bank shall ensure:

a) Compliance with the provisions of laws and regulations of the State Bank on retention periods of dossiers and archived documents in the banking sector;

b) Full retention for provision upon request of internal audit, independent audit organizations and competent authorities during internal audit, independent audit, inspection and supervision.

 

Chapter II
CONTROL ACTIVITIES

Article 11. Requirements for control activities

1. Control activities shall be implemented with respect to all operations, operational processes, individuals and units of the bank, ensuring compliance with the provisions of this Circular and the bank’s internal regulations.

2. Accounting shall comply with regulations on accounting standards and accounting regimes; financial statements shall be aggregated, prepared and submitted in accordance with law and the bank’s internal regulations. Accounting shall be inspected and reconciled to ensure timely detection and handling of errors and shall be reported to competent levels in accordance with the bank’s internal regulations.

3. Measures shall be in place to prevent and promptly handle misconduct and acts in breach of laws and internal regulations within the bank.

4. Human resources shall be allocated in a manner commensurate with the nature and level of complexity of each business activity and control activity, including contingency staffing plans in cases where employees are absent, as well as recruitment, rotation and appointment processes in order to maintain the effectiveness of control activities and continuity of operations.

5. Control activities of the head office of a commercial bank over its branches and dependent units shall ensure that:

a) The head office is able to supervise and control transactions and operations of branches and dependent units, including supervision and control through individuals or units performing control activities with respect to such branches and dependent units;

b) The head office shall decide on functions, duties, reporting mechanisms, salaries, rewards, disciplinary measures, staff rotation and other mechanisms applicable to individuals or units performing control activities;

c) Individuals and units performing control activities with respect to branches and dependent units shall ensure independence and absence of conflicts of interest with other individuals and units of such branches and dependent units.

6. On an annual and ad hoc basis, the bank shall prepare internal reports on control activities and submit them to competent levels in accordance with the bank’s internal regulations. Internal reports on control activities shall include an assessment of control activities in accordance with the contents prescribed in this Article and other contents as prescribed in the bank’s internal regulations.

7. The bank shall have regulations on control activities applicable to activities conducted by electronic means, ensuring compliance with the provisions of this Circular and relevant laws.

Article 12. Supervision by senior management

1. Supervision by senior management shall comply with the requirements prescribed in Article 11 of this Circular.

2. Supervision by senior management at a commercial bank shall be implemented as follows:

a) The Board of Directors and the Members’ Council shall supervise the General Director (Director) in implementing the provisions of Clause 2, Article 14 and Clause 2, Article 25 of this Circular;

b) The Supervisory Board of the commercial bank shall supervise the internal audit function in implementing the provisions of Article 71 and Clauses 1, 2 and 3, Article 72 of this Circular;

c) The General Director (Director) of the commercial bank shall supervise individuals and units in implementing the provisions of Clauses 3 and 4, Article 14 and Clauses 3, 4, 5 and 6, Article 25 of this Circular.

3. The General Director (Director) of a foreign bank branch shall:

a) Supervise individuals and units in implementing the provisions of Clauses 3 and 5, Article 14 and Point b, Clause 7, Article 25 of this Circular;

b) Supervise individuals and units in accordance with regulations of the parent bank in the performance of internal audit.

Article 13. Internal control

1. Internal control shall comply with the requirements prescribed in Article 11 of this Circular.

2. Internal control of a bank shall be implemented through self-control activities of individuals and units within operational processes and through activities of individuals and units having the function of monitoring and inspecting other individuals and units in compliance with mechanisms, policies, processes, internal regulations and laws.

Article 14. Responsibilities of the Board of Directors, the Members’ Council, the General Director (Director), and individuals and units in control activities

1. The Board of Directors and the Members’ Council of a commercial bank shall perform functions and duties related to control activities in accordance with this Circular and the bank’s internal regulations.

2. The General Director (Director) of the bank shall be responsible for organizing the implementation of:

a) Control activities within his/her competence;

b) The operation and maintenance of the management information system to ensure compliance with the requirements prescribed in Article 8 of this Circular;

c) The maintenance of the control culture prescribed in Clause 4, Article 3 of this Circular and professional ethical standards prescribed in Clause 1, Article 5 of this Circular;

d) The handling of violations of internal regulations and professional ethical standards (except for professional ethical standards of members of the Supervisory Board and internal auditors); and the referral to competent authorities for timely handling of acts in breach of laws;

dd) Other matters as prescribed by the bank.

3. The compliance function of the bank shall have at least the following duties:

a) Acting as the focal point for identifying compliance matters relating to the bank’s operations in accordance with law;

b) Periodically assessing internal regulations in accordance with the bank’s regulations for their appropriateness and compliance with law and proposing amendments and supplements (if necessary);

c) Assessing regulations on the functions and powers of the compliance function in order to propose amendments and supplements (if necessary);

d) Reporting to the General Director (Director) on:

(i) The status of compliance with law on a periodic and ad hoc basis;

(ii) Serious violations of compliance with law and changes in relevant legal provisions in accordance with the bank’s internal regulations;

(iii) The remediation of internal control deficiencies (if any);

dd) Directly reporting to the Board of Directors, the Members’ Council or the parent bank in necessary cases (including cases where the General Director (Director) commits serious violations) in accordance with the bank’s internal regulations;

e) Monitoring and inspecting individuals and units in their compliance with laws, mechanisms, policies, processes and internal regulations;

g) Assisting relevant units in developing and reviewing internal regulations to ensure compliance with law; coordinating in handling difficulties related to compliance with law in accordance with the bank’s internal regulations; and notifying relevant units of changes in relevant legal provisions in accordance with the bank’s internal regulations.

4. Other individuals and units of a commercial bank shall be responsible for:

a) Implementing internal regulations on internal control and maintaining the control culture; and complying with professional ethical standards (except for professional ethical standards of members of the Supervisory Board and internal auditors);

b) Operating, assessing, upgrading and updating the management information system in accordance with the bank’s internal regulations to ensure compliance with the requirements prescribed in Article 8 of this Circular;

c) Performing other matters as prescribed by the commercial bank.

5. Other individuals and units of a foreign bank branch shall be responsible for:

a) Implementing internal regulations on internal control and maintaining the control culture; and complying with professional ethical standards (except for professional ethical standards of internal auditors);

b) Performing other matters as prescribed by the foreign bank branch.

Article 15. Control activities in credit extension

1. Control activities in credit extension of a bank shall comply with the requirements prescribed in Article 11 of this Circular.

2. Credit extension, except as prescribed in Clause 3 of this Article, shall be subject to control of conflicts of interest through the principle that individuals or units performing credit appraisal functions shall be independent from individuals or units performing the following functions:

a) Approving credit decisions;

b) Controlling credit risk limits; managing problem credit exposures; making provisions for credit risk and using provisions to handle credit risk;

c) Managing customer relationships in accordance with the bank’s internal regulations.

3. A bank organizing credit approval by electronic means shall control conflicts of interest through the principle of segregation of responsibilities among individuals and units responsible for developing, establishing and operating information systems serving the stages of credit appraisal and credit decision-making. In cases where risks arise, the bank shall have mechanisms to identify responsible individuals and units and to promptly handle arising issues and risks to ensure effectiveness and safety in organizing credit approval by electronic means.

Article 16. Control activities in proprietary trading transactions

1. Control activities in proprietary trading transactions of a bank shall comply with the requirements prescribed in Article 11 of this Circular.

2. Proprietary trading transactions shall be controlled to ensure at least the following principles:

a) Having dedicated individuals and units to conduct proprietary trading transactions, ensuring independence from individuals and units controlling proprietary trading transactions and individuals and units performing settlement of proprietary trading transactions; and clearly defining the competence of individuals and units conducting proprietary trading transactions;

b) Proprietary trading transactions shall be conducted within prescribed limits; commitments for execution of transactions (including cases of cancellation of transactions or amendment or supplementation of transaction terms) and accounting and bookkeeping of proprietary trading transactions shall comply with relevant laws applicable to such proprietary trading transactions;

c) Information, documents and records relating to proprietary trading transactions shall be fully and promptly provided to individuals and units controlling proprietary trading transactions;

d) Having internal processes for conducting proprietary trading transactions in accordance with Clause 3 of this Article and internal processes for settlement of proprietary trading transactions in accordance with Clause 4 of this Article.

3. Internal processes for conducting proprietary trading transactions shall at least ensure that:

a) Traders shall conduct transactions only within the assigned types of transactions, counterparties, competence and transaction limits;

b) In cases where proprietary trading transactions are conducted by telephone, conversations relating to such transactions conducted by traders shall be recorded and retained for at least 02 months from the date of the conversation. In cases where proprietary trading transactions are conducted through computer systems, traders shall enter proprietary trading transaction data into the internal transaction management system using their own trader codes. The computer system shall automatically record the transaction date and time and proprietary trading transaction identification number and shall not allow traders to modify such information;

c) Prices in proprietary trading transactions shall be independently verified to ensure consistency with market prices (if any).

4. Internal processes for settlement of proprietary trading transactions shall meet the following requirements:

a) Individuals and units performing settlement of proprietary trading transactions shall send and receive transaction confirmations for executed proprietary trading transactions in forms consistent with law (including monitoring and checking customers’ transaction confirmations and notifying customers if confirmations are not received or are incomplete or erroneous);

b) The contents of transaction confirmations shall include transaction terms and transaction information. In cases where proprietary trading transactions are conducted through brokers, transaction confirmations shall include information on the brokers;

c) Differences detected during settlement shall be promptly handled by the units performing settlement of proprietary trading transactions.

 

Chapter III
RISK MANAGEMENT ACTIVITIES

Section 1. GENERAL PROVISIONS ON RISK MANAGEMENT ACTIVITIES

Article 17. Requirements for risk management

1. A bank shall implement risk management to ensure the following requirements:

a) Managing risks in the bank’s operations in accordance with this Circular and the bank’s internal regulations;

b) Fully identifying, appropriately measuring and regularly monitoring risks in order to promptly prevent and mitigate material risks. The measurement prescribed in this Point shall apply at a minimum to the types of material risks prescribed at Point a, Clause 13, Article 3 of this Circular;

c) Controlling the risk position to ensure compliance with risk limits;

d) Having an information system for risk management, in which data shall ensure compliance with the requirements prescribed in Article 24 of this Circular;

dd) Risk decisions shall be transparent, clear and consistent with risk management policies and risk limits;

e) Clearly defining the competence for approving and implementing minimum preventive measures for each type of material risk.

2. For a commercial bank having subsidiaries, the commercial bank shall direct and supervise through its capital representatives to ensure that risk management of the subsidiaries is consistent with the risk management policies of the commercial bank and to ensure that the commercial bank maintains the minimum consolidated capital adequacy ratio in accordance with regulations of the State Bank.

Article 18. Internal regulations on risk management activities

1. A bank shall have internal regulations on risk management activities, which shall at least include the following contents:

a) The development, issuance and implementation of risk management policies;

b) The development, issuance and implementation of risk limits for at least each type of material risk prescribed at Point a, Clause 13, Article 3 of this Circular (including methods for establishing risk limits; individuals and units responsible for establishing risk limits; allocation of risk limits; and handling of violations in cases of breaches of risk limits);

c) The identification, measurement, monitoring and control of risks for at least each type of material risk prescribed at Point a, Clause 13, Article 3 of this Circular;

d) Internal reporting mechanisms on risk management;

dd) Risk management for new products and activities in new markets;

e) Stress testing;

g) Risk data management;

h) The internal capital adequacy assessment process;

i) Other necessary contents in accordance with management requirements for each type of material risk.

2. Internal regulations on risk management shall ensure the following principles:

a) Internal regulations shall be developed in alignment with the bank’s business strategy, control culture, human resources, information technology infrastructure conditions and management information system;

b) Risk positions and violations relating to risk management shall be promptly and fully reported to the Board of Directors, the Members’ Council, the Supervisory Board and the parent bank; and mechanisms shall be in place for handling violations relating to risk management.

Article 19. Risk management policies

1. Risk management policies of a commercial bank shall be issued, amended and supplemented by the Board of Directors or the Members’ Council. The competence to issue, amend and supplement risk management policies of a foreign bank branch shall be exercised in accordance with regulations of the parent bank.

2. Risk management policies shall at least include the following contents:

a) Risk appetite, including:

(i) Target capital adequacy ratio;

(ii) Income indicators: Return on Equity (ROE), Risk Adjusted Return on Capital (RAROC);

(iii) Other risk indicators and (qualitative) risk acceptance levels as prescribed in the bank’s internal regulations;

b) A list of material risks;

c) Risk management strategies for each material risk.

3. Risk management policies shall ensure the following requirements:

a) Being formulated for a period of at least 03 years but not exceeding the subsequent 05 years, and being periodically reviewed at least once a year and subject to ad hoc review as prescribed by the commercial bank or the parent bank in order to make timely adjustments in case of changes in the business or legal environment;

b) Being consistent with the interests of shareholders, owners and capital-contributing members of the commercial bank and the parent bank in accordance with law;

c) Being consistent with the level of own capital and the availability of sources for increasing own capital;

d) Ensuring continuity and inheritance in order to maintain feasibility across economic cycles.

Article 20. Risk limits

1. Risk limits of a commercial bank shall be issued, amended and supplemented by the General Director (Director). The competence to issue, amend and supplement risk limits of a foreign bank branch shall be exercised in accordance with regulations of the parent bank.

2. Risk limits shall:

a) Comply with regulations on restrictions to ensure safety in the operations of credit institutions and foreign bank branches as prescribed in the Law on Credit Institutions and regulations of the State Bank;

b) Be established to control material risks arising as prescribed at Point a, Clause 13, Article 3 of this Circular;

c) Be consistent with the risk appetite, risk management strategies and total risk-weighted assets allocated to such risks;

d) Be reviewed and reassessed (amended or supplemented, if necessary) at least once a year or upon occurrence of major changes affecting the risk position in accordance with the bank’s internal regulations. In cases where risk limits of a commercial bank are amended or supplemented in a more relaxed direction, the General Director (Director) shall report to the Board of Directors or the Members’ Council after such adjustment;

dd) Be disseminated to relevant individuals and units.

3. In cases where an activity, transaction or product is subject to different risk limits for different types of risks, the bank shall apply the more prudent risk limit.

Article 21. Risk management for new products and activities in new markets

1. Risk management for new products and activities in new markets relating to permitted business activities of a bank shall ensure the following requirements:

a) Having internal regulations prescribing criteria for determining new products and activities in new markets;

b) Having processes for providing new products and conducting activities in new markets, ensuring the following principles:

(i) For a commercial bank, the Board of Directors or the Members’ Council shall approve the policy on provision of new products and activities in new markets on the basis of a proposal from the General Director (Director). The General Director (Director) shall approve the plan for provision of new products and activities in new markets;

(ii) For a foreign bank branch, approval of the policy and plan for provision of new products and activities in new markets shall be carried out in accordance with regulations of the parent bank.

2. The plan for provision of new products and activities in new markets shall be appraised by the risk management function in terms of risks and risk management measures, and shall clearly specify, at a minimum, the following contents:

a) The scope and duration of pilot provision of new products and activities in new markets, on the basis of assessment of risks that may arise from such provision and activities and their impact on own capital and income, in order to ensure consistency with the bank’s risk control capacity;

b) The official commencement time for provision of new products and activities in new markets, on the basis of assessment of pilot results against the bank’s risk management targets.

3. Upon official provision of new products and activities in new markets, the bank shall issue regulations and processes on provision of new products and activities in new markets and shall manage material risks of such new products and activities.

Article 22. Identification, measurement, monitoring and control of risks

1. Risk identification: A bank shall identify material risks in transactions, products, activities and operational processes, identify potential sources of risks and determine causes of risks.

2. Risk measurement:

a) A bank shall measure the level of risks on the basis of determining short-term and long-term impacts of such risks on the bank’s income, capital and liquidity;

b) Risk measurement shall ensure timeliness and shall be conducted at least by methods or models. Risk measurement methods and models shall be periodically tested and assessed for accuracy and appropriateness in accordance with the bank’s internal regulations. Data used in risk measurement methods and models shall comply with the provisions of Clause 1, Article 24 of this Circular.

3. Risk monitoring: A bank shall monitor risk positions and timely assess and provide early warning of potential breaches of risk limits and restrictions to ensure safety in operations.

4. Risk control:

a) A bank shall control risk positions, transactions and activities in accordance with corresponding risk limits;

b) A bank shall implement preventive, mitigating and timely handling measures for risks to ensure compliance with risk limits and restrictions to ensure safety in operations and shall have mechanisms to supervise and inspect the implementation of such measures.

Article 23. Stress testing

1. A bank shall conduct capital stress testing and conduct stress testing for at least the following material risks:

a) Credit risk;

b) Market risk;

c) Interest rate risk in the banking book;

d) Liquidity risk.

2. A bank shall issue internal regulations on stress testing, which shall at least include the following contents:

a) Types of stress testing as prescribed in Clause 1 of this Article and the primary objectives of conducting stress testing;

b) Frequency of conducting stress testing;

c) Determination of the scope of the bank’s activities and on-balance sheet and off-balance sheet positions for conducting stress testing;

d) Methodology for stress testing, which shall at least include: scope of assumptions; list of risk factors; scenarios (if any); models (if any); data used in stress testing; and use of stress testing results;

dd) Procedures (including procedures for reviewing stress testing results and reporting stress testing results) and responsibilities of parties involved in the stress testing process.

3. A bank shall select at least one of the following methods for conducting stress testing for credit risk and market risk:

a) Sensitivity analysis: Assessing the impact of a change in one or a group of closely related risk factors while holding other risk factors constant. The sensitivity analysis method shall consider at least 02 levels of severity that may occur;

b) Scenario analysis: Assessing the impact of simultaneous changes in multiple risk factors under plausible scenarios, based on historical events and hypothetical events that are clearly defined and consistent. Scenarios shall be determined as plausible on the basis of analysis of past events and forecasts of macroeconomic developments, taking into account material risks arising in the operations of banks. The scenario analysis method shall develop at least 02 scenarios, including a normal operating scenario and an adverse scenario that may occur, consistent with the purpose of conducting stress testing;

c) Reverse stress testing: Conducting stress testing on the basis of the assumption that the bank experiences a severe adverse event (such as breach of the minimum capital adequacy ratio requirement, breach of other safety ratios or other adverse impacts), and identifying the events and factors leading to such event.

4. The method for stress testing for liquidity risk (liquidity stress testing) shall comply with Article 48 of this Circular; stress testing for interest rate risk in the banking book shall comply with Article 54 of this Circular; and capital stress testing shall comply with Article 60 of this Circular.

5. A bank shall conduct stress testing with the following frequency:

a) Liquidity stress testing at least quarterly and whenever events occur that may have a serious impact on the bank’s liquidity;

b) Stress testing for credit risk and stress testing for market risk at least annually;

c) Stress testing for interest rate risk in the banking book at least quarterly;

d) Capital stress testing at least annually and whenever events occur that may have a serious impact on the bank’s capital adequacy.

6. Based on stress testing results, a bank shall:

a) Assess its ability to comply with safety ratios and other restrictions to ensure safety in operations of the bank relating to the types of stress testing prescribed in Clause 1 of this Article;

b) Use stress testing results to develop or amend business plans, business strategies, risk management policies, contingency plans and remediation plans as prescribed in the Law on Credit Institutions, where necessary;

c) Develop contingency plans in accordance with Clause 4, Article 48 of this Circular (for liquidity stress testing results);

d) Calculate economic capital to determine target capital as prescribed in Section 9 of this Chapter (for capital stress testing results).

Article 24. Risk data management

Risk data shall be used for implementation of risk management activities as prescribed in this Chapter. A bank shall manage risk data in accordance with its internal regulations and shall at least ensure the following requirements:

1. Risk data shall ensure accuracy and integrity, including consistency of data concepts, and shall have internal reporting channels and remediation plans for poor data quality (if any).

2. A bank shall collect and aggregate risk data, which shall at least include all risk data relating to material risks.

3. A bank shall have the capability to aggregate risk data for risk management activities in a rapid and timely manner.

4. A bank shall have the capability to aggregate risk data to meet requirements of different types of risk management reports.

Article 25. Responsibilities of the Board of Directors, the Members’ Council, the General Director (Director), and individuals and units regarding risk management activities

1. The Board of Directors and the Members’ Council of a commercial bank shall perform functions and duties relating to risk management activities in accordance with this Circular and the bank’s internal regulations.

2. The General Director (Director) of a commercial bank shall be responsible for:

a) Developing and organizing implementation of risk management policies;

b) Organizing implementation of the internal capital adequacy assessment process;

c) Performing other matters as prescribed by the commercial bank.

3. Individuals and units responsible for Asset/Liability management of a commercial bank shall be responsible for:

a) Managing the asset–liability balance effectively in alignment with risk management policies;

b) Reviewing and proposing capital mobilization plans, capital utilization plans, and principles for establishing internal funds transfer pricing;

c) Developing interest rate frameworks and pricing frameworks for other products to manage financial assets and financial liabilities;

d) Controlling business activities to ensure compliance with liquidity risk limits, interest rate risk limits in the banking book, and total assets calculated based on interest rate risk in the banking book;

dd) Performing other matters as prescribed by the commercial bank.

4. Individuals and units responsible for the internal capital adequacy assessment process of a commercial bank shall be responsible for:

a) Conducting the internal capital adequacy assessment;

b) Performing other matters as prescribed by the commercial bank.

5. The risk management function of a commercial bank shall have the following duties and responsibilities:

a) Assisting the Risk Committee in proposing and advising the General Director (Director) on:

(i) Developing, implementing, evaluating and proposing adjustments to risk management policies as prescribed in Clause 3, Article 19 of this Circular for submission to the Board of Directors or the Members’ Council for decision;

(ii) Developing, implementing and allocating risk limits;

(iii) Conducting self-assessment of risk management and proposing to the Board of Directors or the Members’ Council measures for handling and remediation;

b) Assisting the Risk Committee in monitoring risk positions against risk limits in order to provide warnings and early identification of risks and potential breaches of risk limits;

c) Coordinating with the first line of defense to fully identify and monitor risks arising;

d) Developing and applying methods for risk assessment and measurement;

dd) Controlling, preventing and proposing measures to mitigate risks arising;

e) Participating in risk-related matters in the process of making risk decisions corresponding to each level of competence in accordance with the bank’s internal regulations;

g) Developing methodology and establishing scenarios for stress testing in coordination with the business function, the compliance function and other relevant units;

h) Preparing internal reports on risk management in accordance with the internal regulations of the commercial bank;

i) Directly reporting to the Board of Directors or the Members’ Council on matters relating to risk management where necessary in accordance with the internal regulations of the commercial bank;

k) Performing other matters as prescribed by the commercial bank.

6. Other individuals and units of a commercial bank relating to risk management shall perform their responsibilities in accordance with the bank’s internal regulations on risk management.

7. For a foreign bank branch:

a) The General Director (Director) of the foreign bank branch shall perform functions and duties relating to risk management activities in accordance with regulations of the parent bank;

b) The risk management function and other individuals and units of the foreign bank branch relating to risk management shall have the following duties and responsibilities:

(i) Implementing risk management and conducting the internal capital adequacy assessment process;

(ii) Performing other matters as prescribed by the foreign bank branch.

 

Section 2. CREDIT RISK MANAGEMENT

 

Article 26. Requirements and strategies for credit risk management, and credit risk limits

1. Credit risk management shall be implemented throughout the process of review, appraisal, decision-making and management of credit extension, ensuring compliance with regulations of the State Bank and relevant laws.

2. A bank shall issue a credit risk management strategy, which shall at least include the following contents:

a) Objectives relating to credit quality (at a minimum including target non-performing loan ratio and target non-performing credit extension ratio) by product, customer and economic sector; profitability and growth in credit extension activities;

b) An approach ensuring inheritance and continuity, whereby the credit risk management strategy shall take into account economic cycle factors and expected impacts on the credit extension portfolio;

c) Principles for determining credit risk compensation costs in interest rate calculation methods and credit product pricing according to the level of credit risk of customers;

d) Principles for application of credit risk mitigation measures (including competence to approve credit risk mitigation measures);

dd) Principles for conducting stress testing for credit risk.

3. A bank shall establish credit risk limits, which shall at least include credit extension limits by product, customer, economic sector and form of collateral.

Article 27. Internal credit rating system

1. A bank shall have an internal credit rating system in accordance with regulations of the State Bank on classification of assets in operations of commercial banks, non-bank credit institutions and foreign bank branches, as a basis for measurement of credit risk, provision of information on the credit extension portfolio and credit risk management.

2. The internal credit rating system shall at least ensure the following requirements:

a) Having criteria for assessing customers’ debt repayment capacity (including consideration of macro-level socio-economic factors and business environment factors affecting customers’ repayment capacity);

b) Having an information system for operation of the internal credit rating system;

c) The internal credit rating system shall be assessed at least annually by individuals or units independent from those developing and using the internal credit rating system, as a basis for review, amendment and supplementation (if necessary);

d) Having adequate information on the internal credit rating system to be provided upon request of internal audit, independent audit organizations and other competent authorities when conducting audit, inspection, examination and supervision.

Article 28. Measurement, monitoring and control of credit risk

1. A bank shall use methods or models, or both methods and models, to measure credit risk.

2. A bank shall monitor and control credit risk, ensuring at least the following:

a) Classifying debts, making provisions for credit risk, using provisions to handle credit risk, monitoring debt classification results and assessing adequacy of provisions in accordance with law;

b) Monitoring and assessing credit risk for each credit exposure and for the entire credit extension portfolio, and implementing measures where credit quality deteriorates;

c) Controlling actual credit risk positions against allocated credit risk limits for each credit exposure and credit extension portfolio, ensuring compliance with credit extension limits in accordance with law;

d) Conducting off-site supervision and on-site inspection of customers to monitor and control credit risk. For small-value credit exposures, the bank shall implement inspection and supervision measures in accordance with regulations of the State Bank on inspection and supervision of small-value credit exposures. The frequency of inspection and supervision shall comply with the bank’s internal regulations;

dd) Developing and implementing assessment criteria and methods for determining the level of deterioration in credit quality of each credit exposure and credit extension portfolio, and establishing early warning mechanisms where there is a risk of deterioration in customers’ credit quality.

Article 29. Credit appraisal

1. A bank shall conduct credit appraisal ensuring at least the following:

a) Appraisal of customers’ satisfaction of conditions for credit extension;

b) Identification of related persons of customers who are subject to provision of information on related persons in accordance with laws on credit extension; determination of the total outstanding credit exposure (including the outstanding credit exposure currently requested) of the customer, and of the customer together with related persons subject to provision of information on related persons in accordance with laws on credit extension;

c) Use of customer rating results, including ratings at other credit institutions and foreign bank branches (if any);

d) Assessment of completeness of dossiers, legal status of collateral and recoverability from disposal of collateral in cases of secured credit extension;

dd) Appraisal of the guarantor’s ability to perform committed obligations for guaranteed credit exposures.

2. During the appraisal process, in cases where information channels other than the bank’s internal sources are used in relation to customers, the bank shall verify the quality of information and the independence of such information channels from the credit recipient.

Article 30. Credit risk decisions

Credit risk decisions made by a bank shall ensure the following:

1. Decision-making competence and cases requiring escalation to a higher level of competence for decision-making shall be determined based on quantitative and qualitative criteria.

2. In cases where decisions are made under a committee mechanism, the committee shall prepare minutes of decision or an equivalent form, clearly stating the reasons for approving or not approving the decision and fully recording opinions of committee members. Committee members shall be responsible for their decisions.

3. Information provided for decision-making shall be adequate and commensurate with the scale and type of credit extension. Regulations on the list of information forming the basis for decision-making shall be assessed by the risk management function to ensure effective implementation of credit risk management.

Article 31. Management of credit extension

1. A bank shall manage credit extension to ensure the following requirements:

a) Clearly prescribing responsibilities and competence of individuals and units in preparation and retention of credit files to ensure completeness of credit files in accordance with law;

b) Disbursement in accordance with the purpose of use of funds and the type of credit extension;

c) Inspection and supervision of credit exposures after disbursement shall ensure the following principles:

(i) Inspecting and supervising use of loan funds in accordance with law and agreements in the credit extension contract between the bank and the customer;

(ii) Assessing factors affecting the customer’s debt repayment capacity;

(iii) Managing collateral in cases of secured credit extension in accordance with Article 33 of this Circular;

(iv) Monitoring repayment schedules, reminding customers to fulfill repayment obligations when due, and promptly reporting to competent levels in cases where customers are at risk of failing or delaying fulfillment of repayment obligations.

2. A bank shall retain credit files, information on customers’ ability to perform repayment obligations, customers’ repayment history and other relevant information in accordance with law.

Article 32. Management of problem credit exposures

1. A bank shall manage problem credit exposures in order to implement timely handling measures.

2. Management of problem credit exposures shall at least include:

a) Having internal regulations clearly prescribing criteria and methods for identifying problem credit exposures;

b) Strengthening assessment of customers’ debt repayment capacity and recoverability from collateral;

c) Implementing handling measures and restructuring of problem credit exposures, and recovery plans;

d) Strengthening monitoring, supervision and debt recovery;

dd) Determining responsibilities in order to take measures against individuals and units related to non-performing loans (if any).

Article 33. Collateral management

1. A bank shall have internal regulations on collateral management, which shall at least include:

a) Clearly identifying types of collateral accepted by the bank in compliance with law;

b) Methods for determining asset value in accordance with laws on valuation or hiring qualified valuation organizations to determine the value of collateral as a basis for collateral management, determination of eligible collateral for deduction and applicable haircuts when making provisions in accordance with law;

c) Periodic or ad hoc assessment of volatility in collateral value under the principle that collateral with greater value volatility shall be assessed more frequently;

d) Receipt and safekeeping of collateral.

2. A bank shall manage collateral in accordance with its internal regulations and relevant laws.

Article 34. Internal reporting on credit risk

1. On a periodic basis at least quarterly or on an ad hoc basis, a bank shall prepare internal reports on credit risk as prescribed in Clause 2 of this Article.

2. Internal reports on credit risk shall at least include the following contents:

a) Credit quality of credit exposures and the credit extension portfolio by customer segment and economic sector;

b) Problem credit exposures and handling measures for such problem credit exposures;

c) Customers and economic sectors with actual outstanding credit balances exceeding credit risk limits prescribed in Clause 3, Article 26 of this Circular (if any) and control measures;

d) Value of collateral and collateral portfolio by each type of collateral as prescribed in Article 33 of this Circular;

dd) Status of provisioning and use of provisions to handle credit risk;

e) Results of stress testing for credit risk during the reporting period (if any);

g) Early warning of potential breaches of credit risk limits and restrictions;

h) Violations relating to credit risk management and reasons for such violations;

i) Proposals and recommendations on credit risk management to the report recipients;

k) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

 

Section 3. MARKET RISK MANAGEMENT

 

Article 35. Market risk management strategy and market risk limits

1. A bank shall issue a market risk management strategy, which shall at least include the following contents:

a) Market risk positions of the trading book subject to market risk hedging;

b) Principles for market risk management under normal conditions and under conditions of significant volatility in securities prices, commodity prices, exchange rates, gold prices and interest rates in accordance with the bank’s internal regulations;

c) Principles for application of market risk mitigation measures (including competence to approve market risk mitigation measures);

d) Principles for conducting stress testing for market risk.

2. A bank shall establish market risk limits, which shall at least include:

a) Interest rate risk limits, including interest rate risk limits for trading product portfolios, stop-loss limits and limits on total interest rate risk position in the trading book;

b) Foreign exchange risk limits, including limits on total net long foreign currency position, total net short foreign currency position, gold position and stop-loss limits;

c) Commodity price risk limits, including limits for trading product portfolios and stop-loss limits;

d) Trading limits for traders.

Article 36. Measurement, monitoring and control of market risk

1. A bank shall have methods or models, or both methods and models, to measure market risk for interest rate risk, foreign exchange risk, equity price risk and commodity price risk. Measurement shall at least ensure that:

a) Market risk is measured in relation to each financial asset, financial liability and off-balance sheet item;

b) Parameters and assumptions are validated and adjusted based on comparison with actual developments (if any) and results obtained from such methods and models;

c) In cases where a bank applies mark-to-model valuation, the pricing model shall ensure the following requirements:

(i) Fully assessing factors affecting the value of proprietary trading transactions and the value of underlying assets;

(ii) Being estimated on the basis of market information and data collected from reliable sources. Market information and data shall be independently assessed for reliability and appropriateness in accordance with the bank’s internal regulations;

(iii) Being reviewed and assessed at least annually or on an ad hoc basis to identify limitations of the pricing model for appropriate adjustment.

2. A bank shall monitor and control market risk for interest rate risk, foreign exchange risk, equity price risk and commodity price risk, ensuring at least the following:

a) Monitoring market risk positions in relation to each financial asset, financial liability and off-balance sheet item;

b) Providing early warning of potential breaches of market risk limits;

c) Regularly assessing actual market risk positions (including market risk hedging transactions) and timely adjusting market risk limits (if necessary) to ensure compliance with the bank’s market risk limits;

d) Adjustments to market risk limits shall be promptly notified to relevant individuals and units for conducting proprietary trading transactions and market risk control.

Article 37. Internal reporting on market risk

1. No later than the next working day (T), a bank shall prepare an internal report on market risk relating to the trading book of the preceding working day (T-1), which shall at least include:

a) Total market risk position during the day;

b) Findings from control activities relating to proprietary trading transactions;

c) Actual profit (loss) and projected mark-to-market profit (loss) of proprietary trading transactions;

d) Intraday trading limits and utilization of such limits as of the end of the trading day.

2. On a periodic basis at least every 06 months or on an ad hoc basis, a bank shall prepare an internal report on market risk, which shall at least include:

a) Total market risk position compared with market risk limits as at the reporting date;

b) Results of review and assessment of methods and models for measuring and monitoring market risk (if any);

c) Actual profit (loss) and projected mark-to-market profit (loss) of proprietary trading transactions;

d) Violations relating to market risk management and reasons for such violations (if any);

dd) Abnormal cases in proprietary trading activities and changes in key assumptions of market risk measurement methods;

e) Results of stress testing for market risk during the reporting period (if any);

g) Proposals and recommendations on market risk management to the report recipients;

h) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

 

Section 4. OPERATIONAL RISK MANAGEMENT

 

Article 38. Operational risk management strategy and operational risk limits

1. A bank shall issue an operational risk management strategy, which shall at least include:

a) Principles for implementation of operational risk management;

b) Principles for the use of outsourcing, insurance and technology applications, including identification, assessment and monitoring of risks arising from third parties;

c) Cases requiring business continuity plans, which shall at least include:

(i) Loss of important documents and databases;

(ii) Failure of information technology systems;

(iii) Force majeure events (war, natural disasters, epidemics, fire and explosion, etc.);

d) Principles for conducting operational risk assessment through hypothetical scenarios (Scenario Analysis) in order to proactively identify weaknesses, prepare response measures and ensure business continuity in cases where the bank applies the method prescribed at Point e, Clause 3, Article 39 of this Circular.

2. A bank shall establish operational risk limits, which shall at least include:

a) Limits on the level of financial loss for each case prescribed in Clause 2, Article 39 of this Circular according to the 06 categories prescribed in Clause 3 of this Article;

b) Limits on the level of non-financial loss (including reputational impact and legal obligations).

3. A bank shall classify activities into the following 06 categories for operational risk management:

a) Interest income-generating activities and similar income;

b) Interest expense-incurring activities and similar expenses;

c) Service activities;

d) Foreign exchange trading activities;

dd) Trading in trading securities and investment securities;

e) Other activities.

Article 39. Identification, measurement, monitoring and control of operational risk

1. A bank shall comprehensively identify operational risk in all transactions, products, activities, operational processes, information systems and risks arising from third parties.

2. Identification of operational risk shall be conducted for the following cases:

a) Internal fraud arising from acts of deception, misappropriation of assets or violations of internal strategies, policies and regulations involving at least one individual of the bank (including acts committed for personal gain such as improper performance of duties, exceeding competence, theft and misuse of internal information);

b) External fraud arising from acts of deception or misappropriation of assets committed by external parties without assistance or collusion of individuals or units of the bank (including theft, robbery, forgery of bank cards or banking documents, unauthorized access to information systems to appropriate data or funds);

c) Employment and workplace safety policies inconsistent with employment contracts and laws on labor, occupational health and workplace safety;

d) Products, services and methods of delivery inconsistent with regulations or customer rights (including breaches of customer information confidentiality, violations of anti-money laundering regulations and provision of products or services beyond competence);

dd) Damage to or loss of assets, tools or equipment due to force majeure events, human actions or other events;

e) Business disruption due to failures of information technology infrastructure;

g) Deficiencies in transaction processes, transaction control and transaction management;

h) Other cases as prescribed in the bank’s internal regulations.

3. A bank shall apply at least two of the following tools to assess and measure operational risk for the cases prescribed in Clause 2 of this Article according to the 06 categories prescribed in Clause 3, Article 38 of this Circular:

a) Event management to identify, analyze and manage operational risk events on an end-to-end basis; and to provide input information for operational risk self-assessment and assessment of control effectiveness;

b) Internal and external loss data collection and analysis to determine internal losses;

c) Risk Control Self Assessment (RCSA) to determine the effectiveness of control activities for operational risk before and after control;

d) Control Monitoring and Assurance Framework to assess, review, continuously monitor and test control activities appropriate to each type of operational risk and business activity;

dd) Risk and Performance Indicators to monitor factors impacting operational risk and identify weaknesses and potential losses;

e) Scenario Analysis to identify sources of operational risk and control and mitigation requirements under potential scenarios and events;

g) Benchmarking and Comparative Analysis to compare results of different risk measurement and management tools within the bank and with other banks in order to better understand the operational risk profile;

h) Business Process Mapping (BPM) to determine the level of operational risk of each operational process, the overall operational risk of operational processes and interrelationships among such risks;

i) Use of Audit Findings from internal audit and independent audit to assess control effectiveness and implement preventive and remedial measures for operational risk.

4. A bank shall monitor and control operational risk through control activities prescribed in this Circular and other measures in accordance with its internal regulations. In cases where actual losses exceed operational risk limits, the bank shall implement enhanced measures to control and mitigate such operational risk in the future.

Article 40. Operational risk management in outsourcing activities

1. A bank shall manage operational risk in outsourcing activities through:

a) Management of outsourcing activities in accordance with Clause 2 of this Article;

b) Identification, measurement, monitoring and control of operational risk arising from outsourcing activities in accordance with Article 39 of this Circular.

2. Management of outsourcing activities shall at least include:

a) Determining the scope of outsourcing activities and the level of dependence on third parties;

b) Allocating competence for approval and decision-making with respect to outsourcing activities;

c) Assessing the capability of third parties to meet the requirements and objectives of outsourcing activities before entering into an outsourcing contract; and assessing contract performance capability of third parties throughout the contract term;

d) Ensuring that outsourcing contracts are strict and comprehensive, protecting ownership rights, confidentiality of databases and customer information, and the bank’s right to terminate the outsourcing contract. Outsourcing contracts shall at least include: the level and scope of outsourcing activities; specific rights and obligations of the bank and the third party; and dispute resolution clauses in accordance with law;

dd) Establishing, or requiring third parties to establish, business continuity plans for outsourcing activities in accordance with Article 43 of this Circular;

e) Establishing mechanisms for the bank to supervise third parties during the outsourcing term.

3. A bank shall manage third-party risks arising from outsourcing activities to ensure at least the following:

a) The bank shall monitor outsourcing contracts, at minimum including the following contents: materiality of the agreement; substitutability of the services provided by the third party; list of contingent providers; whether confidential or proprietary information is shared; and service location;

b) The bank shall conduct a comprehensive assessment of risks that may arise from outsourcing activities before entering into the contract;

c) The bank shall monitor risks arising from outsourcing activities and periodically report to competent levels in accordance with the bank’s internal regulations;

d) The bank shall develop and periodically review and update business continuity plans, including recovery measures to ensure uninterrupted operations in the event of incidents in outsourcing activities.

4. A bank shall ensure that outsourcing activities do not alter its responsibility for fulfilling its obligations to relevant parties.

Article 41. Operational risk management in technology application

1. A bank shall manage operational risk in the application of technology to internal operations and customer transactions (hereinafter referred to as “technology application”) through:

a) Management of technology application in accordance with Clause 2 of this Article;

b) Identification, measurement, monitoring and control of operational risk arising in technology application in accordance with Article 39 of this Circular, ensuring at least the following:

(i) Identification of potential operational risk relating to internal and external network systems, hardware, software, applications, transaction interfaces, operations and human factors;

(ii) Measurement of risks based on estimation of losses arising from operational risk events affecting business activities;

(iii) Monitoring and assessment of the ability to maintain stable operations against potential operational risk in technology application;

(iv) Control and implementation of operational risk mitigation measures (if necessary) in technology application activities.

2. Management of technology application by a bank shall at least ensure:

a) Issuance of regulations on technology application management, at minimum including:

(i) Scope of management of technology application, at minimum covering information systems;

(ii) Duties, responsibilities and competence of individuals and units responsible for managing technology application;

(iii) Effective management in cases of incidents or changes in technology application;

(iv) Authentication systems ensuring confidentiality of customer information, transaction security and safety of the bank’s information systems;

b) Compliance with regulations of the State Bank on electronic transactions; safety and security in provision of online banking services; and relevant laws.

Article 42. Purchase of insurance to mitigate operational risk losses

1. A bank may purchase insurance to mitigate losses arising from operational risk in accordance with law, ensuring consistency with its financial capacity and loss-absorbing capacity.

2. A bank shall not use the purchase of insurance as a substitute for operational risk management.

3. When purchasing insurance, a bank shall assess the financial capacity and reputation of the insurer in performing the insurance contract.

4. A bank shall periodically assess the effectiveness of insurance in mitigating operational risk losses.

Article 43. Business continuity plans

1. A bank shall develop, approve, maintain and periodically update a business continuity plan (BCP) in the cases prescribed at Point c, Clause 1, Article 38 of this Circular to ensure the ability to respond, recover and continue business operations and provision of banking activities in situations of severe disruption, consistent with the bank’s risk appetite, financial capacity and business orientation.

2. The business continuity plan shall at least meet the following requirements:

a) Clearly defining competence to activate the business continuity plan and roles and responsibilities of relevant individuals and units in implementing the Plan;

b) Being appropriate to the nature and scale of the bank’s operations;

c) Identifying critical activities, products, services and key operational processes that must be prioritized for continuity;

d) Having contingency arrangements for personnel, alternate work locations, information systems and essential infrastructure;

dd) Ensuring timely and effective coordination and information exchange internally and with supervisory authorities, customers and key counterparties in disruption scenarios;

e) Having measures to mitigate losses and adverse impacts arising from incidents or business interruption;

g) Ensuring restoration of disrupted business operations to normal status within required timeframes;

h) Being reviewed and tested or exercised at least annually or upon material changes in the operating environment, technology or organizational structure to assess effectiveness of the business continuity plan and adjust it (where necessary).

Article 44. Internal reporting on operational risk

1. On a periodic basis at least every 06 months or on an ad hoc basis, a bank shall prepare internal reports on operational risk as prescribed in Clause 2 of this Article.

2. Internal reports on operational risk shall at least include the following contents:

a) Status of implementation of the operational risk management strategy and compliance with operational risk limits;

b) Operational risk events arising during the reporting period and the reasons therefor;

c) Operational risk loss data classified according to the 06 categories prescribed in Clause 3, Article 38 of this Circular, and loss handling measures (if any);

d) Development and enhancement of the business continuity plan; activation, results of testing and exercises, and results of review of such plan (if any);

dd) External events and impacts affecting the bank’s operational risk;

e) Operational risk measurement tools and changes thereto (if any);

g) Status of outsourcing activities and operational risk management relating to outsourcing;

h) Changes in technology application (if any) and status of operational risk management in technology application;

i) Proposals and recommendations on operational risk management;

k) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Section 5. LIQUIDITY RISK MANAGEMENT

Article 45. Requirements and strategies for liquidity risk management, and liquidity risk limits

1. Liquidity risk management of a bank shall at least meet the following requirements:

a) Maintaining sufficient high-quality liquid assets (HQLA) in accordance with regulations of the State Bank to meet liquidity needs under normal operating conditions and under adverse liquidity conditions (including determination of losses and costs when accessing market liquidity);

b) Identifying the cost of meeting liquidity needs and liquidity risk in internal funds transfer pricing and performance assessment of key business activities (including both on-balance sheet and off-balance sheet activities).

2. A bank shall issue a liquidity risk management strategy, which shall at least include:

a) Principles for liquidity management, including at minimum the provisions prescribed in Article 46 of this Circular;

b) Strategy for diversification of funding sources and funding tenors to enhance liability stability and support daily liquidity;

c) Principles for conducting liquidity stress testing.

3. A bank shall establish liquidity risk limits, including:

a) Liquidity risk limits to ensure compliance with laws on:

(i) Liquidity coverage ratio;

(ii) Loan-to-deposit ratio and the maximum ratio of short-term funding used for medium- and long-term lending (for banks subject to such ratio);

(iii) Other ratios as prescribed by law (for banks subject to such ratios);

b) Other liquidity risk limits as prescribed in the bank’s internal regulations in accordance with Article 20 of this Circular.

Article 46. Liquidity management

1. A bank shall implement liquidity management in respect of:

a) Scope covering:

(i) The commercial bank;

(ii) Branches of the commercial bank in accordance with the bank’s internal regulations;

(iii) Foreign bank branches;

b) Vietnamese dong and United States dollars (including United States dollars and other foreign currencies converted into United States dollars), and other foreign currencies (where necessary).

2. Liquidity management by a bank shall at least include:

a) Intraday liquidity management: Monitoring liquidity positions; identifying funding sources and the ability to mobilize such funding to ensure liquidity; forecasting situations that may cause abnormal liquidity fluctuations and implementing handling measures;

b) Management of high-quality liquid assets based on market value and convertibility into cash to meet liquidity requirements under normal market conditions and stressed liquidity conditions;

c) Management of funding sources to ensure statistical tracking of deposits and other indicators in compliance with regulations of the State Bank on prudential limits and safety ratios in banking operations and indicators prescribed in the bank’s internal regulations;

d) Cash flow management to determine cash flow mismatches through comparison of cash outflows and cash inflows, ensuring compliance with regulations of the State Bank on prudential limits and safety ratios in banking operations and other liquidity ratios as prescribed in the bank’s internal regulations;

dd) Management of liquidity sources to ensure assessment of the ability to access liquidity sources to meet future liquidity needs under normal market conditions and stressed liquidity conditions.

Article 47. Identification, measurement, monitoring and control of liquidity risk

1. Identification of liquidity risk by a bank shall ensure that:

a) It is conducted on the basis of analysis of liquidity needs, liquidity sources of each business activity, the asset/liability structure and cash flows of on-balance sheet and off-balance sheet items, and the ability to access market liquidity;

b) Liquidity risk arising from credit risk, market risk, operational risk, reputational risk and other risks is identified.

2. A bank shall have liquidity risk measurement tools at minimum for:

a) Future cash flows of assets/liabilities;

b) Unexpected liquidity needs and cases where off-balance sheet obligations must be fulfilled;

c) Transaction currencies;

d) Correspondent banking, custody and settlement activities.

3. A bank shall monitor and control liquidity risk to ensure at least that:

a) Liquidity risk positions are monitored and controlled to ensure compliance with liquidity risk limits;

b) Early warning indicators of liquidity risk are established to enable measures addressing temporary and long-term liquidity shortfalls.

Article 48. Liquidity stress testing

1. When conducting liquidity stress testing, a bank shall have methodologies for calculating the impact of assumptions to ensure assessment of its ability to fulfill obligations and commitments and comply with liquidity risk limits. Assumptions and methodologies for impact calculation shall be reviewed and self-assessed.

2. A bank shall apply at least the following three scenarios when conducting liquidity stress testing:

a) Bank-specific scenario: Assuming a liquidity crisis affecting the bank while liquidity in the overall banking system remains stable (such as deterioration of asset quality, significant increase in liabilities, severe decline in high-quality liquid assets, widening liquidity gap, downgrade of the bank’s credit rating, cyber or information attacks on the bank, etc.);

b) System-wide scenario: Assuming a widespread financial crisis that may affect multiple banks or the entire banking system (such as macroeconomic shocks or financial market disruptions, etc.);

c) Combined scenario: A scenario combining elements of a bank-specific event and a system-wide event, assuming a bank-specific crisis that spreads to the banking system.

3. The scenarios prescribed in Clause 2 of this Article shall include a set of risk factors relating to assets, liabilities and off-balance sheet commitments. Analysis of risk factors shall at minimum consider:

a) Currency types (Vietnamese dong and United States dollars (including United States dollars and other foreign currencies converted into United States dollars), and other foreign currencies (if any)) of assets, liabilities and off-balance sheet commitments to reflect currency convertibility;

b) The bank’s obligation to repurchase debts or perform other obligations to mitigate reputational risk;

c) Actual run-off rates of liabilities during periods of heightened stress;

d) Degree of funding concentration;

dd) Loss or significant reduction in the ability to attract funding from key depositors or other creditors of the bank (including the interbank market).

4. Based on results of liquidity stress testing, a bank shall develop a contingency funding plan in cases where liquidity requirements are not met, which shall at minimum include:

a) Identifying liquidity crisis situations and trigger events for activation of the contingency funding plan;

b) Clearly determining the competence to activate the contingency funding plan and the roles and responsibilities of relevant individuals and units in implementing the plan;

c) Clearly identifying contingent funding sources, including the amount of funds that may be mobilized, their availability, conditions for utilization, reliability and expected mobilization timeframe of such sources;

d) Ensuring timely and effective reporting and information exchange internally and externally (including with the State Bank and other competent authorities) during implementation of the contingency funding plan;

dd) Periodically reviewing and adjusting the contingency funding plan (if necessary).

Article 49. Internal reporting on liquidity risk

1. On a periodic basis at least quarterly or on an ad hoc basis, a bank shall prepare internal reports on liquidity risk as prescribed in Clause 2 of this Article.

2. Internal reports on liquidity risk shall at least include:

a) Assessment of the bank’s credit rating indicators and liquidity conditions in the market;

b) Structure of the asset balance sheet; new funding products; depositor segments; deposit tenors and deposit interest rates;

c) Liquidity sources; cash flow mismatches; funding tenors; and compliance with liquidity risk limits;

d) Results of liquidity stress testing during the reporting period (if any);

dd) Proposals and recommendations on liquidity risk management to the report recipients;

e) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Section 6. CONCENTRATION RISK MANAGEMENT

Article 50. Concentration risk management strategy and concentration risk limits

1. A bank shall issue a concentration risk management strategy applicable at minimum to:

a) Credit extension activities;

b) Proprietary trading activities.

2. The concentration risk management strategy shall at least include:

a) For credit extension activities:

(i) Principles for determining credit concentration limits by credit product, customer and economic sector;

(ii) Criteria for identifying related parties of customers in accordance with law;

(iii) Principles for determining the degree of diversification and the degree of interrelationship among credit products and economic sectors;

b) For proprietary trading activities:

(i) Principles for determining concentration limits for proprietary trading by counterparty and trading product;

(ii) Criteria for determining proprietary trading portfolios subject to proprietary trading concentration limits to ensure diversification and interrelationship levels in accordance with the bank’s regulations.

3. A bank shall establish concentration risk limits, at minimum including:

a) For credit extension activities:

(i) Credit exposure limits for a single customer and for a customer and its related parties relative to own capital and growth in outstanding credit balance;

(ii) Credit exposure limits by product and economic sector relative to total outstanding credit balance;

b) For proprietary trading activities: Trading limits by counterparty and trading product relative to total proprietary trading outstanding balance.

Article 51. Identification, measurement, monitoring and control of concentration risk

1. A bank shall identify concentration risk at minimum in credit extension activities and proprietary trading activities, including:

a) Items recognized as on-balance sheet items and off-balance sheet items of the bank;

b) Items not yet recognized in accordance with laws on accounting.

2. A bank shall measure concentration risk on the basis of assessing the level of impact on income from each credit extension activity and proprietary trading activity exposed to concentration risk.

3. A bank shall monitor and control concentration risk as follows:

a) Monitoring and reviewing outstanding credit exposures and proprietary trading balances against concentration risk limits; providing early warning for credit exposures and proprietary trading transactions approaching concentration risk limits;

b) Implementing timely measures for cases exceeding concentration risk limits.

Article 52. Internal reporting on concentration risk

1. On a periodic basis at least every 06 months or on an ad hoc basis, a bank shall prepare internal reports on concentration risk as prescribed in Clause 2 of this Article.

2. Internal reports on concentration risk shall at least include:

a) Credit structure by product, customer type and economic sector;

b) Structure of proprietary trading portfolios by counterparty and trading product;

c) Status of compliance with concentration risk limits and reasons for breaches (if any);

d) Proposals and recommendations on concentration risk management to the report recipients;

dd) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Section 7. INTEREST RATE RISK IN THE BANKING BOOK (IRRBB)

Article 53. IRRBB management strategy and IRRBB limits

1. A bank shall issue an IRRBB management strategy, which shall at minimum include:

a) Principles for IRRBB management at least in accordance with the following metrics:

(i) Repricing gap profile, being the difference between the value of interest rate-sensitive assets (including off-balance sheet items) and interest rate-sensitive liabilities (including off-balance sheet items) by the date of rate reset or repricing;

(ii) Metrics measuring the impact of interest rate changes, including Change in Net Interest Income (∆NII) and Change in Economic Value of Equity (∆EVE). Calculation of these two metrics shall be conducted in accordance with Appendix V promulgated together with this Circular;

b) Principles for applying IRRBB mitigation measures (including competence to approve IRRBB mitigation measures).

2. A bank shall establish IRRBB limits, including at minimum:

a) Limits on changes in net interest income resulting from interest rate changes;

b) Limits on changes in the economic value of equity resulting from interest rate changes.

Article 54. Identification, measurement, monitoring and control of IRRBB

1. A bank shall identify, measure, monitor and control IRRBB to ensure at minimum the following requirements:

a) Having procedures for, and conducting, identification, measurement, monitoring and control of IRRBB at least quarterly and on an ad hoc basis in accordance with the bank’s internal regulations;

b) Individuals or units responsible for measuring, monitoring and controlling IRRBB shall be independent from business units generating IRRBB.

2. Identification of IRRBB shall determine causes and factors giving rise to IRRBB (including new risks arising from implementation of IRRBB mitigation activities).

3. Measurement of IRRBB shall ensure:

a) Having measurement methodologies consistent with the IRRBB management principles prescribed at Point a, Clause 1, Article 53 of this Circular;

b) Conducting IRRBB stress testing through measurement of the impact of interest rate changes based on the metrics prescribed at Point a(ii), Clause 1, Article 53 of this Circular;

c) Measuring IRRBB by each currency where the total value of assets or total liabilities denominated in such currency accounts for 5% or more of the bank’s total banking book assets;

d) Recording and retaining assumptions and changes in assumptions used in IRRBB measurement.

4. Monitoring and control of IRRBB shall ensure:

a) Monitoring rate reset dates and repricing dates of interest rate-sensitive assets, liabilities and off-balance sheet items. In cases where maturity dates or repricing dates cannot be determined, the bank may apply assumptions, which shall be approved by competent levels in accordance with the bank’s internal regulations;

b) IRRBB positions comply with IRRBB limits;

c) Providing early warning of cases approaching IRRBB limits and implementing timely measures for cases exceeding IRRBB limits.

Article 55. Internal reporting on IRRBB

1. On a periodic basis at least quarterly or on an ad hoc basis, a bank shall prepare internal reports on IRRBB as prescribed in Clause 2 of this Article.

2. Internal reports on IRRBB shall at minimum include:

a) Repricing gap profile as prescribed at Point a(i), Clause 1, Article 53 of this Circular;

b) Change in net interest income and Change in economic value of equity as prescribed at Point a(ii), Clause 1, Article 53 of this Circular (results of stress testing);

c) Compliance with IRRBB limits;

d) IRRBB mitigation measures applied during the reporting period and results of implementation thereof;

dd) Proposals and recommendations on IRRBB management to the report recipients;

e) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Section 8. MODEL RISK MANAGEMENT

Article 56. Requirements for model risk management

1. A bank shall determine a model inventory subject to management in accordance with its internal regulations; and periodically rank and classify models into high-, medium- and low-risk models based on factors (such as materiality, complexity, intended use, model quality, etc.) in accordance with the bank’s internal regulations. From the time the bank implements the transitional phase to the Internal Ratings-Based (IRB) approach in accordance with regulations of the State Bank on capital adequacy for banks, models used in the IRB approach shall be classified as high-risk models.

2. A bank shall implement model risk management in accordance with this Section, at minimum covering the high-risk models prescribed in Clause 1 of this Article.

3. A bank shall manage medium- and low-risk models in accordance with its internal regulations.

4. In cases where a bank internally develops models (including outsourcing activities relating to models), model risk management shall be aligned with the stages of the model lifecycle and shall at minimum ensure the following requirements:

a) During the model development stage, the bank shall determine the intended use, expected scope of application and assess input data quality (at minimum accuracy and completeness) in accordance with its internal regulations;

b) During the model implementation stage (including user acceptance testing), the bank shall ensure consistency with the approved model development results; where inconsistencies arise, such changes shall be re-approved by competent levels and retained in the model documentation;

c) During model use, the bank shall ensure:

(i) The model is used for its intended purpose and within its defined scope;

(ii) Overrides of model inputs and outputs (such as input entry, output being disregarded, modified or reversed, etc.) are managed, at minimum including cases subject to override; overrides shall be approved by competent levels, documented and assessed;

(iii) Feedback from users (if any) is addressed;

d) The bank shall monitor and oversee models, including assessment of the effectiveness of model use;

dd) The bank shall conduct model validation at minimum including: pre-use validation; validation upon material changes as determined in accordance with the bank’s internal regulations; and periodic validation at least annually. Model validation results shall include an assessment report on the model’s ability to meet its initial objectives and its actual effectiveness in use.

5. In cases where a bank acquires models (including models provided by the parent bank), the bank shall implement management measures at minimum ensuring the following requirements:

a) Requiring the vendor or parent bank to provide relevant model information for purposes of model assessment and use;

b) Assessing the effectiveness of model use in accordance with the bank’s regulations.

6. A bank shall establish and manage model documentation for at least the models prescribed in Clause 2 of this Article (including models in use, adjusted models and discontinued models).

7. With regard to model risk management, the bank shall maintain three independent lines of defense as follows:

a) The first line of defense: individuals or units performing model development, implementation and use functions, and identifying, implementing control, monitoring and risk mitigation measures;

b) The second line of defense: individuals or units performing model validation; developing risk management policies and internal regulations on risk management; and monitoring and controlling risk bank-wide and compliance with law;

c) The third line of defense: individuals or units performing internal audit functions.

Article 57. Identification, monitoring and control of model risk

1. Identification of model risk shall determine causes giving rise to model risk.

2. Monitoring and control of model risk shall be conducted to implement preventive, mitigation and risk handling measures, and remedial actions in respect of model limitations (if any).

Article 58. Internal reporting on model risk

1. On a periodic basis at least annually or on an ad hoc basis, a bank shall prepare internal reports on model risk as prescribed in Clause 2 of this Article.

2. Internal reports on model risk shall at minimum include:

a) The bank’s model inventory subject to management, including high-risk models (models used in the IRB approach and other high-risk models), medium-risk models and low-risk models;

b) The inventory of models adjusted and models discontinued during the reporting period;

c) Status of model development (including outsourced model development), implementation and use (including acquired models);

d) Results of periodic or ad hoc model validation (if any);

dd) Proposals and recommendations on model risk management to the report recipients;

e) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Section 9. INTERNAL CAPITAL ADEQUACY ASSESSMENT

Article 59. Requirements and contents of the Internal Capital Adequacy Assessment Process (ICAAP)

1. The ICAAP shall ensure:

a) Compliance with regulations of the State Bank on the capital adequacy ratio (CAR);

b) Maintenance of the target capital adequacy ratio under both normal operating scenarios and adverse scenarios;

c) Consistency with the bank’s risk appetite and developments of material risks;

d) Serving as a basis for formulation and adjustment of the bank’s business plan;

dd) Implementation at least annually and on an ad hoc basis when there are changes in the business environment or other factors that may affect risks or capital resources, resulting in failure to meet the target capital level.

2. A bank shall conduct ICAAP for a period of at least 03 years but not exceeding 05 subsequent years, in accordance with the following steps:

a) Measuring risks of material risk types and determining economic capital in line with the business plan in accordance with Appendix VI promulgated together with this Circular;

b) Conducting capital stress testing to determine total risk-weighted assets (RWA) of material risks and economic capital under adverse scenarios;

c) Determining target capital and projected own funds in accordance with Appendix VI promulgated together with this Circular;

d) Developing a capital plan;

dd) Monitoring capital adequacy in order to manage capital relative to target capital and adjust the capital plan (where necessary);

e) Reviewing the ICAAP process.

Article 60. Capital stress testing

1. A bank shall develop 02 scenarios: a normal operating scenario and an adverse scenario, with at minimum assumptions on interest rates, exchange rates, gold prices and credit quality, and shall apply methodologies to calculate the impact of such assumptions on total RWA by each risk type and on the capital adequacy ratio, ensuring at minimum:

a) Calculating the impact of interest rate assumptions on total RWA for operational risk, market risk (interest rate risk) and interest rate risk in the banking book;

b) Calculating the impact of exchange rate and gold price assumptions on total RWA for operational risk and market risk (foreign exchange risk where foreign exchange or gold positions arise);

c) Calculating the impact of credit quality assumptions on total RWA for operational risk, credit risk and concentration risk.

2. A bank shall review and assess the appropriateness of assumptions and methodologies used to calculate the impact of such assumptions on the capital adequacy ratio in accordance with its internal regulations.

Article 61. Capital planning

1. A bank shall develop a capital plan including at minimum:

a) A capital increase plan in case projected own funds fail to meet target capital, including:

(i) Sources for increasing tier 1 capital and tier 2 capital, ensuring feasibility and compliance with law;

(ii) Timeline and roadmap for implementation of the capital increase plan;

b) A dividend distribution and profit allocation policy ensuring that, after distribution, projected own funds are not lower than target capital;

c) Allocation of target capital across total RWA for material risks as a basis for determining risk limits;

d) Early warning thresholds for total RWA of each material risk to monitor and supervise compliance with allocated RWA for each risk type as prescribed at Point c of this Clause and to implement timely corrective measures.

2. The capital plan of a commercial bank shall be approved by the Board of Directors or the Members’ Council upon proposal of the General Director (Director).

3. The capital plan of a foreign bank branch shall be implemented in accordance with regulations of the parent bank.

Article 62. Review of the ICAAP

1. The ICAAP shall be reviewed at least annually or on an ad hoc basis by a unit independent from the unit responsible for developing and implementing the ICAAP.

2. The ICAAP review shall at minimum include:

a) The reasonableness of the internal ICAAP framework (including organizational structure, functions and responsibilities of individuals and units conducting ICAAP);

b) Consistency between risk appetite and the business plan, and between total RWA and risk limits;

c) Accuracy and completeness of input data;

d) Reasonableness of assumptions used in capital stress testing scenarios;

dd) Feasibility of the capital increase plan;

e) Proposals and recommendations to competent levels regarding ICAAP (if any).

Article 63. Internal reporting on ICAAP

1. On an annual basis, a bank shall prepare an internal ICAAP report in accordance with Clause 2 of this Article.

2. The internal ICAAP report shall at minimum include the following contents:

a) Target capital and economic capital;

b) Results of capital stress testing;

c) The capital plan;

d) Results of capital allocation;

dd) Results of review of the ICAAP as prescribed in Article 62 of this Circular;

e) Results of handling and remediation in response to requirements and recommendations of internal audit, the State Bank, independent audit organizations and other competent authorities (if any).

Chapter IV

INTERNAL AUDIT

Article 64. Principles of internal audit

1. Principle of independence:

a) Internal auditors and the internal audit function shall not concurrently perform work or duties (except those prescribed at Points a and b, Clause 7, Article 56 of this Circular) of individuals or units belonging to the first line of defense or the second line of defense;

b) The internal audit function shall not be subject to any direction or interference from individuals or units belonging to the first or second line of defense;

c) An internal auditor shall not perform audits of:

(i) Internal regulations on internal audit developed by that internal auditor;

(ii) Units or departments where the head of such unit or department is a related person of that internal auditor;

(iii) Activities or departments for which that internal auditor performed functions or assumed responsibility within 03 years from the date he/she ceased performing or assuming responsibility for such activities or departments;

d) Criteria for determining salary levels and other benefits for positions within the internal audit function shall be separated from the business results and operational results of units or departments belonging to the first and second lines of defense.

2. Principle of objectivity:

a) Audit findings in internal audit reports shall be carefully analyzed and based on collected data and information;

b) Internal auditors shall act with integrity when reporting and evaluating during the internal audit process;

c) Internal auditors have the right and obligation to report to competent levels on matters relating to objectivity in the performance of internal audit.

3. Principle of professionalism:

a) The internal audit function shall have at least one internal auditor responsible for auditing information technology infrastructure and technology applications (hereinafter referred to as “IT auditor”);

b) Internal auditors shall meet the standards prescribed in Article 66 of this Circular.

4. The internal audit function shall implement control measures to ensure compliance with the principles prescribed in Clauses 1, 2 and 3 of this Article during the internal audit process (including preparation and submission of internal audit reports). The Chief Internal Auditor shall promptly report to the Supervisory Board upon detecting violations or risks of violations of the principles prescribed in Clauses 1, 2 and 3 of this Article.

Article 65. Coordination mechanism

1. A commercial bank shall establish coordination mechanisms among:

a) The Board of Directors, the Members’ Council and the Supervisory Board, and the internal audit function in accordance with Clause 2 of this Article;

b) The General Director (Director), units belonging to the first line of defense and the second line of defense, and the Supervisory Board and the internal audit function in accordance with Clause 3 of this Article.

2. The coordination mechanism among the Board of Directors, the Members’ Council, the Supervisory Board and the internal audit function of a commercial bank shall ensure:

a) The Board of Directors and the Members’ Council coordinate with the internal audit function when internal audit reviews the oversight of senior management over the Board of Directors and the Members’ Council;

b) The Board of Directors and the Members’ Council implement recommendations of the Supervisory Board addressed to them in the internal audit report (if any) and notify the Supervisory Board of the results of implementation of such recommendations.

3. The coordination mechanism among the General Director (Director), units belonging to the first line of defense and the second line of defense, and the Supervisory Board and the internal audit function of a commercial bank shall ensure:

a) The General Director (Director) shall:

(i) Coordinate with the internal audit function when internal audit reviews the oversight of senior management over the General Director (Director);

(ii) Direct the risk management function and other relevant units to provide full risk information to enable the internal audit function to prepare the internal audit plan;

(iii) Receive internal audit reports, organize the implementation of recommendations of the Supervisory Board addressed to the General Director (Director) in the internal audit report (if any), and report to the Supervisory Board on the results of implementation of such recommendations;

b) Units belonging to the first and second lines of defense shall:

(i) Provide complete, truthful and accurate information, documents and dossiers as required by the internal audit function during internal audit;

(ii) Promptly notify the internal audit function upon detecting limitations, violations, losses or risks of losses;

(iii) Facilitate the performance of internal audit by the internal audit function.

4. A foreign bank branch shall establish a coordination mechanism among the General Director (Director), units belonging to the first and second lines of defense, and the internal audit function of the foreign bank branch.

Article 66. Standards applicable to members of the Supervisory Board and internal auditors

1. Members of the Supervisory Board of a commercial bank shall satisfy the standards and conditions prescribed by the Law on Credit Institutions.

2. A commercial bank shall establish standards applicable to internal auditors meeting the following requirements:

a) For internal auditors:

(i) Holding at least a university degree in economics, business administration, law, accounting, auditing, mathematics and statistics, or other disciplines relevant to audit requirements;

(ii) Having at least 02 years of direct working experience in banking, finance, accounting, auditing or other fields relevant to audit requirements for internal auditors, and at least 03 years for the Chief Internal Auditor;

b) For IT auditors:

(i) Holding at least a university degree in information technology or other disciplines relevant to audit requirements;

(ii) Having at least 02 years of working experience in information technology.

3. Standards applicable to internal auditors of foreign bank branches shall be implemented in accordance with regulations of the parent bank.

Article 67. Professional ethical standards of members of the Supervisory Board and internal auditors

1. Professional ethical standards of members of the Supervisory Board and internal auditors (including the Chief Internal Auditor and other positions within the internal audit function) of a commercial bank shall at minimum include the following principles:

a) Integrity: Performing assigned duties in a straightforward and honest manner;

b) Objectivity: Performing assigned duties objectively, making fair assessments without regard to personal interests or the interests of others;

c) Confidentiality: Complying with information confidentiality requirements in accordance with law and the internal regulations of the commercial bank;

d) Responsibility: Performing assigned duties in a timely manner and ensuring quality;

dd) Due professional care: Performing assigned duties prudently based on assessment of the following factors:

(i) The complexity and significance of matters subject to internal audit;

(ii) The likelihood of significant errors arising during the internal audit process.

2. Professional ethical standards of internal auditors of a foreign bank branch shall be implemented in accordance with regulations of the parent bank.

Article 68. Internal regulations on internal audit

Internal regulations of the Supervisory Board of a commercial bank shall include provisions on internal audit, at minimum covering:

1. Organizational structure, functions, powers and responsibilities of the internal audit function as prescribed in Clause 3, Article 6, and Articles 71 and 72 of this Circular; standards applicable to internal auditors as prescribed in Article 66 of this Circular; professional ethical standards of members of the Supervisory Board and internal auditors as prescribed in Article 67 of this Circular.

2. Criteria for determining risk levels, materiality levels and frequency of internal audit of activities, processes and units as prescribed at Points a and b, Clause 2, Article 69 of this Circular; and internal audit contents as prescribed in Article 70 of this Circular.

3. Procedures for preparing and implementing the internal audit plan.

4. Review and assessment of internal audit regulations; and handling of recommendations on internal audit made by the State Bank, independent audit organizations and other competent authorities.

5. Provisions on hiring of external experts or organizations to perform internal audit.

6. Internal reporting regime on internal audit as prescribed in Article 73 of this Circular.

Article 69. Internal audit plan

1. Internal audit of a commercial bank shall be conducted on an annual basis and on an ad hoc basis in accordance with internal regulations of the Supervisory Board.

2. The annual internal audit plan of a commercial bank shall be issued by the Supervisory Board upon proposal of the Chief Internal Auditor after consultation with the Board of Directors, the Members’ Council and the General Director (Director). Preparation of the internal audit plan shall ensure:

a) Risk-based principle: Activities, processes and units shall be assessed for risk level (high, medium and low) in accordance with internal regulations of the Supervisory Board. High-risk activities, processes and units shall be prioritized in terms of resources, audited first and audited at least once annually;

b) Comprehensiveness: All activities, processes and units shall be subject to internal audit. Activities, processes and units determined as material in accordance with internal regulations of the Supervisory Board shall be audited at least once annually;

c) Allocation of contingency resources and time for conducting ad hoc internal audits;

d) The annual internal audit plan shall be adjusted when there are material changes in operational scale, risk profile or internal audit resources in accordance with internal regulations of the Supervisory Board.

3. The annual internal audit plan of a commercial bank shall be issued before December 15 of the preceding year and shall at minimum include: audit scope, audit subjects, audit objectives, audit timeline, audit resources (including hiring of external experts or organizations) for internal audit and other contents as prescribed by the commercial bank.

4. The internal audit plan of a foreign bank branch shall be decided by the parent bank.

5. Within 10 working days from the date of issuance, amendment or supplementation, the bank shall submit the internal audit plan to the State Bank (the State Bank’s Regional Branch according to the entities subject to micro-prudential supervision; the Credit Institution Supervision Department).

Article 70. Internal audit contents

1. Internal audit of a commercial bank shall be conducted in accordance with Article 58 of the Law on Credit Institutions based on the following contents:

a) Independently and objectively examining and assessing compliance with mechanisms, policies, processes and internal regulations of the Board of Directors, the Members’ Council, the General Director (Director), and individuals and units in control activities and risk management activities, including identification of limitations and their causes;

b) Independently and objectively reviewing and assessing the appropriateness and legal compliance of mechanisms, policies, processes and internal regulations in control activities and risk management activities, including identification of limitations and their causes;

c) Proposing and recommending to competent levels and relevant units measures to address identified limitations;

d) Other contents in accordance with internal regulations of the internal audit function.

2. The scope of internal audit of a foreign bank branch shall be implemented in accordance with regulations of the parent bank.

Article 71. Powers of the internal audit function

The internal audit function of a commercial bank shall have the following powers:

1. Being provided with necessary resources (human resources, financial resources, assets and other tools).

2. Being provided with information, documents and dossiers necessary for internal audit, including documents and minutes of meetings of the Board of Directors, the Members’ Council and the General Director (Director).

3. Interviewing individuals on matters related to internal audit; and recommending competent levels in accordance with the internal regulations of the commercial bank to take actions against acts of non-cooperation by individuals or units during the internal audit process.

4. Attending internal meetings in accordance with the Charter and internal regulations of the commercial bank.

5. Other powers in accordance with internal regulations of the Supervisory Board.

Article 72. Responsibilities of the Supervisory Board, the internal audit function and internal auditors

1. The Supervisory Board of a commercial bank shall perform functions and duties relating to internal audit in accordance with this Circular and its internal regulations, including at minimum:

a) Supervising and evaluating compliance with professional ethical standards by members of the Supervisory Board and internal auditors;

b) Supervising and evaluating the internal audit function and the Chief Internal Auditor in the performance of their functions and duties. The Supervisory Board may hire an external organization with relevant expertise to assess the quality of the internal audit function.

2. The internal audit function of a commercial bank shall have duties and responsibilities including at minimum:

a) Conducting internal audit of the head office, branches and other affiliated units of the commercial bank;

b) Reviewing and self-assessing the effectiveness of internal audit;

c) Developing and reviewing for submission to the Supervisory Board for issuance, amendment or supplementation:

(i) Professional ethical standards of members of the Supervisory Board and internal auditors as prescribed in Article 67 of this Circular;

(ii) Internal regulations of the Supervisory Board;

(iii) The internal audit plan;

d) Monitoring and evaluating implementation of recommendations of the Supervisory Board addressed to the Board of Directors, the Members’ Council, the General Director (Director), individuals and units;

dd) Handling and remedying matters in response to requirements and recommendations of the State Bank, independent audit organizations and other competent authorities in relation to internal audit;

e) Preparing internal audit reports in accordance with Point d, Clause 2, Article 9 and Article 73 of this Circular;

g) Maintaining confidentiality of documents and information in accordance with law and internal regulations of the commercial bank;

h) Being accountable to the Supervisory Board for performance of assigned duties.

3. Responsibilities of internal auditors of a commercial bank shall include at minimum:

a) Performing the responsibilities prescribed at Points g and h, Clause 2 of this Article;

b) Being accountable before law and before the Chief Internal Auditor for assigned audit duties.

4. The internal audit function and internal auditors of a foreign bank branch shall be responsible for:

a) Conducting internal audit;

b) Handling and remedying matters in response to requirements and recommendations of the State Bank, independent audit organizations and other competent authorities in relation to internal audit;

c) Performing other duties in accordance with regulations of the parent bank.

Article 73. Internal reporting on internal audit

1. A commercial bank shall prepare internal audit reports in accordance with Clauses 2 and 3 of this Article, and an internal audit self-assessment report in accordance with Clause 4 of this Article, as follows:

a) Upon completion of an internal audit, the internal audit function shall submit the internal audit report to the Supervisory Board for approval before sending it to the Board of Directors, the Members’ Council and the General Director (Director) in accordance with internal regulations of the Supervisory Board of the commercial bank;

b) Within 30 days from the end of the financial year, the internal audit function shall submit to the Supervisory Board the internal audit self-assessment report in accordance with internal regulations of the Supervisory Board.

2. The contents of an annual internal audit report shall at minimum include:

a) Status of implementation of the audit scope and contents during the financial year;

b) Compliance with mechanisms, policies, processes and internal regulations of the Board of Directors, the Members’ Council, the General Director (Director), and individuals and units;

c) Appropriateness and legal compliance of mechanisms, policies, processes and internal regulations in control activities and risk management activities;

d) Limitations identified during the internal audit and recommendations to competent levels and relevant units.

3. The contents of an ad hoc internal audit report shall at minimum include:

a) Scope and contents of the ad hoc audit;

b) Results of the ad hoc audit;

c) Limitations identified during the ad hoc internal audit and recommendations to competent levels and relevant units.

4. The contents of an annual internal audit self-assessment report shall at minimum include:

a) Assessment of the performance of internal audit duties; review and reassessment (including proposals for amendment and supplementation) of internal regulations of the Supervisory Board; and proposals and recommendations (if any);

b) Status of implementation of recommendations of the Board of Directors, the Members’ Council, the General Director (Director), and individuals and units relating to internal audit;

c) Results of handling and remediation in response to requirements and recommendations of the State Bank, independent audit organizations and other competent authorities in relation to internal audit (if any).

5. Internal reporting on internal audit of a foreign bank branch shall be implemented in accordance with regulations of the parent bank.

 

Chapter V
IMPLEMENTATION PROVISIONS

Article 74. Effect

1. This Circular shall take effect from July 01, 2026, except for the provisions prescribed in Clauses 2, 3 and 4 of this Article.

2. No later than January 01, 2028, banks shall implement:

a) Credit risk stress testing and market risk stress testing in accordance with Article 23 of this Circular;

b) Risk data management in accordance with Article 24 of this Circular.

3. The provisions on model risk management shall be implemented as follows:

a) For banks that have implemented the transitional phase to the Internal Ratings-Based (IRB) approach in accordance with regulations of the State Bank on capital adequacy for banks prior to July 01, 2026, such banks shall implement model risk management for models used in the IRB approach in accordance with Section 8, Chapter III of this Circular from July 01, 2026;

b) For banks implementing the transitional phase to the IRB approach in accordance with regulations of the State Bank on capital adequacy for banks from July 01, 2026, such banks shall implement model risk management for models used in the IRB approach in accordance with Section 8, Chapter III of this Circular from the date of commencement of the transitional phase;

c) No later than January 01, 2028, banks (including those prescribed at Points a and b of this Clause) shall implement model risk management in accordance with Section 8, Chapter III of this Circular.

4. The determination of limits, measurement and stress testing of IRRBB shall be implemented as follows:

a) From July 01, 2026 to December 31, 2027, banks may determine limits, measure and conduct IRRBB stress testing based on either the Change in Net Interest Income metric or the Change in Economic Value of Equity metric, except as prescribed at Point b of this Clause;

b) No later than January 01, 2028, banks shall determine limits, measure and conduct IRRBB stress testing based on both the Change in Net Interest Income metric and the Change in Economic Value of Equity metric in accordance with this Circular.

5. In cases where a bank implements the provisions prescribed in Clause 2, Clause 3 and Point b, Clause 4 of this Article prior to January 01, 2028, the bank shall notify the State Bank (the State Bank’s Regional Branch according to the entities subject to micro-prudential supervision; the Credit Institution Supervision Department; and the Inspectorate of the State Bank) within 10 days from the date of implementation.

6. From July 01, 2026, this Circular shall repeal the following documents:

a) Circular No. 13/2018/TT-NHNN dated May 18, 2018 of the Governor of the State Bank of Vietnam providing for the internal control system of commercial banks and foreign bank branches;

b) Circular No. 40/2018/TT-NHNN dated December 28, 2018 of the Governor of the State Bank of Vietnam amending and supplementing a number of articles of Circular No. 13/2018/TT-NHNN dated May 18, 2018;

c) Article 3 of Circular No. 09/2024/TT-NHNN dated June 28, 2024 of the Governor of the State Bank of Vietnam amending and supplementing a number of articles of Circulars prescribing prudential limits and ratios in operations and the internal control system of credit institutions and foreign bank branches.

Article 75. Organization of implementation

Heads of units under the State Bank of Vietnam, banks and relevant organizations and individuals shall be responsible for implementation of this Circular./.

 

For the Governor

The Deputy Governor

DOAN THAI SON

* All Appendices are not translated herein.
