CIRCULAR

INTERNAL CONTROL SYSTEM OF NON-BANK CREDIT INSTITUTION

Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;

Pursuant to the Law on Credit Institutions dated June 16, 2010 and the Law on amendments to the Law on Credit Institutions dated November 20, 2017;

Pursuant to the Government's Decree No. 102/2022/ND-CP dated December 12, 2022 on functions, tasks, powers and organizational structure of the State Bank of Vietnam;

At the request of the Chief Inspector of the Banking Inspection and Supervision Agency under SBV;

The Governor of the State Bank of Vietnam promulgates Circular on internal control system of non-bank credit institution.

Chapter I

...

...

...

Article 1. Scope

This Circular prescribes internal control system of non-bank credit institution.

Article 2. Regulated entities

1. Non-bank credit institutions, including finance companies and finance lease companies.

2. Organizations and individuals related to internal control systems of non-bank credit institutions.

Article 3. Definition of terms

In this Circular, the terms below are construed as follows:

1. "Internal control system” means a combination of mechanisms, policies, processes, internal regulations and organizational structures of a non-bank credit institution in accordance with regulations of the Law on Credit Institutions, this Circular and other relevant regulations of law and is implemented with a view to controlling, preventing, detecting and handling risks, and fulfilling requirements that have been set out. The internal control system carries out senior management supervision, internal control, risk management and internal audit.

2. “Senior management supervision” is carried out by the Board of Directors, Council of Members, Director General (Director) with regard to internal control and risk management, and by the Board of Controllers of a non-bank credit institution with regard to internal audit.

...

...

...

4. “Risk management” means identification, monitoring and control of risks in operations of a non-bank credit institution.

5. “Control culture” means the cultural value of a non-bank credit institution, which shows unity in awareness of important of risk control and management among the Board of Directors, Council of Members, Board of Controllers, Director General (Director), individuals and departments. The control culture is created from work ethics, internal regulations and commendation/discipline schemes in order to encourage individuals and departments to proactively identify and control risks in their own activities as well as operations of the non-bank credit institution.

6. "Risk” means the probability of loss (financial or non-financial loss), causing decrease in a non -bank credit institution’s own capital and income, thereby reducing the capital safety ratio or hindering the non-bank credit institution from achieving its business goals.

7. “Risk position” means value of risk assets, liabilities and off-balance sheet items of a non-bank credit institution.

8. Credit risk includes:

a) “Credit risk” means the risk of a customer’s failure or incapacity to fulfill part or all of debt repayment obligations under a contract or agreement with a non-bank credit institution, unless otherwise prescribed in Point b of this Clause. In this case, customers (including credit institutions and foreign bank branches) have relationships with non-bank credit institutions in receipt of credit (including credit receipt through entrustment), deposits and issuance of corporate bonds;

b) “Counterparty credit risk” refers to the risk of a counterparty’s failure or incapacity to discharge part or all of payment obligations prior to or by the maturity dates of proprietary trades; repo and reverse repo transactions; trades in derivatives for risk prevention; trades in foreign currencies and financial assets to serve the needs of customers and partners. In this case, counterparties (including credit institutions and foreign bank branches) enter into transactions with non-bank credit institutions in proprietary trades; repo and reverse repo transactions; trades in derivatives for risk prevention; trades in foreign currencies and financial assets to serve the needs of customers and partners.

9. “Operational risk” means the risk arising due to inadequate or failed internal processes, people, system errors, failures or external events that cause financial losses or non-financial negative impacts on a non-bank credit institution (including legal risks). The operational risk does not include:

a) “Reputational risk” refers to the risk arising from negative reactions by customers, partners, shareholders or the public to the reputation of a non-bank credit institution;

...

...

...

10. “Conflict of interest” is a situation where an individual or department makes decisions within their competence that are not appropriate for or go against interests of the non-bank credit institution.

11. “Risk-bearing decisions” mean decisions of the competent person/department of a non-bank credit institution that create risks or change the institution’s risk position.

12. “Credit risk-bearing decisions” mean risk-bearing decisions on credit activities, including at least: credit extension decisions; credit limit decisions; limit-exceeding loan decisions; loan term restructuring decisions; and loan group transfer decisions.

13. “Credit extensions requiring attention”, with the minimum amount regulated by the non-bank credit institution, are loans belonging to loan group 2 or above, as specified in the State Bank’s regulations on classification of assets, ratio and method of establishment and use of provisions for credit risk of a credit institution or a foreign bank’s branch.

14. “Outsourcing” means an act where the non-bank credit institution makes an agreement in writing (an outsourcing contract) to hire another organization, enterprise, credit institution or foreign bank’s branch (hereinafter referred to as “the contractor”) to carry out one or multiple activities (including data processing or some steps of the business process) in the non-bank credit institution’s stead, in accordance with the law.

15. “Internal auditor” means a person who carries out internal audit and belongs to an internal audit department of a non-bank credit institution.

Article 4. Requirements for internal control system

1. The internal control system of a non-bank credit institution shall fulfill the following requirements:

a) Meeting requirements according to regulations of the Law on Credit Institutions;

...

...

...

c) Having sufficient financial, human and IT resources in order to ensure the internal control system’s effectiveness;

d) Creating and maintaining control culture and work ethics for the non-bank credit institution.

2. The non-bank credit institution shall have internal regulations in compliance with regulations of the Law on Credit Institutions, in which the following requirements shall be met:

a) Being consistent with regulations in this Circular and relevant laws;

b) The Board of Directors or the Council of Members promulgates regulations on the non-bank credit institution 's organization, management and activities, except for matters under the competence of the Shareholders’ Council and owner; the Board of Controllers promulgates its own internal regulations; the Director General (Director) promulgates work regulations, processes and procedures (hereinafter referred to as “internal process”);

c) Being subject to regular assessments specified in this Circular and the non-bank credit institution’s regulations on appropriateness of and compliance with the law, and making amendments if necessary.

3. The internal control system shall have three lines of defense as follows:

a) The first line of defense has functions of risk identification, control and minimization carried out by the following departments: business departments (including product development department), other revenue-generating departments; departments responsible for making risk-bearing decisions; departments responsible for risk limit allocation, risk management and risk minimization (affiliated to a business department or an independent department) in each type of transactions and business activities; human resource department, accounting department;

b) The second line of defense has functions of formulation of risk management policies and issuance of internal regulations on risk management and monitoring in accordance with regulations of law, carried out by the following departments: Departments conforming to the regulations in Article 16 of this Circular and risk management department specified in Article 18 of this Circular;

...

...

...

4. Discussions and conclusions on the internal control system in meetings held by the Board of Directors, Council of Members, Board of Controllers, Risk Management Committee, and Human Resource Committee shall be recorded in writing, in which agreements and disagreements of members shall be specified.

5. Independent assessment of the internal control system shall be carried out in accordance with the State Bank’s regulations on independent audit in non-bank credit institutions and foreign bank branches.

Article 5. Retention of internal control records and documents

1. A non-bank credit institution shall have internal regulations on management and retention of records and documents on the internal control system.

2. Management and retention of records and documents on the internal control system in the non-bank credit institution shall:

a) Comply with regulations of law;

b) Fully retain records and documents in order to provide them upon request of internal auditors, the independent auditing organization, and the authority having competence in internal audit, independent audit, inspection and supervision.

Article 6. Submission of reports on internal control system to the State Bank

1. The non-bank credit institution shall produce reports on the internal control system according to Appendices issued together with this Circular, including.

...

...

...

b) Annual reports on internal audit (Appendix 02);

c) Ad hoc reports on internal audit.

2. The report on internal control system shall indicate shortcomings, restrictions and risks arising (if any) in the whole non-bank credit institution (including departments in its headquarter, branches and other affiliated units).

3. Report submission deadline:

a) In case of reports mentioned in Point a Clause 1 of this Article: The non-bank credit institution shall submit such reports within 45 days after the end of fiscal year.

b) In case of reports mentioned in Point b Clause 1 of this Article: The non-bank credit institution shall submit such reports within 60 days after the end of fiscal year.

c) In case of reports mentioned in Point c Clause 1 of this Article: The non-bank credit institution shall submit such reports within 15 days after the ad hoc internal audit’s date of completion (including approval of the Board of Controllers).

4. The data collection period is the date on which a fiscal year ends.

5. These reports shall be made in writing and sent to the State Bank (the banking inspection and supervision agency) in person or by post.

...

...

...

1. Internal reports on the internal control system include:

a) Internal report on internal control;

b) Internal report on credit risk;

c) Internal report on operational risk;

d) Internal report on internal audit results;

2. The internal report on internal control contains assessment of control activities according to regulations in Article 14 of this Circular and other contents under internal regulations of the non-bank credit institution.

3. The internal report on credit risk shall contain at least the following contents:

a) Quality of credit extensions and credit extension portfolios by customer and product;

b) Credit extensions requiring attention and measures for handling them;

...

...

...

d) State of establishment and use of provisions for credit risk;

dd) Early warning about violations against credit risk limits and restrictions;

e) Violations against regulations on credit risk management and their causes;

g) Proposals and recommendations about credit risk management;

h) Results of fulfillment of requests and implementation of recommendations from internal auditors, the State Bank, independent auditing organizations and other functional authorities.

4. The internal report on operational risk shall contain at least the following contents:

a) Operational risks that have arisen during the reporting period and their causes;

b) Loss caused by operational risk, and measures for recovering loss and sustaining operations (if any);

c) External events and factors that influence the non-bank credit institution’s operational risk;

...

...

...

dd) Changes to technology application (if any) and state of its operational risk management;

e) Proposals and recommendations about operational risk management;

g) Results of fulfillment of requests and implementation of recommendations about operational risk management from internal auditors, the State Bank, independent auditing organizations and other functional authorities.

5. The internal report on internal audit results (annual and ad hoc internal audits) shall contain the following contents:

a) State of implementation of contents and scope of audit in the fiscal year;

b) Compliance with mechanisms, policies and internal regulations on senior management supervision, internal control, risk management issued by the Board of Directors, Council of Members, Director General (Director), individuals and departments;

c) Appropriateness and compliance with law regulations and those in this Circular of mechanisms, policies and internal regulations on senior management supervision, internal control, and risk management;

d) Shortcomings and restrictions that have been detected during the process of internal audit and recommendations about the competent person/department and relevant departments;

dd) Other contents under internal regulations of the Board of Controllers of the non-bank credit institution.

...

...

...

a) The internal report on internal control shall be made on an annual or ad hoc basis according to internal regulations of the non-bank credit institution;

b) The internal report on credit risk shall be made on at least a quarterly or ad hoc basis according to internal regulations of the non-bank credit institution;

c) The internal report on operational risk shall be made on at least a biannual or ad hoc basis according to internal regulations of the non-bank credit institution;

d) Regarding internal report on internal audit results: After completion of the internal audit, the internal audit department shall submit the report on internal audit results to the Board of Controllers for approval and submission to the Board of Directors, Council of Members, Director General (Director) according to internal regulations of the Board of Controllers of the non-bank credit institution.

7. Individuals and departments receiving reports:

Individuals and departments receiving reports are the Board of Directors, Council of Members, Board of Controllers, Director General (Director) and relevant individuals and departments according to internal regulations of the non-bank credit institution.

Chapter II

SENIOR MANAGEMENT SUPERVISION

Article 8. Requirements for senior management supervision

...

...

...

2. Ensuring that internal control, risk management and internal audit are carried out effectively and the set requirements are fulfilled.

3. Fully grasping the non-bank credit institution’s risk position and state of implementation of the risk management policy.

4. Promptly adopting loss prevention and handling measures in order to increase efficiency and safety in the non-bank credit institution’s operation.

Article 9. Organizational structure of a non-bank credit institution’s senior management supervision

1. The supervision structure of a non-bank credit institution’s Board of Directors/Council of Members shall have:

a) Risk Management Committee and Human Resource Committee, as specified in the State Bank’s regulations on license issuance, organization and operations of non-bank credit institutions;

b) Other committees (if necessary) with a view to helping the Board of Directors/Council of Members carry out senior management supervision.

2. The supervision structure of the Board of Controllers shall comply with regulations of the Law on Credit Institutions and internal regulations of the Board of Controllers.

Article 10. Senior management supervision for internal control

...

...

...

a) Carrying out control, operation and maintenance of the management information system and information exchange mechanism;

b) Maintaining the non-bank credit institution’s control culture specified in Clause 5, Article 3 of this Circular and work ethics specified in Clause 4, Article 14 of this Circular;

c) Rectifying problems and limitations in internal control upon request of the State Bank, independent auditing organizations and other functional authorities;

d) Taking actions against violations against law, internal regulations and work ethics;

dd) Other contents specified by the Board of Directors/Council of Members.

2. The non-bank credit institution’s Director General (Director) shall oversee individuals and departments:

a) Implementing internal regulations on internal control, maintaining control culture; assessing implementation of work ethics (except for those of members of the Board of Controllers and internal auditors);

b) Operating the management information system, assessing its accuracy, adequacy, punctuality and appropriateness, upgrading and perfecting the system, fulfilling the requirements in Article 17 of this Circular;

c) Acting as directed by the Board of Directors/Council of Members in rectification of problems and limitations in internal control upon request of the State Bank, independent auditing organizations and other functional authorities;

...

...

...

Article 11. Senior management supervision for risk management

1. The non-bank credit institution’s Board of Directors/Council of Members, on the basis of the Risk Committee’s advice and proposals, shall oversee the Director General (Director):

a) Formulating and organizing implementation of risk management policies;

b) Rectifying problems and limitations in risk management upon request of the State Bank, independent auditing organizations and other functional authorities;

c) Other contents specified by the Board of Directors/Council of Members.

2. The non-bank credit institution’s Director General (Director), on the basis of the Risk Committee’s advice and proposals, shall oversee individuals and departments:

a) Establishing procedures for formulation and implementation of the risk management policy;

b) Assessing risk management policies in order to suggest adjustments to the Board of Directors/ Council of Members;

c) Creating and implementing risk limits, proposing risk limit allocation by business and professional activities; implementing handling measures in case of failure to comply with risk limits;

...

...

...

dd) Carrying out self-inspection and self-assessment of risk management and suggesting rectification measures to the Board of Directors/Council of Members.

e) Other contents specified by the non-bank credit institution.

Article 12. Senior management supervision for internal audit

The Board of Controllers of a non-bank credit institution shall oversee internal audit as follows:

1. Oversee and assess implementation of work ethics of members of the Board of Controllers and internal auditors;

2. Oversee the internal audit department:

a) Carrying out internal audit;

b) Reviewing and assessing internal audit’s effectiveness and the Internal Auditor's task results;

c) Rectifying problems and limitations in internal audit upon request of the State Bank, independent auditing organizations and other functional authorities;

...

...

...

Chapter III

INTERNAL CONTROL

Article 13. Requirements for internal control

1. Internal control applies to all activities, business processes and departments of the non-bank credit institution (including the headquarter, branches and other affiliates) or and must fulfill the following requirements:

a) The non-bank credit institution's activities shall comply with law and internal regulations;

b) Controlling and preventing conflict of interest; detecting and handling violations against law and internal regulations in a timely manner;

c) Increasing awareness of roles in and responsibilities of individuals and departments for internal control in order to build and maintain the non-bank credit institution's control culture according to regulations in this Circular.

2. The internal control is conducted through control activities, the information exchange mechanism and the management information system.

Article 14. Control activities

...

...

...

a) The delegation of competence in approval shall be based on prestige of the competent person/department and capacity of the executing individual/department The competence in approval shall be displayed by transaction scale and risk limit criteria, alongside other limits specified in the non-bank credit institution's internal regulations;

b) Human resources allocation shall be appropriate for each business and control activity (including substitutes for absent managers and employees, recruitment, manager transfer and appointment).

c) Bookkeeping shall comply with accounting standards and regulations; financial reports shall be compiled, produced and sent in accordance with law regulations and internal regulations of the non-bank credit institution; statistical reports shall be made in accordance with law regulations. Bookkeeping and statistical reports shall be inspected and compared in order to detect and rectify errors in a timely manner, and be reported and sent to the competent authority as specified in the non-bank credit institution’s internal regulations;

d) Measures for preventing and handling violations against law and internal regulations of the non-bank credit institution (including the headquarter, branches and other affiliates) shall be adopted;

dd) Problems and limitations in internal control shall be rectified upon request of the State Bank, independent auditing organizations and other functional authorities;

e) The development, operation, control and maintenance of the information technology system and information exchange mechanism shall comply with law regulations; regulations on safety and security of the information technology system in banking operations and supply of banking services on the internet; information technology application plans made by non-bank credit institutions by each period; and internal regulations of the non-bank credit institution.

2. The non-bank credit institution’s regulations (including the headquarter, branches and other affiliates) on functions and tasks of individuals/departments at all levels (from the lowest level to the highest level) and in all types of transactions and professional procedures shall apply the following principles:

a) Members of the Board of Directors/Council of Members shall not participate in review and approval for risk-bearing decisions which belong to functions and tasks of the Director General (Director), unless the Director General (Director)/Deputy Director General (Deputy Director) is one of those members;

b) The functions and tasks among transactions and professional procedures shall be divided in order to avoid or control, prevent conflict of interest; an individual shall not be in control of a whole transaction or its process; an individual shall not be given tasks that give rise in conflict of interest;

...

...

...

3. The non-bank credit institution’s headquarter shall control its branches and other affiliates according to the following principles:

a) The headquarter is able to oversee and control transactions and activities of the branches and other affiliates, including supervision and control through individuals and departments carrying out control activities in those branches and affiliates;

b) There are regulations on functions, tasks, report mechanism, salaries, commendation/discipline, manager transfer and other mechanisms in order to ensure independence and that the branch’s/affiliate’s individual/department carrying out control activities does not have conflict of interest with other individuals/departments of the same branch/affiliate;

c) There are mechanisms that allow clients to search, check and compare transactions carried out in the non-bank credit institution’s branches/other affiliates to those carried out in the headquarter.

4. Work ethics (except for those applied to members of the Board of Controllers and internal auditors) shall be promulgated by the Board of Directors/Council of Members of the non-bank credit institution according to the following principles:

a) Officials and employees at all levels shall carry out tasks within their competence in a honest manner and for the non-bank credit institution’s benefits; do not abuse their positions and use the institution's information, secrets, business opportunities and property for self-profit or damage to the institution's benefits.

b) Individuals and departments shall be responsible for reporting to the competent authority in a timely manner when discovering any of the violations mentioned in Point a of this Clause, as well as violations against internal regulations and regulations of law.

Article 15. Control activities for credit extension

1. Control activities for the non-bank credit institution’s credit extension shall comply with Clauses 1 and 2, Article 14 of this Circular.

...

...

...

Article 16. Compliance department

Depending on the business activity’s scale, condition and complexity, the non-bank credit institution shall decide the organizational structure of the compliance department to ensure that the department carries out at least functions as follows:

1. Help the Director General (Director):

a) Assess contents specified in Point c Clause 2 Article 4 of this Circular;

c) Report serious violations against regulations of law and changes in relevant regulations of law to the Board of Directors/Council of Members/Board of Controllers, as specified in the non-bank credit institution’s internal regulations;

c) Review and assess regulations on tasks and powers of the compliance department in order to inform the Director General (Director) of any necessary amendments;

2. Send periodic and ad hoc reports on the state of compliance with regulations of law to the Director General (Director); notify the Director General (Director) and related departments of changes in relevant regulations as specified in the non-bank credit institution’s internal regulations.

3. Assist the related departments to develop and review internal regulations, ensuring compliance with regulations of law; deal with any complication that arises during such compliance as specified in the non-bank credit institution’s internal regulations.

Article 17. Management information system and information exchange mechanism

...

...

...

2. The management information system includes at least:

a) Internal reports and other management information specified in the non-bank credit institution’s internal regulations;

b) Structure of organization, management and operation of the management information system, in which responsibilities of relevant individuals and departments for use of the management information system shall be specified;

c) Information collection, processing, storage, and provision; formulation, submission, receipt and processing of reports;

3. The management information system shall:

a) Support implementation of the information exchange mechanism as specified in Clauses 4 and 5 of this Article;

b) Provide sufficient and accurate information and data, thereby fulfilling, in a timely manner the management requirements specified in this Circular and the non-bank credit institution’s internal regulations;

c) Provide updates on compliance with regulations of law and internal regulations of the non-bank credit institution;

d) Be subject to review, assessment, upgradation, regular update in conformity with the management information demand the non-bank credit institution’s business activities;

...

...

...

4. The non-bank credit institution shall have an information exchange mechanism through the management information system and other mechanisms, ensuring that all individuals at all levels and relevant departments receive notification and information about the internal control system so that they clearly understand, have awareness of policies, procedures and business objectives in a full and uniform manner, effectively fulfill their tasks and assume their responsibilities and powers.

5. The non-bank credit institution shall promptly report to competent authorities on violations against law regulations, internal regulations and work ethics committed by individuals/departments that take charge of information security and protection of information providers in accordance with the non-bank credit institution’s regulations.

Chapter IV

RISK MANAGEMENT

Article 18. Risk management department

Depending on the business activity’s scale, condition and complexity, the non-bank credit institution shall decide the organizational structure of the risk management department to ensure that the department carries out at least functions as follows:

1. Help the Director General (Director) to propose and give advice on the contents of Clause 2, Article 11 of this Circular;

2. Cooperate with the first line of defense in full identification and monitoring of incurred risks;

3. Analyze and give warnings about the safety of the non-bank credit institution against potential risks that may give influence and propose measures for preventing such risks in a short-term or long-term manner.

...

...

...

5. Produce internal reports on risk management as specified in the non-bank credit institution’s internal regulations.

Section 1. CREDIT RISK MANAGEMENT

Article 19. Requirements and strategies for credit risk management

The non-bank credit institution shall formulate a credit risk management strategy with at least the following contents:

1. Non-performing loan and bad credit extension rate targets.

2. Principles of determination of costs for offsetting credit risk in the interest calculation method, credit product pricing according to the customer’s credit risk level;

3. Principles of implementation of credit risk minimization measures (including competence in approving credit risk minimization measures).

Article 20. Credit risk limits

1. The non-bank credit institution shall set credit risk limits in accordance with regulations on restrictions to ensure the safety in its operations under the Law on Credit Institutions and the State Bank's regulations.

...

...

...

a) Credit extension limit for each customer demographic on the basis of the customer’s solvency;

b) Credit extension limit for each product.

3. Credit extension limits shall be reviewed and re-assessed (or adjusted if necessary) at least once a year according to the non-bank credit institution’s internal regulations.

Article 21. Credit risk monitoring and control

1. The non-bank credit institution shall monitor and control credit risk of each credit extension and the entire credit extension portfolio, and adopt handling measures in case of reduction in credit quality, thereby fulfilling at least the following requirements:

a) Monitoring the credit extension's debt classification result;

b) Assessing adequacy of risk provisions as specified by the State Bank's regulations;

2. Credit risk monitoring and control shall include at least the following contents:

a) Roles and responsibilities of individuals and departments that monitor and control credit risk;

...

...

...

c) Credit risk control in accordance with the allocated credit risk limit for the portfolio of credit extensions, sorted by customer demographics and products;

d) Assessment criteria and methods for determining the degree of credit quality reduction in each credit extension portfolio; early-warning mechanism for credit quality reduction.

Article 22. Credit extension appraisal

1. The non-bank credit institution shall carry out credit extension appraisal, which must have at least the following contents:

a) Identifying the customer’s affiliated person, the total balance of credit extended to the customer and his/her affiliate;

b) Assessing credit extension conditions according to regulations of relevant laws;

c) Assessing the profile’s adequacy, legal status and recallability of collateral in case of credit extension with collateral in accordance with the non-bank credit institution’s internal regulations;

d) Appraising the ability to fulfill obligations and commitments of the guarantor in case of credit extension with guarantee from a third party.

2. During appraisal, in case of use of any line of communication with customers other than that of the non-bank credit institution, the institution shall inspect the information quality and independence of such line of communication.

...

...

...

The non-bank credit institution shall approve credit risk-bearing decisions as follows:

1. The competence in approving credit risk-bearing decisions shall be determined by quantitative and qualitative criteria.

2. In case of approval by committee, the approval committee shall make an approval record or any equivalent, which clearly states the reason for approval or rejection and state committee members’ opinions either in the record or its appendix. The approval committee’s members shall be responsible for their decisions.

3. The information provided for approval for credit risk-bearing decisions shall be sufficient and appropriate for the scale and type of credit extension in accordance with the non-bank credit institution’s internal regulations. Regulations on the list of information to be used as basis for approval for credit risk-bearing decisions shall be assessed by the risk management department in order to ensure effectiveness of credit risk management.

Article 24. Credit management

1. The non-bank credit institution shall fulfill the following requirements while carrying out credit management:

a) There are specific regulations on responsibilities and competence of individuals and departments in creation and retention of credit records, ensuring sufficient credit records as specified in law regulations;

b) Disbursement is appropriate for the capital use and type of credit extension;

c) Supervision of credit extensions after disbursement shall apply the following principles: (i) inspecting loan use and implementation of other terms of the customer’s credit extension contract; (ii) assessing factors affecting the customer’s solvency; (iii) monitoring the repayment schedule, reminding each customer of their obligation to repay by the deadline, notifying the competent authority in a timely manner when the customer has the risk of failure to repay debt or late repayment.

...

...

...

2. The non-bank credit institution shall retain credit records and other relevant information according to law regulations.

Section 2. OPERATIONAL RISK MANAGEMENT

Article 25. Requirements for operational risk management

The operational risk management shall contain at least the following contents;

1. Principles of operational risk management.

2. Principles of outsourcing, insurance purchase and technology application;

3. Plans to sustain operations in at least the following cases: (i) loss of important documents; (ii) breakdown of the information technology system; and (iii) force majeure according to law regulations. A plan to sustain operations shall fulfill at least the following requirements:

a) There are backup systems for human resources, information technology system and database;

b) There are measures for minimizing loss due to disruption;

...

...

...

Article 26. Operational risk identification, monitoring and control

1. The non-bank credit institution shall fully identify operational risk in its business activities, professional procedures, information technology system and other management systems. Operational risk identification shall be carried out in the following cases:

a) Internal fraud, caused by swindling and appropriating property, violation against strategies, policies and internal regulations related to at least one individual of the non-bank credit institution (including ultra vires acts, theft and abuse of internal information for one's own gain);

 b) External fraud caused by swindling and appropriating property, committed by outsiders without assistance from or collusion with the non-bank credit institution’s individuals and departments (including theft and forgery of bank cards and documents, and intrusion into the information technology system for appropriation of data and money);

c) Labor and workplace safety policies are not appropriate for labor contracts, regulations of the law on labor, health protection and workplace safety;

d) Involuntary violations related to customers, product provision processes and product properties while carrying out customer-related functions and tasks that have been assigned within competence (including violations against customer-related information security and provision of products and services against regulations);

dd) Violations against regulations of the law on anti-money laundering;

e) Damage to or loss of property, tools and equipment due to force majeure, human factor and other events;

e) Interruption to business activities due to breakdown of the information technology system;

...

...

...

i) Other cases specified in internal regulations of the non-bank credit institution.

2. The non-bank credit institution shall monitor and control operational risk through control activities specified in Article 14 of this Circular and by other measures under its internal regulations.

Article 27. Operational risk management for outsourcing

1. Outsourcing management shall include at least:

a) Determination of outsourcing scope;

b) Delegation of competence in approval for and decision on outsourcing;

c) Assessment of the contractor’s capability to fulfill outsourcing requirements and objectives that have been set out before signature of the outsourcing contract; assessment of the contractor's capability during execution of the contract;

d) Outsourcing contracts, which must be detailed, sufficient, and protect the ownership and security of database, customer information and the right to terminate the outsourcing contract without damage to the reputation of the non-bank credit institution; scope and scale of outsourcing, the non-bank credit institution’s and contractor’s specific responsibilities and terms of dispute resolution under law regulations;

dd) The information technology outsourcing (IT outsourcing) shall comply with law regulations on management of IT services of the third party under law regulations on safety and security of the information technology system in banking operations.

...

...

...

a) Outsourcing management according to regulations in Clause 1 of this Article;

b) Identification, monitoring and control of operational risk arising from outsourcing according to Article 26 of this Circular.

Article 28. Operational risk management for technology application

1. The technology application management shall comply with the State Bank’s regulations on e-transactions in banking sector; safety and security of the information technology system for provision of online banking services and relevant law regulations. The technology application management shall include at least the following contents:

a) Information technology system’s and database’s minimum scope of technology application management;

b) Tasks, responsibilities and powers of individuals and departments managing technology application;

c) Verification system that ensures customers' information security, safety of transactions and the information technology system;

2. The non-bank credit institution shall carry out risk management for application of electronic, online, automatic and mobile transactions and other technologies (hereinafter referred to as “technology application”) as follows:

a) Technology application management according to regulations in Clause 1 of this Article;

...

...

...

Article 29. Insurance for minimization of loss from operational risk

1. The non-bank credit institution is allowed to purchase insurance for minimization of loss from operational risk as specified in law regulations, ensuring conformity with the institution’s financial capability and loss recovery.

2. The non-bank credit institution that does not make insurance purchase for replacement of management of operational risk shall assess the insurance purchase’s effectiveness of minimization of loss from operational risk and the insurance provider’s capability of executing the insurance contract and other new risks (if any).

Chapter V

INTERNAL AUDIT

Article 30. Principles of internal audit

1. Independence:

a) The internal auditor and internal audit department shall not undertake the tasks of other individuals and departments;

b) Internal audit shall not be subject to control and intervention from other individuals and departments;

...

...

...

2. Impartiality:

a) Findings in the internal audit report shall be carefully analyzed according to the collected data and information;

b) The internal auditor shall be honest when making report and assessment during the internal audit process;

c) The internal auditor has the right and obligation to notify competent authorities of problems related to impartiality during the internal audit process;

3. Professionalism:

a) The non-bank credit institution that provides e-transactions for at least 10.000 customers shall have information technology auditors;

b) Non-bank credit institutions other than those specified in Point a of this Clause shall, according to scale, conditions and complexity of business activities, choose between employing IT auditors of the owner or hiring external IT auditors;

c) Internal auditors shall meet standards specified in Article 32 of this Circular.

4. Internal auditors shall implement measures for inspecting compliance with the principles mentioned in Clauses 1,2 and 3 of this Article during internal audit processes (including formulation and submission of internal audit reports). The Chief Internal Auditor shall promptly notify the Board of Controllers of violations or risks of violations against the principles mentioned in Clause 1 of this Article.

...

...

...

1. The non-bank credit institution shall have mechanisms for operation between:

a) Board of Directors/Council of Members and the Board of Controllers, internal audit department as specified in Clause 2 of this Article;

b) Director General (Director), departments and the Board of Controllers, internal audit department as specified in Clause 3 of this Article;

2. The mechanism for cooperation between the Board of Directors/Council of Members and the Board of Controllers, internal audit department of the non-bank credit institution shall ensure that:

a) The Board of Directors/Council of Members cooperates with the internal audit department during internal audit for senior management supervision on the Board of Directors/Council of Members;

b) The Board of Directors/Council of Members carries out recommendations from the Board of Controllers to the Board of Directors/Council of Members in internal audit reports and notifies the Board of Controllers of results of implementation of such recommendations.

3. The mechanism for cooperation between the Director General (Director), departments and the Board of Controllers, internal audit department shall ensure that:

a) The Director General (Director) cooperates with the internal audit department during internal audit for senior management supervision on the Director General (Director); directs relevant departments to provide sufficient information on risks so that the internal audit department can formulate internal audit plans; carries out recommendations from the Board of Controllers to the Director General (Director) in internal audit reports (if any) and notifies the Board of Controllers of results of implementation of such recommendations;

b) Departments that do not belong to the Board of Controllers and the internal audit department provide sufficient, authentic, accurate information, documents and records upon request of the internal audit department during the internal audit process; notify the internal audit department of problems, violations, losses or risks of loss in a timely manner; facilitate the internal audit department’s internal audit; carry out recommendations from the internal audit department in internal audit reports and notify the internal audit department of results of implementation of such recommendations.

...

...

...

1. Members of the Board of Controllers of the non-bank credit institution shall fulfill all standards and requirements specified in the Law on Credit Institutions.

2. The non-bank credit institution shall set standards applicable to internal auditors that meet the following requirements:

a) Having bachelor’s degree (or above) in one of the following disciplines: economics, business administration, law, accounting or audit;

b) Gaining at least two years of experience (in case of internal auditors) and three years of experience (in case of Chief Internal Auditors) in working directly in the banking, finance, accounting or audit sector.

3. The non-bank credit institution shall set standards applicable to IT auditors that meet the following requirements:

a) Having bachelor’s degree (or above) in information technology discipline or other appropriate disciplines;

b) Gaining at least two years of experience in information technology sector.

Article 33. Work ethics of members of the Board of Controllers and internal auditors;

Work ethics of members of the Board of Controllers and internal auditors (including the Chief Internal Auditor and other title holders in the internal audit department) of the non-bank credit institution shall include at least the following principles:

...

...

...

2. Impartiality: impartially carry out the assigned tasks and make fair assessment, not for their own or anyone else’s interests;

3. Security: Comply with regulations of law and the non-bank credit institution’s internal regulations on information security;

4. Responsibility: carry out the assigned tasks in a prompt and effective manner;

5. Prudence: carry out the assigned tasks in a prudent manner on the basis of consideration of the following factors:

a) Complexity and importance of contents subject to the internal audit;

b) Probability of serious errors during the internal audit process.

Article 34. Organizational structure, tasks, powers and responsibilities of internal audit department

1. The organizational structure, tasks and powers of the internal audit department of the non-bank credit institution are decided by the Board of Controllers as specified in the Law on Credit Institutions and this Circular.

2. Tasks of the internal audit department:

...

...

...

b) Carry out establishment, review and submission to the Board of Controllers for promulgation of and amendments to work ethics of members of the Board of Controllers and internal auditors mentioned in Article 33 of this Circular; internal regulations of the Board of Controllers; and internal audit plans;

c) Monitor and assess implementation of recommendations from the Board of Controllers to the Board of Directors, Council of Members, Director General (Director), individuals and departments;

d) Implement recommendations from the State Bank, independent auditing organizations and other functional authorities about internal audit.

dd) Produce internal audit reports as specified in Article 7 of this Circular.

3. Powers of the internal audit department:

a) Be provided with necessary resources (human, finance, assets and other tools);

b) Be provided with information, documents and records which are necessary for internal audit, including meeting minutes and documents of the Board of Directors, Council of Members and Director General (Director);

c) Interview individuals about contents related to internal audit; request the competent person/department (as specified in the non-bank credit institution’s internal regulations) to handle any uncooperative individual or department during the internal audit process;

d) Participate in internal meetings as specified in the Charter and internal regulations of the non-bank credit institution.

...

...

...

a) Secure documents and information as specified by law regulations and the non-bank credit institution’s internal regulations;

b) Be responsible to the Board of Controllers for performance of the assigned tasks;

c) Internal auditors shall be responsible to the law and the Chief Internal Auditor about the assigned audit tasks.

Article 35. Internal regulations of the Board of Controllers

The internal regulations of the Board of Controllers shall include at least the following contents:

1. Internal audit department’s organizational structure, tasks and powers; standards applicable to internal auditors; work ethics of members of the Board of Controllers and internal auditors, as specified in this Circular.

2. Criteria for determination of risk levels, material levels and internal audit frequency of activities, processes and departments; internal audit contents, as specified in this Circular.

3. Internal audit plan formulation and implementation procedures.

4. Review and assessment of internal audit regulations; implementation of recommendations from the State Bank, independent auditing organizations and other functional authorities on internal audit.

...

...

...

6. Regulations on internal reports on internal audit as specified in this Circular.

Article 36. Internal audit plans

1. a) The internal audit shall be conducted on an annual or ad hoc basis according to internal regulations of the Board of Controllers;

2. The Board of Controllers shall issue annual internal audit plans upon request of the Chief Internal Auditor after reaching agreement with the Board of Directors, Council of Members and Director General (Director). The formulation of the internal audit plan shall fulfill the following requirements:

a) Principles of orientation according to risk: Activities, processes and departments shall be assessed on risk levels (high, medium and low levels) as specified in internal regulations of the Board of Controllers. Resources shall be concentrated on high-risk activities, processes and departments. These activities, processes and departments shall be audited first and at least once a year;

b) Comprehensiveness: All activities, processes and departments shall be subject to internal audit. Activities, processes and departments that are material specified in internal regulations of the Board of Controllers shall be audited at least once a year;

c) There are reserves of resources and time for ad hoc internal audits;

d) The annual audit plan shall be adjusted when there are material changes in the operation scale or internal audit resources as specified by internal regulations of the Board of Controllers.

3. The annual internal audit plan shall be issued before December 15 of the previous year and include scope, subjects, objectives, time and resources (including hire of external specialists and organizations) of internal audit and other contents under the non-bank credit institution's regulations.

...

...

...

Article 37. Internal audit contents

The non-bank credit institution's internal audit shall be carried out in accordance with regulations of the Law on Credit Institutions on the basis of the following contents:

1. Independent inspection and assessment of compliance with mechanisms, policies, internal regulations on internal control and risk management of the Board of Directors, Council of Members, Director General (Director), individuals and departments, including identification of problems, limitations and their causes;

2. Independent review and assessment of suitability and compliance with law regulations on mechanisms, policies, internal regulations on internal control and risk management including identification of problems, limitations and their causes;

3. Proposals and recommendations to the competent person/department and relevant departments for settlement of problems and limitations;

4. Other contents specified in internal regulations of the Board of Controllers on internal audit.

Chapter VI

IMPLEMENTATION PROVISIONS

Article 38. Implementation

...

...

...

2. The State Bank Governor’s Circular No. 44/2011/TT-NHNN dated December 29, 2011 on credit institutions’/foreign bank branches’ internal control and internal audit systems is amended as follows:

a) Article 1 shall be amended as follows:

“Article 1. Scope

This Circular provides for internal control and internal audit systems of credit institutions (except for commercial banks and non-bank credit institutions).”

b) The phrase “chi nhánh ngân hàng nước ngoài” (foreign bank branches) shall be annulled in this Circular.

3. Clause 3 Article 73 of the State Bank Governor’s Circular No. 13/2018/TT-NHNN dated May 18 2018 on internal control systems of commercial banks and foreign bank branches shall be annulled.

Article 39. Implementation responsibilities

The Chief of Office, Chief Bank Inspector and Overseer, heads of units affiliated to the State Bank; non-bank credit institutions and relevant organizations and individuals shall be responsible for organizing implementation of this Circular./.

...

...

...

PP. THE GOVERNOR
DEPUTY GOVERNOR



Doan Thai Son

APPENDIX 01

(Issued together with the State Bank Governor’s Circular No. 14/2023/TT-NHNN dated November 20, 2023 on internal control system of non-bank credit institution)

NAME OF NON-BANK CREDIT INSTITUTION
-------

SOCIALIST REPUBLIC OF VIETNAM
Independence – Freedom – Happiness
----------------

No: ………./……………

[Location and date]

...

...

...

INTERNAL CONTROL AND RISK MANAGEMENT

(Year…)

To: the State Bank of Vietnam

(the banking inspection and supervision agency)

A. INTERNAL CONTROL

1. State of internal control

1) Regarding control activities:

a) Internal regulations;

(i) List of internal regulations that have been issued under regulations of the Law on Credit Institutions;

...

...

...

(iii) Individuals and departments’ compliance with internal regulations;

b) Results of self-inspection and assessment of control activities

2. Regarding management information system and information exchange mechanism:

a) Description of the management information system;

b) Information exchange mechanism;

c) Assessment of the management information system and information exchange mechanism in compliance with regulations in Article 17 of the State Bank Governor’s Circular No /2023/TT-NHNN on internal control system of non-bank credit institution.

3. Weaknesses of the internal control system:

II. Results of remediation of the internal control system’s weaknesses as recommended by the State bank, independent audit organization and other functional agencies, reasons why recommendations have not been implemented, estimated time to complete implementation of such recommendations.

B. RISK MANAGEMENT

...

...

...

a) Credit risk management strategy and changes during the reporting period (if any) and reasons for such changes;

b) Credit risk limit and changes during the reporting period (if any) and reasons for such changes;

c) Implementation of the credit risk management strategy and credit risk limit during the reporting period;

d) Assessment of credit risk monitoring and control;

d) Violations against regulations on credit risk management and their causes;

dd) Weaknesses and causes thereof;

e) Results of implementation of recommendations from the State Bank, independent audit organization and other functional agencies about credit risk management, reasons why recommendations have not been implemented, estimated time to complete implementation of such recommendations.

2. Operational risk management:

a) Assessment of identification, monitoring and control of operational risk;

...

...

...

c) Assessment of impact of operational risk events and material damage;

d) Assessment of effectiveness of development of the plan to maintain continuous operation;

dd) Weaknesses and causes thereof;

e) Results of implementation of recommendations from the State Bank, independent audit organization and other functional agencies about operational risk management, reasons why recommendations have not been implemented, estimated time to complete implementation of such recommendations.

C. PROPOSALS AND RECOMMENDATIONS TO THE STATE BANK

LEGAL REPRESENTATIVE OF THE NON-BANK CREDIT INSTITUTION
(signature, full name and seal)

...

...

...

(Issued together with the State Bank Governor’s Circular No. 14/2023/TT-NHNN dated November 20, 2023 on internal control system of non-bank credit institution)

NAME OF NON-BANK CREDIT INSTITUTION
-------

SOCIALIST REPUBLIC OF VIETNAM
Independence – Freedom – Happiness
----------------

No: ………/……………

[Location and date]

REPORT

INTERNAL AUDIT

(Year…)

...

...

...

(the banking inspection and supervision agency)

I. Contents and scope of internal audit

II. Internal audit results

1. Compliance with mechanisms, policies and internal regulations on senior management supervision, internal control, and risk management of the non-bank credit institution.

2. Appropriateness and compliance with law regulations of mechanisms, policies and internal regulations on senior management supervision, internal control, and risk management;

3. Weaknesses and proposals to the Board of Directors, Council of Members, Director General (Director).

4. Other contents (if any).

III. Results of self-assessment of internal audit

1. Assessment of internal audit in the reporting year.

...

...

...

3. Recommendations from the Board of Directors, the Council of Members, Director (General Director), other departments and individuals about internal audit, which have been implemented or have not yet been implemented in the reporting year, and reasons why such recommendations have not yet been implemented.

IV. Results of implementation of recommendations about internal audit from the State Bank, independent audit organization and other functional agencies

1. Recommendations implemented.

2. Recommendations which have not yet been implemented, reasons why recommendations have not been implemented, estimated time to complete implementation of such recommendations.

V. Proposals and recommendations to the State bank

HEAD OF THE BOARD OF CONTROLLERS
(Signature, full name, and seal)

LEGAL REPRESENTATIVE OF THE NON-BANK CREDIT INSTITUTION
(signature, full name and seal)

...

...

...