Measures for Operational Risk Management in Banking and Insurance Institutions

Order of the National Financial Regulatory Administration [2023] No.5

December 27, 2023

(Promulgated by Order of the National Financial Regulatory Administration [2023] No.5 on December 27, 2023, and effective as of July 1, 2024)

Chapter I General Provisions

Article 1 These Measures are formulated in accordance with the Banking Regulation Law of the People's Republic of China, the Law of the People's Republic of China on Commercial Banks, the Insurance Law of the People's Republic of China, and other laws and regulations to improve operational risk management in banking and insurance institutions.

Article 2 For the purposes of the Measures, the term “operational risk” refers to the risk of losses caused by issues concerning internal procedures, employees, and information technology systems, as well as external events, including legal risks, but excluding strategic risks and reputational risks.

Article 3 Operational risk management, as an important part of a comprehensive risk management system, aims to effectively prevent operational risks, reduce losses, improve the ability to cope with the impact of internal and external events, and provide guarantees for the stable operation of business.

Article 4 Operational risk management shall follow the basic principles below:
(1) Principle of prudence. In operational risk management, it is imperative to adhere to the risk-based concept, pay full attention to risk signs and potential hazards, effectively identify adverse factors affecting risk management, allocate sufficient resources, and take timely measures to enhance foresight.
(2) Principle of comprehensiveness. Operational risk management shall cover all business lines, branches, departments, positions, employees and products, run throughout the decision-making, implementation and supervision process, and fully consider the relevance and contagiousness of other internal and external risks.
(3) Compatibility principle. Operational risk management shall reflect multi-level and differentiated requirements, and management systems and management resources shall be commensurate with the institution's development strategy, business scale, complexity and risk status, and be adjusted in a timely manner as circumstances change.
(4) Effectiveness principle. Banking and insurance institutions shall, under the guidance of risk preference, effectively identify, evaluate, measure, control, mitigate, monitor and report the operational risks that they face, and control the operational risks to within an acceptable range.

Article 5 Large-scale banking and insurance institutions shall strengthen their operational risk management on the basis of a sound governance structure, ensure effective and organic connection with the systematic mechanisms for business continuity, outsourcing risk management, cybersecurity, data security, emergency response, and recovery and disposal plans, and improve their operational resilience so that they are able to consistently deliver critical business and services in the face of significant risks and external events.

Article 6 The National Financial Regulatory Administration (the "NFRA") and its local offices shall regulate the operational risk management of banking and insurance institutions in accordance with the law.

Chapter II Risk Governance and Management Responsibilities

Article 7 The board of directors of a banking or insurance institution shall view operational risks as one of the main risks faced by the institution and bear the ultimate responsibility for operational risk management. The main duties include:
(1) reviewing and approving the basic rules on operational risk management to ensure consistency with strategic objectives;
(2) reviewing and approving the operational risk preference and its transmission mechanism, to control the operational risks to within a tolerable range;
(3) reviewing and approving the duties, authority, reporting and other mechanisms for the senior management related to operational risk management, to ensure the effectiveness of the operational risk management system;
(4) deliberating on the operational risk management report submitted by the senior management at least once a year, to fully understand and evaluate the overall situation of operational risk management and the work of the senior management;
(5) ensuring that the senior management establishes the necessary mechanisms for identifying, assessing, measuring, controlling, mitigating, monitoring and reporting operational risks;
(6) ensuring that the operational risk management system is subject to effective auditing and supervision by the internal audit department;
(7) reviewing and approving the relevant systems for disclosure of operational risk information;
(8) ensuring the establishment of a risk culture that matches the operational risk management requirements; and
(9) other relevant duties.

Article 8 For banking and insurance institutions with supervisors (the board of supervisors), supervisors (the board of supervisors) shall assume the supervisory responsibility for operational risk management, be responsible for supervising and inspecting the performance of duties by the board of directors and the senior management, promptly urge rectification, and include it in the work report of supervisors (the board of supervisors).

Article 9 The senior management of a banking or insurance institution shall bear the responsibility for the implementation of operational risk management. The main duties include:
(1) formulating the basic rules on and administrative measures for operational risk management;
(2) clearly defining the duties and reporting requirements related to the operational risk management of departments and institutions at all levels, urging all departments and institutions at all levels to perform their duties of operational risk management, and ensuring the normal operation of the operational risk management system;
(3) setting up the operational risk preference and its transmission mechanism, urging all departments and institutions at all levels to implement the rules on operational risk management and the risk preference, reviewing the implementation regularly, and dealing in a timely manner with breaches of the risk preference and other violations of operational risk management requirements;
(4) having complete knowledge of the overall situation of operational risk management, especially regarding major operational risk events;
(5) submitting an operational risk management report to the board of directors at least once a year, and submitting it to supervisors (the board of supervisors);
(6) allocating adequate financial and human resources, information technology systems and other resources for operational risk management;
(7) inspecting the operational risk management system to effectively respond to operational risk events;
(8) formulating the assessment and reward and punishment mechanisms for operational risk management; and
(9) other relevant duties.

Article 10 Banking and insurance institutions shall establish three lines of defense for operational risk management, and sound risk data and information sharing mechanisms shall be established among and within the three lines of defense.
The first line of defense consists of the business and management departments at all levels, which are the direct bearers and managers of operational risks and are responsible for operational risk management in their respective fields. The second line of defense consists of the lead departments responsible for operational risk management and measurement at all levels, which are responsible for guiding and supervising the operational risk management of the first line of defense. The third line of defense consists of the internal audit departments at all levels, which are responsible for supervising and evaluating the performance of duties and the effectiveness of the first and second lines of defense.

Article 11 The main duties of departments in the first line of defense include:
(1) designating personnel to be responsible for operational risk management and investing in sufficient resources;
(2) identifying and assessing their own operational risks in accordance with risk management assessment methods;
(3) establishing control and mitigation measures and regularly evaluating the effectiveness of such measures;
(4) maintaining ongoing risk monitoring to ensure compliance with operational risk preferences;
(5) regularly submitting operational risk management reports and timely reporting major operational risk events;
(6) having the requirements of operational risk management and internal control fully reflected when developing business processes and systems; and
(7) other relevant duties.

Article 12 Departments in the second line of defense shall maintain independence and continuously improve the consistency and effectiveness of operational risk management. The main duties include:
(1) setting up a dedicated post or designating personnel to be responsible for operational risk management in branches at the first level and above (provincial branches), and allocating adequate resources to them;
(2) tracking regulatory policies and regulations on operational risk management and organizing the implementation thereof;
(3) drafting basic rules on and administrative measures for operational risk management, and formulating measures and specific provisions for identifying, assessing, measuring, monitoring and reporting operational risks;
(4) instructing and assisting the first line of defense in identifying, assessing, monitoring, controlling, mitigating and reporting operational risks, and carrying out regular supervision;
(5) submitting the operational risk management report to the senior management at least once a year;
(6) measuring operational risks;
(7) conducting the training on operational risk management; and
(8) other relevant duties.
The NFRA or its local offices may relieve small-scale banking and insurance institutions from the requirement for setting up a dedicated post or designating personnel to be responsible for operational risk management in branches at the first level (provincial branch) in accordance with their respective supervision responsibilities.

Article 13 The legal, compliance, information technology, data management, consumer rights and interests protection, security, finance and accounting, human resources, actuarial and other departments shall, within the scope of their respective duties, provide sufficient resources and support for the operational risk management of other departments while assuming their own duties of operational risk management.

Article 14 The internal audit department shall carry out a special audit on operational risk management at least once every three years, covering the operational risk management of the first line of defense and the second line of defense, audit and evaluate the operation of the operational risk management system, and report the relevant situation to the board of directors.
The internal audit department shall pay full attention to operational risk management when carrying out other audit projects.

Article 15 Large-scale banking and insurance institutions shall entrust a third-party institution to audit and evaluate their operational risk management on a regular basis, and submit an external audit report to the NFRA or its local offices.

Article 16 Domestic branches and departments directly engaged in the business of banking and insurance institutions shall bear the primary responsibility for operational risk management and perform the following duties:
(1) allocate sufficient resources to the operational risk management department at the same level or in the same line;
(2) strictly implement rules on operational risk management, risk preference and management process requirements;
(3) improve operational risk management in accordance with internal and external audit results and regulatory requirements; and
(4) other relevant duties.
In addition to meeting the requirements set forth in the preceding paragraph, overseas branches shall meet their local regulatory requirements.

Article 17 A banking or insurance institution shall require its affiliated domestic financial institutions and affiliated fintech institutions within the scope of consolidated financial statement management to establish an operational risk management system that is in line with the group's risk preference and its business scope, risk characteristics, business scale and regulatory requirements, establish and improve three lines of defense, and formulate rules on operational risk management.
In addition to meeting the requirements set forth in the preceding paragraph, affiliated overseas institutions shall meet their local regulatory requirements.

Chapter III Basic Requirements for Risk Management

Article 18 The basic rules on operational risk management shall be in line with the nature, scale, complexity and risk characteristics of institutions' business, and include at least the following:
(1) definition of operational risks;
(2) organizational structure, authority and responsibility of operational risk management;
(3) identification, assessment, measurement, monitoring, control, and mitigation procedures for operational risks; and
(4) reporting mechanism for operational risks, including reporting subject, responsibility, path, frequency, and time limit.
A banking or insurance institution shall, within 15 working days of the formulation or revision of the basic rules on operational risk management, submit them to the NFRA or its local office responsible for regulating the institution.

Article 19 Banking and insurance institutions shall, under the overall risk preference, develop an operational risk preference that gives equal weight to qualitative and quantitative indicators, and review it every year.
  ......