Circular on Printing and Distributing the Basic Standards of Internal Control for Insurance Companies
Circular on Printing and Distributing the Basic Standards of Internal Control for Insurance Companies
Circular on Printing and Distributing the Basic Standards for Internal Controls in Insurance Companies
Bao Jian Fa [2010] No.69
August 10, 2010
All insurance companies and insurance regulatory bureaus:
The Commission has formulated the Basic Standards for Internal Controls in Insurance Companies for the purposes of strengthening the establishment of internal controls among insurance companies, enhancing the risk prevention capacity and operational and management standards of insurance companies, and promoting the stable and effective operation of insurance companies in compliance with laws and regulations. They are hereby printed and distributed; please follow and implement these Standards.
Basic Standards for Internal Controls of Insurance Companies
Chapter I General Provisions
Article 1 These Standards have been formulated in accordance with the Insurance Law and the Basic Standards for Internal Controls in Enterprises, as well as other relevant regulations, and for the purposes of strengthening the establishment of internal controls in insurance companies, enhancing the risk prevention capacity and operational and management standards of insurance companies, promoting the stable and effective operation of insurance companies in compliance with laws and regulations, and protecting the lawful rights and interests of insurers, the insured, and other stakeholders.
Article 2 The term "internal controls" as used herein refers to the mechanisms and processes by which decision-making bodies and personnel at all levels in an insurance company take appropriate measures according to their respective duties and responsibilities to reasonably prevent and effectively control all kinds of risks that might arise in the course of operations and management to guard against the company's operations deviating from its development strategy and operational objectives.
Article 3 The internal control objectives of insurance companies include:
1. Compliance in activities. To guarantee the operational and management activities of insurance companies comply with laws, regulations, regulatory provisions, industrial standards, the company's internal management systems, and the principle of honesty;
2. Security of assets. To guarantee the safety and reliability of insurance company assets and prevent the illegal use, disposition or misappropriation of company assets;
3. Authenticity of information. To guarantee the authenticity, accuracy and completeness of business, financial and management information included in the financial reports and solvency reports of insurance companies;
4. Effectiveness of operations. To strengthen the execution of decisions, enhance management efficiency, and improve operational profitability;
5. Safeguarding strategy. To ensure insurance companies realize their development strategies, promote stable operations and sustainable development, and protect the lawful rights and interests of shareholders, the insured and other stakeholders.
Article 4 Insurance companies shall adhere to the following rules when establishing and implementing internal controls:
1. Achieve a balance between comprehensiveness and emphasis. Insurance companies shall establish a comprehensive, systematic and standardized system of internal control to cover all business processes and operating links, which shall be implemented throughout all operating and management processes. In addition to comprehensive management practices, control of significant business matters and business fields involving a high level of risk for the company shall be emphasized.
2. Achieve a balance between collaboration and checks and balances. The internal controls of an insurance company shall impose reasonable restrictions and result in effective supervision in terms of organizational structure, the establishment of work positions, the assignment of responsibilities, and business processes through appropriate mechanisms for the segregation of duties, authorization, and hierarchical approval. All functional departments and business units shall cooperate with each other and ensure close collaboration to enhance efficiency and avoid mutual disclaimer of responsibility or work loopholes through a system of checks and balances.
3. Achieve a balance between authority and appropriateness. The internal controls of insurance companies shall be connected to performance assessments and accountability; no one shall fall outside the scope of restrictions imposed by internal controls, and no change shall be made to internal control procedures without proper authorization. Where authority through internal controls is secured, the company shall make timely adjustments to and regularly optimize their internal control procedures to accommodate changes in the operating environment and management requirements.
4. Achieve a balance between effective control and reasonable cost. The internal controls of insurance companies shall reflect with the risks actually face by the company to ensure internal control measures meet management requirements and that such risks are effectively prevented from arising. With the prerequisite of effective control, resources shall be allocated in a reasonable manner to reduce internal control costs as much as possible.
Article 5 The internal control systems of insurance companies shall consist of the three following elements:
1. the basis of internal control, including corporate governance, organizational structure, human resources, information systems, and enterprise culture, etc.
2. internal control procedures, including measures for identifying and assessing risks and for designing and implementing controls.
3. safeguarding internal controls, including communication of information, management of internal controls, the internal audit emergency response mechanism, and risk accountabilities.
Article 6 Basis of Internal Control. Insurance companies shall strengthen their work in establishing a basis of internal control to create a healthy environment for the effective implementation of internal controls.
Insurance companies shall establish standard corporate governance practices and implement systematic and effective mechanisms in terms of decision making, implementation and supervision with explicit delegated powers and standardized operations. The board of directors, the board of supervisors and company management shall pay close attention to internal controls and set an example by diligently performing their internal control functions.
Insurance companies shall establish a reasonable organizational structure based on insurance business procedures and internal control requirements. Internal departments, branches and work posts shall be set up in a systematic manner with explicit descriptions of responsibilities and a clear indication of reporting lines based on the principles of convenient management, straightforward assessment, a simplified hierarchy, and the avoidance of intersecting responsibilities.
Insurance companies shall establish human resource policies that are adequate in meeting internal control requirements to ensure that personnel who take up key positions possess professional competence and capacity and will regularly receive relevant training; human resource policies relating to the assessment, compensation, reward and penalization, and promotion of those holding key positions in the company shall be linked to the results of internal controls.
Insurance companies shall establish a safe and practical information system covering all business links to ensure that all business activities are information-based, streamlined and automated as far as possible and reduce or eliminate human intervention and operating errors to provide technological safeguards and systems support for internal controls.
Insurance companies shall foster a culture of internal control whereby leaders pay close attention to internal controls, all staff play a role in and thus take responsibility for internal control, and any violation of internal control rules will be investigated, and shall form management concepts and an operating style through guidance on risk control, enhance the risk prevention awareness of all personnel, and ensure they conscientiously abide by internal control systems.
Article 7 Internal Control Procedures. Insurance companies shall reasonably design internal control procedures embedded in their business activities to make every effort to realize risk control processes based on risk patterns (if any).
Insurance companies shall comprehensively and systematically identify and analyze risk elements they might face in their operating, management or business activities, find and determine key risk areas while conducting quantitative and qualitative assessments of the probability of risk occurrence, inducing factors, diffusion patterns, and potential losses in key risk areas, and determine mitigation strategies and key points for controlling risks.
Insurance companies shall, based on the results of their identification and assessment of risks, systematically design internal control policies, procedures and measures and strictly implement the same, while continuously improving internal control procedures based on their effectiveness in controlling the risks at which they are aimed or within the scope of acceptable risk levels.
Article 8 Safeguarding Internal Controls. Insurance companies shall establish a multi-tiered monitoring system across all dimensions to realize effective ex ante, ex post or current monitoring of internal control activities to safeguard their internal control objectives.
Insurance companies shall establish information and communication mechanisms to promote the extensive sharing and timely and full communication of company information, to enhance the transparency of operations and management, and to prevent the occurrence of fraudulent events.
Insurance companies shall establish internal control management practices and assessment mechanisms to promote the real-time surveillance and regular clearance of risks by personnel responsible for internal control through the company's overall design and planning of internal controls, and shall subsequently adjust and improve their internal control procedures based on such surveillance and clearance work.
Insurance companies shall strengthen their auditing and inspection of internal controls, regularly conduct assessments of the soundness, reasonableness and effectiveness of internal controls based on the results of such inspections, and give timely feedback and reports to audited parties, compliance management functional departments and superior leaders in accordance with regulatory reporting indicators.
Insurance companies shall establish an internal control emergency response management mechanism, formulate a highly practical and comprehensive emergency plan, define mitigation measures under different risk conditions, and mitigate the influence of and potential losses caused by internal control risks as far as possible.
Insurance companies shall strictly conduct internal control accountability investigations; any activity in breach of internal control requirements shall, regardless of whether such activity has led to a loss, be dealt with stringently, and the persons responsible for such activity and their supervisors shall be investigated for accountability.
Article 9 Administrative levels of internal control activities. Insurance companies shall, in accordance with the business procedure characteristics and resource optimizing allocation needs of insurance companies, and based on the principles of risk control, service enhancement, cost reduction and efficiency improvement, systematically establish and reasonably distinguish between the key areas and administrative levels of their internal control activities.
The internal control activities of insurance companies shall be divided into three administrative levels: front-end controls, back-end controls, and basic controls. Front-end controls refer to control activities directly facing the market and client marketing and transaction activities; back-end controls refer to control activities within operating activities such as business processes and backup support; and basic controls refer to control activities within company operation management activities to provide decision-making support and to safeguard resources.
Chapter II Internal Control Activities
Section 1 Sales Controls
Article 10 Content of and Basic Requirements for Sales Controls.
......
Bao Jian Fa [2010] No.69
August 10, 2010
All insurance companies and insurance regulatory bureaus:
The Commission has formulated the Basic Standards for Internal Controls in Insurance Companies for the purposes of strengthening the establishment of internal controls among insurance companies, enhancing the risk prevention capacity and operational and management standards of insurance companies, and promoting the stable and effective operation of insurance companies in compliance with laws and regulations. They are hereby printed and distributed; please follow and implement these Standards.
Basic Standards for Internal Controls of Insurance Companies
Chapter I General Provisions
Article 1 These Standards have been formulated in accordance with the Insurance Law and the Basic Standards for Internal Controls in Enterprises, as well as other relevant regulations, and for the purposes of strengthening the establishment of internal controls in insurance companies, enhancing the risk prevention capacity and operational and management standards of insurance companies, promoting the stable and effective operation of insurance companies in compliance with laws and regulations, and protecting the lawful rights and interests of insurers, the insured, and other stakeholders.
Article 2 The term "internal controls" as used herein refers to the mechanisms and processes by which decision-making bodies and personnel at all levels in an insurance company take appropriate measures according to their respective duties and responsibilities to reasonably prevent and effectively control all kinds of risks that might arise in the course of operations and management to guard against the company's operations deviating from its development strategy and operational objectives.
Article 3 The internal control objectives of insurance companies include:
1. Compliance in activities. To guarantee the operational and management activities of insurance companies comply with laws, regulations, regulatory provisions, industrial standards, the company's internal management systems, and the principle of honesty;
2. Security of assets. To guarantee the safety and reliability of insurance company assets and prevent the illegal use, disposition or misappropriation of company assets;
3. Authenticity of information. To guarantee the authenticity, accuracy and completeness of business, financial and management information included in the financial reports and solvency reports of insurance companies;
4. Effectiveness of operations. To strengthen the execution of decisions, enhance management efficiency, and improve operational profitability;
5. Safeguarding strategy. To ensure insurance companies realize their development strategies, promote stable operations and sustainable development, and protect the lawful rights and interests of shareholders, the insured and other stakeholders.
Article 4 Insurance companies shall adhere to the following rules when establishing and implementing internal controls:
1. Achieve a balance between comprehensiveness and emphasis. Insurance companies shall establish a comprehensive, systematic and standardized system of internal control to cover all business processes and operating links, which shall be implemented throughout all operating and management processes. In addition to comprehensive management practices, control of significant business matters and business fields involving a high level of risk for the company shall be emphasized.
2. Achieve a balance between collaboration and checks and balances. The internal controls of an insurance company shall impose reasonable restrictions and result in effective supervision in terms of organizational structure, the establishment of work positions, the assignment of responsibilities, and business processes through appropriate mechanisms for the segregation of duties, authorization, and hierarchical approval. All functional departments and business units shall cooperate with each other and ensure close collaboration to enhance efficiency and avoid mutual disclaimer of responsibility or work loopholes through a system of checks and balances.
3. Achieve a balance between authority and appropriateness. The internal controls of insurance companies shall be connected to performance assessments and accountability; no one shall fall outside the scope of restrictions imposed by internal controls, and no change shall be made to internal control procedures without proper authorization. Where authority through internal controls is secured, the company shall make timely adjustments to and regularly optimize their internal control procedures to accommodate changes in the operating environment and management requirements.
4. Achieve a balance between effective control and reasonable cost. The internal controls of insurance companies shall reflect with the risks actually face by the company to ensure internal control measures meet management requirements and that such risks are effectively prevented from arising. With the prerequisite of effective control, resources shall be allocated in a reasonable manner to reduce internal control costs as much as possible.
Article 5 The internal control systems of insurance companies shall consist of the three following elements:
1. the basis of internal control, including corporate governance, organizational structure, human resources, information systems, and enterprise culture, etc.
2. internal control procedures, including measures for identifying and assessing risks and for designing and implementing controls.
3. safeguarding internal controls, including communication of information, management of internal controls, the internal audit emergency response mechanism, and risk accountabilities.
Article 6 Basis of Internal Control. Insurance companies shall strengthen their work in establishing a basis of internal control to create a healthy environment for the effective implementation of internal controls.
Insurance companies shall establish standard corporate governance practices and implement systematic and effective mechanisms in terms of decision making, implementation and supervision with explicit delegated powers and standardized operations. The board of directors, the board of supervisors and company management shall pay close attention to internal controls and set an example by diligently performing their internal control functions.
Insurance companies shall establish a reasonable organizational structure based on insurance business procedures and internal control requirements. Internal departments, branches and work posts shall be set up in a systematic manner with explicit descriptions of responsibilities and a clear indication of reporting lines based on the principles of convenient management, straightforward assessment, a simplified hierarchy, and the avoidance of intersecting responsibilities.
Insurance companies shall establish human resource policies that are adequate in meeting internal control requirements to ensure that personnel who take up key positions possess professional competence and capacity and will regularly receive relevant training; human resource policies relating to the assessment, compensation, reward and penalization, and promotion of those holding key positions in the company shall be linked to the results of internal controls.
Insurance companies shall establish a safe and practical information system covering all business links to ensure that all business activities are information-based, streamlined and automated as far as possible and reduce or eliminate human intervention and operating errors to provide technological safeguards and systems support for internal controls.
Insurance companies shall foster a culture of internal control whereby leaders pay close attention to internal controls, all staff play a role in and thus take responsibility for internal control, and any violation of internal control rules will be investigated, and shall form management concepts and an operating style through guidance on risk control, enhance the risk prevention awareness of all personnel, and ensure they conscientiously abide by internal control systems.
Article 7 Internal Control Procedures. Insurance companies shall reasonably design internal control procedures embedded in their business activities to make every effort to realize risk control processes based on risk patterns (if any).
Insurance companies shall comprehensively and systematically identify and analyze risk elements they might face in their operating, management or business activities, find and determine key risk areas while conducting quantitative and qualitative assessments of the probability of risk occurrence, inducing factors, diffusion patterns, and potential losses in key risk areas, and determine mitigation strategies and key points for controlling risks.
Insurance companies shall, based on the results of their identification and assessment of risks, systematically design internal control policies, procedures and measures and strictly implement the same, while continuously improving internal control procedures based on their effectiveness in controlling the risks at which they are aimed or within the scope of acceptable risk levels.
Article 8 Safeguarding Internal Controls. Insurance companies shall establish a multi-tiered monitoring system across all dimensions to realize effective ex ante, ex post or current monitoring of internal control activities to safeguard their internal control objectives.
Insurance companies shall establish information and communication mechanisms to promote the extensive sharing and timely and full communication of company information, to enhance the transparency of operations and management, and to prevent the occurrence of fraudulent events.
Insurance companies shall establish internal control management practices and assessment mechanisms to promote the real-time surveillance and regular clearance of risks by personnel responsible for internal control through the company's overall design and planning of internal controls, and shall subsequently adjust and improve their internal control procedures based on such surveillance and clearance work.
Insurance companies shall strengthen their auditing and inspection of internal controls, regularly conduct assessments of the soundness, reasonableness and effectiveness of internal controls based on the results of such inspections, and give timely feedback and reports to audited parties, compliance management functional departments and superior leaders in accordance with regulatory reporting indicators.
Insurance companies shall establish an internal control emergency response management mechanism, formulate a highly practical and comprehensive emergency plan, define mitigation measures under different risk conditions, and mitigate the influence of and potential losses caused by internal control risks as far as possible.
Insurance companies shall strictly conduct internal control accountability investigations; any activity in breach of internal control requirements shall, regardless of whether such activity has led to a loss, be dealt with stringently, and the persons responsible for such activity and their supervisors shall be investigated for accountability.
Article 9 Administrative levels of internal control activities. Insurance companies shall, in accordance with the business procedure characteristics and resource optimizing allocation needs of insurance companies, and based on the principles of risk control, service enhancement, cost reduction and efficiency improvement, systematically establish and reasonably distinguish between the key areas and administrative levels of their internal control activities.
The internal control activities of insurance companies shall be divided into three administrative levels: front-end controls, back-end controls, and basic controls. Front-end controls refer to control activities directly facing the market and client marketing and transaction activities; back-end controls refer to control activities within operating activities such as business processes and backup support; and basic controls refer to control activities within company operation management activities to provide decision-making support and to safeguard resources.
Chapter II Internal Control Activities
Section 1 Sales Controls
Article 10 Content of and Basic Requirements for Sales Controls.
......