Measures for the Administration of Operational Risk of Banking and Insurance Institutions

Document Number: 国家金融监督管理总局令2023年第5号 (Order No. 5 [2023] of the National Financial Regulatory Administration)
Issuing Authority: National Administration of Financial Regulation
Area of Law: Governance Rules (治理规则)
Status: Effective

Full Text

(Issued by Order No. 5 [2023] of the National Financial Regulatory Administration on December 27, 2023, coming into force on July 1, 2024)

Chapter I General Provisions

Article 1 For the purposes of improving the operational risk management of banking and insurance institutions, these Measures are formulated in accordance with the Banking Supervision Law of the People's Republic of China, the Commercial Bank Law of the People's Republic of China, the Insurance Law of the People's Republic of China, and other laws and regulations.

Article 2 For the purposes of these Measures, “operational risk” means the risk of loss stemming from failed internal processes, people, and information technology systems, or external events, including legal risk but excluding strategic risk and reputational risk.

Article 3 Operational risk management, integral to the comprehensive risk management system, aims to prevent operational risk, reduce losses, enhance the ability to respond to internal and external events, and ensure stable business operations.

Article 4 Operational risk management shall follow the following basic principles:

(1) Principle of prudence. Operational risk management shall use a risk-based approach, pay full attention to early signs of risks and hazards, effectively identify adverse factors that affect risk management, allocate sufficient resources, take timely measures, and improve foresight.

(2) Principle of comprehensiveness. Operational risk management shall cover all business lines, branches, departments, positions, employees, and products, underpin the entire decision-making, execution, and supervision process, and fully consider the relevance and contagion of other internal and external risks.

(3) Principle of fitness. Operational risk management shall reflect multi-level and differentiated requirements. The management system and management resources shall be fit for the institutional development strategy, business scale, complexity, and risk condition and be promptly adjusted according to changes in circumstances.

(4) Principle of effectiveness. An institution shall, based on its risk appetite, effectively identify, assess, measure, control, mitigate, monitor, and report the operational risk it faces, and hold operational risk within a tolerable range.

Article 5 A large banking or insurance institution shall, based on a good governance structure, strengthen operational risk management, connect it with business continuity, outsourcing risk management, cybersecurity, data security, emergency response, recovery and disposal plans, and other systems and mechanisms, improve operational resilience, and have the ability to continue performing key business and services in the event of material risks and external events.

Article 6 The National Financial Regulatory Administration (NFRA) and its local offices shall regulate the operational risk management of banking and insurance institutions in accordance with the law.

Chapter II Risk Governance and Management Responsibilities

Article 7 The board of directors of a banking or insurance institution shall regard operational risk as one of the main risks faced by the institution and have the ultimate responsibility for operational risk management. Its main responsibilities are to:

(1) Approve the basic operational risk management system to ensure its alignment with strategic objectives.

(2) Approve operational risk appetite and its transmission mechanism to hold operational risk within a tolerable range.

(3) Approve the senior management's operational risk management responsibilities, authorities, reporting, and other mechanisms to ensure the effectiveness of the operational risk management system.

(4) Deliberate the operational risk management reports submitted by the senior management at least once a year to fully understand and assess overall operational risk management and the work of the senior management.

(5) Ensure that senior management establishes a necessary mechanism for identifying, assessing, measuring, controlling, mitigating, monitoring, and reporting operational risk.

(6) Ensure that the operational risk management system submits to effective examination and supervision by the internal audit department.

(7) Approve systems related to information disclosures concerning operational risk.

(8) Ensure the development of a risk culture that meets operational risk management requirements.

(9) Other related responsibilities.

Article 8 If a banking or insurance institution has supervisors or a board of supervisors, the supervisors or board of supervisors shall have the responsibility for supervising operational risk management, supervising and inspecting the performance of duty by the board of directors and senior management, urging timely corrective action, and including the responsibility in the work report.

Article 9 The senior management of a banking or insurance institution shall have the responsibility for the implementation of operational risk management. Its main responsibilities are to:

(1) Develop basic systems and measures for operational risk management.

(2) Define the operational risk management responsibilities and reporting requirements for departments and branches, urge all departments and branches to fulfill their responsibilities for operational risk management, and ensure the functioning of the operational risk management system.

(3) Establish an operational risk appetite and its transmission mechanism, urge all departments and branches to implement the operational risk management system and risk appetite, conduct regular examinations, and promptly address breaches of risk appetite and other violations of operational risk management requirements.

(4) Comprehensively understand overall operational risk management, especially material operational risk events.

(5) Submit an operational risk management report to the board of directors at least once a year and file it with supervisors or the board of supervisors.

(6) Allocate sufficient financial, human, and information technology system and other resources for operational risk management.

(7) Improve the operational risk management system to effectively respond to operational risk events.

(8) Develop an evaluation, reward, and punishment mechanism for operational risk management.

(9) Other related responsibilities.

Article 10 A banking or insurance institution shall establish three lines of defense for operational risk management and establish and improve risk data and information sharing mechanisms among the three lines of defense and within each line of defense.

The first line of defense, consisting of business and management departments, is the direct bearer and manager of operational risk and is responsible for operational risk management in its respective fields. The second line of defense, consisting of the lead departments responsible for operational risk management and measurement, guides and supervises the operational risk management performed by the first line of defense. The third line of defense, consisting of internal audit departments, supervises and evaluates the performance of duty by the first and second lines of defense and their effectiveness.

Article 11 The main responsibilities of the first line of defense are to:

(1) Designate persons to be responsible for operational risk management and invest sufficient resources.

(2) Identify and assess operational risk using risk management and assessment methods.

(3) Develop control and mitigation measures and regularly evaluate the effectiveness of the measures.

(4) Continuously monitor risks to ensure compliance with operational risk appetite.

(5) Regularly file operational risk management reports and promptly report material operational risk events.

(6) Develop business processes and systems that comply with the requirements for operational risk management and internal control.

(7) Other related responsibilities.

Article 12 The second line of defense shall remain independent and continue improving the consistency and effectiveness of operational risk management. Its main responsibilities are to:

(1) Establish a post or designate a person for operational risk management at branches at or above the first or provincial level and allocate sufficient resources.

(2) Track operational risk management regulatory policies and organize their implementation.

(3) Formulate basic systems and measures for operational risk management and develop measures and specific provisions for identifying, assessing, measuring, monitoring, and reporting operational risk.

(4) Guide and assist the first line of defense in identifying, assessing, monitoring, controlling, mitigating, and reporting operational risk and conduct regular supervision.

(5) Submit an operational risk management report to the senior management at least once a year.

(6) Measure capital for operational risk.

(7) Provide operational risk management training.

(8) Other related responsibilities.

The NFRA or its local office may, within its regulatory purview, exempt small banking and insurance institutions from the requirement to establish a post or designate a person for operational risk management at branches at or above the first or provincial level.

Article 13 Legal, compliance, information technology, data management, consumer protection, security, accounting, human resources, actuarial, and other departments shall, while assuming their operational risk management responsibilities, provide sufficient resources and support for operational risk management by other departments, within their purview.

Article 14 An internal audit department shall conduct a special audit of operational risk management at least once every three years that covers the first and second lines of defense and evaluates the operation of the operational risk management system, and shall report the results to the board of directors.

The internal audit department shall pay full attention to operational risk management when carrying out other audit projects.

Article 15 A large banking or insurance institution shall regularly commission a third-party institution to audit and evaluate its operational risk management, and submit an external audit report to the NFRA or its local office.

Article 16 The domestic branches of a banking or insurance institution, and its departments directly engaged in business, shall bear the main responsibility for operational risk management and perform the responsibilities to:

(1) Allocate sufficient resources to the operational risk management departments at the same level and business line.

(2) Strictly implement operational risk management systems, risk appetite, management processes, and other requirements.

(3) Improve operational risk management in accordance with internal and external audit results and regulatory requirements.

(4) Other related responsibilities.

In addition to the requirements of the preceding paragraph, overseas branches shall comply with local regulatory requirements.

Article 17 A banking or insurance institution shall require its domestic financial affiliates and financial technology affiliates within the scope of consolidation to establish an operational risk management system that is aligned with the group's risk appetite and fit for their business scope, risk characteristics, business scale, and regulatory requirements, to establish and improve three lines of defense, and to develop an operational risk management system.

In addition to the requirements of the preceding paragraph, an overseas affiliate shall also comply with local regulatory requirements.

Chapter III Basic Requirements for Risk Management

Article 18 The basic operational risk management system shall fit the nature, scale, complexity, and risk characteristics of the institution's business, at least including:

(1) Definition of operational risk.

(2) The organizational structure, authority, and responsibilities for operational risk management.

(3) Operational risk identification, assessment, measurement, monitoring, control, and mitigation procedures.

(4) An operational risk reporting mechanism, including reporting entity, responsibilities, pathway, frequency, and time limits.

A banking or insurance institution shall, within 15 working days after the development or revision of the basic operational risk management system, file a report with the NFRA or its local office according to the regulatory responsibilities.

Article 19 A banking or insurance institution shall formulate operational risk appetite with equal emphasis on qualitative and quantitative indicators under the overall risk appetite, and conduct re-examination every year. Risk appetite shall be connected with strategic goals, business plans, performance evaluation, and compensation mechanisms, among others. Risk appetite indicators shall include operational risk monitoring indicator requirements determined by regulatory authorities for specific institutions.

A banking or insurance institution shall establish a risk appetite transmission mechanism by determining operational risk tolerance, risk limits, or other means, and shall continuously monitor operational risk and issue timely warnings.

Article 20 A banking or insurance institution shall establish a management information system with operational risk management functions, mainly including:

(1) Recording and storing loss-related data and information on operational risk events.

(2) Supporting self-assessment of operational risk and controls.

(3) Supporting monitoring of key risk indicators.

(4) Supporting operational risk capital measurement.

(5) Providing the relevant content of operational risk reports.

Article 21 A banking or insurance institution shall develop a good oper......