THE STATE BANK OF VIETNAM
No. 14/2023/TT-NHNN
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
Hanoi, November 20, 2023
CIRCULAR
On internal control systems of non-bank financial institutions
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated June 16, 2010; the Law dated November 20, 2017, Amending and Supplementing a Number of Articles of the Law on Credit Institutions;
Pursuant to the Government's Decree No. 102/2022/ND-CP dated December 12, 2022, defining the functions, duties, powers and organizational structure of the State Bank of Vietnam;
At the request of the Chief Inspector of the Banking Supervision Agency;
The State Bank of Vietnam hereby promulgates the Circular on internal control systems of non-bank financial institutions.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
This Circular provides for the internal control systems of non-bank financial institutions.
Article 2. Subjects of application
1. Non-bank financial institutions encompass finance companies and leasing companies.
2. Institutions and individuals related to the internal control systems of non-bank financial institutions.
Article 3. Interpretation of terms
In this Circular, the terms below are construed as follows:
1. Internal control system means a combination of mechanisms, policies, processes, internal regulations, and organizational structures of a non-bank financial institution which follows the regulations of the Law on Credit Institutions, this Circular and other relevant regulations of law and is implemented for control, prevention, detection and handling of risks, fulfilling the set requirements. The internal control system carries out senior management oversight, internal control, risk management, internal capital adequacy assessment and internal audit.
2. Senior management oversight means supervision carried out by the Board of Directors, Members' Council, Chief Executive Officer (Director) in internal control and risk management, and by the Board of Supervisors of the non-bank financial institution in internal audit.
3. Internal control means inspection and supervision of individuals and departments in implementation of mechanisms, policies, internal regulations, work ethics and control culture in order to control conflict of interest and risks.
4. Risk management means identification, monitoring and control of risks in the non-bank financial institution.
5. Control culture means the cultural value of a non-bank financial institution showing unity in awareness of risk control and management among the Board of Directors, Members' Council, Board of Supervisors, Chief Executive Officer (Director), individuals and departments. The control culture is constituted by work ethics, internal regulations and reward/disciplinary schemes in order to encourage individuals and departments to actively identify and control risks in their own operations as well as the non-bank financial institution’s activities.
6. Risk means the probability of loss (financial or non-financial), causing decrease in the non-bank financial institution’s own capital and income, hence decreasing the capital safety ratio or hindering the non-bank financial institution from achieving its business goals.
7. Risk position means a non-bank financial institution’s risk assets, liabilities and off-balance sheet items.
8. Credit risks include:
a) Credit risk means the risk resulting from the customer's failure or inability to perform part or all of debt obligations under the contract or agreement with non-bank financial institutions, unless otherwise specified at Point b of this Clause. In this case, customers (including credit institutions and foreign bank branches) establish relations with non-bank financial institutions in receiving credit extensions (including credit extended under entrustment) and deposits and issuing corporate bonds;
b) Counterparty credit risk means the risk resulting from the counterparty's failure or inability to perform part or all of debt obligations before or when due in proprietary trading transactions; repo and reverse repo transactions; transactions of derivative products to prevent risks; trade of foreign currencies and financial assets on the demand of customers and such counterparty. In this case, the counterparty (including credit institutions and foreign bank branches) enters into transactions with non-bank financial institutions in proprietary trading transactions; repo and reverse repo transactions; transactions of derivative products to prevent risks; trade of foreign currencies and financial assets on the demand of customers and such counterparty.
9. Operational risk means the risk resulting from inadequate or erroneous internal regulations, human factors, errors, system failures or other external factors causing financial losses and non-financial adverse impacts on the non-bank financial institutions (including legal risks). Operational risks do not include:
a) Reputational risk means the risk that causes customers, partners, shareholders, investors or the public to form a negative view of the reputation of non-bank financial institutions;
b) Strategic risk means the risk resulting from a non-bank financial institution’s strategy or policy for response to changes in the business environment, or lack thereof, resulting in the reduced ability to achieve its business strategies and profit goals.
10. Conflict of interest means a situation where an individual or department makes decisions within their competence that are not appropriate for or go against interests of the non-bank financial institution.
11. Risk-bearing decisions mean decisions of the non-bank financial institution’s competent level that create risks or change the non-bank financial institution's risk position.
12. Credit risk-bearing decisions mean risk-bearing decisions in credit activities, including at least: credit extension decisions; credit limit decisions; limit-exceeding loan decisions; loan term restructuring decisions; loan group transfer decisions.
13. Credit extensions requiring attention, with the minimum amount regulated by non-bank financial institutions mean loans belonging to loan group 2 or above as defined by the State Bank of Vietnam, as specified in the State Bank’s regulations on classification of assets, ratio and method of establishment of provisions for credit losses and use of provisions for credit losses in the activities of credit institutions and branches of foreign banks.
14. Outsourcing means the non-bank financial institution making an agreement in writing on hiring another organization, enterprise, credit institution or foreign bank’s branch (hereinafter referred to as the contractor) to carry out one or multiple activities (including data processing or some steps of the business process) in such non-bank financial institution's stead, in accordance with the law.
15. Internal auditors mean persons who carry out internal audits and belong to internal audit departments of non-bank financial institutions.
Article 4. Requirements for internal control systems
1. The internal control system of a non-bank financial institution must fulfill the following requirements:
a) Requirements for internal control systems specified in the Law on Credit Institutions;
b) Appropriate for the scale, conditions and complexity of the non-bank financial institution’s business activities;
c) Have sufficient financial, human and information technology resources in order to ensure the internal control system’s effectiveness;
d) Create and maintain a control culture and work ethics for the non-bank financial institution.
2. Non-bank financial institutions must adopt internal regulations in line with the Law on Credit Institutions, which must ensure:
a) Compliance with regulations of this Circular and related law regulations;
b) The Board of Directors or the Members' Council promulgates regulations on the non-bank financial institution's organization, management and activities, except matters that belong to the Shareholders’ Council and owner; the Board of Supervisors promulgates its own internal regulations; the Chief Executive Officer (Director) promulgates work regulations, processes and procedures (hereinafter referred to as the internal process);
c) Regular assessment, as specified in this Circular and the non-bank financial institution’s regulations, of their appropriateness and compliance with the law, with amendments made if necessary.
3. The internal control system must have three lines of defense as follows:
a) The first line of defense has the functions of risk identification, control and minimization, carried out by the following departments: Business departments (also including product development), other revenue-generating departments; departments responsible for making risk-bearing decisions; departments responsible for risk limit allocation, risk management and risk minimization (affiliated with a business department or independent) in each type of transaction and business activity; human resource department, accounting department;
b) The second line of defense has the functions of developing items related to risk management and internal regulations on risk management, and monitoring risk in accordance with law regulations, carried out by the following departments: compliance department specified in Article 16 of this Circular; risk management department specified in Article 18 of this Circular;
c) The third line of defense has the function of internal audit, carried out by the internal audit department specified in the Law on Credit Institutions and this Circular.
4. Discussions and conclusions about the internal control system in meetings of the Board of Directors, Members' Council, Board of Supervisors, Risk Management Committee, and Human Resources Committee must be recorded in minutes which clearly state the agreement and disagreement of each member thereof.
5. Independent assessment of the internal control system is carried out in accordance with the State Bank’s regulations on independent audit in credit institutions and foreign banks’ branches.
Article 5. Retention of internal control records and documents
1. Non-bank financial institutions must have internal regulations on management and retention of the internal control system’s records and documents.
2. Management and retention of internal control system documents of non-bank financial institutions must:
a) Comply with law regulations;
b) Fully retain records and documents in order to provide them upon request of internal auditors, independent auditing organizations, authorities with competence in internal audit, independent audit, inspection and oversight.
Article 6. Submission of internal control reports to the State Bank
1. Non-bank financial institutions must prepare reports on the internal control system using the appendices attached to this Circular, including:
a) Annual report on internal control and risk management (Appendix No. 01);
b) Annual report on internal audit (Appendix No. 02);
c) Ad-hoc reports on internal audit.
2. The report on the internal control system must contain updates on the shortcomings, limitations, and risks arising (if any) within the non-bank financial institution (including departments at its head office; its branches and other affiliates).
3. Reporting deadlines:
a) Reports specified at Point a, Clause 1 of this Article: Within 45 days from the end of the fiscal year;
b) Reports specified at Point b, Clause 1 of this Article: Within 60 days from the end of the fiscal year;
c) Reports specified at Point c, Clause 1 of this Article: Within 15 working days from the end of the ad-hoc internal audit (including time for the Board of Supervisors to approve them).
4. The deadline for finalizing reporting data is the end of the fiscal year.
5. The reports shall be made in writing and sent directly or via postal service to the State Bank (via the Banking Supervision Agency).
Article 7. Internal reports on internal control systems
1. The internal reports on internal control systems include:
a) Internal reports on internal control;
b) Internal credit risk reports;
c) Internal operational risk reports;
d) Internal reports on internal audit results.
2. The internal report on internal control includes assessment of control activities as specified in Article 14 of this Circular and otherwise in the non-bank financial institution’s internal regulations.
3. The internal credit risk report must contain at least the following information:
a) Quality of credit extensions and credit extension portfolios by customer and product;
b) Credit extensions requiring attention and measures for handling them;
c) Customers having outstanding loan balances exceeding the credit risk limits mentioned at Point a, Clause 2, Article 20 of this Circular;
d) The status quo of establishment and use of provisions for credit losses;
dd) Early warning about violations against credit risk limits and restrictions;
e) Violations in credit risk management and their causes;
g) Proposals and requests about credit risk management;
h) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities on credit risk management.
4. The internal operational risk report must contain at least the following information:
a) Operational risks that arose during the reporting period and their causes;
b) Data on losses caused by operational risks, measures for loss recovery and business continuity (if any);
c) External events and factors influencing the non-bank financial institution’s operational risk;
d) The status quo of outsourcing and its operational risk management;
dd) Changes to technology application (if any) and the status quo of its operational risk management;
e) Proposals and requests about operational risk management;
g) The state of fulfillment of requests from internal audit, the State Bank, independent auditing firms and other relevant authorities about operational risk management.
5. The internal report on internal audit results (both annual and ad-hoc) includes the following:
a) The status quo of implementation of the scope of, and issues subject to, audit in the fiscal year;
b) Compliance with mechanisms, policies, internal regulations on senior management oversight, internal control and risk management of the Board of Directors, Members’ Council, Chief Executive Officer (Director), individuals and departments;
c) Suitability and compliance with the law regulations of mechanisms, policies, internal regulations on senior management oversight, internal control, and risk management;
d) Problems and limitations discovered during internal audit and requests to competent levels and relevant departments;
dd) Other issues specified in internal regulations of the non-bank financial institution’s Board of Supervisors.
6. Reporting period:
a) Internal reports on internal control: On an annual or ad-hoc manner specified in the non-bank financial institution’s internal regulations;
b) Internal credit risk reports: On a quarterly or ad-hoc manner specified in the non-bank financial institution’s internal regulations;
c) Internal operational risk reports: On a semi-annual (half-year) or ad-hoc manner specified in the non-bank financial institution’s internal regulations;
d) Internal report on internal audit results: After the end of internal audit, the internal audit department presents the report on internal audit results to the non-bank financial institution’s Board of Supervisors for approval and submission to the Board of Directors, Members’ Council and Chief Executive Officer (Director) as specified in the Board of Supervisors’ internal regulations.
7. Report recipients (individuals or departments):
The Board of Directors, Members' Council, Board of Supervisors, Chief Executive Officer (Director) and relevant individuals and departments in accordance with the non-bank financial institution’s internal regulations.
Chapter II
SENIOR MANAGEMENT OVERSIGHT
Article 8. Requirements for senior management oversight
1. In the case of non-bank financial institutions, the organizational structure, tasks and powers of the Board of Directors, Members' Council, Board of Supervisors, Chief Executive Officer (Director) shall be in accordance with regulations of the Law on Credit Institutions applicable to non-bank financial institutions and this Circular.
2. Ensure that internal control, risk management, and internal audit are carried out effectively and fulfill the set requirements.
3. Comprehensively understand the non-bank financial institution’s risk position and status quo of risk management policy implementation.
4. There are loss prevention and handling measures which are carried out in a timely manner, in order to increase efficiency and safety in the non-bank financial institution’s operation.
Article 9. Organizational structure of a non-bank financial institution’s senior management oversight
1. The oversight structure of a non-bank financial institution’s Board of Directors/Members’ Council must have:
a) A Risk Management Committee and a Human Resources Committee under the State Bank's regulations on licensing, organization and operations of non-bank financial institutions;
b) Other committees (if necessary) to help the Board of Directors/Members’ Council carry out senior management oversight.
2. The Board of Supervisors' oversight structure shall be in accordance with regulations of the Law on Credit Institutions and the Board of Supervisors' internal regulations.
Article 10. Senior management oversight of internal control
1. The Board of Directors/Members’ Council of the non-bank financial institution oversees the Chief Executive Officer (Director):
a) Carrying out control, operation and maintenance of the management information system and information exchange mechanism;
b) Maintaining the non-bank financial institution’s control culture specified in Clause 5, Article 3 of this Circular and work ethics specified in Clause 4, Article 14 of this Circular;
c) Rectifying problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities;
d) Taking action against violations of law, internal regulations and work ethics;
dd) Other issues specified by the Board of Directors/Members' Council.
2. The non-bank financial institution's Chief Executive Officer (Director) oversees individuals and departments:
a) Implementing internal regulations on internal control, maintaining control culture; assessing implementation of work ethics (not including those of members of the Board of Supervisors and internal auditors);
b) Operating the management information system, assessing its accuracy, adequacy, punctuality and appropriateness, upgrading and perfecting that system, fulfilling the requirements in Article 17 of this Circular;
c) Acting as directed by the Board of Directors/Members’ Council in rectification of problems and limitations in internal control upon request from the State Bank, independent auditing firms and other relevant authorities;
d) Other issues specified by the non-bank financial institution.
Article 11. Senior management oversight of risk management
1. The non-bank financial institution’s Board of Directors/Members’ Council, based on the Risk Management Committee’s advice and proposals, oversees the Chief Executive Officer (Director):
a) Formulating and organizing implementation of risk management;
b) Rectifying problems and limitations in risk management upon request from the State Bank, independent auditing firms and other relevant authorities;
c) Other issues specified by the Board of Directors/Members' Council.
2. The non-bank financial institution’s Chief Executive Officer (Director), based on the risk management department’s advice and proposals, oversees individuals and departments:
a) Creating processes of risk management formulation and implementation;
b) Assessing issues related to risk management and then proposing adjustments thereto to the Board of Directors/Members' Council;
c) Creating and implementing risk limits, proposing risk limit allocation by business and operational activities; implementing handling measures in case of failure to comply with risk limits;
d) Acting as directed by the Board of Directors/Members’ Council in rectification of problems and limitations in risk management upon request from the State Bank, independent auditing firms and other relevant authorities;
dd) Carrying out self-inspection and self-assessment of risk management and suggesting rectifying measures to the Board of Directors/Members’ Council;
e) Others specified by the non-bank financial institution.
Article 12. Senior management oversight of internal audit
The non-bank financial institution’s Board of Supervisors oversees internal audit as follows:
1. Oversee and assess work ethics of the members of the Board of Supervisors and internal auditors;
2. Oversee the internal audit department:
a) Carrying out internal audit;
b) Reviewing and assessing internal audit’s effectiveness and internal auditors’ task results;
c) Rectifying problems and limitations of internal audit upon request from the State Bank, independent auditing firms and other relevant authorities.
3. Other issues specified by the Board of Supervisors.
Chapter III
INTERNAL CONTROL
Article 13. Requirements for internal control
1. Internal control applies to all activities, business processes and departments of the non-bank financial institution (including the headquarters, branches and other affiliates) and must fulfill the following requirements:
a) The activities of the non-bank financial institution shall be compliant with law regulations and internal regulations;
b) Conflicts of interest shall be controlled and prevented while violations of law regulations and the non-bank financial institution’s internal regulations shall be promptly detected and dealt with;
c) Increase awareness of the roles and responsibilities of individuals and departments in internal control in order to build and maintain the non-bank financial institution’s control culture.
2. Internal control is carried out through control activities, management information systems and information exchange mechanisms.
Article 14. Control activities
1. The non-bank financial institution’s control activities shall be carried out at least as follows:
a) Allocation of competence to approve must be based on prestige of the competent level and capacity of the executing individual/department. The competence to approve must be displayed by transaction scale and risk limit criteria, alongside other limits specified in the non-bank financial institution’s internal regulations;
b) Human resources allocation must be appropriate for each business and control activity (including substitutes for absent managers and employees, recruitment, manager transfer and appointment);
c) Bookkeeping complies with accounting standards and regulations; compile, produce and send financial reports in accordance with law regulations and internal regulations of the non-bank financial institution; compile statistical reports in accordance with the law. Bookkeeping and statistical reporting must be inspected and compared in order to detect and rectify errors in a timely manner and must be reported to competent level as specified in the non-bank financial institution’s internal regulations;
d) Measures shall be devised for prevention of and taking action against violations of law and internal regulations of the non-bank financial institution (including the headquarters, branches and other affiliates);
dd) Problems and limitations in internal control shall be rectified upon request from the State Bank, independent auditing firms and other relevant authorities;
e) The deployment, operation, control and maintenance of information technology systems and information exchange mechanisms in compliance with law regulations; regulations on safety and security of information technology systems in banking operations and provision of online banking services; information technology application plans of the non-bank financial institution from time to time; and the non-bank financial institution’s internal regulations.
2. The non-bank financial institution’s (including the headquarters, branches and other affiliates) regulations on functions and tasks of individuals/departments at all levels and in all types of transactions must apply the following principles:
a) Members of the Board of Directors/Members’ Council shall not participate in review and approval of risk-bearing decisions which belong to the functions and tasks of the Chief Executive Officer (Director), unless the Chief Executive Officer (Director) and/or the Deputy Chief Executive Officer (Deputy Director) is one of those members;
b) Divide the functions and tasks among transactions and business processes in order to avoid or control, prevent conflict of interest; an individual shall not be in control of a whole transaction or its process; an individual shall not be given tasks that give rise to conflict of interest;
c) There are independent individuals within a department, or individuals belonging to departments which are independent from each other, in order to carry out periodic and ad-hoc inspections as specified in the non-bank financial institution’s internal regulations.
3. Controls activities in the non-bank financial institution’s headquarters, branches and other affiliates must ensure that:
a) The headquarters is able to oversee and control transactions and activities of the branches and other affiliates, also including oversight and control through individuals and departments carrying out control activities in those branches and affiliates;
b) There are regulations on functions, tasks, report mechanism, reward/discipline, manager transfer and other mechanisms in order to ensure independence and that the branch’s/other affiliate’s individual/department carrying out control activities does not have conflict of interest with other individuals/departments of the same branch/other affiliate;
c) There are mechanisms that allow clients to search, check and compare transactions carried out in the non-bank financial institution’s branches/other affiliates to those carried out in the headquarters.
4. The Board of Directors and the Members' Council of the non-bank financial institution shall promulgate work ethics (other than those of members of the Board of Supervisors and internal auditors) on the principles that:
a) Managers and employees at all levels carry out tasks within their competence honestly and for the non-bank financial institution’s benefits; do not abuse their positions, use the non-bank financial institution's information, secrets, business opportunities and property for self-profit or damaging the non-bank financial institution's benefits.
b) Individuals and departments have the responsibility to report to the competent level in a timely manner after discovering any of the violations mentioned at Point a of this Clause, as well as violations against internal regulations of the non-bank financial institution and law regulations.
Article 15. Control activities for credit extension
1. Control activities for the non-bank financial institution’s credit extensions must comply with Clauses 1 and 2, Article 14 of this Circular.
2. Credit extension must be controlled against conflicts of interest on the principle that the responsibility for underwriting shall be separated from the responsibility for loan decision-making in each stage in accordance with regulations of the State Bank.
Article 16. Compliance Department
Depending on its business scale, condition and complexity, the non-bank financial institution decides the structure of the compliance department, which has at least the following functions:
1. Help the Chief Executive Officer (Director):
a) Assess the regulations specified at Point c, Clause 2, Article 4 of this Circular;
b) Report serious violations against law regulations and changes in relevant law regulations to the Board of Directors/Members’ Council/Board of Supervisors, as specified in the non-bank financial institution’s internal regulations;
c) Review and assess regulations on tasks and powers of the compliance department in order to inform the Chief Executive Officer (Director) of any necessary amendments.
2. Report the status quo of compliance with law regulations to the Chief Executive Officer (Director) on a periodic or ad-hoc manner; notify the Chief Executive Officer (Director) and related departments of changes in relevant regulations as specified in the non-bank financial institution’s internal regulations;
3. Support the related departments in internal policy creation and review, ensuring compliance with law regulations; deal with any complication that arises during such compliance as specified in the non-bank financial institution’s internal regulations.
Article 17. Management information systems and information exchange mechanisms
1. The non-bank financial institution must have a management information system for providing information and internal reports to the Board of Directors, Members’ Council, Board of Supervisors, Chief Executive Officer (Director) as well as related individuals and divisions in order for them to carry out their functions and tasks in compliance with this Circular’s regulations.
2. An information management system must at least include:
a) Internal reports and other management information as specified in the non-bank financial institution’s internal regulations.
b) Organization of management and operation of the information management system, which must specify responsibilities of related individuals and divisions in the use of the system;
c) Collection, processing, storage and provision of information; formulation, sending, receipt and processing of reports.
3. The management information system must:
a) Support implementation of the information exchange mechanism as specified in Clauses 4 and 5 of this Article;
b) Provide sufficient, accurate information and data, hence fulfilling, in a timely manner the management requirements specified in this Article and the non-bank financial institution’s internal regulations;
c) Provide updates on the non-bank financial institution’s status quo of compliance with law regulations and internal regulations;
d) Be regularly reviewed, evaluated, upgraded and updated in accordance with the demand for management information in business activities of the non-bank financial institution;
dd) Ensure confidentiality of information and data; backup systems available to ensure that the archive and use of information is safe, efficient and free from interruptions.
4. The non-bank financial institution must have a mechanism for information exchange through the management information system information and other exchange mechanisms, allowing notification, dissemination and propagation of the internal control system to every individual at every level and in every department, hence raising awareness of policies, processes and business goals, enabling those individuals to do well in their responsibilities, tasks and powers.
5. The non-bank financial institution must promptly report to competent authorities on violations against the law, internal regulations and work ethics committed by individuals and divisions in charge of information confidentiality and protection for information providers in accordance with its internal regulations.
Chapter IV
RISK MANAGEMENT
Article 18. Risk management department
Depending on its business scale, condition and complexity, the non-bank financial institution decides the structure of the risk management department which has at least the following functions:
1. Assist the Chief Executive Officer (Director) in proposing and advising on issues specified in Clause 2, Article 11 of this Circular.
2. Cooperate with the first line of defense in fully identifying and monitoring incurred risks.
3. Analyze and provide warnings about the safety level of the non-bank financial institution against risks and potential risks that may affect it and propose short- and long-term preventive measures against such risks.
4. Participate in risk-related issues during the risk-bearing decision-making process, corresponding to each level of competence, as specified in the non-bank financial institution’s internal regulations.
5. Produce internal reports on risk management as specified in the non-bank financial institution’s internal regulations.
Section 1. CREDIT RISK MANAGEMENT
Article 19. Requirements for, and strategies of credit risk management
The non-bank financial institution shall formulate credit risk management strategies, which must at least contain the following information:
1. Targets for the non-performing loan ratio and the bad credit extension ratio;
2. Principles for accounting for provisions for credit losses in the interest calculation method and in credit product pricing based on the customer’s credit risk level;
3. Principles for implementing credit risk minimization measures (also including the competence to approve credit risk minimization measures).
Article 20. Credit risk limits
1. Non-bank financial institutions must provide credit risk limits in compliance with regulations on restrictions to ensure safety in the operations of non-bank financial institutions under the Law on Credit Institutions and regulations of the State Bank.
2. The credit risk limits include at least:
a) Credit limits for customers depending on their solvency;
b) Credit limits by product.
3. Credit risk limits must be reviewed and re-evaluated (and adjusted if necessary) at least once a year in accordance with the internal regulations of the non-bank financial institution.
Article 21. Credit risk monitoring and control
1. The non-bank financial institution must monitor and control credit risk of each credit extension and the entire credit extension portfolio, and have handling measures in case of decline in credit quality, fulfilling at least the following requirements:
a) Monitor the credit extension's debt classification results;
b) Assess adequacy of provisions for credit losses as specified by the State Bank's regulations.
2. Credit risk monitoring and control must at least include the following:
a) Roles and responsibilities of individuals and departments that monitor and control credit risk;
b) Debt classification, establishment and use of provisions for credit losses;
c) Control of credit risk based on the credit risk limit allocated to the credit extension portfolios by customer and product;
d) Assessment criteria and methods for determining the degree of credit quality decline in each credit extension portfolio; early-warning mechanism for credit quality decline.
Article 22. Credit extension underwriting
1. The non-bank financial institution shall carry out credit extension underwriting, which must at least contain the following information:
a) Identify the customer’s affiliated person, the total balance of credit extended to the customer, and the total balance of credit extended to both customer and his/her affiliated person;
b) Evaluate conditions for credit extensions in accordance with relevant law regulations;
c) Assess the adequacy of the credit records, and the legal status and recoverability of collateral in the case of credit extensions with collateral, in accordance with the non-bank financial institution’s internal regulations;
d) Verify the ability to fulfill obligations and commitments of the guarantor in the case of credit extension with guarantee from a third party.
2. During the verification process, in case of using other information sources outside the non-bank financial institution, such non-bank financial institution must check the quality of information and the independence of such information sources from the customers.
Article 23. Approval of credit risk-bearing decisions
The non-bank financial institution shall approve risk-bearing decisions as follows:
1. Approval of credit risk-bearing decisions shall fall under the competence determined according to quantitative and qualitative criteria.
2. In the case of approval by committee, the approval committee must have the record of approval or any equivalent, which clearly states the reason for approval or rejection and include committee members’ opinions in the record (or its attachments). The approval committee members must be responsible for their decisions.
3. The information provided for approval of credit risk-bearing decisions must be sufficient and appropriate for the scale and type of credit extension in accordance with the non-bank financial institution’s internal regulations. The regulations on list of information to be used as basis for approval of credit risk-bearing decisions must be assessed by the risk management department in order to ensure credit risk management’s effectiveness.
Article 24. Credit management
1. The non-bank financial institution must fulfill the following requirements while carrying out credit management:
a) There are specific regulations on responsibilities and competence of individuals and departments in creation and retention of credit records, ensuring sufficient credit records as specified in the law regulations;
b) Disbursement is appropriate for the capital use and type of credit extension;
c) The credit extension shall be supervised after disbursement on the following principles: The use of loan capital and the performance of other clauses in the customer's credit extension contract shall be checked. Factors affecting the customer’s solvency shall be evaluated. Debt repayment schedules shall be adhered to so that customers are reminded to fulfill their debt obligations when due, while customers at risk of not performing or delaying their debt obligations are promptly reported to the competent level;
d) Criteria and methods to identify and manage credit extensions requiring attention in order to take timely measures shall be clearly defined.
2. Non-bank financial institutions must retain credit records and other relevant information in accordance with law regulations.
Section 2. OPERATIONAL RISK MANAGEMENT
Article 25. Requirements for operational risk management
Operational risk management must at least include the following:
1. Formulating principles of operational risk management.
2. Formulating principles of outsourcing, insurance purchasing and technology application.
3. Developing a business continuity plan, at least in cases of loss of important documents, information technology system failures and force majeure events as specified in law regulations. The business continuity plan must at least fulfill the following requirements:
a) There are backup systems for human resources, information technology system and database;
b) There are measures for minimizing loss coming from disruption;
c) Interrupted business activities may be resumed.
Article 26. Operational risk identification, monitoring and control
1. The non-bank financial institution must fully identify operational risk in its business activities, business processes, information technology system and other management systems. Operational risk identification shall be carried out for the following cases:
a) Internal fraud, caused by swindling and appropriating property, violation against strategies, policies and internal regulations related to at least one individual of the non-bank financial institution (also including ultra vires acts, theft and abuse of internal information for one's own gain);
b) External fraud caused by swindling and appropriating property, committed by outsiders without assistance from or collusion with the non-bank financial institution's individuals and departments (also including theft and forgery of cards and documents, and breaking into the information technology system in order to steal data and money);
c) Non-compliance of labor and workplace safety policies with labor contracts and law regulations on labor, health protection and workplace safety;
d) Involuntary violations related to customers, product provision processes and product properties while carrying out assigned customer-related functions and tasks within competence (also including violations against customer information confidentiality and provision of products and service against regulations);
dd) Violations against law regulations on anti-money laundering;
e) Damage to or loss of property, tools and equipment due to force majeure, human factor and other events;
g) Interruption to business activities due to breakdown of the information technology system;
h) Limitations and drawbacks of transaction processes, control and management;
i) Others specified in the non-bank financial institution’s internal regulations.
2. The non-bank financial institution shall carry out operational risk control through the control activities specified in Article 14 of this Circular as well as other measures specified in the non-bank financial institution's internal regulations.
Article 27. Risk management for outsourcing
1. Outsourcing management shall include at least:
a) Determination of outsourcing scope;
b) Allocation of competence to approve and decide in outsourcing;
c) Verification of the contractor’s capability to fulfill the set outsourcing requirements and objectives before signing the outsourcing contract; assessment of the contractor's capability during execution of the contract;
d) Outsourcing contract, which must be detailed and sufficient, protect the ownership and confidentiality of the database and customer information, and preserve the right to terminate the contract without any impact on the reputation of the non-bank financial institution; it must also specify the scope and scale of outsourcing, the specific responsibilities of the non-bank financial institution and the contractor, and the dispute resolution terms in accordance with the law;
dd) For outsourced information technology services, the compliance with law regulations on management of third-party information technology services shall be ensured in accordance with the law regulations on safety and security of information technology systems in banking operations.
2. The non-bank financial institution shall perform operational risk management of outsourcing by:
a) Managing outsourcing as specified in Clause 1 of this Article;
b) Identifying, monitoring and controlling operational risk arising from outsourcing as specified by Article 26 of this Circular.
Article 28. Risk management for technology application
1. Management of technology application must comply with the State Bank’s regulations on digital transactions in banking; safety and security of the information technology system for provision of online banking services as well as other law regulations. Management of technology application shall include at least the following:
a) The information technology system and database’s minimum scope of technology application management;
b) Tasks, responsibilities and powers of individuals and departments managing technology application;
c) The verification system that ensures confidentiality of customer information and safety of transactions and the information technology system.
2. The non-bank financial institution carries out risk management for application of digital, online, automatic and mobile transactions as well as other technologies (hereinafter referred to as technology application) as follows:
a) Manage technology application as specified in Clause 1 of this Article;
b) Identify, monitor and control operational risks arising in technology application as specified in Article 26 of this Circular in order to ensure at least: The potential operational risks related to internal and external network systems, hardware, software, applications, transaction interfaces, operations and human factors shall be identified. The ability to maintain stable operations against potential operational risks arising in technology application shall be monitored and evaluated. Operational risks in technology application shall be controlled and mitigated with prompt measures (if necessary).
Article 29. Insurance for minimization of loss coming from operational risk
1. The non-bank financial institution is allowed to purchase insurance for minimization of loss coming from operational risk as specified in the law regulations, suitable for the non-bank financial institution's financial capabilities and loss recovery.
2. The non-bank financial institution that does not purchase insurance for the aforementioned purpose must assess the effectiveness of its minimization of losses arising from operational risk, the insurance provider’s capability to execute insurance contracts, and other new risks (if any).
Chapter V
INTERNAL AUDIT
Article 30. Principles of internal audit
1. Independence:
a) The internal auditor and internal audit department must not undertake the tasks of individuals and other departments;
b) Internal audit is not subject to any influence or intervention from other individuals or departments;
c) The internal auditor shall neither audit the internal regulations on internal audit or the internal audit plan formulated by such internal auditor; nor audit a unit or department whose head is an affiliated person of such internal auditor; nor audit any activity performed by or any department under the charge of such auditor within 01 year from the date on which he/she ceases to perform or take charge of such activity or department. The criteria for setting salaries and other benefits for positions in the internal audit department must be separated from the business results and performance of other units and departments.
2. Impartiality:
a) Findings in the internal audit report must be carefully analyzed, based on collected data and information;
b) The internal auditor must be honest in reporting and assessment during the internal audit process;
c) The internal auditor has the right and duty to notify the competent level of problems related to impartiality during the internal audit process.
3. Professionalism:
a) Non-bank financial institutions that provide electronic transaction services to 10,000 customers or more must have information technology auditors;
b) Non-bank financial institutions other than those specified at Point a of this Clause, depending on the scale, condition and complexity of their business activities, may opt for in-house information technology auditors or employ external information technology auditors (who may be hired or may be the auditors of the owners);
c) The internal auditor must meet the requirements specified in Article 32 of this Circular.
4. Internal audit must have measures for inspecting compliance with the principles mentioned in Clauses 1, 2 and 3 of this Article during internal audit processes (also including producing and submitting internal audit reports). The Chief Internal Auditor shall promptly notify the Board of Supervisors of violations or risks of violation against the principles mentioned in Clause 1 of this Article.
Article 31. Mechanisms for cooperation
1. The non-bank financial institution must establish a coordination mechanism between:
a) The Board of Directors/Members’ Council and the Board of Supervisors and internal audit department, as specified in Clause 2 of this Article;
b) The Chief Executive Officer (Director) and departments, and the Board of Supervisors and internal audit department, as specified in Clause 3 of this Article.
2. The mechanism for cooperation between the Board of Directors/Members’ Council and the Board of Supervisors, the internal audit department of the non-bank financial institution must ensure that:
a) The Board of Directors/Members’ Council cooperates with the internal audit department during the internal audit of senior management oversight by the Board of Directors/Members’ Council;
b) The Board of Directors/Members’ Council carries out the Board of Supervisors' requests to the Board of Directors/Members’ Council in the internal audit reports and notifies the Board of Supervisors of the results of the fulfillment of those requests.
3. The mechanism for cooperation between the Chief Executive Officer (Director), departments and the Board of Supervisors, the internal audit department of the non-bank financial institution must ensure that:
a) The Chief Executive Officer (Director) coordinates with the internal audit department when the internal audit of senior management oversight by the Chief Executive Officer (Director) is conducted; instructs relevant departments to provide sufficient information about risks so that the internal audit department can plan the internal audit; organizes the implementation of the recommendations given by the Board of Supervisors to the Chief Executive Officer (Director) in the report on internal audit results (if any) and reports to the Board of Supervisors on the results of the implementation of such recommendations;
b) Departments that are not part of the Board of Supervisors and the internal audit department provide complete, truthful and accurate information, documents and records as required by the internal audit department during the internal audit; timely notify the internal audit department when detecting problems, violations, losses or potential losses; create favorable conditions for the internal audit department to perform the internal audit; implement internal audit recommendations given in the report on internal audit results and report to the internal audit department on results of the implementation of such recommendations.
Article 32. Standards of members of the Board of Supervisors and internal auditors
1. Members of the non-bank financial institution’s Board of Supervisors must fulfill all standards and requirements specified in the Law on Credit Institutions.
2. The non-bank financial institution must have standards of internal auditors, which include the following:
a) They must obtain a university degree, or any higher degree, specialized in economics, business administration, law, accounting, or auditing;
b) They must have at least 02 years of direct working experience in one of the following fields: banking, finance, accounting or auditing, in the case of internal auditors, and 03 years of such working experience in the case of the Chief Internal Auditor.
3. The non-bank financial institution must have standards of information technology auditors, which include the following:
a) They must obtain a university degree, or any higher degree, specialized in information technology or an appropriate major;
b) They must have at least 02 years of direct working experience in information technology.
Article 33. Work ethics of members of Board of Supervisors and internal auditors
The work ethics of members of the Board of Supervisors and internal auditors (also including the Chief Internal Auditor and other positions in the internal audit department) must at least include the following principles:
1. Integrity: work in a straightforward and honest manner.
2. Impartiality: carry out the assigned tasks impartially and assess fairly, not out of his/her own or anyone else’s interest.
3. Confidentiality: comply with the law regulations and the non-bank financial institution’s internal regulations on confidentiality of information.
4. Responsibility: carry out the assigned tasks in a timely manner and with quality.
5. Prudence: carry out the assigned tasks with prudence and take the following factors into consideration:
a) Complexity and importance of the internal audit’s subject;
b) Probability of serious errors during the internal audit process.
Article 34. Organizational structure, tasks, powers and responsibilities of the internal audit department
1. The organizational structure, tasks, powers and responsibilities of the non-bank financial institution’s internal audit department are decided by the Board of Supervisors as specified in the Law on Credit Institutions and this Circular.
2. The tasks of the internal audit department include at least the following:
a) Carry out internal audit on an annual or ad-hoc basis for the headquarters, branches and other affiliates of the non-bank financial institution;
b) Develop or review work ethics of members of the Board of Supervisors and internal auditors, internal regulations of the Board of Supervisors, and internal audit plans, then submit them to the Board of Supervisors for the latter to make official or amend them in accordance with Article 33 of this Circular;
c) Monitor and assess the fulfillment of the Board of Supervisors' requests to the Board of Directors, Members’ Council, Chief Executive Officer (Director), individuals and divisions;
d) Fulfill requests of the State Bank, independent auditing firms and other relevant authorities regarding internal audit;
dd) Make internal reports on internal audit, as specified in Article 7 of this Circular.
3. The powers of the internal audit department include at least the following:
a) Be provided with necessary resources (manpower, finance, assets and other tools);
b) Be provided with information, documents and records which are necessary for internal auditing work, also including meeting records and documents of the Board of Directors, Members’ Council and Chief Executive Officer (Director);
c) Interview individuals about issues related to internal audit; request the competent level as specified in the internal regulations for action against any uncooperative individual or department during the internal audit process;
d) Participate in internal meetings as specified in the Statutes and internal regulations of the non-bank financial institution.
4. The internal audit department and internal auditors shall at least:
a) Hold documents and information in confidence as specified by the law regulations and the non-bank financial institution’s internal regulations;
b) Be accountable to the Board of Supervisors for the assigned tasks;
c) Take legal responsibility for the assigned auditing tasks; the internal auditor answers to the Chief Internal Auditor for the assigned auditing tasks.
Article 35. The Board of Supervisors' internal regulations
The Board of Supervisors' internal regulations shall mention at least the following issues related to internal audit:
1. The internal audit department’s organizational structure, tasks and powers; standards of members of the Board of Supervisors and internal auditors; work ethics of members of the Board of Supervisors and internal auditors, as specified in this Circular.
2. Criteria for determining risk level and material level alongside internal audit frequency of activities, processes and departments; issues subject to internal audit, as specified in this Circular.
3. The internal audit plan formulation and implementation processes.
4. Review and assessment of internal audit regulations; handling of requests from the State Bank, independent auditing firms and other relevant authorities on internal audit.
5. Regulations on hiring external specialists and firms for internal audit (if applicable).
6. Regulations on internal reports on internal audit, as specified in this Circular.
Article 36. Internal audit plans
1. Internal audit is carried out on both an ad-hoc and an annual basis, as specified in the Board of Supervisors' internal regulations.
2. The annual internal audit plans are issued by the Board of Supervisors upon the Chief Internal Auditor’s request after consulting the Board of Directors/Members’ Council and the Chief Executive Officer (Director). Formulation of the internal audit plan must fulfill the following requirements:
a) Risk-based orientation principle: Activities, processes and departments must be assessed by risk level (high, medium and low) as specified in the Board of Supervisors' internal regulations. Resources shall be concentrated on high-risk activities, processes and departments, which shall be prioritized for audit and audited at least once a year;
b) Comprehensiveness: All activities, processes and departments must be internally audited. Activities, processes and departments with material level specified in the Board of Supervisors’ internal regulations must be audited at least once a year;
c) There are reserves of resources and time for ad-hoc internal audits;
d) The annual audit plan must be adjusted when there are material changes in the scale of operation or internal audit resources as specified by the Board of Supervisors' internal regulations.
3. The annual internal audit plan must be issued before December 15 of the previous year and include: scope, subject, objectives, time and resources (also including hiring external specialists and firms) of internal audit alongside other issues as specified by the non-bank financial institution.
4. Within 10 days from the date of issue or amendment, the non-bank financial institution shall submit its internal audit plan to the State Bank (via the Banking Supervision Agency).
Article 37. Issues subject to internal audit
Non-bank financial institutions must conduct internal audits in accordance with the Law on Credit Institutions, based on the following:
1. Independent inspection and assessment of compliance with mechanisms, policies and internal regulations on internal control and risk management by the Board of Directors, Members’ Council, Chief Executive Officer (Director), individuals and departments, also including identification of problems, limitations and their causes.
2. Independent review and assessment of the suitability of, and compliance with the law regulations by, mechanisms, policies and internal regulations on internal control and risk management, including identification of problems, limitations and their causes.
3. Proposals and requests to the competent levels and relevant departments for addressing problems and limitations.
4. Other issues specified in the Board of Supervisors’ internal regulations.
Chapter VI
IMPLEMENTATION PROVISIONS
Article 38. Implementation provisions
1. This Circular takes effect from October 1, 2024.
2. To amend and supplement Circular No. 44/2011/TT-NHNN dated December 29, 2011, of the Governor of the State Bank, providing for internal control system and internal auditing of credit institutions and foreign bank branches as follows:
a) To amend and supplement Article 1 as follows:
“Article 1. Scope of regulation
This Circular provides for the internal control system and internal auditing of credit institutions (except commercial banks and non-bank financial institutions).”
b) To remove the phrase “foreign bank branch” in this entire Circular.
3. To annul Clause 3, Article 73 of Circular No. 13/2018/TT-NHNN dated December 29, 2011, of the Governor of the State Bank, on internal control systems and internal auditing of credit institutions and foreign bank branches.
Article 39. Responsibilities for implementation
The Chief of the Ministerial Office, the Chief Inspector of the Banking Supervision Agency, Heads of units affiliated to the State Bank of Vietnam, non-bank financial institutions and relevant organizations and individuals shall be responsible for implementing this Circular./.
FOR THE GOVERNOR
DEPUTY GOVERNOR
Doan Thai Son