CIRCULAR

PROVIDING FOR RISK MANAGEMENT, INTERNAL CONTROL AND INTERNAL AUDIT OF INSURANCE COMPANIES, REINSURANCE COMPANIES, BRANCHES OF FOREIGN NON-LIFE INSURANCE COMPANIES AND BRANCHES OF FOREIGN REINSURANCE COMPANIES

Pursuant to the Law on Insurance Business dated June 16, 2022;

Pursuant to the Law on Enterprises dated June 17, 2020;

Pursuant to the Government's Decree No. 87/2017/ND-CP dated July 26, 2017, defining the functions, tasks, powers and organizational structure of the Ministry of Finance;

The Minister of Finance hereby promulgates the Circular setting down regulations on risk management, internal control and internal audit of insurance companies, reinsurance companies, branches of foreign non-life insurance companies and branches of foreign reinsurance companies.

Chapter I

GENERAL PROVISIONS

...

...

...

This Circular elaborates Article 84, Article 85; clause 1 and clause 2 of Article 86 in the Law on Insurance Business.

Article 2. Subjects

1. Life insurance companies, non-life insurance companies, health insurance companies (hereinafter referred to as insurance companies), and reinsurance companies.

2. Branches of foreign non-life insurance companies, and branches of foreign reinsurance companies (hereinafter referred to as foreign branches).

3. Entities and persons involved in risk management, internal control and internal audit of insurance companies, reinsurance companies and foreign branches.

Article 3. Interpretation

For the purposes of this Circular, terms used herein shall be construed as follows:

1. Parent company of foreign branch refers to the foreign non-life insurance company or the foreign reinsurance company that sets up its branch in Vietnam.

2. Risk refers to the likelihood to incur loss(es) (financial loss(es), non-financial loss(es)) resulting in any decrease in income and/or equity consequentially causing any reduction in the capital adequacy ratio or any limitation to the capability of achieving business goals and objectives of an insurance company, reinsurance company, or foreign branches.

...

...

...

4. Risk limit refers to a limit of each type of risk that a person or a department or division under an insurance company, reinsurance company or foreign branch may be allowed to run over time periods or during its insurance operations or business process.

5. Material risk is grouped into insurance risk, market risk, operational risk, counterparty risk and other risk judged by an insurance company, a reinsurance company or a foreign branch as substantially or materially affecting its financial safety and operational efficiency.

6. Insurance risk refers to any risk arising due to change(s) in technical factor(s) associated with calculation of insurance premiums and insurance-related technical provisioning, including:

a) Risk related to calculation of insurance premiums: This type of risk may arise from creating an irrelevant assumption underpinning underestimation of insurance premium needed to pay insurance benefit or coverage agreed upon during the policy term and offset operating costs of an insurance company, reinsurance company or foreign branch. An assumption underpinning estimation of insurance premium may embrace: casualty risk ratio, longevity risk ratio, (compensation) claim settlement ratio, cost ratio, rate of return, insurance policy cancellation rate and other assumptions used in insurance premium calculation models;

b) Risk related to non-life insurance company's setting up technical provision for settlement of non-life insurance claims: Setting up technical provisions not sufficient to settle insurance claims or pay compensations or indemnities on the part of a non-life insurance company or branch of a foreign non-life insurance company;

c) Risk related to disasters: This type of risk arises when the actual claim settlement ratio is greater than as stated in the premium calculation assumption due to any epidemic or catastrophic event.

7. Market risk refers to any risk arising from the market where investment and business activities of insurance companies, reinsurance companies and foreign branches take place, including:

a) Risk related to negative trends in market interest rates to the values of bonds or debt securities, interest-bearing financial instruments, derivatives and assets of an insurance company, reinsurance company or foreign branch;

b) Risk related to negative trends in forex rates to reinsurance, cession and foreign investment;

...

...

...

d) Risk from non-equivalence between the term of assets and liabilities agreed upon in insurance contracts entered into by an insurance company, reinsurance company or foreign branch.

8. Operational risk refers to any risk from setting up and carrying out the operating procedures of an insurance company, reinsurance company or foreign branch, including:

a) Risks related to failure to completely set up and conform to the internal regulations and operating procedures of an insurance company, reinsurance company or foreign branch;

b) Legal risk;

c) Risk associated with failure to develop complete and due actuarial processes, which leads to an increase in the rate of high-risk policyholders;

d) Risk associated with designing insurance benefits or coverage that is/are not adaptable to market situation;

dd) Risk associated with staff and safety-at-work policies;

e) Risk associated with unsatisfactory outsourced services or failure of outsourced partner(s) to fulfill obligations under outsourcing agreements;

g) Risk related to information technology (IT) systems, personal data security and cybersecurity;

...

...

...

i) Fraud risk;

k) Other risk related to operations of an insurance company, reinsurance company or foreign branch.

9. Counterparty risk refers to the probability that the other party will not meet its payment commitments when making investment and reinsurance transactions with an insurance company, reinsurance company or foreign branch.

10. Liquidity risk refers to the risk that an insurance company, reinsurance company or foreign branch will not have sufficient cash to meet its capabilities to pay debts that fall due.

11. Risk management refers to identification, measurement, monitoring and control of the operational risk of an insurance company, reinsurance company or foreign branch.

12. Risk management culture refers to the cultural value of an insurance company, reinsurance company or foreign branch that indicates the general awareness of importance of risk management activities amongst the Governing board, Board of Members, General Director (Director) and persons, departments or divisions at an insurance company, reinsurance company or foreign branch.

Chapter II

SPECIFIC PROVISIONS

Section 1. RISK MANAGEMENT

...

...

...

1. Insurance companies, reinsurance companies and foreign branches shall use three separate Lines of Defence hereunder for their risk management:

a) First Line of Defence: This Line of Defence is formed by functional departments, divisions or units that directly identify, receive, assess, control, report and monitor business risks;

b) Second Line of Defence: This Line of Defence is formed by the Risk Management, the Compliance Control and other departments or divisions having the function of controlling risks to the First-Line-of-Defence roles;

c) Third Line of Defence: This Line of Defence is formed by the Internal Audit department or division.

2. Depending on the size, condition and complexity of their business activities, insurance companies, reinsurance companies and foreign branches may build their organizational structure of the Second Line of Defence provided that it performs all of the following functions:

a) Provide expert counsels in order for the General Director (Director) to issue internal rules and regulations on risk management;

b) Work with operational departments or divisions in the First Line of Defence to identify and monitor material risks that may arise;

c) Build and use risk assessment and measurement models to early warn of and identify risks and hazards of risk limits; proposing measures or approaches for control, prevention and minimization of any risk that may arise;

d) Construct the scenario for testing of their risk tolerance;

...

...

...

Article 5. Risk Management Policies; Internal Rules and Regulations on Risk Management

Insurance companies, reinsurance companies and foreign branches shall formulate their Risk Management Policies; Internal Rules and Regulations on Risk Management as follows:

1. Their risk management policies must satisfy the regulations laid down in point c of clause 2 of Article 86 in the Law on Insurance Business.

2. Their internal rules and regulations on risk management shall cover the following:

a) Functions, tasks, mechanism for delegation of authority, decision-making authority and responsibilities of individuals and departments in their risk management activities;

b) Procedures for identifying, measuring, tracking, monitoring and supervising material risks; making reports and exchanging information or feedback on risk changes and response;

c) Specific limits specific to material risks and other related risks; correlation between those risks. Risk limits mentioned above shall be in line with the taste for risk and conform to their internal rules and regulations on risk management; be reviewed periodically at least once a year and irregularly whenever there are major changes affecting the operational risk of these insurance companies, reinsurance companies or foreign branches;

d) Measures or approaches applied to control risks arising from business activities, and control individuals and departments involved in those activities.

dd) Risk tolerance tests meeting regulations laid down in Article 7 herein.

...

...

...

g) Internal regime for reporting of risk management.

Article 6. Identification, Measurement, Monitoring and Control of Risks

Insurance companies, reinsurance companies and foreign branches shall identify, measure, monitor and control risks in a timely and accurate manner, subject to the following regulations:

1. Identify material risks that they may face during their business.

2. Measure risks on the basis of defining impacts of these risks on their business, capital and solvency. Risk measurement shall be carried out by using methods or models. Risk measurement methods and models shall be regularly examined and reviewed to ensure accuracy and rationality in accordance with their internal rules and regulations on risk management. All data used in these risk measurement methods and models shall be reliable and inspectable.

3. Check the risk status, duly assess, give early warning of the possibility of violating risk limits, and restrict exposure to risks to ensure safety in their operations; make internal reports on risk monitoring and send them to relevant individuals and departments.

4. Control the implementation of functional or operating procedures within corresponding risk limits; test risk tolerance as prescribed in Article 7 of this Circular, take measures to prevent, minimize and promptly deal with risks to ensure compliance with risk limits.

Article 7. Risk Tolerance Testing

1. Annually, insurance companies, reinsurance companies and foreign branches shall test their risk tolerance in terms of capital and solvency as prescribed in clause 2 of this Article.

...

...

...

a) Construct at least 02 scenarios, including: A scenario under normal operating condition; the other scenario in response to adverse trends in ratios of risks from insurance, investment activities, operating costs and other factors according to evaluation by insurance companies, reinsurance companies and foreign branches. In order to be chosen, the scenario must be appropriate for use in at least the next 5 financial years and constructed based on analysis of statistical data and actual performance of the tested insurance company, reinsurance company or foreign branch, and forecast about negative macroeconomic trends;

b) Calculate the impacts of assumptions on capital, solvency margin and financial safety indicators of the tested insurance company, reinsurance company or foreign branch as part of each scenario (including quantitative analysis and qualitative analysis).

3. Based on the results of the tolerance test, the tested insurance company, reinsurance company or foreign branch shall decide to take measures to maintain their ongoing operations and business in case of any negative trend that may emerge.

Article 8. Risk Management Reporting

1. Each risk management report shall cover the following:

a) Assess the completeness of risk management activities, determine financial resources required for management of business activities within risk-taking capabilities and business plans of the reporting insurance company, reinsurance company or foreign branch;

b) Make the detailed assessment of specific types of material risk of the reporting insurance company, reinsurance company or foreign branch, and of changes in operational risks that may arise from its business;

c) Methodologies for management of specific types of material risk of the reporting insurance company, reinsurance company or foreign branch;

d) Results of the tolerance test and analysis of capabilities of maintaining ongoing business activities in case of disadvantages to business activities.

...

...

...

Article 9. Management Information Systems

1. Insurance companies, reinsurance companies and foreign branches shall keep management information systems in place to provide internal information and reports for Governing boards, Boards of Members of these insurance companies, reinsurance companies, parent companies of these foreign branches, General Directors (Directors), and relevant individuals or departments in order for them to perform their functions and duties in compliance with this Circular.

2. Each management information system shall include but not limited to the followings:

a) Internal reports, meeting minutes, resolutions of the Governing board, Board of Members of the insurance enterprise, reinsurance enterprise or decisions of the parent company of the foreign branch; decisions of the General Director (Director) and other management information required under the instructions of the insurance company, reinsurance company or foreign branch. Internal report shall comprise at least the following reports: Risk management report; internal audit report and reports of the compliance control department;

b) The organizational structure for management and operation of the management information system, which specifies the responsibilities for using the management information system of the relevant individuals and departments;

c) Collecting, processing, storing and providing information; building, sending, receiving and handling reports;

d) Information technology infrastructure and facilities meeting the requirements defined in point c and d of clause 3 of this Article.

3. Management information systems of insurance companies, reinsurance companies or foreign branches shall:

a) provide complete, accurate and timely information and data to meet their requirements of risk management, internal control and internal audit;

...

...

...

c) ensure confidentiality, security and safety for information and data, and be supported by backup information systems to ensure the safe, effective and uninterrupted storage and use of information;

d) be examined, reviewed, re-evaluated, upgraded and updated regularly and promptly to meet the needs for management information, and to be commensurate with the size, structure, and in line with the complexity in their business activities.

Article 10. Risk Management Culture

1. Insurance companies, reinsurance companies and foreign branches shall build their risk culture by issuing and complying with the codes of professional ethics; internal rules and regulations on risk management; and reward and sanction regulations.

2. Each code of professional ethics shall conform to the following principles:

a) Staff members shall honestly perform assigned tasks and authority for the benefit of the insurance companies, reinsurance companies or foreign branches that they are working for; shall avoid performing the act of abusing their position and information of their employers to seek personal gain, harm the interests of insurance companies, reinsurance companies or foreign branches as their employers;

b) Individuals and departments must promptly report to competent authorities on the acts of violation specified in point a of this clause and those against regulatory provisions and internal rules and regulations of insurance companies, reinsurance companies or foreign branches as their host entities.

3. Internal rules and regulations on risk management shall be in accordance with clause 2 of Article 5 herein.

4. Reward and sanction regulations must ensure accuracy, public access, transparency, fairness and timeliness. Nomination for a reward or imposition of a sanction shall be subject to assigned functions and duties of relevant departments or individuals of insurance companies, reinsurance companies or foreign branches.

...

...

...

Article 11. Requirements of Technical Procedures

1. In order to ensure successful internal controls, insurance companies, reinsurance companies or foreign branches shall develop technical procedures: These technical procedures shall include but not limited to the following: Insurance product costing and development procedures; insurance offering and underwriting procedures; insurance claim settlement, indemnification or compensation and payout procedures; reinsurance procedures and internal control procedures.

2. Those sets or subsets of technical procedures shall be built on the practice of decentralizing and delegating approval-granting authority in a clear manner, ensuring that they are aligned with functions and tasks of individuals and departments in charge of implementing these procedures; Such approval-granting authority shall be determined based on the transaction size, risk limits and other restrictions as stipulated in internal rules and regulations of insurance companies, reinsurance companies and foreign branches.

Article 12. Internal Control Activities

The following principles shall be obeyed when carrying out internal control activities:

1. All operations, technical procedures and departments of insurance companies, reinsurance companies and foreign branches shall be subject to the internal control requirement.

2. Compliance control department shall be independent of other functional departments.

3. A staff member of an insurance company, reinsurance company or foreign branch shall not be allowed to hold positions or be assigned duties concurrently if aims or interests resulting from these positions or duties conflict or overlap.

4. Staff members of insurance companies, reinsurance companies and foreign branches shall not be allowed to use information of their employers for personal purposes; conceal violations against laws and internal rules and regulations of their employers.

...

...

...

6. Financial information systems needed for internal controls shall ensure integrity, rationality, completeness, accuracy and timeliness.

Article 13. Tasks and Duties of Compliance Control Departments

A Compliance Control Department shall have the following tasks and duties:

1. Provide expert counsels in order to help General Director (Director) or a relevant competent authority to issue internal control procedures.

2. Carry out the annual or unscheduled examination and assessment of compliance with the provisions of law, internal rules and regulations and professional ethical standards of staff members and functional or operations departments.

3. Support relevant departments in the process of formulating and reviewing internal rules and regulations to ensure compliance with regulatory provisions; making recommendations or comments on, and improving internal procedures, rules and regulations.

4. Prepare quarterly, annual and ad-hoc update reports for submission to the General Director (Director) on compliance with the provisions of law, internal rules and regulations and professional ethical standards of staff members and functional or operations departments, including proposals for modifications of technical procedures (where necessary). Each quarterly report shall be submitted no later than 30 days following the last day of the quarter in question while each annual report shall be submitted no later than 90 days following the last day of the year in question.

5. Report to the Governing boards or the Boards of Members of the insurance companies, reinsurance companies or parent companies of foreign branches in a timely manner when detecting violations related to compliance with law that are committed by these insurance companies, reinsurance companies or foreign branches.

Section 3. INTERNAL AUDIT

...

...

...

An Internal Audit shall have the following tasks and duties:

1. Audit compliance with the regulatory provisions of laws, internal procedures, rules and regulations of the audited insurance company, reinsurance company or foreign branch.

2. Audit safety and effectiveness in management and usage of capital, assets and other resources of the audited insurance company, reinsurance company or foreign branch.

3. Audit accuracy, integrity and effectiveness of the procedures for control of financial information and the financial reporting.

4. Audit completeness, accuracy and safety of information technology systems and professional software in use.

5. Audit other matters as requested by the Governing board or the Board of Members of the audited insurance company, reinsurance company and parent company of the audited foreign branch.

Article 15. Principles of Internal Audit

1. Independence:

a) The internal audit department must be separated from other departments or functions of the first and second Line of Defense;

...

...

...

c) Internal audit shall in no case be prejudiced when determining the audit scope and subject matters to be audited, and when carrying out its assessment and making audit reports.

2. Objectivity:

a) Persons in charge of internal audit shall have impartial, honest, fair and unbiased assessment views;

b) Entries or recordings contained in internal audit reports must be discreetly analyzed and based on collected data and information;

c) Persons in charge of internal audit shall not be allowed to carry out the internal audit of internal rules, regulations, policies, formalities and procedures of which formulation is mainly under their responsibility;

d) Persons in charge of internal audit shall not be allowed to get involved in auditing operations or departments put under their responsibility to carry out such operations or manage such departments within 02 years from the effective date of the decision on exclusion from doing so binding upon them;

dd) Persons in charge of internal audit shall promptly report to the Head of the internal audit department on issues that may affect the objectivity when carrying out internal audits. In case it is discovered that the person in charge of internal audit may not ensure conformance to the principle of objectivity in his/her internal audit activities, the Head of the internal audit department must report to the Governing Board or the Board of Members of the audited insurance company, reinsurance company or parent company of the audited foreign branch to seek any appropriate solution;

e) Performance of the Head of the internal audit department shall be regularly examined, reviewed and assessed by the Governing Board or the Board of Members of the audited insurance company, reinsurance company and parent company of the audited foreign branch.

3. Persons in charge of internal audit shall comply with laws and be legally responsible for their assigned internal audit duties.

...

...

...

1. Insurance companies, reinsurance companies and foreign branches shall publish internal audit regulations and procedures.

2. Internal audit regulations shall comprise:

a) Objectives, scope of internal audit, positions, tasks, powers and responsibilities of the internal audit department in the insurance company, reinsurance company or foreign branch, and the relationship with other departments;

b) Fundamental principles, professional qualification requirements, quality assurance of internal audit and other relevant matters.

3. Internal audit procedures shall provide details about:

a) Methodologies of assessing and classifying risk levels (e.g. low, medium, high) as a basis to build an internal audit plan;

b) Methodologies of making annual internal audit plans, ways of performing audit work, making and sending audit reports, and monitoring how post-audit recommendations are followed;

c) Forms of filing and archival of internal audit records and documents.

Article 17. Internal Audit Plans

...

...

...

2. Departments and functions or operations assessed by insurance companies, reinsurance companies or foreign branches as posing high risks shall be included in annual audit plans.

3. When devising internal audit plans, internal audit departments shall allow for spare time needed for sudden audit engagements upon request.

Article 18. Authority and Responsibilities of Internal Audit Departments

1. When on duty, the internal audit department shall have the following rights:

a) It can be provided with full information, documents and records needed for internal audit engagements;

b) It can have access to and be entitled to examine all technical procedures and assets when carrying out internal audit engagements;

c) It can approach and interview all staff members of the audited insurance company, reinsurance company or foreign branch about matters associated with the content of an audit engagement;

d) It can receive documents, literature or meeting minutes of the Governing Board or the Board of Members of the audited insurance company, reinsurance company and parent company of the audited foreign branch provided they are related to internal audit engagements.

2. When on duty, the internal audit department shall have the following duties and responsibilities:

...

...

...

b) Immediately report to the Governing Board or the Board of Members of the audited insurance company, reinsurance company or parent company of the audited foreign branch, the General Director (Director) when finding out serious defects or high risks likely to adversely affect business and operations of that audited entity;

c) Promptly prepare, complete and send audit reports to the Governing Board or the Board of Members of the audited insurance company, reinsurance company or parent company of the audited foreign branch, the General Director (Director) and the audited department after each audit engagement;

d) Oversee, assess and monitor corrective and remedial actions against defects or issues which have been recorded by and obtained recommendations from internal audit;

dd) Inform the Governing Board or the Board of Members of the audited insurance company, reinsurance company or parent company of the audited foreign branch of defects or issues stated in audit reports that have not yet been corrected or remedied in a timely manner;

e) Keep and retain internal audit documents and records in written form and according to the permitted process in order for authorized persons and entities to have access to them.

Article 19. Responsibilities of Audited Departments

1. Provide information, documents and records in full and in a timely manner at the internal audit department's request to help with internal audit activities.

2. Immediately report to the internal audit department on any sign of violation or risk that may affect operations and business of the audited insurance company, reinsurance company or foreign branch.

3. Duly carry out recommendations included in internal audit reports and instructions from the Governing Board or the Board of Members of the audited insurance company, reinsurance company, parent company of the audited foreign branch, the General Director (Director) (if any).

...

...

...

1. The internal audit department shall submit the internal audit report to the Governing Board or the Board of Members of the audited insurance company, reinsurance company or parent company of the audited foreign branch no later than 90 days following the end of each audit engagement.

2. An internal audit report must clearly include:

a) Content and scope of each audit engagement;

b) Assessment and conclusion opinions about audited matters and basis for these opinions;

c) Issues, violations and explanatory opinions concerning the audited entity;

d) Recommended correction or remedy actions and sanctions; measures aimed at improving technical procedures, perfecting risk management policies and organizational structure of the audited insurance company, reinsurance company or foreign branch (if any).

Section 4. RESPONSIBILITIES OF GOVERNING BOARDS, BOARDS OF MEMBERS, PARENT COMPANIES OF FOREIGN BRANCHES AND GENERAL DIRECTORS (DIRECTORS)

Article 21. Responsibilities of Governing Boards, Boards of Members, Parent Companies of Foreign Branches

The Governing Board or the Board of Members of the insurance company, reinsurance company or parent company of the foreign branch in question shall have the following responsibilities:

...

...

...

2. Issue risk management policies over time; principles of internal audit; internal audit procedures of the insurance company, reinsurance company or foreign branch in question.

3. Approve internal rules and regulations regarding risk management before being issued by the General Director (Director); approve and revise annual internal audit plans.

4. Instruct the General Director (Director) to carry out the following assignments and supervise his/her performance in such assignments:

a) Correct and address defects or issues relating to the organization structure for risk management, and follow demands and recommendations from independent audit bodies, internal audit departments and competent authorities;

b) Sanction acts of violation, violations against professional ethics and internal rules and regulations of related persons and departments.

5. The Governing Boards and the Boards of Members of the insurance companies or reinsurance companies in question shall be responsible for approving risk management reports of these entities before submitting them to the Ministry of Finance. Authority to approve risk management reports of foreign branches before submitting them to the Ministry of Finance shall be as prescribed under the operating regulations of these foreign branches and regulations of parent companies.

Article 22. Responsibilities of General Director (Director)

The General Director (Director) of the insurance company, reinsurance company or foreign branch in question shall have the following responsibilities:

1. Issue technical procedures (including internal control procedures), professional ethics; internal rules and regulations on risk management; reward and sanction regulations; distribute risk limits according to specific technical procedures and operations.

...

...

...

3. Examine and assess performance in terms of internal control and risk management, and decide correction or remedial actions (where necessary).

4. Take charge of operating and perfecting management information systems.

5. Direct departments of the First Line of Defence and the Second Line of Defence to cooperate with the internal audit according to internal audit regulations of the insurance company, reinsurance company or foreign branch in question.

6. Direct recommendations included in internal audit reports and instructions from the Governing Board or the Board of Members (if any) to be followed, and inform the internal audit department of results obtained from following these recommendations and instructions.

Chapter III

IMPLEMENTATION PROVISIONS

Article 23. Entry into force

1. This Circular shall enter into force as from January 1, 2023.

2. In the course of implementation hereof, if there is any issue or difficulty that arises, it should be promptly informed to the Ministry of Finance to seek solutions./.

...

...

...

PP. MINISTER
DEPUTY MINISTER




Cao Anh Tuan