Chapter 2. Internal Control System.
Section 1. Principles and Scope.
Article 4
A bank’s internal control system shall be based on the following principles:
1. Management’s supervisory and control culture: The board of directors (the board) shall be responsible for approving and periodically reviewing overall business strategies and major policies, and the board has the ultimate responsibility for ensuring the establishment and maintenance of a suitable and effective internal control system. Senior management shall be responsible for carrying out the business strategies and policies approved by the board, developing procedures for identifying, measuring, supervising and controlling the bank’s risks, setting up proper internal control policies and supervising the efficiency and adequacy thereof;
2. Risk identification and evaluation: An effective internal control system shall facilitate the identification and continuous evaluation of material risks that may adversely affect the likelihood of bank achieving its goals, and determine how to respond to related risk to keep it within acceptable range;
3. Control activities and segregation of duties: Control activities shall be a part of a bank’s daily overall operations. A complete control structure should be established with internal control processes defined at every level. An effective internal control system should contain appropriate segregation of duties, and management and employees shall not be given conflicting responsibilities;
4. Information and communication: A bank shall keep pertinent and complete financial, operations and compliance information; such information shall be reliable, up to date, easily accessible, and provided in a uniform format. An effective internal control system shall have effective communication channels; and
5. Monitoring activities and remediation of deficiencies: A bank should continuously monitor the overall effectiveness of its internal control system. The business units, internal auditors and other internal control personnel shall, upon the discovery of deficiencies in such system, report to the appropriate management. Material internal control deficiencies shall be reported to senior management and the board, and be addressed promptly.
Article 5
A bank’s internal control system shall cover all business activities with the following policies and operating procedures established and timely reviewed:
1. Organization charter or management rules, which shall include a clear organizational system, functions and responsibility of respective department, and clear rules governing authorizations and hierarchy responsibilities.
2. Related business rules, procedures and operational manuals, including:
(1) Cashiers, deposits and remittances, extension of credit, foreign exchange, trust business and new financial products.
(2) Investment guidelines and equity management.
(3) Confidentiality of customer data.
(4) Transactions with stakeholders.
(5) Accounting and financial statement preparation process, general affairs, information and human resources (including rules for rotation and vacation).
(6) Management of information disclosure.
(7) Management of outsourcing operation.
(8) Other business rules and operating procedures.
Where necessary, the bank’s compliance and internal audit units should participate in the drafting, revision or abolishing of operational and management rules and procedures mentioned above.
Article 6
A bank shall set up a compliance system, a risk management mechanism, an internal audit system, and a self-inspection system to maintain the effective and proper operations of its internal control system.
Article 7
A bank’s internal control system shall be approved by its board of directors. If any of the directors expresses a dissenting view which is documented or comes with a written statement, the bank shall submit the dissenting view together with the internal control system approved by the board to its supervisors; the preceding provisions apply when the bank revises its internal control system.
If the bank has independent director(s), the views of respective independent director should be taken into account fully when the internal control system is submitted to the board for discussion. The specific consenting or opposing views of the independent director(s) and reasons for the opposition shall be recorded in the board meeting minutes.