THE MINISTRY OF FINANCE
THE STATE SECURITIES COMMISSION
Decision No. 105/QD-UBCK dated February 26, 2013 of the State Securities Commission on promulgating the regulation guiding the setting up and operation of the risk management system for securities companies
Pursuant to the Law on Securities, of June 29, 2006;
Pursuant to the Law amending and supplementing a number of articles of Law on Securities, of November 24, 2010;
Pursuant to the Decree No. 58/2012/ND-CP dated July 20, 2012 of the Government stipulating in detail and guiding the implementation of a number of articles of the securities Law and the law amending and supplementing a number of articles of securities Law
Pursuant to the Decision No. 112/2009/QD-TTg dated September 11, 2009, of the Prime Minister defining the functions, tasks, powers and organizational structure of the State Securities Commission of the Ministry of Finance;
Pursuant to the Circular No. 210/2012/TT-BTC dated November 30, 2012 of the Ministry of Finance guiding the establishment and operation of securities companies;
At the proposal of Director of Securities Business Management Department,
DECIDES:
Article 1. To promulgate together with this Decision the Regulation on guiding the setting up and operation of the risk management system for securities companies.
Article 2. This Decision takes effect on the day of its signing.
Article 3. The Chief of office, Director of Securities Business Management Department, securities companies and relevant parties shall implement this Decision.
The Chairperson of the State Securities Commission
Vu Bang
REGULATION
GUIDING THE SETTING UP AND OPERATION OF THE RISK MANAGEMENT SYSTEM FOR SECURITIES COMPANIES
(Issued with the Decision No. 105/QD-UBCK dated February 26, 2013 of the Chairperson of State Securities Commission)
Chapter 1.
GENERAL PROVISIONS
Article 1. Scope and subjects of regulation
1. Scope of regulation: This Regulation guides the setting up and operation of the risk management system in activities of securities companies.
2. Subjects of regulation: Securities companies and organizations as well as individuals relating to the risk management system in activities of securities companies.
Article 2. Interpretation of terms
In this Regulation, the following terms are construed as follows:
1. Risks mean events that are not certain to happen in business activities and that adversely affect the implementation of the business targets of securities companies.
2. Market risks mean risks that change the values of owned assets in a disadvantageous direction.
3. Payment risks mean risks that happen when partners fail to pay on time or cannot transfer assets on time as committed.
4. Liquidity risks mean risks that happen when securities companies cannot pay their matured financial obligations or cannot convert financial instruments into cash at a reasonable value in the short term due to a lack of liquidity in the market.
5. Operational risks mean risks that happen because of technical defects, faults in systems and professional processes, personal faults in carrying out professional activities, or because of a lack of business capital arising from expenses, losses from investment activities or due to other objective reasons.
6. Legal risks mean risks that arise from non-compliance with legal provisions relating to business activities, and from the cancellation of contracts because the contract is illegal, falls beyond power, lacks terms or has incomplete standards, or due to other reasons.
7. Risk-concentrated situation means a situation that mainly concentrates on one or some key risks whose damages can cause bad and serious effects on the financial situation and the capability for uninterrupted operation of securities companies.
8. Risk level means the level of damages, calculated in money, if a risk happens.
9. Risk limit means the capital amount that must be allocated in order to respond to the risk which can cause maximum damage at a level that the whole company or each business division can bear in a defined time and confidence level.
10. Ability of risk acceptance means the ability to use equity capital, (estimated) expected profits and available financial resources to cover, at all times, all key risks and inherent potential damages that are accepted by a securities company.
11. Key: The key level is defined in correlation with the structure, scale and complex nature of each securities company. The key level of a risk or an activity depends on its level of impact, at present and in the future, on the income or capital of a securities company.
12. Risk situation means the part of the value of an asset or debt impacted by a specific risk type.
13. Urgent situation includes unexpected or irregular situations that can cause key damages to finance, human resources and material facilities and that require securities companies to act immediately in response.
Chapter 2.
PRINCIPLES OF RISK MANAGEMENT
Article 3. Principles of risk management in securities companies
1. Securities companies must set up and operate a risk management system in conformity with their business activity conditions, at least meeting provisions in this Regulation.
2. The risk management system of securities companies must include a complete organizational structure, a unified operation mechanism and a set of risk management processes that handle at least the following five types of key risk: market risk, payment risk, liquidity risk, operational risk and legal risk. In addition, securities companies must manage the risk-concentrated situation in association with key risks. The risk management system of a securities company must ensure the following elements:
a) The supervision of Control Board, Internal Audit Board and Internal control system;
b) A clear and transparent strategy on risk management that is shown through risk policies in the long term and in each specific stage and approved by Board of Directors or Members Council or owner of company;
c) Plan to carry out passed by sufficient policies and process;
d) Regular management, inspection and review by General Director (Director);
e) Fully promulgating and carrying out policies, process on risk management and risk limits, setting up suitable activities of risk management information.
3. The risk management system set up must ensure that a securities company is able to define risks, measure risks, monitor risks, report on risks and effectively handle key risks, and at the same time fully meet its compliance obligations at all times.
4. Securities companies must ensure that risk management is implemented independently, objectively, honestly and consistently, and is presented in writing.
5. Securities companies must ensure that professional divisions and the risk management division are organized separately and independently of each other, and that the managers of professional divisions are not concurrently the manager of the risk management division and vice versa.
Article 4. Principles of internal guidance on risk management in securities companies
1. The risk management system in a securities company must be operated on the basis of internal guidance in writing (such as set of process, policies, etc).
2. The internal guides must be presented clearly for all relevant individuals to understand their task and duties and may describe in details, specifically on relevant risk management process. Securities companies must regularly review and update these internal guides.
3. The internal guides must ensure for state management agencies, internal audit agencies, internal control agencies and control board to understand risk management activities of a company.
4. The internal guides at least must have the following contents:
a) Organizational structure and description of functions, tasks, mechanism of decentralization on decision authorization and responsibility;
b) Risk policies, risk limit, process in defining risks, measuring risks, monitoring risks, report and exchange of risk information and handling of risk;
c) Principles must ensure obligation in compliance of law provisions.
Article 5. Principles in storage of dossiers, documents
1. All dossiers, documents, reports, records of meetings, resolutions of Board of Directors or Members Council or decision of owner of company, reports on risk, decisions of General Director (Director) and other documents related to risk management must be stored fully and available to supply for state management agencies at their request.
2. The storing duration of documents specified in clause 1 this Article shall comply with law regulations.
Article 6. Emergency plan
1. Securities companies must formulate an emergency plan for emergency cases that may happen, with the aim of ensuring continuity in their business activities.
2. General Director (Director) shall formulate and regularly review the emergency plan. An emergency plan must be approved by Board of Directors or Members Council or owner of company.
Chapter 3.
THE RISK MANAGEMENT SYSTEM
Article 7. Responsibilities of Board of Directors or Members Council or owner of company
1. Board of Directors or Members Council or owner of Securities Company must establish a risk management subcommittee or appoint a member in charge of risk management in order to support them in implementation of roles specified in this Article.
2. Board of Directors or Members Council or owner of securities company authorizes General Director (Director) to carry out activities of risk management according to the risk policies and risk limit approved by them.
3. Board of Directors or Members Council or owner of Securities Company must perform at least the following tasks in activities of risk management:
a) Annually reviewing and approving for risk policies and limit;
b) Directing to timely handle problems in risk management on the basis of reports of General Director (Director), risk management division and other divisions related to activities of risk management;
c) Inspecting, assessing fully the effectiveness and enforcement of the risk management division.
4. Meetings of Board of Directors or Members Council or owner of Securities Company with General Director (Director), the risk management division must be made into records.
Article 8. Responsibilities of General Director (Director)
1. General Director (Director) must establish a risk management division that is independent of other professional divisions. Appointment and dismissal of the head of risk management division by General Director (Director) must be accepted by Board of Directors or Members Council or owner of company.
2. General Director (Director) is responsible before Board of Directors or Members Council or owner of Securities Company for carrying out risk policies and limit which are approved by Board of Directors or Members Council or owner of Securities Company.
3. General Director (Director) implements the following tasks:
a) Formulating risk policies and limit, submitting them to Board of Directors or Members Council or owner of Securities Company for approval;
b) Formulating standards of risk management;
c) Quarterly, reporting to Board of Directors or Members Council or owner of Securities Company on implementation of risk management, assessment on suitability of risk management, risk limit, process of risk management;
d) Ensuring the risk management system is understood and operated with consistency from top to bottom in securities company and conforms with risk policies and limit which have been approved by Board of Directors or Members Council or owner of Securities Company;
dd) Formulating and carrying out processes on risk management in conformity with risk policies and risk limit, risk suffering capability of securities company;
e) Ensuring that risk management processes and risk management division are set up and organized fully, clearly, with full human and financial resources;
g) Reporting the key risk situation to Board of Directors or Members Council or owner of company.
Article 9. Responsibilities of risk management division
1. Regularly monitor, assess and measure risks of Securities Company.
2. Reviewing, adjusting models of assessment and assessment system for financial instruments used by business professional divisions.
3. Proposing policies on risk management to General Director (Director).
4. Proposing risk limit for professional division.
5. Assessing the risk level and risk-concentrated situation, damages actually arise and damages estimated by risk management division.
6. Following up in order to assure for actual implementation of policies on risk management, risk limit, process of risk management which are approved by Board of Directors or Members Council or owner of Securities Company;
7. Making monthly reports on risk management in scope of functions and tasks in order to report to General Director (Director).
8. Head of risk management division implements monitoring and assessing daily risk situation of Securities Company.
Article 10. Risk management role at professional divisions
Chiefs of professional divisions in a securities company must abide by and daily implement risk management.
Chapter 4.
POLICIES, MECHANISMS OF RISK MANAGEMENT
Article 11. Policies of risk management
Annually, securities companies must formulate and adopt risk policies to serve as the basis for regular risk management activities.
1. Risk policies must be implemented and reviewed regularly after Board of Directors or Members Council or owner of Securities Company has approved and passed proposal of General Director (Director).
2. Risk policies must ensure that key risks are detected early, controlled fully and reported timely to Board of Directors or Members Council or owner of Securities Company;
3. Risk policies are formulated on the basis of the following elements:
a) Operational strategy of company;
b) Company’s ability of risk acceptance;
c) Financial instruments suffering risks;
d) Quality of internal control procedures;
dd) Ability of risk control and perfect of risk management system and relevant procedures;
e) Professional extent in risk management;
g) Risk management activities in the past;
d) Legal provisions;
i) Other problems relating to risk management.
5. A risk policy must comprise of at least following contents:
a) Organizational structure of risk management system in Securities Company. Tasks and responsibilities of divisions, individuals in risk management system, requirement on separating between functions and tasks must be ensured in accordance with regulation;
b) Methods to define and measure risks;
c) Methods to define the risk limit;
d) Mechanism to handle violations on risk limit and exceptions for risk policy and risk management process;
dd) Management information system, report forms and process, mechanism of report in service of operation of risk management system;
a) Mechanism of decentralization in approval of risk limit.
Article 12. Risk limit
1. Depending on the nature of the risk type, a securities company must have a method to define risk limit in its business activities, with the risk limit applied to business professional divisions and individuals participating in risk transactions.
2. A securities company may allocate capital to meet operational demand of company and of each business professional division based on strategic objectives of its business activities. Concurrently, the capital allocation must be in risk limit on the basis of following principles:
a) The capital allocation must be approved by Board of Directors or Members Council or owner of Securities Company on the basis of proposal of General Director (Director);
b) General Director (Director) must supervise and control risk limits in order to ensure that business activities of company do not exceed the acceptable risk level;
c) The risk management division has main responsibility and coordinates with business professional divisions in calculation of risk limits, makes out plans on capital allocation, reports them to General Director (Director).
3. Securities companies must ensure principle that no activity is permitted to perform before risk limit is defined.
4. Securities companies must ensure that relevant divisions and individuals clearly understand the risk limits, process of risk limit management forced to comply and activities which those divisions and individuals are permitted to perform.
Article 13. Risk limit management
1. Securities companies must formulate process on risk limit management;
2. A process on risk limit management must include methods of calculation, methods of allocation and supervision implementation.
a) Risk limit is defined by qualitative method and quantitative method. In which, prioritize to use quantitative method. The correlation among risks must be defined, too;
b) Defining and allocation of risk limit may be performed on the basis of business professional divisions, or on the basis of product types, length of terms, extent of a concentrated holding position, or difference on risk factor or demand of each securities company;
c) After defining risk limits, securities companies must continue assessing their rationality in order to implement necessary adjustments. Adjustment of risk limit must be passed by Board of Directors or Members Council or owner of company.
Chapter 5.
THE RISK MANAGEMENT PROCESS
Article 14. General principles
1. A risk management process of a securities company includes content on defining risks, measuring risks, monitoring risks, reports and handling of risk.
2. Securities companies must set up a risk management information system servicing for implementation of risk management process.
Article 15. Defining risks
1. Securities companies must provide process on defining risks in writing;
2. Main risks that a securities company may meet are market risks, payment risks, liquidity risks, legal risks, operational risks, concentrated risks and other risks under classification of each securities company.
Article 16. Measuring risks
1. Securities companies must formulate and use suitable methods to measure risks, to serve as the basis for risk management.
2. Securities companies may use qualitative method or quantitative method corresponding to different risk types.
Article 17. Monitoring risks
1. Securities companies must provide a written process on monitoring risk management in order to facilitate for application of handling measures, as well as understanding and assessment of implementation after putting those handling measures into implementation.
2. The intensive and wide level or frequency of operation on monitoring risks must correspond with importance of risks, impact of response measure and content of control method which were passed by company for risk management.
Article 18. Risk reports
Securities companies must provide a written process on reporting risks, ensure that all lacks and mistakes will be detected through process of monitoring risks and must be reported.
Article 19. Handling of risks
1. A securities company must provide a written process on handling of each risk which it faces.
2. After assessing and summarizing risks, securities companies must apply suitable handling measures for risks which have met.
3. Necessary steps to select and implement the risk-handling measures:
a) Defining available measures to respond;
b) Assessing pros and cons of each handling measure, in which analyze benefit expenses, analyze budget use;
c) Formulating plans to handle, in which include responsibility to implement plan, progress of implementation, estimated results, planning and consideration of financial resources and procedures of assessment;
d) Implementing plan on handling: After handling risks, if there are still risks which have not been calculated or mentioned, similar procedures must be repeated until risks lie at an acceptable level.
4. Available measures to handle risks as follows:
a) Risk prevention: Application of measures to prevent any activity that can cause risk;
b) Risk reduction: Application of measures to reduce impacts of risks or capability of happening risks;
c) Risk share: Transfer all or a part of risks to other subject;
d) Risk acceptance: No measure to change probability and impact of risks.
Chapter 6.
REPORT REGIME
Article 20. Report regime
1. Securities companies must report to State Securities Commission before January 31 and July 30 of each year, regarding risk management activities according to report form specified in Annex promulgated together with this Regulation.
2. Securities companies must report to State Securities Commission before January 31 each year, regarding risk policy that has been approved by Board of Directors or Members Council or owner of Securities Company;
Chapter 7.
ORGANIZATION OF IMPLEMENTATION
Article 21. Organization of implementation
1. This Regulation takes effect on the day of its signing. On the basis of this guide, securities companies must set up and operate a suitable risk management system in order to ensure effectively preventing and limiting damages caused by risks.
2. The chairperson of State Securities Commission shall decide amendment and supplementation of this Regulation.
* Appendices are not translated herein.