Yin Jian Fa  No. 40
CBRC local offices, policy banks, state-owned commercial banks, joint-stock commercial banks, banking asset management companies, postal saving bank, rural cooperative financial institutions at provincial level, and trust companies, finance companies of corporate groups and financial leasing companies under CBRC’s supervision,
We hereby issue the revised Guidelines on Internal Control of Commercial Banks which shall be earnestly implemented.
12 September, 2014
Guidelines on Internal Control of Commercial Banks
Chapter 1 General Provisions
Article 1 To facilitate the establishment of commercial banks and improvement of internal control, effectively guard against risks and ensure the stable and sound operation of the banking sector, the Guidelines are formulated in accordance with Law of the People's Republic of China on Regulation of and Supervision over the Banking Industry, Law of the People’s Republic of China on Commercial Banks and other laws and regulations.
Article 2 Commercial banks established according to laws within the territories of the People’s Republic of China shall be subject to the Guidelines.
Article 3 Internal control refers to dynamic processes and mechanisms designed to achieve objectives through formulation and implementation of systematic rules, processes and methods. The said processes and mechanisms involve the board of directors, board of supervisors, senior management and staff at all levels.
Article 4 Objectives of internal control of commercial banks:
a. to ensure the implementation of relevant laws and regulations;
b. to ensure the achievement of the development strategies and business goals of commercial banks;
c. to ensure the effectiveness of risk management of commercial banks; and
d. to ensure the authenticity, accuracy, integrity and timeliness of business records, accounting records, financial records and other management information of commercial banks.
Article 5 Basic principles of internal control of commercial banks:
a. Full coverage. Internal control should cover the whole process of decision-making, execution and supervision, all business processes and management, and all divisions and staff;
b. Check and balance. Internal control of commercial banks should form a check and balance mechanism between the governance structure, organization and distribution of power and duty, business process;
c. Prudential operation. The philosophy of risk-based prudential operation should be adhered to and internal control should be prioritized in setting up institutions or expanding business;
d. Compatibility. Internal control of commercial banks should be compatible with their management models, scale of business, complexity of products and risk status and adjustments should be made in light of changed circumstances in a timely manner
Article 6 Commercial banks should establish and optimize their internal control system, specify responsibilities, improve mechanisms and measures, and make continuing efforts to evaluate and oversee internal control.
Chapter 2 Responsibilities of Internal Control
Article 7 Commercial banks should put in place operational and organizational structures of internal control with reasonable and clear assignment of responsibility and reporting relationship between board of directors, board of supervisors, senior management, internal control, internal auditing and operational departments.
Article 8 The board of directors of a commercial bank is responsible for ensuring the establishment and implementation of an effective internal control system and prudential operation within the framework of laws and policies. The board of directors is responsible for defining the acceptable level of risks, ensuring that necessary measures are taken by senior management and so as to monitor and assess the adequacy and effectiveness of the internal control system.
Article 9 The board of supervisors is responsible for supervising the work of the board of directors and senior management in improving the internal control system and supervising the board of directors and senior management and its members in implementing internal control.
Article 10 Senior management is responsible for executing decisions made by board of directors, formulating systematic regulations, processes and methods based on an acceptable risk level defined by board of director and adopting relevant risk control measures. Senior management is also responsible for establishing and improving internal organizations to ensure effective internal control. Senior management is also responsible for monitoring and evaluating the effectiveness and adequateness of internal control system.
Article 11 Commercial banks should designate specialized department as function department of internal control management, take a leading role in coordinating and organizing internal control systems and in evaluating the systems.
Article 12 Internal auditing departments of Commercial banks supervise internal control, audit adequateness and effectiveness of internal control, report problems in a timely manner and supervise rectification and improvement.
Article 13 Operational departments of commercial banks are responsible for formulating operating systems and processes related to their own responsibility, strictly implementing relevant systems and rules, organizing supervision and inspection, reporting existent flaws in internal control within designated time frame and procedures, and for implementing rectification and improvement.
The operational departments of commercial banks in the Guidelines refer to other departments except internal auditing department and functional departments of internal control.
Chapter 3 Measures of Internal Control
Article 14 Commercial banks should establish and improve institutional frameworks of internal control, formulate a comprehensive, systematic and standardized operation and management system for businesses and management activities, and conduct regular evaluations.
Article 15 Commercial banks should define critical areas of risks in all operation and management activities, adopt proper measures, and implement unified processes of operation and management.
Commercial banks should adopt appropriate technologies and methods to manage risks, identify and evaluate operational risks and constantly monitor major risks.
Article 16 Commercial banks should establish and improve information control systems, and through effective combination of internal control process, operation system and information control system strengthen an automatic control system of operation and management activities.
Article 17 Commercial banks should define responsibility and power of departments and posts according to operational and managerial requirements, form standardized illustration for responsibility of departments and posts, define corresponding reporting processes.
Article 18 Commercial banks should identify and analyze posts of conflicting responsibilities/interests in operation and management process in a comprehensive manner, and adopt segregation measures to exercise checks and balances.
Article 19 Commercial banks should define important posts and formulate internal control requirements for important posts, implement job rotation and compulsory leave systems for employees in important posts.
Article 20 Commercial banks should formulate codes of conduct, define prohibitive rules, strengthen supervision and screening of employee behavior and establish a reporting and investigation system for unusual behavior.
Article 21 In light of operation capacity, level of management, risk status and development strategy of branches and departments, commercial banks should clearly define the scope of authority and competence of different branches, departments, posts and personnel, and make necessary adjustments.
Article 22 Commercial banks should strictly comply with accounting standards and principles and present transactions in each business in a timely and accurate manner to ensure the authenticity, reliability and integrity of accounting records.
Article 23 Commercial banks should establish an effective verifying and monitoring system to verify receipts, invoices and financial statements on a regular basis and take stock of cash, marketable securities and other tangible assets and instruments in a timely manner.
Article 24 Commercial banks should assess potential risks and put in place necessary management systems and operation process when they establish new branches, open new businesses or offer new products and services.
Article 25 Commercial banks should establish and improve an outsourcing management system with defined organizational framework and responsibility and conduct a full risk assessment on outsourcing business at least once a year. Functions that involve development strategy, risk management, internal auditing and other core competence shall not to be outsourced.
Article 26 commercial banks should establish and improve a complaint management system with clear handling process and analyze customer complaints on a regular basis to spot problems and improve service and management.
Chapter 4 Internal control guarantee
Article 27 Commercial banks should establish a management information system and a business operation system that cover all levels of management, all businesses and processes so as to record operation and management information in a timely manner and ensure the integrity, continuity, accuracy and traceability of the information.
Article 28 Commercial banks should strengthen management of information security. Commercial banks should put in place a class-based information management system and closely guard access to the information system to guarantee information security.
Article 29 Commercial banks should establish an effective mechanism of communication to keep the board of directors, board of supervisors and senior management are informed of operation and risk status and keep departments and personnel informed of rules and information relevant to their responsibilities.
Article 30 Commercial banks should establish a business continuity management system in line with their strategic goals. Commercial banks should define organizational structure and managerial functions, formulate a business continuity plan and organize testings on the plan and regular assessments of business continuity to ensure effective response to business-disrupting events.
Article 31 Commercial banks should adopt a sustainable human resource policy and set professional ethics and capabilities as important selection and recruitment criteria to ensure the qualifications and experience requirements are met. Commercial banks should also step up staff training.
Article 32 Commercial banks should develop an effective performance appraisal system and set reasonable measurements of performance for internal control department. Commercial banks should conduct evaluation of internal control management in a specific time period and improve management according to the results of evaluation.
Commercial banks should put in place a performance appraisal system dedicated to internal control and internal auditing departments to facilitate fulfillment of their internal control and supervision responsibilities.
Article 33 Commercial banks should foster a culture of internal control, enhance the staff’s compliance and risk awareness, improve their professional ethics and regulate their behavior.
Chapter 5 Evaluation of internal control
Article 34 Evaluation of internal control refers to the research, testing, analysis, evaluation and other structured activities related to the establishment, implementation and operation of the internal control system.
Article 35 Commercial banks should establish an internal control evaluation system that specifies the evaluator, frequency, content, procedure, method and criteria to ensure that internal control evaluation is carried out in accordance with relevant rules.
Article 36 Internal control evaluation in commercial banks should be carried out by departments designated by the board of directors.
Article 37 Commercial banks should conduct evaluation of internal control in organizations under consolidated supervision, including commercial banks and their subsidiaries and affiliates.
Article 38 Commercial banks should determine the frequency of internal control evaluation in light of operation and risk status, and evaluation should be conducted at least once a year. Commercial banks should conduct evaluation in case of major acquisition or resolution matters, major shifts of operational mode and changes in external business environment and other events of substantial influence.
Article 39 Commercial banks should formulate criteria for identification of internal control weaknesses which grade control weaknesses based on implication and probability of occurrence, and specify corresponding remedial measures and plans.
Article 40 Commercial banks should put in place a quality control system for internal control evaluation to monitor the whole process of evaluation and thus ensure objectivity of the evaluation.
Article 41 Commercial banks should make full use of the outcomes of internal control assessment. Commercial banks may tie the outcomes of assessment to performance evaluation.
Article 42 Commercial banks should submit their annual internal control evaluation, approved by the board of directors, to the CBRC or CBRC local offices before April 30th. Branches of commercial banks should submit their internal control evaluation CBRC local offices before April 30th.
Chapter 6 Monitoring on internal control
Article 43 Auditing, internal control and operating departments should share the responsibility of supervising internal control management and establish a supervisory system that covers all departments, products and operational processes.
Article 44 Commercial banks should establish a reporting and feedback system for supervision of inter control. Internal auditing, internal control and operating departments should report internal control weaknesses to the board of directors, board of supervisors, senior management and other competent authorities according to specific procedures in a time manner.
Article 45 Commercial banks should put in place a remedial mechanism for internal control weaknesses to define responsibilities, standardize procedures and processes and ultimately ensure implementation of remedial measures.
Article 46 Commercial banks should establish an accountability system in which:
a. board of directors and senior management should be responsible for classification of effectiveness of internal control and be held accountable for major loss due to ineffective internal control;
b. internal auditing and internal control should be directly responsible for ineffective supervision and evaluation of internal control;
c. operating department should be directly responsible for unimplemented rules and processes, ineffective supervision and overdue remedial measures.
Article 47 Supervisory department of commercial banks should keep continuous supervision on internal control through off-site supervision and on-site inspection, and put forward supervisory advice according to the Guidelines, relevant laws and regulations and internal control evaluation.
Article 48 The CBRC and its local offices should instruct commercial banks with internal control weaknesses to take remedial measures within a time limit. If remedial measures are not taken within the time limit, supervisory measure should be taken in accordance with article 37 of Law of the People's Republic of China on Regulation of and Supervision over the Banking Industry.
Article 49 If commercial banks violate provisions in the Guidelines, CBRC and its local offices can take supervisory measures in accordance with relevant provisions in Law of the People's Republic of China on Regulation of and Supervision over the Banking Industry.
Chapter 7 Appendix
Article 50 Other financial institutions regulated by the CBRC should refer to the Guidelines.
Article 51 The Guidelines shall be effective since the date of issuance.
Copyright: China Banking Regulatory Commission