PEOPLE’S REPUBLIC OF CHINA FINANCIAL SECTOR ASSESSMENT PROGRAM October 2017 DETAILED ASSESSMENT OF OBSERVANCE BASEL CORE PRINCIPLES FOR EFFECTIVE BANKING SUPERVISION Prepared By This report was prepared in the context of a joint Monetary and Capital IMF-World Bank Financial Sector Assessment Markets Department, IMF Program (FSAP) mission in the People’s Republic of and Finance and Markets China during February, 2017. The FSAP was led by Global Practice, World Bank Simon Gray, IMF and Miquel Dijkman, World Bank, and overseen by the Monetary and Capital Markets Department, IMF, and the Finance and Markets Global Practice, World Bank. Further information on the FSAP program can be found at http://www.imf.org/external/np/fsap/fssa.aspx, and www.worldbank.org/fasp. INTERNATIONAL MONETARY FUND THE WORLD BANK PEOPLE’S REPUBLIC OF CHINA CONTENTS Glossary __________________________________________________________________________________________ 3 SUMMARY AND KEY FINDINGS ________________________________________________________________ 5 INTRODUCTION ________________________________________________________________________________ 15 METHODOLOGY ________________________________________________________________________________ 15 INSTITUTIONAL AND MARKET STRUCTURE—OVERVIEW ___________________________________ 16 PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION __________________________________ 18 DETAILED ASSESSMENT _______________________________________________________________________ 24 A. Supervisory Powers, Responsibilities, and Functions __________________________________________ 24 B. Prudential Regulations and Requirements ___________________________________________________ 127 SUMMARY COMPLIANCE WITH THE BASEL CORE PRINCIPLES ____________________________ 261 RECOMMENDED ACTIONS AND AUTHORITIES' COMMENTS ______________________________ 277 A. Recommended Action _______________________________________________________________________ 277 B. Authorities’ Response to the Assessment ____________________________________________________ 281 2 PEOPLE’S REPUBLIC OF CHINA Glossary ABC Agricultural Bank of China AMA Advanced Measurement Approach AMC Asset Management Companies BCBS Basel Committee on Banking Supervision BOC Bank of China BOCOM Bank of Communications BSL Banking Supervision Law CAMLMAC China Anti-Money Laundering Monitoring and Analysis Center CAR Capital Adequacy Ratio CBRC China Banking Regulatory Commission CCB China Construction Bank CCDC China Central Depository & Clearing Co., Ltd. CICPA Chinese Institute of Certified Public Accountants CIRC China Insurance Regulatory Commission CMB China Merchants Bank CMG Crisis Management Group COAGs Cross-border Cooperation Agreements CPA Certified Public Accountant CSDC China Securities Depository and Clearing Corporation Limited CSRC China Securities Regulatory Commission DPD Days past due EAST Examination & Analysis System Technology EMEAP Executives’ Meeting of East Asia and Pacific Central Banks FCRG Financial Crisis Response Group FSB Financial Stability Board G20 The Group of 20 GSIBs Global Systemically Important Banks HQLAs High Quality Liquid Assets IAASB International Auditing and Assurance Standards Board IASB International Accounting Standards Board ICAAP Internal Capital Adequacy Assessment Process ICBC Industrial and Commercial Bank of China IFRS International Financial Reporting Standards IMA Internal Model Approach IRB Internal Rating-based Approach JMC Financial Regulatory Coordination Joint Ministerial Committee KRI Key Risk Indicator LCR Liquidity Coverage Ratio LDC Loss Data Collection LGFV Local Government Financing Vehicles 3 PEOPLE’S REPUBLIC OF CHINA LTV Loan to Value Ratio MIIT Ministry of Industry and Information Technology MOF Ministry of Finance MOS Ministry of Supervision MOU Memorandum of Understanding MPS Ministry of Public Security NBS National Bureau of Statistics NDRC National Development and Reform Commission NPC National People’s Congress ORMS Obligor Risk Monitoring System OSS Off-Site Surveillance OSSRS Off-site Surveillance Returns System PBC People’s Bank of China P&Ls Profit and Loss statement RCSA Risk and Control Self-Assessment REASS Risk Early-warning Analysis and Supporting System ROA Return on Assets ROE Return on Equity RRP Recovery and Resolution Plan RWA Risk Weighted Assets SAFE State Administration of Foreign Exchange SAIC State Administration for Industry and Commerce SAR Special Administrative Region SEANZA Central Banks of South East Asia, New Zealand and Australia SIBs Systemically Important Banks UBO(s) Ultimate Beneficial Owner(s) 4 PEOPLE’S REPUBLIC OF CHINA SUMMARY AND KEY FINDINGS The China Banking Regulatory Commission (CBRC) has maintained its momentum in regulation and supervision in the face of exceptional growth in scale and increasing complexity of the banking system. Equally, the CBRC has risen to the demands of the international regulatory reform agenda, delivering timely revisions to its body of regulations and maturing its supervisory practices through investing in essential new skills, enhancing methodologies, and broadening its interactions with the industry. In this context, the clarity of supervisory requirements and expectations communicated to the industry is a strength of the CBRC. Recent organizational reforms, in 2015, building on other internal reforms, will serve the CBRC well in delivering its supervisory mandate. While pursuit of financial stability is recognized as fundamentally important, concerns must be acknowledged as to whether the CBRC would, in practice, always be able to act on its primary, stability, objective, especially if government policies, whether focused growth and expansion, or social protection, conflicted with prudential considerations. The China Banking Regulatory Commission (CBRC) has achieved a high degree of compliance with the Basel Core Principles for Effective Banking Supervision (BCPs). Notwithstanding the revision to the BCP methodology, which raised the standards expected of supervisory authorities, the CBRC has demonstrated progress in almost all areas. Nevertheless, further maturing is needed, and taken together the recommendations of this report seek to support the CBRC in developing deeper and more comprehensive diagnostic capabilities, which ought to facilitate early, effective and preventative actions as necessary. It is essential that the CBRC’s achievements in recent years are consolidated as new challenges and complexities in the system will continue to emerge. In particular, it is essential that the CBRC obtain the resources to expand its range and depth of skills before developments in the industry leave it unable to maintain meaningful oversight and authority, not least of the four Global Systemically Important Banks (GSIBs). Building on the supervisory vision expressed in prestige CBRC publications such as the Annual Report, a detailed forward strategy for supervision, covering three to five years, would serve as a vehicle for the CBRC to articulate its case for resources. Although market entry to new products and business lines is tightly controlled, widening of financial groups and cross sectoral activities present the most significant challenges to the CBRC’s effectiveness. The Chinese financial authorities have made efforts into greater coordination and collaboration, and this has stimulated deeper awareness of financial sector themes and issues, particularly at the macro level, on which the individual authorities can act according to their mandates. Despite a high-level infrastructure for bringing regulators together, however, cooperation, coordination and detailed exchanges of information between authorities about financial groups and institutions have been lacking. Equally, there is a broadly held view that effective communication between authorities comprises information exchange after an event as opposed to identifying what information should routinely be shared to ensure that all authorities are well placed to identify emerging issues and act preventively. Such gaps in content and a tendency to ex post information flow have contributed to weaknesses in preventing abuses of financial services 5 PEOPLE’S REPUBLIC OF CHINA as well as a weaker awareness and understanding of risks and vulnerabilities that can arise from more complex groups and from cross sectoral activities than is desirable. While the CBRC has performed well, in terms of evolving its regulatory standards to meet the growing complexity of the system, some important gaps require attention. Several dimensions of credit risk, including treatment of problem assets, concentration risk and related party exposures have aspects in which they lag international best practices and standards. Failure to resolve these issues may hamper the CBRC in its task of assessing the nature and scale of credit risk in the system and within individual institutions. Areas for priority attention include, for example, the current practice of recognizing collateral in loan classification, whereby banks may classify loans over 90 days past due as “special mention” rather than “nonperforming” if good quality collateral is in place and also high regulatory limits—50 percent of Tier 1 capital—for interbank exposures and aggregate related party lending. Further, in the field of corporate governance, it is important for the CBRC to ensure that the existing various regulatory standards are rationalized so that no overlaps or gaps remain in order that all institutions are subject to clear expectations. Divergences from the global standards in relation to independence issues for certain board committees should be addressed. Additionally, the CBRC should be granted the formal power to reject the external auditor of a bank if needed. One final, but significant, gap that the authorities should close, is to ensure a greater disclosure of aggregate statistics and risk indicators for overall banking industry to facilitate a better understanding among market participants. This step would support stability objectives by providing a transparent, comprehensive and authoritative dataset to inform decision making and actions in the market. Objectives, Powers and Responsibilities (CP 1) The legal framework sets clear responsibilities and objectives for banking supervision in China. Overall, CBRC’s legal mandate and responsibilities, supported by broad powers enables CBRC to conduct banking supervision in an effective way, with a primary focus on safety and soundness. A comprehensive set of regulation and procedures have provided CBRC with the necessary tools to properly operationalize its mandate, while strong enforcement powers further support the effectiveness of supervisory actions. While discharging its responsibilities CBRC takes into account the national policy objectives for economic and social progress (which rely importantly on the provision of credit to the economy) aiming at balancing its primary mandate of safety and soundness with need to support and promote particular sectors. The potential conflict between safety and soundness objectives and other objectives exists in many countries but can be more acute in China because of the predominant use of the banking system, much of which is state owned, to achieve economic and social goals. In such context, it is even more important that CBRC communication does not mislead banks as for CBRC first and foremost commitment to safety and soundness. 6 PEOPLE’S REPUBLIC OF CHINA Independence (CP2) The CBRC lacks operational independence which might impair its ability to execute its legal mandate. The CBRC has a clear legal basis for independence, just as it enjoys a clear legal framework generally, acts with the support of the State Council, and commands industry respect, but the CBRC is not operationally independent. This leads to the potential for the CBRC to fail to execute its legal mandate and ensure that soundness and stability considerations are the primary motivation of its work. Factors contributing to this potential outcome include the fact that the CBRC’s decisions can be overturned by the State Council and the fact that there is no legislative requirement to disclose publicly the reasons for the dismissal of the Chair of the CBRC. Although the CBRC has been confirming the central importance of soundness and stability in the CBRC’s work, the assessors are concerned that the CBRC’s independence is sufficiently compromised to call into question whether the supervisor would always be able to act on its primary, stability, objective, particularly if government policies, whether growth or social protection, conflicted with prudential considerations. Finally, and recognizing that the CBRC operates through a geographically large network, the CBRC must be vigilant in ensuring that all its offices exercise the highest standards of independence and objectivity in the course of their daily supervisory tasks, which are in pursuit of supporting financial stability. Noting that the CBRC has autonomy over neither its staffing numbers nor its organizational design, it must be recognized that resource constraint stifles a supervisor from performing its role effectively. The financial sector growth does not require a linear increase in resources, but the growing complexities and interconnectedness of a system, which includes four Global Systemically Important Banks (GSIBs), create a significant risk that the CBRC’s supervisory oversight will be incomplete thus creating the potential for system-wide vulnerabilities to emerge. While the CBRC is to be commended on its achievements in enhancing its specialist skillsets, refreshing its supervisory techniques, and adapting its tools with insight and creativity, the complement of staff has been static for a decade and key staff are increasingly attractive to and attracted by industry opportunities. Budgetary independence, allowing increased resources in salary scale and staffing for the more specialist fields, including the emerging area of supervisory stress testing, is an urgent need. It is recognized that public resources must be deployed carefully, but the supervisory authorities cannot fall behind demands created by the major banks. The supervisor forms part of the frontline defenses and ensuring best practice, intensive and early intervention supervisory approaches comes at significantly lower cost than wide scale capital injection should one or more major banks come under pressure. Cooperation, consolidated supervision and home-host (CPs 3, 12 and 13) Cooperation and collaboration with local and foreign authorities are in place. The legal and regulatory framework have enabled CBRC to set up a sound framework for cooperation and collaboration with domestic authorities and foreign supervisors. The arrangements seem to be functioning as envisioned by the authorities albeit the depth and breadth of data and information gathered from domestic supervisors should benefit from an expected and necessary increase within 7 PEOPLE’S REPUBLIC OF CHINA the context of an effective consolidated supervisory framework. CBRC has put significant efforts since the last FSAP in broadening its home-host relationships, following the expansion of Chinese banks operations abroad and the classification of four Chinese banks as G-SIBs. As Chinese banks further expand their activities and groups increase in complexity, an even more proactive approach might be needed. Progress in consolidated supervision is increasingly embedded in the CBRC’s practices. The CBRC has focused on capacity development in this field and is gaining experience and confidence in probing of group wide risk management, activities and strategies. Careful attention paid to related party transactions by the CBRC supports an important understanding of intra-group dynamics. Areas that should be prioritized for further development include a focus on the wider group and extended network of affiliates, including the upward ownership of groups—i.e. to the ultimate beneficial owners—to ensure that all potential relevant groups are mapped and understood in relation to the bank and the banking group. This mapping is a basic necessity in ensuring a group can be effectively supervised and this information needs to be kept current. The Chinese financial system is changing rapidly in terms of complexity of group structure and with increasing liberalization and openness these conditions can be expected to intensify so it is optimal to act now. The CBRC needs stronger powers of ex ante notification and approval of changes in the wider group to make sure that it can act, if needed, in as timely a manner as possible and be preventative as opposed to reactive and to ensure that consolidated supervision is not undermined. In terms of cross-sectoral activity, cross product selling and provision of similar products—such as wealth management products (WMPs or other forms of collective investment schemes) by the different financial sectors—introduce new dimensions that consolidated supervision must consider, including business, contagion and reputational risks. The CBRC is encouraged to continue applying conservative prudential standards to complement its conduct requirements and indications that there will be cross sectoral agreements to limit arbitrage opportunities are very welcome. Permissible activities, licensing, transfer of ownership and major acquisitions (CPs 4 to 7) Permissible activities are clearly defined and highly controlled through the licensing process. The market entry legal framework and supporting procedures includes powers to define and restrict the types of business that banks are allowed to engage in. Approvals are required for any new business line and branches, as well as sound fit and proper criteria for board and senior management. Non-banking activities are allowed on a case by case basis only, including fund management and insurance. Banks’ investments in commercial enterprises and real estate not for use are not allowed. In the past five years, new licenses have been provided mainly to convert rural cooperatives into banks, as well as for the establishment of foreign banks operations in China. The evolving context of banks and activities in China has brought some further challenges. The increasing sophistication and complexity of business groups in China and full implementation of procedures for the entrance of newly established private banks into the market would require further efforts from the authorities in fully understanding the wider group. The expansion of Chinese operations abroad and increased sophistication of banks activities might also require additional 8 PEOPLE’S REPUBLIC OF CHINA efforts in order to assess joint ventures and other strategic investments. In addition, authorities should exercise caution, when authorizing non-banking activities, ensuring that a robust regulatory framework is in place to properly govern such activities, the risks they entail and their implications to the banks, banking groups and the banking system. The ability of CBRC to control transfer of significant ownership is limited by the legal framework. CBRC has a sound process for approvals of direct transfers of significant ownership above 5 percent. But the concepts of influence or indirect control have not been captured by the legal framework. As the role of the state as a shareholder in the banking system diminishes, and banking groups and shareholders’ interests increase in complexity, transfers of significant ownership and control through indirect holdings will remain outside of CBRC purview. Supervisory approach, techniques, reporting and corrective actions (CPs 8 to 11) The CBRC plans and executes a high quality supervisory approach. The CBRC is continuing to develop its risk based approach since the last assessment. There are good processes in place for planning and executing both the on and off-site supervisory activities. Since the last assessment there has been intensive investment in the quality of the supervisory data and analytical systems and a refreshing of the analytical methodologies. Supervisory expectations are clearly communicated to banks and are followed up. The use not only of meetings but also notices and risk alerts to ensure that there is responsive feedback to the industry has been effective. Effective use is made of broad sources of information and the CBRC’s supervisory programs have focused on key emerging risks and trends such as the provision of wealth management products to clients and interbank/wholesale market activity. Assessing the resolvability of banks is one field which is still work in progress. While the largest banks, which are identified as Global Systemically Important Banks (GSIBs) have been subject to resolvability assessments, the CBRC is still deliberating on the correct approach for domestic institutions. It should be noted that the CBRC has a sound knowledge of the banking groups in the system and of the relative lack of group complexity in most instances. The CBRC needs to continue maturing its diagnostic skills in integrating information on different risks and events to identify root causes of issues in order to devise a more effective forward looking approach. Although the CBRC has further enhanced its supervisory rating approach to permit a greater use of supervisory judgment, the leeway for this judgement is highly constrained and for some banking models might fail to reflect the nature of the risks in the banking institution. The next generation of risk methodologies should address this deficiency and provide further support to forward looking integrated risk analysis so that the interaction between risks can be even more carefully examined and supervisors identify the potential for vulnerabilities and act before issues crystallize. Continued development of the CBRC’s analytical techniques in relation to banks’ strategies and business models will provide a robust underpinning for greater supervisory discretion. The CBRC philosophy is, rightly, that the quality of supervisory data is a fundamental pillar of effective supervision. As a consequence the CBRC has put extensive efforts into its supervisory 9 PEOPLE’S REPUBLIC OF CHINA reporting regime and enhancing the analytical systems that depend on it. There has been an almost wholescale overhaul of the reporting data and considerable care is taken, using on and off-site methods, not only to ensure that the data received is reliable, that banks are accountable for the information they provide, but also to ensure that the CBRC continues to obtain the data that is most relevant for its evolving supervisory tasks. CBRC demonstrates willingness to act at an early stage, supported by broad corrective powers. CBRC supervisory approach encompasses a robust early warning system, aiding early action. CBRC counts with an extensive range of tools to enforce corrective action including penalties for the board, senior management and staff, which have been systematically used over the last few years. Problem banks have been addressed primarily through restructuring. Corporate governance (CP 14) There is clear supervisory emphasis on the effectiveness of corporate governance of banks. In both off-site surveillance and onsite examination, there is consistent focus on the internal governance structure, clear roles and responsibilities and decision-making processes within the banks. However, the regulatory framework for corporate governance of banks is based on a combination of various Guidelines and Listing Rules. It would be useful to rationalize and eliminate gaps or inconsistencies and have a single legislation as the focal point for supervisory corporate governance reviews in the future. It would also be an opportunity to consider and clarify the criteria to be used to implement corporate governance requirements in a proportionate manner across the institutions with varying size and complexity. Specifically, on board committees, there is a need to establish requirements to ensure the independence of risk management committee, and the nomination and remuneration committees of non-listed banks. Given the large and growing financial sector, CBRC needs to closely monitor and adapt its governance frameworks and supervisory expectations, aligning to best practices, to ensure that they continue to facilitate an environment of trust, transparency and accountability. Risk management, capital adequacy and prudential framework (CPs 15 to 25) Banks have made good progress in their management of individual risks but more needs to be done to adopt an enterprise-wide risk approach. Banks are better at managing individual risks, and for the major banks, ICAAP and stress tests have become an important part of their risk management. Supervisors perform more intensive review of ICAAP and stress tests annually for the large banks. However, full enterprise-wide risk approaches that integrate strategy setting, monitoring, management and stress testing in ways that consider interactions among risks are challenging, particularly for banks with business activities across geographical regions, with diverse businesses and products posing different types of risks. In this regard, assessing whether the banks are effective in adopting enterprise-wise risk approaches and are capable of fully identifying, monitoring and managing the risk interactions should continue to be a focus area of supervision. 10 PEOPLE’S REPUBLIC OF CHINA Work on recovery plan and resolvability assessments is in progress, covering the globally systemically important banks. CBRC has required the four globally systemically important banks to prepare and submit recovery plans annually for review, with resolvability assessment being conducted for three. A cross-border crisis management group (CMG) has been established for each G-SIB, comprising senior officials from national authorities including CBRC, MOF and PBC, as well as some foreign authorities. The CMG is mainly responsible for effective management and resolution of the bank in the event of cross-border financial crisis. It has commenced reviewing and assessing the bank’s recovery and resolution plan (RRP) on an annual basis. Given the importance of RRP, CBRC should extend this requirement to the other large banks, in particular those assessed to be systemically important in the domestic market. China has set up a comprehensive and proportionate approach to its capital regime, proactively aligning it with international standards. CBRC has fully adopted Basel III for all banks operating in China, with a few not material deviations setting higher requirements for CET1 and the leverage ratio. So far six banks have been allowed to implement the advanced approaches for credit and market risk and a few other banks are expected to be authorized in the near future. Particular focus has been put into the large banks in terms of ensuring the establishment of a forward-looking approach to capital. Although in principle all banks are required to implement the ICAAP, for middle size and small banks CBRC has focused on ensuring proper implementation of Pillar one and requiring mid-term capital planning. Over the last few years CBRC has set informal expectations of dividends distribution around 30 percent in order to further increase banks’ reserves. CBRC needs to continue its focus in ensuring that banks adopt a comprehensive approach towards identifying, monitoring and managing overall credit risks. There has been an increase in the scale and complexity of banks’ credit risk origination activities since the previous assessment. Non-standard credit activities have emerged, including investments in structured products, off- balance sheet activities and interbank investments. Under this heightened risk environment, CBRC has enhanced its offsite surveillance of credit risk trends and vulnerabilities, intensified onsite examinations, and issued risk alerts and specific notices aimed at addressing challenges and containing specific risks. These are commendable efforts. Given the large number and the diversity of banks and the increased complexity of activities, it is important for CBRC to continue its focus to ensure that banks effectively implement and comply with the recently issued guidelines targeted at emerging risks. More importantly, the banks’ ability to evaluate, monitor and manage overall credit risks comprehensively should continue to be the focus of CBRC’s supervisory activities. It will also be useful to develop a comprehensive guidance on credit risk management in line with international standards to ensure that supervisory expectations and minimum standards are well understood. While CBRC has intensified its supervision on banks’ loan classification, it should review the current loan classification requirements. Given the rising trend in non-performing loans (NPL), CBRC has taken a lot of efforts, through offsite surveillance and onsite examinations, to ensure accuracy of banks’ loan classification and adequacy of provisions. It is important to continue this effort and in addition, CBRC should review the current loan classification requirements permitting 11 PEOPLE’S REPUBLIC OF CHINA the use of collaterals in influencing NPL classification. Such practice makes it difficult to properly assess increase in credit risk and could potentially result in lower regulatory provisions. Likewise, the requirement permitting loans granted to small enterprises to be classified as NPL only when they are more than 180 days-past-due should be reviewed. The review should assess whether this practice results in slow downgrading of problem loans and delays the detection of increase in credit risks in this micro-lending segment. The supervisory framework to guard against large exposures needs to be strengthened. CBRC has put in place requirements for a more comprehensive capture of concentration risks and banks are required to include significant risk concentrations in their stress testing programs for risk management purposes. On the large exposures requirement, however, there is a need to further review and articulate the criterion in identifying relationships between entities with common local government ownership. There is also a need to reduce the existing 50% (of Tier-1 capital) limit on interbank exposure and establish a limit on exposures between G-SIBs, to avoid excessive risk concentrations. Such a review would also be in line with CBRC’s plans to move towards adopting Basel’s large exposures framework. Gaps remain in the related party exposure framework. While the definition of related party is comprehensive, it does not include related banks, and ownership by the state government is not treated as a trigger for related party reporting, limits or approvals. Consistent with recommendations earlier with regard to having a focus on wider group and extended network of affiliates, it is recommended that the exclusions be reviewed to ensure the extra due diligence is accorded to all related parties. Although there has been substantive growth in the Chinese banking system, market risk remains low and the complexity of banks’ market risk profile, likewise, remains generally straightforward. Nevertheless, there have been some important developments since the last BCP assessment as now five banks have been approved to use internal models for capital adequacy calculation. Some medium-sized banks have also adopted the internal models approach for market risk measurement, risk appetite setting, limit management and capital management. There are also pilot schemes to introduce securitization into the market, which, if it develops, could introduce new challenges, although the CBRC confirmed that complex transactions (including correlation trading, re-securitization and synthetic products) are not permitted and there is no intention to ever permit such products. As in other risk areas, there are heightened regulatory standards in market risk for the five largest banks and the precise targets that each bank must meet is set on an individual case basis. The CBRC should be well placed to implement the revised Basel market risk standard that was published following the fundamental review of the trading book. Looking forward, however, it is imperative that the CBRC remain vigilant and continue its path in building its market risk capacity. Phased liberalization of interest rates appears to have given banks time to adapt and, to date, banks’ behavior is still largely conservative. For its part, the CBRC has enhanced its specialist staff to the extent possible, its outlier analyses, and is introducing pilot projects in targeted locations for more demanding stress and scenario testing (e.g. 250 and 300 basis point shifts as well as twists). 12 PEOPLE’S REPUBLIC OF CHINA Banks are also required to undertake their own scenario analysis and interest rate sensitivity is incorporated in stress testing. The CBRC is, however, encouraged to use the adoption of the revised Basel standard as a springboard for issuing more extensive guidance to the industry. The CBRC approach to liquidity risk supervision is more sophisticated and intensive than at its last assessment. All banks with at least RMB200bn total assets are subject to the LCR and this represents about 90 percent of the assets of the banking system. All banks, including those below the LCR threshold must meet the liquidity ratio (liquid assets as a percentage of liquid liabilities) and all without exception, are subject to the liquidity risk management standards and monitoring tools which are based on the Basel standard. The strengthening of liquidity supervision is particularly welcome given market developments, as lower tier banks are becoming increasingly dependent on wholesale funding and to the extent that this sector is not subject to the LCR, the CBRC should devote a particular supervisory focus. Severe scenarios and parameters are needed in banks’ internal stress tests, to address shocks including on wholesale funding and the potential for contagion risk in WMPs causing high demand for outflows. At the time of the assessment, the CBRC was awaiting the Basel Regulatory Consistency Assessment Program (RCAP) mission to examine the regulatory implementation of the Liquidity Coverage Ratio. The BCP and RCAP assessments have an overlapping but not identical focus and should not be seen as substitutes for each other. From the BCP perspective, the CBRC is encouraged to be highly assertive in setting industry expectations in building scenarios, stress testing and contingency planning. Such stress testing practices should, of course, be linked to stress tests required for banks’ capital adequacy and risk management planning (i.e., Pillar 2). The CBRC does not permit advanced modelling approaches for capital adequacy and its operational risk supervision has a strong emphasis on business continuity and IT practices. The CBRC does not employ operational risk specialists. As with market risk, there is a considerable variation in the sophistication of banks’ approach to operational risk, with the most sophisticated banks using internal approaches to drive forward their risk management approaches, while less complex, typically local and regional banks are more focused on internal controls. As the less complex banks expand their businesses, the challenge for them, as the CBRC is fully aware, is to develop their approach to operational risk in a commensurate manner with their growth. It was striking that some banks are seeking to develop internal approaches for credit risk but remain content with analytical approaches to operational risk based on the basic indicator approach. There should be scope, through the implementation of the expected revised Basel standard on operational risk, to encourage development of operational risk standards within banks that is not limited to the internal controls and IT environment. Controls, audit, accounting, disclosure and transparency (CPs 26 to 28) There is a strong emphasis and attention on internal control, compliance and audit throughout supervisory processes. The effectiveness of the three lines of defense is key area of supervisory focus. On the external audit front, CBRC has established requirements on the qualification and independence of external auditors, to mandate rotation of audit firm, and to strengthen the communication between 13 PEOPLE’S REPUBLIC OF CHINA supervisors and auditors. However, CBRC does not have the direct power to reject or rescind the appointment of the external auditor who is deemed unfit to perform a reliable and independent audit. There continues to be a need to increase audit oversight and quality review of the audit of small-to- medium sized banks. Accounting, disclosures and auditing standards in China are substantially in line with the international standards, but there is room for more information disclosure on the banking sector. All banks are required to prepare audited financial statements. Listed banks, which account for close to 80% of total banking system assets, have appointed international accounting firms as their external auditors, and their accounting and information disclosures are generally comprehensive. CBRC has progressively enhanced its banking system disclosures in its annual reports and website. Given the size and complexity of the banking sector, there is room for more disclosures on aggregate statistics and risk indicators for overall banking industry to facilitate a better understanding among market participants, analysts and the public of the risk profile of and issues affecting the financial system in China. Abuse of financial services (CP29) Both the regulatory framework and supervisory practices have continued to develop since the last assessment but some gaps still remain. An important initiative since the last assessment has been the establishment of the AML JMC. This body has been a valuable cross-body authority to consider and develop policies and strategies in respect of AML/CFT issues. Cooperation between the PBC and the CBRC is also strong at a policy level and the quality of the working relationships supporting this dialogue is very strong. Nevertheless, until recently, the PBC and CBRC have not focused on information exchange or coordination with respect to findings or concerns with respect to individual institutions. The recent decision for the CBRC and PBC AML Bureau to conduct joint on- site examinations is very welcome and can be expected to yield valuable results and insights for both authorities. Regulatory guidance, while extensive, should be improved by broadening of requirements related to Politically Exposed Persons to domestic individuals as well as foreign persons. Second, requirements should be enhanced in relation to banks’ obligation to identify the ultimate beneficiaries of transactions. The authorities are encouraged to reconsider the calibration of the severity of the fines permitted under the AML Law and a more explicit linkage between multiple offences and repeat offences and additional measures being imposed by the CBRC would be powerful. 14 PEOPLE’S REPUBLIC OF CHINA INTRODUCTION 1 1. This assessment of the current state of the implementation of the Basel Core Principles for Effective Banking Supervision (BCP) in China has been completed as part of the 2017 FSAP update. The FSAP update was undertaken by the International Monetary Fund (IMF) and World Bank (WB) and the BCP assessment mission took place from 9 to 28th February 2017. METHODOLOGY 2. It should be noted that the ratings assigned during this assessment are not directly comparable to previous assessments. The current assessment of the CBRC was against the BCP methodology issued by the Basel Committee on Banking Supervision (BCBS) in September 2012. The authorities have opted to be assessed on the essential criteria. The last BCP assessment in the People’s Republic of China was prepared in the course of the 2011 Financial Sector Assessment Program (FSAP). The BCP methodology has been revised since the last assessment took place and the revisions have led to some substantive changes. 3. In the 2012 revision of the CPs, the BCBS sought to reflect the lessons from the global financial crisis and to raise the bar for sound supervision reflecting emerging supervisory best practices. New principles have been added to the methodology along with new essential criteria (EC) for each principle that provide more detail. Altogether, the revised CPs now contain 247 separate essential and also additional criteria against which a supervisory agency may now be assessed. In particular, the revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention. 4. The assessment team reviewed the framework of laws, rules, and guidance and held extensive meetings with authorities and market participants. The assessment team met officials of CBRC, including from the provincial office of the CBRC in Chongqing, and additional meetings were held with the People’s Bank of China (PBC), the Ministry of Finance (MoF), auditing firms, and banking sector participants. The authorities provided a comprehensive self-assessment of the CPs, as well as detailed responses to additional questionnaires, and facilitated access to staff and to supervisory documents and files on a confidential basis. Owing to time constraints it was not possible to make as full a study of the documents as the assessors would have wished but the authorities did everything that was possible to facilitate access. 5. The team appreciated the very high quality of cooperation received from the authorities. The team extends its warm thanks to staff of the authorities, in Beijing and Chongqing, who provided excellent cooperation, including provision of documentation and technical support. 1 This Detailed Assessment Report has been prepared by Katharine Seal, IMF, Valeria Salomao Garcia, World Bank and Yee Theng, external expert from the Monetary Authority of Singapore. 15 PEOPLE’S REPUBLIC OF CHINA 6. The standards were evaluated in the context of the sophistication and complexity of the financial system of the People’s Republic of China. The CPs must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, a proportionate approach is adopted within the CP, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the CPs must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, and risk profile and cross-border operation of the banks being supervised. In other words, the assessment must consider the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another. 7. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science. Reaching conclusions required judgments by the assessment team. Banking systems differ from one country to another, as do their domestic circumstances. Furthermore, banking activities are undergoing rapid change after the crisis, prompting the evolution of thinking on, and practices for, supervision. Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the Chinese authorities with an internationally consistent measure of the quality of their banking supervision in relation to the revised CPs, which are internationally acknowledged as minimum standards. INSTITUTIONAL AND MARKET STRUCTURE— OVERVIEW 8. Banking supervision and regulation is carried out by the China Banking Regulatory Commission (CBRC). The CBRC’s headquarters in Beijing is supported by a nation-wide structure of 36 provisional offices. Furthermore, the CBRC maintains over 300 field offices and more than 1,700 supervisory agencies as well as four training centers. The CBRC is one of three financial sector regulators, the others being the China Insurance Regulatory Commission (CIRC) which has responsibility for the insurance sector and the China Securities Regulatory Commission (CSRC) which regulates the securities industry. The CBRC, like its fellow sectoral regulators, is a ministry-level government agency directly under the State Council (SC), to which it is accountable. Some banking supervisory functions, specifically in relation to AML/CFT, are the responsibility of the People’s Bank of China (PBC). 9. Economic growth has relied increasingly on credit since 2010, and the financial sector has grown exponentially. Credit growth in China has averaged around 20 percent per year between 2009 and 2015, leading to an increase in the ratio of private credit to GDP to over 200 percent. China is now home to 4 of the world’s 5 largest banks, the second-largest stock market, and the third-largest bond market. 2 Ping An Insurance, the world’s fifth largest insurance company 2 The four large banks are International Commercial Bank of China (ICBC), Bank of China, China Construction Bank, and Agricultural Bank of China. All are state-owned G-SIFIs, and are collectively referred to as the Big 4. 16 PEOPLE’S REPUBLIC OF CHINA by revenue, is classified as a G-SII, and the increasingly liberalized insurance market has grown at annual rates of 20 percent in recent years. 10. Growth in the nonbank financial sector has outpaced bank asset growth since 2010. Since 2010, only 60 percent of the growth in total social financing, China’s broadest measure of credit, has been in bank assets, with much of the rest in nonbank debt. Though still small, China is the world leader in fintech. P2P has grown from zero to $65 billion since 2012, while Alibaba, China’s largest internet retailer and effectively a competitor to the payments system, allows its customers to invest money held in its escrow accounts in financial assets such as WMPs. 11. The Chinese banking sector is less concentrated than at the time of the last FSAP. Banking business is diversifying as the dominance of large state-owned banks wanes. At the time of the last FSAP large public banks accounted for approximately half of the system wide bank assets but this has diminished to nearly 40 percent in 2016. The next tier of banks are the joint stock commercial banks, and city commercial banks. Other categories of banking institutions are rural commercial banks, rural cooperative banks, rural credit cooperatives and a range of other financial and trust companies. Over recent years foreign owned banks have begun to enter the market and as at end 2015 there were 40 such institutions. Equity investment by foreign financial institutions into domestic banks is permitted up to a limit of 20 percent per holding. 12. Bank balance sheets have continued to expand rapidly over the past year with asset growth outstripping deposit growth. Bank assets grew at 16 percent over the twelve months to September 2016. The fastest expansion was from the smaller, provincial, unlisted and policy banks, with the new lending from policy banks making up 13.8 percent of the total new loans (17 percent in 2015). Bank claims on nonbank financial institutions rose to around 11 percent of total bank assets by Q2, up from 3 percent in 2011. At the same time, the ratio of wholesale funding to total funding has more than doubled to 31 percent since 2011. In terms of funding the largest banks are able to attract deposits at low cost. Deposits now account for 69 percent of banking sector liabilities. Repos are the main wholesale funding instrument, and the daily volume of repos reached RMB 1.4 trillion in December 2015. Medium and smaller banks have funded growth through higher-cost wealth management products (WMPs) and, more recently, through short-term wholesale financing (via the rapidly growing “interbank” market). 13. China's banks appear to be well-capitalized and liquid, though profitability is declining. Despite slowing growth, the average regulatory capital ratio in 2016Q2 was 13.1 percent (11.1 Tier 1 capital). Liquidity positions across the system appear strong, with liquid assets accounting for a relatively constant 20 percent of total assets since 2013, and liquid liabilities slightly less than half of total liabilities. Profitability has declined with the slowing economy, with ROA falling from 1.3 percent in 2013 to only 1.1 percent in 2016Q2, and ROE from 19.2 to 15.2 percent during the same period. The banking system is relatively closed, with minimal foreign currency lending or deposits, and net open positions only around 3 percent of capital. 14. Asset composition and quality is starting to shift. Until recently, credit went mainly to corporate borrowers, but mortgage lending is now growing rapidly. Lending to large companies 17 PEOPLE’S REPUBLIC OF CHINA (often SOEs with explicit government guarantees) is almost exclusively the purview of the major commercial banks and the smaller banks have moved into riskier lending and, especially, products invested in nonstandard credit assets. 3 The nonperforming loan ratio (NPL) has risen, but remains low at 1.8 percent (up from 1 percent in 2013), while the sum of NPLs and special-mention loans has risen to around 5½ percent of GDP. Regional differences in problem loan rates are significant in some instances, and rates for SOEs are higher than for private sector borrowers. PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION Sound and sustainable macroeconomic policies and financial sector policies 15. There is a developed economic policy framework, which is increasingly aimed at reorienting the economy towards consumption-led growth. After decades of growth led by investment and exports, the authorities are targeting a more market-oriented, consumption-based and services-driven economy. The approach has been clearly articulated in the 13th Five Year Plan. Target growth levels have been reduced. A program of supply side reforms is being implemented and the government plans to move to an effectively floating exchange rate regime by around 2018. GDP growth remains high, fiscal policy expansionary (but government debt levels remain relatively low) and inflation at a low level. China continues to run a large current account surplus. 16. There is a policy-making infrastructure in place for the financial sector. A sector-based regulatory framework has been in place since the late 1990s, comprising the China Banking Regulatory Commission (CBRC), China Securities Regulatory Commission (CSRC) and China Insurance Regulatory Commission (CIRC). The People’s Bank of China (PBC) is responsible for financial stability. All these agencies fall under the leadership of the State Council, which is the leading body for coordinating the development of financial stability policies and also provides the mechanism for developing and publishing broad strategic plans for economic sectors, including financial services. Well-established Financial Stability Policy System 17. The State Council coordinates the overall planning and development of financial stability policies. After the global financial crisis, the State Council established Financial Crisis Response Group (FCRG) to boost the progress of financial reforms and address the prevention and resolution of systemic risks. The PBC is responsible for analyzing macro-financial stability, while the CBRC, CSRC and CIRC are responsible for rolling out prudential supervisory arrangements in respective sectors. In August 2013, the Financial Regulatory Coordination Joint Ministerial Committee (JMC) was established to enhance the coordination between monetary policies and 3 Nonstandard credit assets are non-loan debt instruments that are not traded in the interbank bond market or stock exchange, and are generally illiquid. They include instruments such as trust loans, various types of beneficiary rights, bills of exchange, letters of credit, accounts receivables and equity financing under repurchase agreements. 18 PEOPLE’S REPUBLIC OF CHINA financial regulatory policies. The JMC also has a role in closing supervisory loopholes, prohibiting supervisory arbitrage, preventing cross-sector and cross-market systemic financial risks and safeguarding financial stability. 18. In order to prevent and control systemic risks, the authorities have sought to establish a comprehensive system. The coverage is intended to extend from individual financial institutions to the financial industry as a whole. Under this framework, the PBC, CBRC, CSRC and CIRC, and other relevant agencies collaborate to tackle cross-sector and cross-market risks. Economic and financial factors that may lead to systemic risks are identified and monitored so that control and mitigation can be deployed in a timely manner. A Well-developed Public Infrastructure Business law system 19. China has an established framework of commercial laws and judicial system. The legislative framework includes company, bankruptcy and contract laws as well as laws on the protection of consumer rights and property. The judicial system comprises investigation and prosecution services, a courts and penal system, people’s mediation, and lawyer and notary services. 20. Judicial independence in China is protected by law as enshrined in the Constitution. In recent years, China has pursued reforms to improve judicial effectiveness and public accessibility. For example, cases can be registered online or at circuit courts. Legal aid has been extended more broadly, with RMB 260 million litigation fees exempted in 2015. Mediation processes have also been enhanced and simplified procedures developed for the handling of less complex cases, both civil and criminal. In 2015, for example, courts in China heard 10.09 million civil and commercial cases in the first instance, with 9.57 million cases concluded and 910,000 appealed, of which 900,000 were concluded on appeal. Internationally-accepted accounting standards and Independent external auditing 21. Accounting and auditing standards are aligned with international standards and practices. The Accounting Law, Law on Certified Public Accountants and Accounting Standards for Business Enterprises (ASBE) include both standards and implementation rules and material on the roles of and responsibilities of Chinese Certified Professional Accountants (CPAs). Issued originally in 2006, ABSEs are in general based closely on International Financial Reporting Standards (IFRS) and the government is committed to continued alignment. The Accounting Regulatory Department of the Ministry of Finance (MoF) is responsible for issuing ASBEs and auditing standards, which since 2010 have also been based on international standards. Currently, the MOF is revising China’s auditing standards with reference to the IAASB updates. The use of IFRS is not permitted for domestic reporting, although companies whose securities trade on the Hong Kong Stock Exchange may and do in many cases choose to use them for reporting to Hong Kong investors. 19 PEOPLE’S REPUBLIC OF CHINA 22. Audit firms are licensed and oversight of audit work is undertaken by the MoF and the relevant provincial governmental finance departments. Registration requirements for firms include criteria relating to registered capital investment, numbers of CPAs and scope of business operations. Licenses for individual auditors are issued by provincial CPA institutes. The MoF has powers to inspect companies and may require auditors to provide audit documentation of the company under inspection. The Chinese Institute of Certified Public Accountants (CICPA), also has powers, providing a second layer of oversight. Firms that undertake audits of listed entities are further required to be licensed by the CSRC, which has powers to inspect companies listed in China. China is not currently a member of the International Forum of Independent Audit Regulators. Competent, independent and experienced professionals 23. China has a pool of independent and experienced accountants and auditors, as well as developed professional bodies. The CICPA, a member of the International Federation of Accountants (IFAC), is responsible for formulating the codes and rules of practice of certified public accountants and for supervising their implementation. Although a professional body, CICPA operates under the oversight of the MoF and has inspection and disciplinary powers against audit firms and individual auditors. As of end-2015, there were over 8,300 accounting firms (including branches), around 100,000 practicing CPAs, and more than 300,000 practitioners in the industry. Small and medium-sized accounting firms are subject to an examination every 5 years. From 2010 to 2015, over 8,000 examinations were carried out. Since 2011, the CICPA has examined over 7,600 accounting firms and conducted random inspections of 74,000 business activities. 24. A system of laws and regulations provide lawyers with professional, technical and ethical codes and standards. The Law of the People’s Republic of China on Lawyers prescribes the criteria qualified lawyers must meet to demonstrate competence and professional ethics. Laws in China safeguard lawyers’ professional rights and independence in defending or representing their clients. By the end of 2015, there were over 24,000 law firms and 297,000 lawyers nationwide. Regulation, supervision and rules for other financial markets and players 25. There is sectoral supervision for the financial industry in China. Hence, the banking, securities and insurance sectors are separately regulated and supervised by its functional supervisory authority. The securities and insurance sectors are regulated and supervised by the CSRC and CIRC respectively according to the Securities Law of the People’s Republic of China and the Insurance Law of the People’s Republic of China. The PBC is the supervisory authority of the interbank bond market, interbank lending market and gold market, with its statutory authority granted by the Law of the People’s Republic of China on the People’s Bank of China. Safe, effective and stringently-regulated payment and settlement systems 26. China’s landscape for Financial Market Infrastructures (FMIs) is one of the largest and most complex in the world. It consists of a range of systemically important payment, clearing and settlement systems, including several interbank payment systems, settlement systems and central 20 PEOPLE’S REPUBLIC OF CHINA counterparties (CCPs) for securities, exchange-traded derivatives and over the counter (OTC) derivatives (Appendix X). 4 The different systems are interlinked and all settle directly or indirectly in the real-time gross settlement (RTGS) system—the High-Value Payment System (HVPS) operated by the People’s Bank of China (PBC China’s Cross-border Interbank Payment System (CIPS) was recently launched to facilitate the clearing and settlement of cross-border renminbi payments and to support the renminbi in becoming a major global currency. Many of the systems have high volumes by international comparison. To give some sense of scale, in 2015, the payment system of the PBC processed 5.996 billion payments worth RMB 3,135.25 trillion, up by 43.31 percent and 27.67 percent respectively over the year. Efficient credit reporting sector 27. China has established and is continuing to develop platforms for holding data on credit. In 2006, China built up a nationwide database of financial credit information that connected commercial banks, rural credit cooperatives, consumer finance companies, micro credit companies, finance companies, AMCs, trust companies, insurance companies and guarantee companies. The government has also built a national credit information sharing platform and launched the www.creditchina.gov.cn website. In June 2014, the State Council issued the Planning Outline for the Construction of a Social Credit System (2014-2020), which made it clear that a society-wide credit reporting system based on credit information sharing will be basically built by 2020. Publicly accessible information on economic, financial and social statistics 28. Information on economic and social statistics is available through a number of channels. Sources include the website of the National Bureau of Statistics of China (www.stats.gov.cn), press conferences, national databases (both Chinese and English versions available on the website), China Statistical Yearbook and other publications. Statistical information includes GDP, CPI, total retail sales of consumer goods, fixed assets investment, output of industrial products, income of residents, housing prices in large and medium-sized cities, profits of industrial enterprises, PMI, number of people employed, unemployment rate, demographic structure, etc. Basic financial statistics are also readily accessible to the public through multiple channels, including the website of PBC (www.pbc.gov.cn), as well as the CBRC website. The PBC discloses financial information, such as the official reserve assets, and data templates for international reserve and foreign currency liquidity and banking sector data is available through the CBRC. China adopted the International Monetary Fund Special Data Dissemination Standard (SDDS), in 2015 and improved its statistical transparency and data services. Framework for crisis management, recovery and resolution 29. The CBRC has the powers to take over, restructure or close distressed banking financial institutions. Where a banking financial institution has experienced or is likely to experience a credit 4 As a G20 member China is keen to comply with the commitment to centrally clear all standardized over-the-counter derivatives, and started clearing CNY interest rate swaps through the Shanghai Clearing House. 21 PEOPLE’S REPUBLIC OF CHINA crisis that will severely jeopardize the lawful rights and interests of depositors and other customers, the CBRC may, take over the institution or facilitate its restructuring. Further, where a banking financial institution fails to comply with applicable laws and regulations or is not properly operated or managed, and such failure or poor operation/management will severely threaten financial order and/or undermine public interests the CBRC has right to close it (The Banking Supervision Law). The CBRC has the right to apply to the courts to initiate bankruptcy, reorganization or liquidation processes of a commercial bank that is unable to pay its debts or is likely to become insolvent (the Commercial Bank Law and the Enterprise Bankruptcy Law). 30. Mechanisms for information sharing and supervisory coordination among CBRC, PBC, MOF, and relevant agencies have been put into place. Crisis resolution efforts are coordinated through the JMC in a typical scenario that PBC providing liquidity support via financial-stability- oriented re-lending, and the Deposit Insurance Fund repaying insured deposits pursuant to applicable regulations. 31. Crisis management groups (CMGs) are being established. For global systemically important banks (G-SIBs), a domestic crisis management group (CMG) comprising members from CBRC, PBC and MOF and a cross-border CMG with members from the home country and key host countries have been formed. The CMGs are responsible for developing recovery and resolution plans and regularly evaluating and improving such plans. In 2015, China conducted the resolvability assessment of G-SIBs. 32. The Chinese authorities are in the process of updating their legislation to meet developing international standards in the fields of resolution and recovery. Currently, the Regulations on Resolving Bankruptcy Risk of Commercial Banks has been drafted and is under revision. The draft makes reference to the Key Attributes of Effective Resolution Regimes for Financial Institutions published by the FSB to improve effectiveness and efficiency, and reflects considerations on the liquidation system stability, close-out netting, cross-border resolution, etc. Public Safety Net 33. Deposit insurance protection has been put in place as of May 1, 2015. The Regulations on Deposit Insurance sets forth provisions on compulsory insurance, reimbursement limit, base premium rate and differential premium systems, as required by the Core Principles for Effective Deposit Insurance Systems and other international deposit insurance standards. The deposit insurance system strengthens information sharing in the current financial regulatory coordination mechanism, and supports supervisory work. Effective Market Discipline 34. There is a range of requirements that support transparency. Pursuant to the Company Law, the Securities Law and the Commercial Bank Law, borrowers shall make timely and accurate disclosure of information on their production, operation and financial position to the lenders and investors. In 2014, the State Council issued the Interim Regulations on Enterprise Information 22 PEOPLE’S REPUBLIC OF CHINA Disclosure, stipulating that government departments shall lawfully disclose enterprises’ information and enterprises shall, besides annual reports, disclose other information as required hereof. Where a borrower fails to make timely disclosure, investors and creditors can take necessary protective measures pursuant to the above laws, regulations and related contracts. 35. Banks are subject to information disclosure standards set out in the CBRC’s Guidelines on the Corporate Governance of Commercial Banks and Rules on the Information Disclosure of Commercial Bank. Information disclosure includes the financial and accounting statements, risk management, corporate governance and matters of significance. These Guidelines and Rules also require banks to put in place effective appraisal systems as beacons for compliant operations and sound development, which are building blocks of an effective market discipline mechanism. 23 PEOPLE’S REPUBLIC OF CHINA DETAILED ASSESSMENT A. Supervisory Powers, Responsibilities, and Functions Principle 1 Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups. 5 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns. 6 Essential criteria EC1 The responsibilities and objectives of each of the authorities involved in banking supervision 7 are clearly defined in legislation and publicly disclosed. Where more than one authority is responsible for supervising the banking system, a credible and publicly available framework is in place to avoid regulatory and supervisory gaps. Description and China Banking Regulatory Commission (CBRC) is responsible for banking supervision in findings re EC1 China. Article 2 of the Law of the People’s Republic of China on Banking Regulation and Supervision (Banking Supervision Law) establishes that the banking regulatory authority under the State Council shall be responsible for the regulation and supervision of the banking institutions in China and their business operations. Art 3 and Article 4 define the objectives of the CBRC. Article 3 establishes that the objectives of banking regulation and supervision are to promote the safety and soundness of the banking industry and maintain public confidence in the banking industry. It also states that towards such objectives, banking regulation and supervision shall protect fair competition and competitiveness of the banking industry. Article 4 states that the banking regulation and supervision authority shall exercise banking regulation and supervision in accordance with laws and regulations and in line with the principles of openness, fairness and efficiency. The CBRC website discloses its objectives and functions. The People’s Bank of China’s (PBC) responsibilities encompass, among others, to maintain the stability of the financial industry, with the power to promulgate and implement orders and regulations in relation to its functions. (Article 2 of the Law of the People’s Republic of China on the People’s Bank of China -PBC Law). The PBC Law has a Chapter on Supervision and Control over the Banking Industry, pertaining to its central bank core functions. Article 33 in particular states that “PBC may suggest that CBRC make inspections and supervision 5 In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation. 6 The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles. 7 Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification. 24 PEOPLE’S REPUBLIC OF CHINA over banking institutions” (i.e. the wording does not imply that it is mandatory; also both institutions interpret it as such). Authorities reported that suggestions of inspections in the past related to interest rates and after the liberalization of the market there have been no more circumstances to suggest such inspections. Article 76 and 77 of the Commercial Banking Law specifies that PBC can suggest CBRC order a commercial bank to temporarily suspend business and make due corrections or revoke its business license in certain cases comprising to foreign exchange ad interbank operations, as well as failing to meet minimum reserves or providing false reports. In practice, CBRC reported that PBC has never exercised such powers. EC 2 The primary objective of banking supervision is to promote the safety and soundness of banks and the banking system. If the banking supervisor is assigned broader responsibilities, these are subordinate to the primary objective and do not conflict with it. Description and As mentioned under EC1, Article 3 of the Banking Supervision Law establishes the findings re EC2 objectives of banking regulation and supervision as to promote the safety and soundness of the banking industry and maintain public confidence in the banking industry. It also states that towards those objectives, banking regulation and supervision shall protect fair competition in the banking industry and promote the competitiveness of the banking industry. The overall legal framework does make reference to developmental objectives, nevertheless. In particular, the Law of People’s Republic of China on Commercial Banks (Commercial Banks Law), Art 1, which states the objectives of the law, includes, among others, “promoting the development of the socialist market economy”. Article 34 also establishes that commercial banks shall carry out their loan business upon the needs of national economy and the social development and under the guidance of the state industrial policies. CBRC stated that at the time of the issuance of the Commercial Banks Law, that was indeed one of its objectives, in the context of the banking system reform, adding that the law has never been through a full revision to eliminate such references. CBRC objectives are not purely limited to safety and soundness, as the law makes clear. The effect of the primary and subsidiary objectives can be seen in the 2015 annual report which sets out the CBRC’s short term strategy and objectives and which includes a “commitment to the fundamental goal of promoting the banking sector to better serve the real economy and vigorously support the real economy to grow better and stronger”, seeking development, reform and innovation, with also considerations to supporting banks to improve their overseas network within the overall Chinese goal towards globalization of its companies.” Other measures, presented in the annual report reinforce a broad commitment to developmental national policies as the annual report encouraged banking sector to explore “One Enterprise, One Policy” loan mechanism to avoid the one-size-fits-all practice of simply withholding, withdrawing or terminating loans, and support enterprises with promising futures to tide over short-term difficulties.” For example, differentiated regulatory policies were adopted for loan collection and re-lending to shantytown renovation projects, so as to motivate the banking sector to support those projects. Nevertheless, to interpret this situation correctly, it must be remembered that it is vital for the Chinese banking sector to develop the skills to move away from a “one size fits all” 25 PEOPLE’S REPUBLIC OF CHINA assessment of credit risk as market liberalization takes hold. Differentiated, but appropriate, standards for different types of finance—as can be clearly seen in the Basel II/III capital requirement standards—are an essential part of sound banking and regulation. As the Chinese banking sector is still in a strongly development phase, although it is relatively unusual, it is less surprising that the supervisory authority is issuing guidance that in other jurisdictions would be seen as good banking practice taught in professional banking institutes. Over the years, CBRC has issued regulations providing clear incentives for banks to enter certain credit markets, in particular SMEs. Nonetheless, the assessors did not find evidence that CBRC has put its prudential safety below the objective of encouraging credit supply to certain sectors. In fact, regulations reviewed by the assessors indicated that CBRC expected banks to not disregard risk management practices in pursuing lending to those sectors. Effectively, a potential conflict between safety and soundness goals and other objectives does exist in China. While that conflict exists in various countries, it is more acute in China due to the way policy direction is exercised, including the use by government of the banking system, much of which is state owned, to achieve economic and social development objectives. EC3 Laws and regulations provide a framework for the supervisor to set and enforce minimum prudential standards for banks and banking groups. The supervisor has the power to increase the prudential requirements for individual banks and banking groups based on their risk profile 8 and systemic importance. 9 Description and Article 21 of the Banking Supervision Law provides that prudential rules and regulations findings re EC3 applied to banking institutions may be stipulated in the form of laws or administrative regulations, or formulated by CBRC in accordance with applicable laws and administrative regulations. It also states that those prudential rules and regulations shall cover, among others, risk management, internal controls, capital adequacy, asset quality, loan loss provisioning, risk concentrations, connected transactions, and liquidity management. Based on those powers, CBRC has put a broad set of regulations in place. All prudential regulations and procedures are issued by CBRC headquarters but the provincial offices have the autonomy to issue additional regulations to further detail procedures, tailoring them to the local circumstances. The law also establishes circumstances where CBRC has the authority or is required to take corrective measures. In particular, Article 46 establishes that failure to meet prudential rules and regulations - with serious consequences - results in corrective actions to be enforced, as well as fines. Article 25 establishes that CBRC shall regulate and supervise banking institutions on a consolidated basis. 8 In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank. 9 In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011. 26 PEOPLE’S REPUBLIC OF CHINA Article 27 requires CBRC to establish a rating system and early warning system, which should be used to determining the frequency and scope of on-site examination, as well as other supervisory measures that may deemed necessary. This broad provision, empowering CBRC to take supervisory measures, is interpreted as empowering CBRC to increase prudential requirements for individual banks and banking groups as necessary. EC4 Banking laws, regulations and prudential standards are updated as necessary to ensure that they remain effective and relevant to changing industry and regulatory practices. These are subject to public consultation, as appropriate. Description and The legal framework for banking supervision in China comprises three levels: at the highest findings re EC4 level are laws promulgated and amended by the National People’s Congress and its Standing Committee (e.g., the Banking Supervision Law and the Commercial Bank Law. At the next level are administrative regulations promulgated and amended by the State Council, such as the Regulation on Administration of Foreign-funded Banks. The third level comprises all supervisory rules and regulations issued by CBRC, including notices, opinions and guidelines. In order for a law to be updated it usually has to be included in a five-year legislation plan. In practice, laws and regulations seem to be updated as necessary. The Commercial Bank Law was first released in 1995 and amended in 2003 and 2015 respectively. The Banking Supervision Law was issued in 2003 and amended in 2006. For a particular law to be updated, the standard procedure is to propose to the State Council its inclusion into the legislation plan. The Commercial Bank Law is under review, as part of the Legislation Plan 2013-2018. There are yet no concrete plans for the revision of the Banking Supervision Law, which was not included in the current five-year legislation plan. Administrative Regulations are issued by the State Council (and drafted by CBRC). Currently, the only administrative regulation in place is the Regulation on Administration of Foreign-funded Banks was promulgated in 2006 and amended in 2014. All other regulations have been issued by, CBRC. On occasion CBRC has submitted particular regulations to the State Council, such as the capital rules implementing Basel III. CBRC has reported to assess rules and guidelines on a regular basis in response to changes and developments in the banking and regulatory environment, amending and abolishing outdated rules and guidelines as necessary to ensure their relevance and effectiveness. In practice, in light of the changes in the banking industry and supervisory practices in China and by drawing on the experiences of the international regulatory reforms, CBRC has, indeed, over the past five years, updated several prudential rules including capital framework, leverage ratio, liquidity risk management and corporate governance in an effort to make them more relevant and effective. CBRC reports to consult with the industry and other authorities when formulating regulations, either through written form or discussions, also making them available through their website for public comments. Interactions with the industry confirmed such statements. 27 PEOPLE’S REPUBLIC OF CHINA EC5 The supervisor has the power to: (a) have full access to banks’ and banking groups’ Boards, management, staff and records in order to review compliance with internal rules and limits as well as external laws and regulations; (b) review the overall activities of a banking group, both domestic and cross-border; and (c) Supervise the activities of foreign banks incorporated in its jurisdiction. Description and Effectively, CBRC has broad supervisory powers, informing not to have difficulties in findings re EC5 accessing bank’s data, systems, documents and staff, including senior management and the board, needed to perform its duties. Article 33 of the Banking Supervision Law empowers CBRC to require banks to submit information on balance sheets, income statements, other financial and statistical reports, information concerning business operations and management, as well as audit reports prepared by certified public accountants. Article 34 provides that CBRC may take the following measures to conduct on-site examinations: (a) to enter banks for on-site examinations; (b) to interview banking staff and require them to provide explanations on issues of concern; (c) to review and copy banking institutions’ documents and materials related to the on-site examination items, and to seal up documents and materials that are likely to be transferred, concealed or destroyed; and (d) to examine the banking institutions’ information technology system for business operations and management. In addition, Article 46 empowers the CBRC to require corrective measures and also impose fines in case of refusal or obstruction to on-site examinations or off-site surveillance. In addition, Article 75 of the Commercial Bank Law further empowers the CBRC to perform supervisory activities, laying down the measures CBRC can take in case banks refuse or impede supervision. In case of noncompliance within the required period of time CBRC can require suspension of business or revocation of license. The Banking Supervision Law enables CBRC to review the overall activities of a banking group both domestic and cross-border. Article 2 of the Banking Supervision Law establishes the CBRC as the supervision authority of banking institutions operating in China and extend its supervisory powers to encompass asset management companies, trust and investment companies, finance companies, financial leasing companies and other financial institutions established in China and authorized to operate by CBRC. It also grants CBRC power to supervise cross-border activities conducted by supervised institutions. As already mentioned, Article 25 provides CBRC with powers to regulate and supervise banking institutions on a consolidated basis. Article 35 of the Banking Supervision Law provides that CBRC may, for the purpose of performing its responsibilities, hold supervisory meetings with directors and senior managers of banking institutions to inquire about the major activities concerning the banks’ business operations and risk management. 28 PEOPLE’S REPUBLIC OF CHINA EC6 When, in a supervisor’s judgment, a bank is not complying with laws or regulations, or it is or is likely to be engaging in unsafe or unsound practices or actions that have the potential to jeopardize the bank or the banking system, the supervisor has the power to: (a) take (and/or require a bank to take) timely corrective action; (b) impose a range of sanctions; (c) revoke the bank’s license; and (d) cooperate and collaborate with relevant authorities to achieve an orderly resolution of the bank, including triggering resolution where appropriate. Description and Article 37 of the Banking Supervision Law establishes that when a bank fails to meet findings re EC6 prudential regulations, CBRC shall require it to take corrective actions within a prescribed period of time. If the bank fails to correct the deficiencies within the prescribed period of time, or the safety and soundness of the bank is likely to be severely threatened, and the interests of depositors and other customers are likely to be jeopardized, CBRC may take the following actions according to the gravity of situation: (a) suspend part of the current businesses of the bank and/or withhold approval of new business; (b) restrict dividend or other forms of payments to shareholders; (c) restrict asset transfers; (d) require the controlling shareholders to transfer shares or restrict the powers of relevant shareholders; (e) order the bank to replace board members and/or senior managers or restrict their powers; and (f) to withhold approval of new branches. Arts. 45 to 49 outline additional situations where CBRC is empowered to impose corrective actions and penalties on banking institutions that violate laws or banking regulations, including establishing a branch without authorization, change or terminate business operations without authorization, appoint directors or senior managers without the fit and proper test, fail to meet prudential rules and regulations with serious consequences, among others. CBRC is also granted powers to take over, facilitate restructuring or to close a bank. Article 38 of the Banking Supervision Law provides that when a banking institution is experiencing or likely to experience a financial distress, thereby seriously jeopardizing the legitimate rights and interests of depositors and other customers, CBRC may take over the banking institution or facilitate a restructuring in accordance with the law. In addition, Article 39 establishes that when a banking institution has been found in serious violation of laws and regulations, or conducting significant unsafe or unsound practices, thereby seriously threatening financial stability and public interests unless it is closed, CBRC shall have the authority to close that bank in accordance with applicable laws and regulations. In addition, Article 64 of the Commercial Banks Law establishes that in case a bank has experienced or may experience loss of faith by the market (“occur creditability crisis”), which may seriously influence the interests of the depositors, the CBRC may take over the bank. There are no specific provisions determining that CBRC should cooperate and collaborate with relevant authorities to achieve an orderly resolution of a bank as such but Article 13 of the Banking Supervision Law determines that local governments and relevant government departments at various levels shall cooperate and provide assistance in resolving problem banking institutions. 29 PEOPLE’S REPUBLIC OF CHINA EC7 The supervisor has the power to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. Description and Article 25 of the Banking Supervision Law stipulates that CBRC shall regulate and supervise findings re EC7 banking institutions on a consolidated basis. Article 24. of the Guidelines on the Consolidated Management and Supervision of Commercial banks establish that the principal shareholders of a commercial bank shall meet the requirements set out by the CBRC and provide the relevant information in accordance with the law. In addition, Article 84 states CBRC should closely monitor whether the business activities of the principal shareholder, directly or indirectly have a significant impact on the consolidated financial condition and risk status of a commercial bank. Although the powers to access parent companies and their affiliates are not explicitly stated in the legal framework, with the overall power to conduct consolidated supervision combined with its strong powers to impose corrective actions result that CBRC in practice does have the powers to review the activities of parent companies and of companies affiliated with parent companies to determine their impact on the safety and soundness of the bank and the banking group. CBRC reported to never have experienced any difficulties in obtaining information deemed relevant for its supervisory duties. Assessment of Compliant Principle 1 Comments The legal framework clearly establishes CBRC responsibilities and also defines the objectives for banking regulation and supervision, granting CBRC powers to authorize banks, regulate, and conduct ongoing supervisions and undertake corrective actions to address safety and soundness concerns. Although the powers to access parent companies and their affiliates are not explicitly stated in the legal framework, CBRC has in practice the powers to require information on significant shareholders as it deem necessary. The primary objective of banking supervision is from, a legal perspective, to promote the safety and soundness of banks and the banking system. This is set out in law, as is a subsidiary objective whereby the CBRC is required, “towards the objectives” of stability and soundness, to protect fair competition in the banking industry as well as to promote the competitiveness of the banking industry. Hence, CBRC strategy and objectives include, market and economy development considerations, support toward internationalization of Chinese enterprises and in particular preferential treatment to SMEs. Assessors did not, however, find concrete evidence that CBRC has jeopardized its primary mandate of safety and soundness in the pursuit of those objectives. Nevertheless, the assessors also acknowledge that the CBRC is acting in a context where references within the Commercial Banks Law to developmental considerations for banks when conducting their business might result in additional pressures, in time of stress, for both the banks and supervisors to prioritize those considerations over safety and soundness concerns. Additional mandates for the supervisor are common globally and acceptable under the terms of the methodology of the assessment, provided that the soundness and stability 30 PEOPLE’S REPUBLIC OF CHINA objective takes clear precedence. The assessors find that the Chinese legislation meets the test in CP1 which is whether there is clarity of appropriate objectives for the supervisor and a clear legal framework. However, the assessors also recognize that there are circumstances under which the CBRC may find it difficult to act consistently and clearly on the basis of its primary objective. This concern is reflected in CP2, which considers the independence of the CBRC’s capacity for action. Also, specific issues related to the treatment of problem assets, provisions and reserves have been addressed through CP 18. Authorities are recommended: a) to eliminate from the Commercial Banks Law the reference to developmental objectives; b) to amend the Banking Supervision Law to explicitly grant CBRC powers to have access to de facto parents and their affiliates; c) to ensure that CBRC clearly and consistently communicates to banks that their first and foremost commitment is to safety and soundness. Principle 2 Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor. Essential criteria EC1 The operational independence, accountability and governance of the supervisor are prescribed in legislation and publicly disclosed. There is no government or industry interference that compromises the operational independence of the supervisor. The supervisor has full discretion to take any supervisory actions or decisions on banks and banking groups under its supervision. Description and The CBRC is a ministerial level organization under the State Council, originally established findings re EC1 in 2003. In addition to 28 departments in the head office, the CBRC has a national network of 36 provincial offices, 306 field offices and 1,730 supervisory agencies. The CBRC also maintains 4 training centers. Independence Legally, the CBRC’s position is well defined. The Banking Supervision Law (BSL) (Article 5) provides that “there shall be no interference by local governments, government agencies at various levels, public organizations or individuals.” The CBRC reports directly to the State Council. The State Council, that is, the Central People's Government, of the People's Republic of China is the executive body of the supreme organ of state power; it is the supreme organ of State administration. No external agency or individual has the legal right to direct the decisions of the CBRC. The CBRC confirmed that representatives or officials from other government agencies or professionals from the financial industry do not attend the working meetings of the CBRC’s top management. 31 PEOPLE’S REPUBLIC OF CHINA The CBRC’s funding is accounted for and allocated by the MOF in common with the budget management process for central ministries and agencies. Nevertheless, as approved by MOF and National Reform Commission the CBRC levies supervision and business fees. The institution supervision fee is charged in proportion to the institution’s capital and business fee is in relation to scale of assets and can be adjusted according to the risk rating of the bank. Funding is allocated by the MOF and the fees levied by the CBRC flow to central treasury funds. At present funding received by the CBRC is approximately equivalent to the fees that are charged to banks but there is no formal relationship between these two figures (i.e. budget and fees). There have been some changes since the last assessment. First, the CBRC headquarters and local offices may now determine part of their budget structure within the total amount approved by the Ministry of Finance. Secondly, the CBRC and its local offices may apply for additional budget or adjust the budget among different project expenditure categories with MOF’s approval. The CBRC has the power to issue regulatory rules and standards for banking institutions as set out in the Banking Supervision Law (Article 15) and the Legislation Law (Article 80). In the event that the CBRC’s regulations are in contradiction with higher laws, then the Legislation Law (Article 97) provides for the revocation of such regulations by the State Council. The powers under the Legislation Law are widely drawn and while they provide important safeguards against any law or regulation that is ultra vires, Article 97 also permits the State Council to amend or withdraw any “inappropriate rule” and the degree of discretion in determining what is “inappropriate” is not specified. No rule or regulation issued by the CBRC has ever been amended or withdrawn as a result of triggering the powers in the Legislation Law. The CBRC and its local offices have full discretion to impose supervisory actions on banks and banking groups. The CBRC’s decisions, like those of its fellow sectoral regulators, are subject to the provisions of a number of laws (Administrative Licensing Law, Administrative Penalty Law, Administrative Reconsideration Law and Administrative Litigation Law) which ensure that individuals and entities to whom the CBRC decisions apply have right of appeal if they consider their rights have been infringed. The CBRC does not have right of self-determination over its headcount or over its organizational structure. The 2015 reforms (please see following ECs and commentary for more detail) had to be approved by the State Council headcount department. The distribution of staff between head office and the provincial and local offices is also governed by the headcount department. In practice the CBRC’s reform proposals were not modified in the approval process. Accountability Institutional accountability is also set forth legally (Article 14) as the Banking Supervision Law provides that the CBRC shall be subject to the oversight by relevant government agencies such as the National Audit Office (NAO) and the Ministry of Supervision (MOS) under the State Council. As part of the relationship with the State Council, the CBRC regularly answers inquiries from the National People’s Congress, and operates under the oversight of the NAO and the MOS. The NAO’s remit concerns the budget of the CBRC and 32 PEOPLE’S REPUBLIC OF CHINA the MOS’ remit is in respect of the administrative discipline of the CBRC in respect of compliance and enforcement of the State laws and regulations. Transparency is provided for the Banking Supervision Law (Article 12) which requires the CBRC to make public its supervision processes and procedures, and put in place a supervisory accountability system and an internal compliance monitoring mechanism. In practice the CBRC website and its Annual Report contain a wealth of information including the CBRC’s organizational structure, legislative and regulatory notices and statistical information on the banking sector. As noted above, the CBRC reports to the State Council and according to the State Council Working Procedures (Article 34) provides that the State Council and government agencies under it shall use performance assessment and administrative accountability systems to assess the implementation of major decisions, performance of duties, progress of major tasks and development of the agency, and to improve the mechanisms for the correction of errors and ensure strict accountability. Reports submitted to the State Council include the CBRC annual report and an annual summary of the banks. The CBRC chairman and vice chairs attend the work meeting of the State Council and report on the risk conditions of the banking sector. Should a major risk or issue emerge, then, according to the Banking Supervision Law (Article 28), the CBRC local offices will report to the head office of the CBRC and then the CBRC may, in turn, report to the full Council if necessary. With respect to internal procedures and behaviours, the CBRC has developed the Rules on the Performance and Accountability of CBRC Staff and established an internal Accountability Committee headed by the CBRC Chairman. The Rules set out the scope of accountability and the procedures to be followed. Governance The Chairman of the CBRC is appointed by the State Council, as are the five vice Chairmen. The Chairman of the CBRC at the time of the assessment also served as a member of the 18th Central Committee of the Communist Party of China. In 2015 the CBRC undertook a reorganization with the objective of re-emphasising the clarity and effectiveness of its regulatory structure, as described in its Annual Report for 2015. One major shift as a result of the 2015 reorganization was the decision that banks that are active on a nationwide basis would be supervised from headquarters while regional and local banks would be supervised by the Provincial Office network, reflecting a clear move to a more delegated approach and to locate supervisory decisions as close to the banking activities as possible. Headquarters retains the supervisory decision making powers over market entry (ie initial licensing), exit and change of control of the banks but day to day supervision is executed at the local level. Major regulatory initiatives and supervisory issues are discussed and decided at the Chairman’s Work Meeting attended by the top management and department heads. The CBRC explained that the daily supervisory decisions of the CBRC departments and local offices are made by relevant heads, or discussed at the CBRC-level/local-office-level meetings, as the case may be. Decisions on significant initiatives and supervisory issues are subject to approval by superior heads. 33 PEOPLE’S REPUBLIC OF CHINA EC2 The process for the appointment and removal of the head(s) of the supervisory authority and members of its governing body is transparent. The head(s) of the supervisory authority is (are) appointed for a minimum term and is removed from office during his/her term only for reasons specified in law or if (s)he is not physically or mentally capable of carrying out the role or has been found guilty of misconduct. The reason(s) for removal is publicly disclosed. Description and In terms of transparency of appointment, the CBRC Chairman is appointed following a findings re EC2 sequence of procedures set out in the Official Appointment Regulation, including recommendation, assessment, discussion and decision-making. There is fixed tenure in post as the Interim Rules on the Tenure of Government Officials (Article 3) provides that heads of government agencies serve for a term of 5 years. Tenure within post has protections as the Civil Servant Law (Article 13(2)) provides that a civil servant shall not be removed from office, demoted, dismissed or subject to disciplinary action due to non-statutory causes or via non-statutory procedures. Although it is not mandatory, Article 3 of the Interim Rules provides that no more than two consecutive terms should be recommended or served. The CBRC chairman is also subject to the restrictions on when an official can resign (for example, Article 81). Generally the minimum term is 5 years but if an official has not concluded important work for which the official is personally vital, or if the official is undergoing an audit, disciplinary review or investigation, then the official may not stand down. Grounds for dismissal are set out in the Regulations on the Selection and Appointment of Government Officials (Article 57) which provides that a government senior officer falling under any of the following circumstances shall be removed from current position: (a) having reached the age limit for the post or the age of retirement; (b) having been held accountable to such an extent that his/her removal is required; (c) having resigned or been transferred elsewhere; etc. Public disclosure of the reasons for the removal of the CRBC Chairman is not required under legislation. No CBRC chairman has ever been removed from office due to non- statutory causes. The reasons for removal have, in practice, been made public. It may be noted that the CBRC Information Disclosure Rules (Article 9(6)) requires the disclosure of the fact of appointment or dismissal of any important personnel, although not the reasons for dismissal. EC3 The supervisor publishes its objectives and is accountable through a transparent framework for the discharge of its duties in relation to those objectives. 10 Description and The CBRC makes public its supervisory objectives, philosophy, approaches and standards findings re EC3 via its website, press conference, annual reports and through other media. In addition to a clear statement of mandate, objectives, and code of conduct, the Annual Report also includes a forward-looking section that offers a discussion of the future priorities of the CBRC in its supervisory practice. Although the section also describes recent actions and decisions it provides a clear steer to the banking industry in terms of key priorities. 10 Please refer to Principle 1, Essential Criterion 1. 34 PEOPLE’S REPUBLIC OF CHINA The CBRC also set up a Transparency Steering Team (2007) led by a senior CBRC officer and has established the “transparency coordination mechanism” in order to review division of work on transparency in the CBRC and promote implementation of transparency. Available on the CBRC website are a list of administrative responsibilities, a list of information disclosed, the information disclosure guidebook and rules governing information disclosure. In addition, the supervisory rules and regulations issued by CBRC, licensing and punishment decisions made by CBRC and some banking industry statistics collected by CBRC are accessible online. While not mandatory, the CBRC local offices can also make public banking supervision information on the websites of local governments as well as on their own websites. Disclosure practices are underpinned by a number of rules and regulations. The CBRC Information Disclosure Rules set forth requirements on the disclosure of banking supervisory information in order (as described in Article 1) to increase transparency and safeguard legitimate access of citizens, legal persons and other organizations to information of banking supervision. The Surveillance and Assessment Rules of CBRC on Government Information Disclosure set forth requirements on supervising and assessing the effort of government information disclosure. The Regulations on Government Information Disclosure issued by the State Council (Article 6) provides that government agencies shall lawfully disclose government information in a timely and accurate manner. Furthermore (Article 9) information falling under any of the following categories must be disclosed by government agencies on their own initiative: (a) information that involves the vital interests of citizens, legal persons or other organizations; (b) information that needs extensive awareness and participation by the general public; (c) information that shows the structure, functions and working procedures of the administrative authority; and (d) other information whose disclosure is required by laws, regulations and relevant state provisions. For accountability practices please refer to EC 1. EC4 The supervisor has effective internal governance and communication processes that enable supervisory decisions to be taken at a level appropriate to the significance of the issue and timely decisions to be taken in the case of an emergency. The governing body is structured to avoid any real or perceived conflicts of interest. Description and The CBRC has put in place the CBRC Working Procedures and other internal management findings re EC4 rules and policies, which sets forth detailed regulations on the working process, reporting lines and decision-making process within the CBRC. A document, dating from 2004, shortly after the CBRC was established, sets out the cascade of responsibilities and powers from HQ to the Provincial, City and County offices of the CBRC. As part of the 2015 reforms the CBRC also put in place the Operational Procedures of CBRC Headquarter (Provisional) which define the powers, responsibilities and procedures regarding the development of regulatory rules, licensing, OSS, and on-site examination. The objective was to separate the development of regulation from implementation, prudential regulation from conduct regulation, administrative affairs from supervisory issues, off- site/on-site supervision from imposing sanctions and penalties. The changes were 35 PEOPLE’S REPUBLIC OF CHINA accompanied by reforms to supervisory processes and procedures and also supervisory governance. A key objective of the reforms was to focus on coordination between headquarters and the local offices to ensure systemic and coordinated supervision. The legal framework sets the tone for both day to day practices and emergency responses. The Banking Supervision Law sets out requirements and expectations for the CBRC, and provides that that CBRC shall put in place a supervisory accountability system and an internal oversight mechanism (Article 12). With respect to emergencies, the CBRC is required to create an accountability system linked to specific positions with regard to the identification and reporting of banking emergencies and immediately report to the head of the CBRC upon identifying an emergency with the potential to trigger systemic banking risk and/or severely affect social stability (Article 28). Beyond the CBRC itself, and pursuant to Article 29, the CBRC is required to work with PBC, MOF and other relevant authorities to build the banking emergency response system, develop contingency plans, define the contingency response organization and staff as well as their roles and responsibilities, and clearly describe the contingency actions and procedures. The Rules Governing Contingency Plans issued by the State Council sets forth specific requirements on the planning, preparation, approval, release, filing, rehearsal, revision, training and publicity of the contingency plans. Pursuant to the Banking Supervision Law, the Emergency Response Law and other applicable laws and regulations, the CBRC has developed and issued the Major Emergency Events Reporting Policy and the supervisory contingency plan for the banking industry. It has a set of supervisory contingency plans focusing on key risks, and defined the reporting lines, decision-making processes as well as the roles and responsibilities of all parties, so as to enable timely decision-making in case of emergency. It may be noted that the Emergency Response Law covers emergencies including natural disasters, calamitous accidents, public health accidents and public security incidents, which occur abruptly and cause or may potentially cause serious social harm (Article 3). The CBRC’s senior management is comprised of full-time supervisors, with no representation from other government agencies or financial institutions. In terms of avoiding conflicts of interest, the CBRC top management complies with the requirements set forth in the Civil Servant Law and the Implementation Rules on the Recusal of CBRC Headquarter Staff. The Civil Servant Law imposes a 3-year period before an official can work in a supervised institution. EC5 The supervisor and its staff have credibility based on their professionalism and integrity. There are rules on how to avoid conflicts of interest and on the appropriate use of information obtained through work, with sanctions in place if these are not followed. Description and The issues of skills, professionalism, integrity and confidentiality are addressed in the findings re EC5 Banking Supervision Law (Articles 9, 10 and 11). The law provides that CBRC supervisors shall have the professional skills and work experience as required for performing their duties; that CBRC staff shall perform their duties with integrity and in accordance with laws and regulations, and shall be prohibited from taking advantage of their positions to seek 36 PEOPLE’S REPUBLIC OF CHINA inappropriate gains, or concurrently holding position in any bank; and CBRC staff must shall protect the confidentiality of State secrets and of the confidential information of the supervised banking supervision. Furthermore, the Law requires investigation of criminal liability or administrative penalty, as applicable if State secrets, commercial secrets or personal privacy has been infringed. The Civil Servant Law (including Articles 68, 70 and 71) sets out broad-ranging prohibitions to address conflict of interests such as prohibition on accepting a post or performing official duties when (a) his/her personal interests are involved; (b) interests of his/her relatives are involved; or under “other circumstances which may interfere with the performance of his/her official duties.” These restrictions are articulated in more detail in the “Implementation Rules for Duties Performed by CBRC Staff”. Similarly, at a more granular level, the CBRC has put in place recusal and confidentiality policies. Regulations, including the Rules on Preserving Work-related Secrets by CBRC Headquarter, the CBRC Confidentiality Policy, the Code of Conduct for CBRC Staff, the Provisional Rules on the Performance and Accountability of CBRC Staff, and the Opinions of CBRC on Further Strengthening Staff Recusal Rules, prescribe detailed requirements on preservation of secrets, recusal, and accountability for non-compliances. Where a staff member fails to meet the requirements for confidentiality and recusal, the CBRC requires the staff member in question and his/her department or local office to make timely correction, and investigation of accountability will be undertaken accordingly. Article 14 of the Provisional Rules on the Performance and Accountability of CBRC Staff provides that where a supervisor has leaked supervisory information or commercial secrets of banking institutions, and such leakage constitutes violation of applicable regulations, the staff member shall be held accountable and dealt with by circulating a notice of criticism, transferring from current positions, demoting, requiring him/her to resign or dismissing, imposing disciplinary actions, or handing over to court if such violation constitutes a crime. The CBRC places value on openness of procedures and on the cultivation of a pool of skilled professionals to foster public confidence in the institution. The establishment of the International Advisors Council was intended to broaden the CBRC’s exposure to world leading expertise and advice in the supervisory field. Over the years since the global financial crisis, CBRC participation in international supervisory fora and gatherings has increased and a number have swiftly been able to adopt leading roles in policy development and practices. Discussions with banks revealed a consistently high regard for the rigor of the CBRC and its constructive approach. Banks perceived the CBRC to be a supportive authority but one that was unafraid to challenge or to say no and to disagree with the firm. Major banks pointed to the very long lead times that the CBRC had required before it was ready to grant supervisory approvals for more advanced methodologies. EC6 The supervisor has adequate resources for the conduct of effective supervision and oversight. It is financed in a manner that does not undermine its autonomy or operational independence. This includes: 37 PEOPLE’S REPUBLIC OF CHINA (a) a budget that provides for staff in sufficient numbers and with skills commensurate with the risk profile and systemic importance of the banks and banking groups supervised; (b) salary scales that allow it to attract and retain qualified staff; (c) the ability to commission external experts with the necessary professional skills and independence, and subject to necessary confidentiality restrictions to conduct supervisory tasks; (d) a budget and program for the regular training of staff; (e) a technology budget sufficient to equip its staff with the tools needed to supervise the banking industry and assess individual banks and banking groups; and (f) a travel budget that allows appropriate on-site work, effective cross-border cooperation and participation in domestic and international meetings of significant relevance (e.g. supervisory colleges). Description and Please refer also to EC1 for information on the funding of the CBRC. In terms of legislation, findings re EC6 the Administrative Rules on the Finance of CBRC, CSRC and CIRC has superseded the Provisional Rules on the Finance of CBRC, CSRC and CIRC issued by the MOF in 2004. From 2011 to 2015, the CBRC’s funding increased approximately 6 percent from RMB 4.865 billion to RMB 5.165 billion. Over the same period the level of staffing has remained stable at around 24,000 staff—almost identical to the headcount at the time of the last BCP assessment. As noted above, the CBRC has no autonomy to increase its budget or headcount. It successfully made a request to increase by 10 staff to focus on illegal fund raising. Nevertheless, compensation has increased by over 44 percent from RMB 1.66 billion in 2011 to RMB 2.401 billion, with average compensation increasing by 42 percent. The CBRC compensation level is commensurate with that of other government agencies and staff turnover rate has been less than 2 percent for the last five years equating to approximately 300 supervisors each year. However, taking figures from 2014, most of the departures from HQ have been director or director general level. The CBRC headquarters has specialist skills in its workforce. As of end June 2016 there were 32 IT specialists and approximately a hundred risk specialists, of whom 60 are credit risk specialists. It should be noted that over the period between end 2010 and end 2015 the banking sector has grown from 288 to 1,053 banks and the assets of the banking system have also grown by 110 percent. In terms of recruitment the CBRC recruits via the Civil Servant Enrollment Examination and public recruitment examinations. Since 2005, 8 public examinations have been held to recruit 60 high-caliber professionals, 3 of whom were included in the Thousand Talents Program of China, which is a recruitment program of global experts launched in 2008 to attract the highest quality talents to China. Currently, the CBRC has a headcount of approximately 24,000, the majority of whom have graduate status. Among them, 15,122 or 64 percent have a bachelor’s degree; 4,471 or 18.92 percent hold a master’s degree or 38 PEOPLE’S REPUBLIC OF CHINA above, including 299 PhD degree holders, accounting for 1.27 percent. A significant number of staff has overseas educational experience. The CBRC has available funds to commission external experts and consultants with expertise in regulation and supervision subject to necessary confidentiality arrangements. For example, work on enhancing off-site indictors and stress tests had been developed in a project jointly with the ADB in which external consultants had been hired and costs shared with the ADB. There is separate budget for staff training, which has been running at around RMB 20 million per year and which is used to deliver the annual training plan which is developed at the start of each year. Separate budgets are also available for IT development, on-site examination and cross- border cooperation. The annual investment in the IT budget around RMB 260 million in information technologies, and the annual expenses on on-site examination and international supervisory cooperation stood at around RMB 400 million and RMB 8 million respectively. The CBRC participate in Basel and FSB meetings at multiple levels as well as in colleges of supervisors, crisis management groups and conduct on-site examinations in host jurisdictions. Improvements to IT systems as a result of investments include developments to the OSS information system and customer risk information system such as the “statistical information net” for better internal information sharing efficiency. Similarly, the Examination and Analysis System Technology (EAST) system has been developed to improve the efficiency of on-site examination. EC7 As part of their annual resource planning exercise, supervisors regularly take stock of existing skills and projected requirements over the short- and medium-term, taking into account relevant emerging supervisory practices. Supervisors review and implement measures to bridge any gaps in numbers and/or skill-sets identified. Description and As a general basis, professional training is addressed by legislation including the Civil findings re EC7 Servant Law, which applies to government agencies, and requires that individuals shall be provided with initial training, and, as necessary, professional training, including continuous professional development (Articles 61 and 62). Training received is taken into consideration in performance assessment as well as in decisions on appointment and promotion. The length of the training on the job (how many hours) is decided by relevant department in charge of civil servant management. More specifically, the CBRC provides training programs to improve supervisory staff’s professional skills. At the beginning of every year, the CBRC develops an annual training plan in light of its supervisory priorities. In recent years, about 50 training programs were provided per year. Since 2013, the CBRC has held 198 training workshops for 14,000 participants. Local offices also develop their respective training plans in light of their key risk areas, supervisory focuses and gaps in skill sets. In addition, since 2011, the CBRC has organized 35 overseas training workshops for 1,021 participants. It has also recommended supervisors for overseas study and training programs. As part of the planning process to design an appropriate training program, the CBRC issues an annual questionnaire to staff as an input into identifying skills needed. There is specialized training for staff at director 39 PEOPLE’S REPUBLIC OF CHINA general level and also targeted training for mid-rank officers for innovative businesses and other business priorities (see below). The CBRC HR department factors in emerging needs as part of its recruitment strategy. As part of a focus on enhancing skills and professionalism, but also to support efficient access to specialist skills, the CBRC has set up a regulation expert team and built a number of talent pools, such as the pool of overseas returnees and talents for international organizations, pools dedicated to on-site examination, economic and financial research, regulation formulation and legal affairs, Off-site surveillance (OSS), and financial innovation supervision. There are dedicated experts in capital adequacy, credit, market, liquidity and operational risks. It has actively participated in the research and development of international regulatory rules. The talent pools dedicated to OSS and on-site examination also have risk management experts. The CBRC has also set up expert taskforces dedicated to major tasks or professional fields. For example, borrower rating, debt rating, and market risk expert taskforces comprising members from the Large Commercial Banks Supervision Department and local offices were set up to facilitate the verification and assessment of the Advanced Approach to capital adequacy supervision of large banks. Task forces have also been established to address financial innovation including such issues as wealth management, asset securitization and credit card business. EC8 In determining supervisory programmes and allocating resources, supervisors take into account the risk profile and systemic importance of individual banks and banking groups, and the different mitigation approaches available. Description and The Banking Supervision Law establishes the expectation that the CBRC take a risk approach findings re EC8 to its operations and use of resources and this expectation is followed through in the Rules and Guidelines of the CBRC. The Banking Supervision Law (Article 27) provides that the CBRC shall establish a supervisory rating system and an early risk warning system, and based on the rating and risk profile of each individual bank, CBRC shall determine the frequency and scope of on- site examination as well as other supervisory actions that may be deemed necessary. The concept is underpinned by the Off-site Surveillance Rules (Article 5) which requires differentiated OSS to be implemented in the light of individual banks’ risk profile and systemic importance. Subsequent articles (notably 44) requires the proper allocation of supervisory resource, and differentiated supervisory actions based on risk analysis (of individual banks and peer groups). The annual on-site examination plan, as required by the On-site Examination Rules (Article 20) is based on opinions from the institutional supervisory departments, functional supervisory departments and CBRC local offices and it allocates available resources accordingly. The Rules on Chief Supervisors and Examiners provide that the number of institutions under one designated chief supervisor shall be determined according to the risk profile of the institutions. 40 PEOPLE’S REPUBLIC OF CHINA Article 16 of the Internal Guidelines on Supervisory Ratings of Commercial Banks provides that supervisory rating results shall serve as an important reference for determining supervisory plans and allocating supervisory resources. Please see CPs 8 and 9 for more details of the risk assessment approach taken by the CBRC. Based on discussions with the CBRC and review of supervisory materials, in the assessors’ view, when allocating supervisory resources, the CBRC takes into account characteristics of banks’ risk profiles. It allocates significant share of resources for addressing prominent risks by strengthening OSS, on-site examination, and regulation development if necessary. More resources are allocated to the supervision over large banks with great systemic importance, which is one of the CBRC’s supervisory focuses. Building on the minimum supervisory standards, more stringent requirements with regard to capital adequacy, asset quality, provisioning, etc. are set for those large banks. In 2015, altogether 2,142 and 2,260 supervisors were involved in OSS and on-site examinations on large banks respectively. The CBRC places emphasis on examining and assessing intrinsic risks of large banks’ business activities and their risk management capability. Each year, the CBRC conducts examinations of large banks. In 2015, the number of on-site examination conducted by the CBRC on the 5 major banks accounted for 50 percent of the total. Appropriately 90 percent of the CBRC local offices participated in these examinations. EC9 Laws provide protection to the supervisor and its staff against lawsuits for actions taken and/or omissions made while discharging their duties in good faith. The supervisor and its staff are adequately protected against the costs of defending their actions and/or omissions made while discharging their duties in good faith. Description and Legal protection for the CBRC and staff is clearly set out in the Banking Supervision Law. findings re EC9 Article 5 provides that the CBRC and its staff are protected by law while performing supervisory responsibilities in accordance with laws and regulations. Additionally, under the Administrative Procedure Law (Article 26) where a citizen, a legal person or any other organization files a lawsuit against the actions of a government agency, only the government agency that has taken the administrative actions shall be the defendant. Hence should a lawsuit be brought against actions of a government agency, the supervisory staff will not be subject to litigation nor liable for any costs. To date, other than in a very few cases, the courts have found in favor of the CBRC in all cases of administrative litigation and the costs have been funded by the supervisory authorities. Any litigation costs imposed on the CBRC must be funded by the annual budget. Assessment of Materially Non Compliant Principle 2 Comments The CBRC has legal independence as granted by the Banking Supervision Law. Nevertheless, there are avenues through which the CBRC’s independence and authority are or can be undermined and its ability to fulfil its legal mandate thwarted. As noted in CP1, the CBRC enjoys a clear legal framework, but CP2 considers whether the supervisory authority has the independence to permit it to act always in accordance with its mandate. There are a number of elements which undermine the CBRC, however, and cast 41 PEOPLE’S REPUBLIC OF CHINA doubt on whether the CBRC can, in all circumstances, act on its mandate as drafted, namely protecting soundness and stability as its primary objective. One factor is the potential for the State Council to override certain CBRC regulations or supervisory decisions although reportedly, no supervisory decision has been over-turned. This State Council power, while unused, has not been removed, as recommended in the previous FSAP. Of course, the CBRC is a ministerial level organization that reports directly to the State Council, and accountability to the State Council is vital, but equally the CBRC needs the ability and willingness to take an independent stance, particularly if prudential conservatism were ever seen at odds with or capable of restricting other goals that were clearly championed by the State Council, such as financial or economic opportunity. For example, credit growth targets can conflict with stability objectives, and particularly so in regions where there may be a dearth of viable credit worthy enterprises or counterparties. In such instances, CBRC prudential standards aimed at ensuring financial institutions remain soundly based, could easily be seen as economically unsupportive to the local region as credit is withheld and certain industries might struggle. While the CBRC has re-enforced the centrality of soundness and stability, the assessors nonetheless share a concern that it may be hard for the CBRC always to act on its primary (soundness and stability) objective. Another factor is that although the CBRC has embraced transparency as part of its supervisory philosophy, should the Chairman of the CBRC be dismissed, there is no legislative requirement for the disclosure of the reasons for the dismissal. Operational independence is lacking in respect of resourcing as the CBRC has autonomy over neither its staffing numbers nor its internal organization. Without an adequate complement of skilled staff, the CBRC is not able to fulfil its mandate and its independence is de facto compromised. For example, the 2015 major internal reorganization of departments, which has permitted a valuable re-focusing on the CBRC’s core mandate, relied upon the approval of the State Council headcount department. Despite the 110 percent increase in banking sector assets in five years, the CBRC’s headcount has remained static. Within this inelastic resource envelope, a provincial office with responsibility for a burgeoning region could not be granted supplementary resources without removing resources from elsewhere which would be sub-optimal, even if it were permitted. The increase of scale of financial sector does not require a linear increase in the supervisory authority’s resources, but the growing complexities of the system, in particular the interconnectedness between different parts of the financial sector, and the demands of implementing the post crisis international regulatory agenda, place heavy demands on a supervisory authority whose resources have not been amplified in more than a decade. While the CBRC is to be commended on enhancing its specialist skillsets, refreshing its supervisory techniques, and adapting its IT tools, all of which have enabled the CBRC to perform well in this assessment, the complement of staff also needs to be increased, with a focus on needed skills, such as in the emerging field of supervisory stress testing, and this decision does not rest with the CBRC. It is recognized that public resources need to be deployed carefully, but the supervisory authorities remain on the front line of defense and ensuring early intervention through appropriately intense scrutiny comes at significantly lower cost than wide scale capital injection in the event of a major, or system wide banking failure. 42 PEOPLE’S REPUBLIC OF CHINA In view of the increasing sophistication and supervisory demands of the GSIBs, as well as the need to ensure that the CBRC can continue or, better, further devote attention to smaller and regional institutions which together account for roughly one fifth of the system, the need for the CBRC to augment resource is now at critical level. Building on the supervisory vision expressed in CBRC publications such as the Annual Report, a detailed forward strategy for supervision, covering three to five years, would serve as a vehicle for the CBRC to articulate its case for resources. It is noted that the CBRC has already developed a medium-term fiscal expenditure plan to make its budget more forward- looking. The CBRC as an institution and its staff as individuals command the respect of the industry. The Annual Report has developed significantly as a vehicle for the CBRC to articulate its supervisory philosophy and its forward-looking agenda. Although the CBRC is a prestigious institution, there is already some evidence in staff turnover data to suggest that the widening salary gap between public and private sector may be siphoning seasoned and skilled staff out of the authority into the industry. A recalibration of salary scales is recommended. Principle 3 Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information. 11 Essential criteria EC1 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with all domestic authorities with responsibility for the safety and soundness of banks, other financial institutions and/or the stability of the financial system. There is evidence that these arrangements work in practice, where necessary. Description and China legal framework provides the grounds for the establishment of cooperation findings re EC1 arrangements with domestic authorities with responsibilities for the safety and soundness of banks and overall financial stability. Article 6 of the Banking Supervision Law provides that CBRC shall establish supervisory information sharing mechanisms with the PBoC and other financial regulatory authorities under the State Council. Article 29 of the Banking Supervision Law provides that CBRC shall work with relevant government agencies, including the PBoC, and the Ministry of Finance (MoF) to establish the banking emergency response mechanism, develop contingency plans for banking emergencies, clearly designate the agencies and staff in charge as well as their roles and responsibilities, and set forth the contingency response actions and procedures, so as to deal with banking emergencies in a timely and effective manner. In addition, Article 9 of the PBoC Law states that the State Council shall establish a coordination mechanism for financial regulation and supervision and formulate specific measures for it. 11 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29). 43 PEOPLE’S REPUBLIC OF CHINA CBRC regulatory framework further elaborates on cooperation and information sharing. The Guidelines on the Consolidated Management and Supervision of Commercial Banks elaborate on the cooperation arrangements for interagency cooperation. Article 89 provides that CBRC shall, according regulatory coordination arrangements and cooperation agreements, maintain sound communication with China Insurance Regulatory Commission (CIRC) and China Securities Regulatory Commission (CSRC) and other regulatory authorities, which should make joint efforts to promote information sharing and consultations on major issues, timely understand the profile of risks associated with cross- sector operations of banking groups and the judgments of relevant regulatory authorities, and strengthen regulatory and supervisory cooperation to avoid supervisory overlaps and loopholes and prevent cross-sector risk contagion. In addition, Article 22 of the Rules of CBRC on Off-site Surveillance provides that supervisory authorities at various levels shall strengthen information sharing and supervisory coordination with PBC, CSRC, CIRC and other related agencies, in order to form supervisory synergy and ensure the soundness of the banking system. In practice, a number of mechanisms for collaboration and information sharing have been established, which include the Financial Crisis Response Group (FCRG) under the State Council, the Financial Regulatory Coordination Joint Ministerial Committee (JMC), an MoU between supervisory agencies, and an MoU between the supervisory agencies and PBC, in addition to the Emergency Response Policy (contingency plan). The FCRG was established in 2010, in the aftermath of the financial crisis. It is chaired by the Vice Premier of the State Council in charge of the financial sector and includes representatives from PBoC, the State Administration of Foreign Exchange (SAFE), the National Development and Reform Commission (NDRC), the Ministry of Finance (MoF), CBRC, CIRC and CSRC. The FCRG meets regularly, discussing financial stability issues and concerns. The JMC was created in August 2013, aiming at enhancing policy coordination, closing supervisory gaps and avoiding supervisory arbitrage maintaining financial stability. The JMC is chaired by the governor of PBoC, and attended by the chairs of CBRC, CSRC, CIRC and SAFE. Since its creation it has held 13 meetings, in addition to 20 technical meetings to further explore specific topics among focal points of the respective institutions. The PBoC holds the secretariat. In practice, the JMC has focused most of its discussions on cross- sectoral issues and cross market financial innovation. The discussion of individual entities is not part of the scope of the JMC. The JMC has one permanent working group dedicated to the establishment of a comprehensive statistical system. The system has been already designed but implementation is yet to begin. One of the outputs of the engagements through the JMC has been the issuance of joint regulations, including on FinTech and payment system related issues. Within the cooperation and coordination efforts, other joint regulations have also been issued, including a CBRC/CIRC regulation on distribution of insurance products and a 44 PEOPLE’S REPUBLIC OF CHINA PBC/CBRC regulation on third party payment institutions, regulating the business conducted by commercial banks with those third parties. Other cooperation initiatives include consultations on specific topics and thematic joint examinations on cross sectoral issues. Ad-hoc communication with CIRC and CRSC on individual cases/supervised entities occur based on particular concerns, related to cross- sectoral issues. PBoC and CBRC share information through a database system accessed through the intranet. While PBC provides CBRC with information on aggregate figures for total lending, lending by sectors, interbank operations and reserves, CBRC provides PBoC with information on prudential ratios and asset qualification. CIRC and CRSC feed to CBRC monthly physical reports, with aggregate information for their respective markets, and CBRC shares monthly newsletters summarizing recent initiatives, market trends and issues of concern. EC2 Arrangements, formal or informal, are in place for cooperation, including analysis and sharing of information, and undertaking collaborative work, with relevant foreign supervisors of banks and banking groups. There is evidence that these arrangements work in practice, where necessary. Description and Just as with domestic authorities, the legal framework established in China provides for the findings re EC2 establishment of arrangements for cooperation with foreign supervisions. Article 7 of the Banking Supervision Law provides that CBRC may establish supervisory cooperation mechanisms with the banking supervisory authorities in other countries and jurisdictions for cross-border supervision. Article 11 of the Banking Supervision Law makes a general statement requiring CBRC staff to preserve the confidentiality of information. It also provides that CBRC shall have in place information confidentiality arrangements with banking supervisors of other countries/regions with respect to exchanges of supervisory information. Article 4 of the Working Procedures of CBRC on Cross-border Banking Supervisory Cooperation stipulates that supervisory cooperation shall be established in the form of MOUs or other forms agreed by both parties. Article 8 prescribes that CBRC and overseas supervisors share supervisory information with each other, including information needed for licensing and ongoing supervision. Article 91 of the Guidelines on the Consolidated Management and Supervision of Commercial Banks authorizes the banking regulatory authority to have supervisory cooperation arrangements with overseas authorities in the form of bilateral MoUs or others, strengthening cross-border supervisory coordination and information sharing and taking necessary cross-border supervisory actions to ensure effective supervision on banks’ affiliates overseas. Detailed requirements include: a) CBRC shall exchange supervisory opinions with the host supervisors with respect to the risk profile of banks’ overseas establishments; b) For commercial banks with overseas operations, CBRC shall establish international supervisory college, in line with the risk profile, complexity and systemic importance of 45 PEOPLE’S REPUBLIC OF CHINA such banks. Meanwhile, crisis management group for G-SIBs shall be established, and the routine communication and cooperation with the host supervisors shall be strengthened; c) Before conducting the cross-border on-site examination, CBRC shall notify the host regulatory authority the purposes and coverage of the examination in advance. After the on-site examination, CBRC may inform the host supervisor of the results and conclusion of the examination; d) As a home supervisor, CBRC may inform the host supervisors of changes in significant supervisory measures; e) CBRC shall comply with applicable laws, regulations, bilateral MOUs and agreements when exchanging supervisory information with the overseas authorities and keep confidentiality of information received. Article 23 of the Rules of CBRC on Off-site Surveillance provides that CBRC shall enhance the cooperation with overseas financial supervisors via supervisory college and consultations. In practice, CBRC has established a significant number of MoUs and other cooperation arrangements, with a total of 63 jurisdictions and there is evidence that arrangements work in practice. In particular, bilateral meetings are systematically conducted with the most relevant jurisdictions. In addition, CBRC has been organizing supervisory colleges for its 4 G-SIBs, also actively participating at colleges as a host supervisor. Correspondence made available to the assessors indicate that results of examinations have been shared with host authorities, upon request. EC3 The supervisor may provide confidential information to another domestic authority or foreign supervisor but must take reasonable steps to determine that any confidential information so released will be used only for bank-specific or system-wide supervisory purposes and will be treated as confidential by the receiving party. Description and The MoU among CBRC, CSRC and CIRC establishes that the recipient of information findings re EC3 received should protect the confidentiality and guarantee that it will be used for supervisory purposes only. The legal framework enables CBRC to share confidential information with foreign supervisors. Article 11 of the Banking Supervision Law provides that CBRC shall have in place information confidentiality arrangements with banking supervisors of other countries/regions with respect to exchanges of supervisory information in order to ensure the preservation of confidentiality. As already mentioned, Article 91 of the Guidelines on the Consolidated Management and Supervision of Commercial Banks provides that supervisory information sharing between CBRC and overseas regulatory authorities shall be in accordance with applicable laws and regulations, bilateral regulatory MOUs and regulatory cooperation agreements. CBRC is responsible for protecting the confidentiality of relevant supervisory information. 46 PEOPLE’S REPUBLIC OF CHINA Article 30 of the Law of the People's Republic of China on Maintaining State Confidentiality provides that in the event that state secrets are required to be provided to organizations or authorities for cooperation purposes, prior approval from relevant departments of the State Council (CBRC is a State Council department) or the provincial governments should be obtained and the party receiving the confidential information shall sign a confidentiality agreement. The Working Procedures of CBRC on Cross-border Banking Supervisory detail procedures and information to be exchanged, including the need for confidentiality and that information is expected to be used for supervisory purposes only. Article 20 of the procedures establishes that CBRC has the right to refuse providing information due to confidentiality issues. In practice, CBRC informed not to have any legal difficulties in providing confidential information for supervisory purposes. In practice, the assessors had access to MoUs establishing that authorities receiving information are required to keep them confidential and that such information is only to be used for supervisory purposes. EC4 The supervisor receiving confidential information from other supervisors uses the confidential information for bank-specific or system-wide supervisory purposes only. The supervisor does not disclose confidential information received to third parties without the permission of the supervisor providing the information and is able to deny any demand (other than a court order or mandate from a legislative body) for confidential information in its possession. In the event that the supervisor is legally compelled to disclose confidential information it has received from another supervisor, the supervisor promptly notifies the originating supervisor, indicating what information it is compelled to release and the circumstances surrounding the release. Where consent to passing on confidential information is not given, the supervisor uses all reasonable means to resist such a demand or protect the confidentiality of the information. Description and As already mentioned, Article 11 of the Banking Supervision Law provides that CBRC may findings re EC4 exchange supervisory information with banking supervisors of other countries or jurisdictions making arrangements to preserve confidentiality. Article 22 of the Working Procedures of CBRC on Cross-border Banking Supervisory Cooperation provides that CBRC staff shall abide by confidentiality rules proscribed in the MOUs. No information shall be revealed without the provider’s approval. CBRC shall ensure safe keeping of the information received from the overseas supervisory authorities. Information should be used for supervisory purposes only. Article 23 states that if CBRC is required to provide confidential information received from other parties under supervisory cooperation MOUs to judiciary agencies, CBRC shall protect information confidentiality to the largest extent on the legal basis. There are no provisions on the need to notify the originating supervisor indicating what information CBRC has been legally compelled to release and the circumstances surrounding the release. CBRC informs never to have been subject to such cases. EC5 Processes are in place for the supervisor to support resolution authorities (e.g., central banks and finance ministries as appropriate) to undertake recovery and resolution planning and actions. 47 PEOPLE’S REPUBLIC OF CHINA Description and The legal framework empowers CBRC to take over, facilitate restructuring or close a bank. findings re EC5 CBRC is yet to establish a recovery and resolution framework per se. To that end, CBRC has drafted the Regulations on Resolving Bankruptcy Risk of Commercial Banks, which was submitted to the State Council for legal review. Article 29 of the Banking Supervision Law provides that for the purpose of effectively responding to banking emergencies, CBRC shall work with PBoC, MoF and other relevant agencies to develop banking emergency response mechanism, formulating contingency plans, designating institutions and staff as well as their roles and responsibilities, and stipulating resolution measures and procedures. CBRC reported that an emergency response plan has been established at the State Council level encompassing banking, insurance and securities. Both Article 38 of the Banking Supervision Law and Article 64 of the Commercial Banks Law providee for CBRC intervention if a bank is failing or likely to fail. Article 38 of the Banking Supervision Law provides that when a bank is experiencing or likely to experience a credit crisis, thereby seriously jeopardizing the interests of depositors and other customers, CBRC may take over the bank or facilitate restructuring according to laws and regulations. Similarly, Article 64 of the Commercial Banks Law provides that when a bank is experiencing or likely to experience a credit crisis, thereby seriously jeopardizing the interests of depositors, CBRC may take over the bank in order to take the necessary measures to protect the interest of depositors. Article 39 of the Banking Supervision Law provides that when a bank has been found in serious violation of laws and regulations or conducting significant unsafe or unsound practices, thereby seriously threatening financial stability and public interests, CBRC shall have the authority to close the bank in accordance with applicable laws and regulations. Article 71 of the Commercial Banks Law states that in the event that the commercial bank has due but unpaid debt, with CBRC consent, the people’s court can declare its bankruptcy according to law. In case of bankruptcy of a commercial bank, the court shall organize the CBRC and relevant agencies to form a liquidation group to conduct liquidation. Assessment of Compliant Principle 3 Comments Legal and regulatory provisions, as well the arrangements currently in place, provide for a sound framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors, reflecting the need to protect confidential information. Cooperation and collaboration arrangements in place and seem to be functioning as envisioned by the authorities. The breadth and depth of data and information gathered from domestic supervisors, particularly CIRC and CSRC should benefit from an expected and necessary increase within the context of an effective consolidated supervisory framework. 48 PEOPLE’S REPUBLIC OF CHINA In addition, CBRC should consider including into its procedures, the need to notify the foreign supervisor in case CBRC is legally compelled to disclose confidential information received from a foreign supervisor. Principle 4 Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled. Essential criteria EC1 The term “bank” is clearly defined in laws or regulations. Description and Both the Commercial Banks Law and the Banking Supervision Law define the term bank. findings re EC1 Article 2 of the Commercial Bank Law defines banks as entities established to take public deposits, make loans, conduct settlement of accounts and engage in other authorized activities in accordance with the Commercial Bank Law and the Company Law of the People’s Republic of China (Company Law). Article 11 states that a commercial bank shall be subject to the examination and approval of the CBRC and that no entity or individual may engage in absorbing public deposits or other business of a commercial bank without CBRC approval. The Banking Supervision Law (Article 2), for the purpose of determining the scope of application of banking supervision, establishes that CBRC is responsible for the regulation and supervision of banking institutions, defining banking institutions as financial institutions established in China that take deposits from the general public, including, commercial banks, urban credit cooperatives and rural credit cooperatives, in addition to policy banks (which are not-deposit takers). EC2 The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined either by supervisors, or in laws or regulations. Description and Article 3 of the Commercial Bank Law lists 13 categories of business that commercial banks findings re EC2 can engage in, including deposit taking, granting loans, settlement services, issuing bonds, negotiating government bonds, FX trading, guarantees, interbank operations and others, all typical of commercial banking. Banks are also allowed to engage in other business activities upon CBRC approval. Banks are not allowed to undertake trust and broker dealer activities, nor invest in non-banking financial institutions, commercial enterprises and non-use real estate property unless authorized by the State Council (upon analysis by the CBRC). The activities that a bank can effectively undertake are determined at the time of licensing and any changes/ additions are subject to further supervisory approval. Trust and brokerage activities, investments in non-banking and non-financial institutions, as well as real estate (unless for its own use) are not permitted (Article 43) unless approved by the State Council. In practice, since 2009 CBRC has expended the permissible activities through a set of pilot programs towards universal banking some years ago, including fund management activities, equity investments in insurance companies, leasing companies and consumer finance companies. 49 PEOPLE’S REPUBLIC OF CHINA Article 92 states that the Commercial Bank Law is applicable to foreign-funded banks unless provisions are made in other laws and regulations. Article 29 of the Foreign-funded Banks Regulations list the business activities that foreign-funded banks can engage, also establishing that other business activities require special regulatory approval. In practice, foreign banks are allowed to conduct the same activities as local banks, in addition to financial advisory services. Article 3 of the Commercial Bank Law establishes that banks’ business scope shall be defined in commercial banks’ articles of association and submitted to CBRC for approval. Article 27 provides that changes to business scope shall be subject to regulatory approval. Banks are not allowed to conduct financial activities beyond the approved scope. Breach of rules will lead to either administrative punishment or criminal liabilities. (Article of the Rules on Regulatory Sanctions against Illegal Financial Business Operations). EC3 The use of the word “bank” and any derivations such as “banking” in a name, including domain names, is limited to licensed and supervised institutions in all circumstances where the general public might otherwise be misled. Description and Article 11 of the Commercial Bank Law provides that no entity shall use the word “bank” in findings re EC3 its name or engage in deposit taking or other business of a commercial bank without CBRC approval. Article 79 provides that any institution that uses the word “bank” in its name without authorization shall be ordered by CBRC to correct (i.e. stop) and its illegal gains, if any, shall be confiscated or a fine shall be imposed (if illegal gains are less than RMB 50,000 yuan. In addition, Article 81 provides that those who set up a bank without approval or take public deposits illegally or in any disguised form shall be banned (i.e. declared illegal, terminate activities and make the fact public) and subject to criminal liabilities. Article 174 of the Criminal Law of the People’s Republic of China (Criminal Law), establishes that setting up a bank without CBRC approval results in incarceration and a fine. Article 176 provides that whoever takes deposits from the general public illegally or in disguised form, thereby disturbing the financial market shall be sentenced to fixed-term imprisonment or criminal detention, and concurrently or independently be sentenced to a fine. EC4 The taking of deposits from the public is reserved for institutions that are licensed and subject to supervision as banks. 12 Description and In addition to banks, rural and credit cooperatives are also deposit takers, supervised by findings re EC4 CBRC but deposits are immaterial, amounting to 3.71 percent of total deposits. Article 11 of the Commercial Bank Law establishes that no entity or individual may engage in deposit taking activities without the approval of the CBRC and Article 19 of the Banking Supervision Law provides that no institution or individual may establish a banking financial institution nor engage in banking activities without CBRC authorization. As described in EC3, the Commercial Bank Law and the Criminal Law set up a strong framework for punishment the illegal taking of deposits from the public. In fact, CBRC is particularly 12 The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system. 50 PEOPLE’S REPUBLIC OF CHINA committed to the prevention of illegal deposit taking, with a dedicated department for such purpose. EC5 The supervisor or licensing authority publishes or otherwise makes available a current list of licensed banks, including branches of foreign banks, operating within its jurisdiction in a way that is easily accessible to the public. Description and CBRC ensures that the information on licensed banks is publicly available and that the findings re EC5 legitimacy of an entity operating as a bank is known to the public. Three main methods are used for this purpose: (a) making announcements on bank’s establishment, changes or termination of business in relevant media; (b) requiring banks to display licenses in noticeable places at all service venues; and (c) updating licensing information on banks, including foreign bank branches on its website. Assessment of Compliant Principle 4 Comments The permissible activities for Banks operating in China are clearly defined and the use of the word “bank” in names is controlled, with stringent punishment for the use of the word bank or deposit taking by unauthorized entities. Principle 5 Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management) 13 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained. Essential criteria EC1 The law identifies the authority responsible for granting and withdrawing a banking license. The licensing authority could be the banking supervisor or another competent authority. If the licensing authority and the supervisor are not the same, the supervisor has the right to have its views on each application considered, and its concerns addressed. In addition, the licensing authority provides the supervisor with any information that may be material to the supervision of the licensed bank. The supervisor imposes prudential conditions or limitations on the newly licensed bank, where appropriate. Description and The Banking Supervision Law and the Commercial Bank Law establish the CBRC as the findings re EC1 authority responsible for granting and withdrawing a banking license. Article 16 of the Banking Supervision law states that in accordance with the criteria and procedures provided in applicable laws and regulations, the CBRC shall authorize the establishment, changes, termination and business scope of banking financial institutions. Article 11 of the 13 This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction. 51 PEOPLE’S REPUBLIC OF CHINA Commercial Banks Law states that the establishment of a commercial bank shall be subject to CBRC approval. From 2011 to 2015, CBRC received 870 applications for commercial banking licenses from domestic entities, among which 8 applications were for private-owned banks, and the remaining 862 for rural commercial banks, established through transformations or mergers of rural credit cooperatives or rural cooperative banks. It also received 41 applications for commercial banking licenses from foreign entities (4 for subsidiaries, 37 branches). CBRC imposes restrictions ex-ante for all banks within a certain segment, e.g. for rural banks (FX operations for a period of time and upon authorization, after meeting specific conditions) and foreign-funded banks (RMB transactions for at least one year)). In addition, currently, in practice, Rural banks are subject to higher capital requirements at the onset (12 percent). CBRC may also impose further restrictions on activities—business scope and products and have done so on occasion. New licenses issued to rural commercial banks established through transformation from single rural credit cooperative or rural cooperative bank on the county level, are approved at the CBRC provincial office both for preparation and establishment/opening. Other new licenses, which are issued to Chinese banks, foreign-funded banks and rural commercial banks established through merger of two or more rural credit cooperatives or rural cooperative banks, are approved at CBRC headquarters for preparation, while fit and proper assessments for board members and senior management are performed at the provincial level during the establishment/opening phase. Verifications regarding risk management, internal control systems, AML, corporate governance, policies and procedure, as well as the overall readiness for starting business are also performed at the provincial level. Approvals are also required for branches and new business lines. EC2 Laws or regulations give the licensing authority the power to set criteria for licensing banks. If the criteria are not fulfilled or if the information provided is inadequate, the licensing authority has the power to reject an application. If the licensing authority or supervisor determines that the license was based on false information, the license can be revoked. Description and As stated in EC1, Article 16 provides that CBRC shall, in accordance with the criteria and findings re EC2 procedures provided in applicable laws and regulations, authorize the establishment, changes, termination and business scope of banking financial institutions. Based on the power granted by the Banking Supervision Law, and taking into account the Law on Administrative Licensing, CBRC issued a regulation on procedures of Administrative License, which describe the procedures for authorizations, elaborating on rejections due to lack/inadequacy of information or due to substantive reasons. In cases where information provided is incomplete or inadequate, (Arts. 13 and 14), a notice should be issued to the applicant on supplementation and correction and in case the applicant fails to submit the required materials within three months or if the new materials are incomplete or do not meet the requirements the application can be rejected, with a statement on the reasons for the rejection. In cases where the information provided is deemed adequate/complete but criteria are not met, the decision to reject an application has to be accompanied by the reasons for the 52 PEOPLE’S REPUBLIC OF CHINA rejection and can be appealed, through applying for administrative reconsideration or lodging an administrative lawsuit (Article 29). The legal framework empowers CBRC to reject, modify or reverse any authorization based on false information. Arts. 46 of the Banking Supervision law empowers CBRC to revoke a license in case a bank submits statements, reports, documents or materials that are false or conceal important facts, which the authorities interpret as empowering them. More importantly, China counts with an Administrative Licensing Law, applicable to applicable to “all acts that the administrative organs permit” (Article2). Specifically, Article78 of Administrative Licensing Law, provides that where an applicant for administrative license conceals any relevant information or provides false documents in applying for an administrative license, the authority shall not accept its application or shall not grant such administrative license, and shall give it a warning. Article 69 provides that where the applicant obtains a license through cheating, bribing, or other illegitimate means, such license shall be revoked. In practice, from 2011 to 2015 31 out of 870 applications were denied, mainly due to prudential indicators (conversion of rural cooperatives in rural banks) or promoters qualifications. EC3 The criteria for issuing licenses are consistent with those applied in ongoing supervision. Description and The criteria for issuing licenses are broadly consistent with those applied in ongoing findings re EC3 supervision. Criteria to be met include having directors and senior management personnel with professional knowledge and work experience and sound organization and risk management (Article 12 pf the Commercial Bank Law). Fit and proper criteria to be applied to shareholders, board members and senior management does not differentiate the process of issuing a license from the ongoing business of an established bank. Criteria regarding risk management and internal controls applied, as in ongoing supervision, are commensurate with the business plan and activities to be pursued. EC4 The licensing authority determines that the proposed legal, managerial, operational and ownership structures of the bank and its wider group will not hinder effective supervision on both a solo and a consolidated basis. 14 The licensing authority also determines, where appropriate, that these structures will not hinder effective implementation of corrective measures in the future. Description and Article 12 of the Commercial Banks Law lays down the following requirements to be met in findings re EC4 establishing a commercial bank: a) having articles of association that conform to the Commercial Bank Law and the Company Law; b) having the minimum amount of registered capital as specified; c) having directors and senior managers with expertise and work experience as required for holding such positions; d) having a sound organization structure and management system; and 14 Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.) 53 PEOPLE’S REPUBLIC OF CHINA e) having the required business venues, security precautions and other business-related facilities. It also states that he establishment of a commercial bank shall also meet other prudential requirements. Article 15 require applicants to submit to the CBRC documents and materials including: a) The draft of the articles of association; b) Qualification certificates of the directors and senior management personnel to assume the posts; c) Certificate of capital issued by a legal capital checking organ; d) List of shareholders and the amount of capital contributions and shares thereof; e) Certificates of credibility and relevant documents of the shareholders who hold more than 5% of the registered capital f) Business policies and plans; g) Place of business accompanied with the safeguard measures and documents of other facilities in relation to the business; and h) Other documents and materials as required by the CBRC. The Licensing Manuals require bank to have sound corporate governance and internal controls, and promoters (when a legal person) to be a legally incorporated entity with sound corporate governance and effective organizational arrangements. In particular, Article 13 of the Licensing manual for Chinese banks and Article 14 of the Licensing Manual for Foreign-funded banks prohibit certain companies to be a promoter or a shareholder in a bank: a) companies with problematic corporate governance structures (“evidently defective”); b) companies with a large number of affiliates, complicated equity relationships or low transparency, or in which transactions with affiliates are frequent and abnormal c) companies where its core business is not prominent or its business scope involves too many sectors; d) companies that hold equity in a bank on behalf of others. The License Manual for Rural Banks is silent on the matter. Authorities stated that in practice rural banks have relatively simple ownership structures and that applicants with complex shareholding structures would be denied. In the case of Chinese banks and Rural banks, major shareholders are required to submit the structure of their group, including affiliates. In the case of foreign funded banks, it is required the group organizational chart, main shareholders list as well as list of overseas subsidiaries and affiliates. Files made available to the authorities confirmed such requirements. Files made available to the assessors also had information on the natural persons deemed as major shareholders. In addition, the Licensing Manual for Foreign-funded banks, (Article 12) require that that the foreign shareholders and the sole Chinese or principal shareholder shall be financial institutions and the foreign sole or principal shareholder shall also be a commercial bank. Applicants are required to be from jurisdictions which have supervisory cooperation relationships with CBRC (Article 10). 54 PEOPLE’S REPUBLIC OF CHINA The legal framework has no explicit provisions prohibiting the establishment of shell banks in China. In practice, the authorities report that up to now there are no shell banks operating in China. EC5 The licensing authority identifies and determines the suitability of the bank’s major shareholders, including the ultimate beneficial owners, and others that may exert significant influence. It also assesses the transparency of the ownership structure, the sources of initial capital and the ability of shareholders to provide additional financial support, where needed. Description and Article 15 of the Commercial Bank Law provides that applicants shall submit the name list findings re EC5 of shareholders and their proposed capital contributions and shares, as well as relevant documents of shareholders who intend to hold five percent or more of the registered capital. The Company law (Article 25) also establishes that the articles of association of a limited liability company shall include the names of the shareholders while Article 81 establishes that for joint stock limited companies the articles of association are required to include the name of each promoter, number of shares and form and date of capital contributions made. CBRC sets forth requirements for bank shareholders in its Licensing Manuals as well as in other rules and regulations, including sound corporate governance, effective management and internal control, sound business and financial conditions, and genuine and legitimate sources of proposed capital. The Commercial Bank law (Article 15) requires banks to submit the certificate of capital issued by a legal capital checking organ while Article 17 of the Banking Supervision law requires CBRC to review and assess the sources of initial capital and the ability of shareholders to provide additional financial support, as needed. In addition, Article 12 of Corporate Governance Guidelines provides that commercial banks shall specify in their articles of association that principal shareholders shall make long-term commitments in written form to providing additional capital as part of the capital planning. Requirements include information on the ultimate beneficial owners (UBOs) of shareholders and the authorities state that in cases where CBRC understand that there might be significant influence over the bank further investigation is performed. Otherwise focus is concentrated on the shareholders that hold direct stakes in the bank. Files made available to the assessors indicated that information from UBOs included identification proof, net worth, and credit history, in addition to a commitment to provide financial support if needed. In the case of entities, financial information, as well as business profiles were provided. The files had also organograms encompassing shareholders’ affiliates and the UBOs. A centralized data base, with information from CBRC, NDRC, SAIC and other government agencies stores information on administrative penalties issued against companies and 55 PEOPLE’S REPUBLIC OF CHINA natural persons, which, provides additional information on suitability of entities as shareholders. EC6 A minimum initial capital amount is stipulated for all banks. Description and The Commercial Bank Law (Arts. 12 and 13) requires national commercial banks to have a findings re EC6 minimum registered capital of RMB one billion Yuan. City commercial banks are required to hold a minimum of RMB 100 million Yuan and rural commercial banks are required to hold RMB 50 million Yuan. EC7 The licensing authority, at authorization, evaluates the bank’s proposed Board members and senior management as to expertise and integrity (fit and proper test), and any potential for conflicts of interest. The fit and proper criteria include: (i) skills and experience in relevant financial operations commensurate with the intended activities of the bank; and (ii) no record of criminal activities or adverse regulatory judgments that make a person unfit to uphold important positions in a bank. 15 The licensing authority determines whether the bank’s Board has collective sound knowledge of the material activities the bank intends to pursue, and the associated risks. Description and Article 20 of the Banking Supervision Law requires the CBRC to conduct fit and proper tests findings re EC7 for Board members and senior managers. The Administrative Rules on the Qualifications of Directors and Senior Managers of Banking Financial Institutions and the CBRC Licensing Manual establish specific qualification requirements for Board members and senior managers. The Administrative Rules on the Qualifications of Directors and Senior Managers of Banking Financial Institutions lays down the criteria and procedures to assess board members (directors) and senior management as to expertise and integrity, as well as conflicts of interest. Article 6 establishes that banks shall ensure that their directors and senior management always comply with fit and proper criteria upon appointment and during their tenure. Article 8 establishes basic conditions for the qualification of directors and senior management including: full capacity for civil conduct, good record of law abiding and compliance, good conduct and reputation, relevant knowledge, experience and capability for the correspondent position; good records of performance in the economic and financial fields; stable individual and family financial situation; the independence required for taking the office; performing the duty of royalty and diligence of financial institutions. The regulation also details circumstances that impede the holding of Board members or senior positions by the candidates, described under Arts. 9, 10 and 11. Article 9 lays the following circumstances as basis for disqualification of directors and senior management (or applicants) as fit and proper: a) criminal record of willful misconduct or gross negligence; b) bad conduct violating social morality and causes adverse impact; 15 Please refer to Principle 14, Essential Criterion 8. 56 PEOPLE’S REPUBLIC OF CHINA c) the person is personally liable or bears leadership responsibility for illegal operation or huge losses of the working institution in the past, and the situation is severe; d) the person takes or used to take the office of director or senior officer of a bank that is subject to takeover, cancellation, declaration of bankruptcy or revocation of business license, with the exception where it can be proved that the applicant bear no personal responsibility to the takeover, cancellation, declaration of bankruptcy or revocation of business license of the institution; e) the person causes huge losses or adverse impact due to violation of occupational ethics or code of conduct or gross neglect of duty; f) the person orders the institution he works for to disobey or involves in the disobedience of supervision or case investigation in accordance with the law; g) the person has been disqualified perpetually, or the person was accumulatively punished by the regulators or other financial administrative departments for two times; h) the person meets reasons for disqualifications specified in the Rules but still obtains the verification of qualifications through improper means. Article 10 specify further criteria for disqualification as fit and proper in a number of circumstances: a) the person or his spouse fails to repay a relatively large amount of due debt, including but not limited to the due loan in the financial institution; b) the person and his close relatives in aggregate hold over 5% of shares of the financial institutions, and the credit line they received from the financial institution obviously exceeds the net value of equities they hold in the financial institution; c) the person and the companies where he has controlling shares jointly hold over 5% of shares of the financial institution, and the credit line they received from the financial institution obviously exceeds the net value of the equities they hold in the financial institution; d) the person or his spouse works in a company which holds over 5% of shares, and the credit line the shareholders' companies received from the financial institution obviously exceeds the net value of the equities they hold in the financial institution, with the exception where he can prove that the credit has no relationship with himself or his spouse; The preceding paragraph is not applicable to finance companies of the enterprise groups. e) the person’s other position is in obvious conflict with the position to be appointed and the incumbent position of the financial institution, or is obviously distracting the time and energy of working in the financial institution. For this purpose, close relative includes spouses, parents, sons and daughters, brothers and sisters, grandparents, grandsons and granddaughters. Article 11 lays down further restriction for independent directors) as follows: a) he and his close relatives in aggregate hold more than 1% shares or equities in such financial institution; b) he or his close relative holds office at an institution which, as a shareholder, holds more than 1% shares or equities in such financial institution; c) he or his close relative holds office at such financial institution or an institution controlled or actually controlled by such financial institution; 57 PEOPLE’S REPUBLIC OF CHINA d) he or his close relative holds office at an institution that cannot repay the loans owed to such financial institution on time; e) there are business relations arising from law, accounting, auditing, management and consultation, guarantee and cooperation and interests relations in respect of creditors' right or debts between the institution at which he or his close relative holds office and such financial institution at which he is proposed to hold (currently holds) office, which prevents him from independently performing his duties; and f) he or his close relatives may be controlled or under significant influence by the major shareholder or senior management of such financial institution, which prevents him from performing his duties. Licensing manuals further elaborate on the necessary qualifications for directors. Article 82 of the Licensing Manual for Chinese commercial banks and also Article 100 of the Licensing Manual for small and medium-sized rural financial institutions require applicants to have five years or more of experience in the fields of law, economics, finance, accounting or any other work experience favorable to the performance of the duties as director. It also requires the person to be able to make judgment on risks and financial matters, in addition to understanding the corporate governance structure, bylaws and duties of the board of directors. Article 144 of the Licensing manual for foreign-funded banks has similar provisions and goes beyond that, further elaborating the chairman of the board, vice chairman and other positions. Article 20 of the Corporate Governance Guidelines provides that banks shall define the number of Board directors and the Board composition according to their sizes and business profiles. The regulations and procedures do not further elaborate on the matter. The authorities indicated that in assessing board compositions they look for complementarity of expertize, in line with the proposed target market. Files made available to the assessors included identification, CV, a detailed report from the previous employer, credit history, among others and the summary of an interview conducted by CBRC. EC8 The licensing authority reviews the proposed strategic and operating plans of the bank. This includes determining that an appropriate system of corporate governance, risk management and internal controls, including those related to the detection and prevention of criminal activities, as well as the oversight of proposed outsourced functions, will be in place. The operational structure is required to reflect the scope and degree of sophistication of the proposed activities of the bank. 16 Description and As mentioned in previous ECs, the legal framework sets up some basic information to be findings re EC8 provided to CBRC by applicants. Article 12 of the Commercial Bank Law requires that articles of association that comply with the Commercial Bank Law and the Company law, registered minimum capital, sound organizational structure and management systems, as well as directors and senior management personnel with professional knowledge for holding the post and work experience. Article 14 require the submission of a feasibility 16 Please refer to Principle 29. 58 PEOPLE’S REPUBLIC OF CHINA study report and enable CBRC to require additional documents and materials as necessary. Article 15 require applicants to submit business policies and plans and also empowers the CBRC to require other documents and materials as deemed necessary. In addition, Article 59 and 60 require banks, according to rules and regulations set up internal policies, controls and risk management, having also in place internal audit processes and systems. Article 15 of Anti-money Laundering Law of the People’s Republic of China provides that financial institutions shall have in place anti-money laundering internal control systems, with senior management bearing the responsibility for its effective implementation. Regulations details requirements related to the feasibility report and business plans, stating that it should include market analysis, status of the industry, proposed services to be provided, financial projections including profitability, liquidity and prudential ratios, business development strategy, as well as organization and management structure of the bank. For foreign banks, there are also specific requirements on the AML system at the parent level. Files made available to the assessors showed comprehensive feasibility reports and business plans. Based on the analysis of such information, the applicant get an initial approval to set up the business, after which on-site examinations will be conducted to assess risk management, IT systems, internal controls and AML, as well as corporate governance, which are performed by the examination teams together with licensing staff, in according with rules and regulations on the matter, including outsourcing. After the examination is conducted and the readiness for operations is established the approval for commencing operations is granted. EC9 The licensing authority reviews pro forma financial statements and projections of the proposed bank. This includes an assessment of the adequacy of the financial strength to support the proposed strategic plan as well as financial information on the principal shareholders of the bank. Description and Arts. 14 and 15 of the Commercial Bank Law require the submission of a feasibility report, findings re EC9 business policies and plans, the list of names of proposed shareholders and proposed amount of capital contributions and shares, as well as other relevant documents of shareholders holding 5 percent or more of the proposed capital. It also empowers the CBRC to require other documents and materials as needed. Article 17 of the Banking Supervision Law provides that CBRC shall review and assess the sources of capital, financial strength, ability to replenish capital and integrity of shareholders while reviewing an application for the establishment of a bank. CBRC performs an assessment of the financial statement projections to ensure that the proposed bank will have in place sound and effective/projected capital ratios projected P&Ls. In addition, shareholders are required to have a long history of stable operations, strong operating and managerial capabilities and sound financial conditions. On that regard, banks promoters are required to satisfy the criteria that net assets shall account for at least 30 percent of total assets and equity investment shall, in principle, not exceed 50 percent of net assets (both on a consolidated basis). 59 PEOPLE’S REPUBLIC OF CHINA CBRC requires the applicant to provide information about shareholders’ operations and industries, taxation records and audited financial statements so as to evaluate whether they meet suitability criteria including financial conditions criteria and whether they are able to provide additional financial support to the proposed bank. Files made available to the authorities confirmed such procedures. EC10 In the case of foreign banks establishing a branch or subsidiary, before issuing a license, the host supervisor establishes that no objection (or a statement of no objection) from the home supervisor has been received. For cross-border banking operations in its country, the host supervisor determines whether the home supervisor practices global consolidated supervision. Description and Article 9 of the Foreign-funded Bank Regulations provides that shareholders of proposed findings re EC10 wholly foreign-owned banks, foreign shareholders of proposed Chinese-foreign joint venture banks, or parent banks of proposed foreign bank branches or representative offices shall be under effective supervision by their home regulator(s), and that their applications are approved by the home regulator(s). The Article further provides that the home jurisdictions shall have in place sound financial regulatory system and cross-border regulatory cooperation mechanism with CBRC. In practice, CBRC requires the applicant to submit a written statement of home regulator(s) approving (or having no objection to) the application. In order to assess supervision in the home country, CBRC gathers information through the applicant (requiring them to provide information on the legal and regulatory framework pertaining to the home supervisor) exchanges information with home authorities, and also make use of other available information. A case made available to the assessors indicated correspondence inquiring about the existence of consolidated supervision. The authorities indicated that information might also be obtained through other methods, including previous experience the home supervisor and further investigation. EC11 The licensing authority or supervisor has policies and processes to monitor the progress of new entrants in meeting their business and strategic goals, and to determine that supervisory requirements outlined in the license approval are being met. Description and The Risk Early-warning Analysis and Supporting System (REASS system), described in CP8, findings re EC11 enables CBRC to monitor operations of newly established bank within its OSS. In addition, more frequent on-site examinations are conducted to make sure their operations are sound and stable and comply with supervisory requirements. Foreign-funded banks in particular are subject to an overall on-site examination after they commence business for a full year. The examination focuses on whether they have put in place operation and management policies and procedures according to supervisory requirements and the initial setting and whether resources commensurate with business development are in place as per business plans. Assessment of Compliant Principle 5 Comments Powers are in place for CBRC to set criteria and reject licensing applications. CBRC licensing process encompass the assessment of the ownership structure, including the fitness and propriety of Board members and senior management, as well as feasibility study, financial 60 PEOPLE’S REPUBLIC OF CHINA projections, internal controls, risk management etc. Prior consent or non-objection from the home supervisor is required in the case of foreign banks. CBRC licensing framework has been mostly used in the conversion of rural cooperatives into rural banks, as well as in the establishment of operations of foreign banks in China. Since 2014, fully private Chinese banks have been allowed into the system, which can significantly increase the complexity of the analysis necessary to ensure that the ownership structure and governance of the wider group do not impose undesired risks to the bank and the banking system. CBRC should consider reviewing procedures and training as necessary to ensure that CBRC is well equipped to adequately review the ownership structure and governance of the wider group in complex cases in order not to impose undesired risks to the bank and the banking system. Further considerations regarding CBRC overall approach regarding the wider group are reflected in the rating of CP 12 – Consolidated Supervision. Principle 6 Transfer of significant ownership. The supervisor 17 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties. Essential criteria EC1 Laws or regulations contain clear definitions of “significant ownership” and “controlling interest”. Description and The Commercial Law (Article 216), to which banks are subject to (please refer to CP5) has a findings re EC1 comprehensive definition of controlling interest, encompassing holdings over 50 percent and cases where voting rights are sufficient to have a significant influence at the board level or shareholders meeting. In addition, the law defines an actual controller as someone who, although not being a shareholder is in a position to exercise de facto control by means of investments, relationships or any other agreements. The Banking Supervision Law, nevertheless, does not explicitly define significant ownership or controlling interest for approval purposes but it does differentiate shareholdings above certain threshold (five percent), requiring approval in those cases, as described below, which imply a definition of significant control or controlling interest. Article 17 of the Banking Supervision Law prescribes that any proposed holding over a certain percentage of the capital or shares of a bank as stipulated in applicable laws and regulations shall be subject to CBRC’s approval. Article 24 of the Commercial Bank Law lays down several circumstances where approval needs to be sought, including alteration of shareholders who hold more than five percent of the total amount of capital or shares. Article 28 prescribes that any entity or person who intends to acquire 5 percent or more of the capital or shares of a bank shall obtain prior approval of CBRC. 17 While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority. 61 PEOPLE’S REPUBLIC OF CHINA EC2 There are requirements to obtain supervisory approval or provide immediate notification of proposed changes that would result in a change in ownership, including beneficial ownership, or the exercise of voting rights over a particular threshold or change in controlling interest. Description and As detailed in EC1, the Banking Supervision Law and Commercial Bank Law establish that findings re EC2 any changes of ownership involving shareholders holding or intending to hold five percent or more are subject to CBRC approval. In particular for foreign funded banks, Article 27 of the Foreign-funded Banks Regulations provides that proposed changes in shareholders or ownership shall be subject to CBRC’s approval. That means any change in the percentage of ownership of a foreign-funded bank is subject to approval. Article 39 of Licensing Manual for Chinese Commercial Banks and Article 61 of Licensing Manual for Small and Medium-sized Rural Financial Institutions provide that proposed ownership changes involving any shareholder holding or intending to hold 5 percent or more of the capital or shares of state-owned commercial banks, the Postal Saving Bank of China, joint-stock commercial banks, city commercial banks, rural commercial banks, rural cooperative banks, rural credit cooperatives, rural credit unions, village and township banks, or rural mutual cooperatives, and proposals by any foreign financial institutions to become shareholders thereof shall be subject to CBRC’s approval. Proposed ownership changes involving more than 1 percent but less than 5 percent of the capital or shares of any of the above banks shall be reported to CBRC. The framework is silent regarding beneficial ownership. In exchanges with the authorities they did indicate to gather information on groups including beneficial owners. Nonetheless, there are no procedures in place or legal requirements to insure that significant changes in beneficial ownership are subject to CBRC approval. EC3 The supervisor has the power to reject any proposal for a change in significant ownership, including beneficial ownership, or controlling interest, or prevent the exercise of voting rights in respect of such investments to ensure that any change in significant ownership meets criteria comparable to those used for licensing banks. If the supervisor determines that the change in significant ownership was based on false information, the supervisor has the power to reject, modify or reverse the change in significant ownership. Description and Overall, regulations empower CBRC to reject proposed changes in significant direct findings re EC3 ownership, as well as the power to revoke changes based on false information. As described under CP 5, CBRC has the power to reject any application for an authorization of any kind that does not meet criteria. The Provisions of CBRC on the procedures of administrative license regulation elaborate on rejections due to lack/inadequacy of information or due to substantive reasons. In cases where information provided is incomplete or inadequate, (Arts. 13 and 14), establishing that a notice should be issued to the applicant on supplementation and correction and in case the applicant fails to submit the required materials within three months or if the new materials are incomplete or do not meet the requirements the application can be rejected, with a statement on the reasons for the rejection. In cases where the information provided is deemed adequate/complete but 62 PEOPLE’S REPUBLIC OF CHINA criteria are not met, the decision to reject an application has to be accompanied by the reasons for the rejection and can be appealed (Article 29). Regulations also specify that criteria for changes in significant ownership are the same as those used for licensing banks. Article 39 of Licensing Manual for Chinese Commercial Banks provide that the criteria for reviewing and approving the change of any shareholder holding or intending to hold 5 percent or more of the capital or shares of a bank shall be the same as those applied to initiators of a new bank. Article 66 of the Licensing Manual for Foreign-funded Banks (Section 2. Alteration of Shareholders) refer to the need to satisfy criteria established in the Articles pertaining to the licensing process. Article 61 of the Licensing Manual for Small and Middle Size Rural banks establishes that changes in significant ownership are required to satisfy to satisfy qualification requirements for a promoter. Article 28 of the Foreign-funded Banks Regulations and Article 66 (Section 2, Alteration of Shareholders) refer to the need to satisfy criteria established in the Articles pertaining to the licensing process. In the case of foreign-funded banks there are no thresholds for changes in ownership, i.e. any changes are subject to approval. The legal framework empowers CBRC to reject any application based on false information. Article78 of Administrative Licensing Law provides that where an applicant for administrative license conceals any relevant information or provides false documents in applying for an administrative license, the authority shall not accept its application or shall not grant it such administrative license, and shall give it a warning. Article 69 provides where the applicant obtains a license through cheating, bribing, or other illegitimate means, such license shall be revoked. Over the last five years CBRC approved 2,200 requests and denied 92. No appeals occurred. EC4 The supervisor obtains from banks, through periodic reporting or on-site examinations, the names and holdings of all significant shareholders or those that exert controlling influence, including the identities of beneficial owners of shares being held by nominees, custodians and through vehicles that might be used to disguise ownership. Description and The Banking Supervision Law has no explicit provisions regarding gathering information findings re EC4 related to significant shareholders or those that exert controlling influence. Article 33 of the Banking Supervision Law provides that CBRC has the power to, for the purpose of discharging its supervisory duties, require banking financial institutions to submit their balance sheets, P&Ls, other financial and statistical reports, operation and management information, as well as audit reports prepared by certified public accountants. Article 34 grants CBRC the power to conduct on-site examination: enter a bank for on-site examination purposes, interview staff and require them to provide explanations on examined matters, have full access and make copies of the bank’s documents related to the examination and examine the bank’s information technology infrastructure for business operation and management. Article 35 enables CBRC to have consultations with directors 63 PEOPLE’S REPUBLIC OF CHINA and senior management to inquire about the major activities concerning its business operations and risk management. Article 35 of the Rules of CBRC on Off-site Surveillance provides that institutional supervisory departments of CBRC shall prepare an overview of banking financial institutions and update the overview at least annually, which includes significant shareholders of the institutions. In practice, CBRC gathers information on shareholders of listed companies, which account for roughly 80 percent of banks’ total assets, given the requirement to disclose changes in shareholders/actual controllers with holdings of over 5 percent. The Provisions on Information Disclosure by Listed Companies require listed companies to annually disclose controlling shareholders and actual shareholders holding more than 5 percent and also to immediately disclose significant events, including when a shareholder with over 5 percent of shares or an actual controller has significant change in shares or control of the company. For the remaining banks, authorities claim that there is a significant portion where the controller is actually the state and that also for most the shareholder structure is fairly simple and that therefore changes in ownership would be subject to approval (i.e. CBRC would be informed). In addition, Article 123 of the Guidelines on Corporate Governance, require banks to disclose to the public within 10 working days, change in controlling shareholders or actual shareholders. An institutional overview presented by the authorities had information up to the beneficial ownership. It is unclear, nevertheless, whether current CBRC procedures would be sufficient to obtain the names and holdings of those that exert controlling influence in cases of more complex shareholding structures and where eventually less than 5 percent might still result in controlling influence. Nominees, custodians are not permitted in China. Regulations establish that shareholders shall not own bank shares on behalf of others, and shall invest with their own funds rather than entrusted funds, debt funds or other forms of non-self-funds. When submitting application materials, shareholders shall also provide a statement in writing to guarantee that the investment funds are of their own and the sources of funds are real and lawful. IN practice, in case of companies that are listed abroad, shares might be held by nominees but significant holdings are required to be disclosed. EC5 The supervisor has the power to take appropriate action to modify, reverse or otherwise address a change of control that has taken place without the necessary notification to or approval from the supervisor. Description and Laws and regulations empower CBRC to modify, reverse or otherwise address a change of findings re EC5 direct ownership over 5 percent that has taken place without approval. Article 74 of the Commercial Bank Law prescribes that in case where a subjected change has taken place without the necessary notification to or approval from CBRC “failing to apply for approval in violation of regulations”), the regulator shall order the bank to rectify, confiscate unlawful gains, if any, and impose a fine accordingly. Where such violation is regarded as material or the bank fails to rectify within specified period of time, CBRC may 64 PEOPLE’S REPUBLIC OF CHINA suspend its business for rectification or revoke its banking license and where such violation constitutes a crime, criminal liability shall be investigated according to law. In addition, Article 79 prescribes that where an investor acquires 5 percent or more of the capital or shares of a bank without approval, CBRC has the power to order the investor to rectify, confiscate unlawful gains, if any, and impose fines accordingly. From 2011 to 2015 CBRC has made 21 modifications or reversions to changes of control. EC6 Laws or regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Description and Article 24 of the Guidelines on Consolidated Management require principal shareholders of findings re EC6 a commercial bank to meet the requirements set by CBRC and provide relevant information in accordance to the law. Article 84 requires CBRC to pay continuous attention to the principal shareholder of a commercial bank on whether there is any material change in the qualification of the principal shareholder. The Rules on implementing the Regulations on Administration of Foreign-funded banks (Article 66) require foreign-funded banks to report major troubles in the financial condition on their shareholders, as well as material regulatory measures implemented by the home supervisory authority or by the supervisory authority of countries or regions of other overseas branches, as well as significant changes to the financial regulatory laws or regulations and financial regulatory systems of the countries or regions of parents. Nevertheless, there are no express instructions in laws, regulations or other provisions requiring Chinese and Rural banks to notify CBRC as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder or a party that has a controlling interest. Assessment of Materially Non-Compliant principle 6 Comments CBRC has the power to review and reject any proposal to transfer significant ownership above 5 percent held directly in existing banks to other parties. The legal framework, nevertheless, does not require authorization for changes of de facto control, i.e. controlling interests held indirectly or circumstances where although holdings are below five percent, can entail significant influence. CBRC collect through various means information on significant holdings in banks. Nonetheless, there is no systematic process for regularly receiving/collecting information on names and holdings of all significant shareholders or those that exert controlling influence. In addition, the legal framework, regulations and procedures do not require Chinese or Rural banks to notify CBRC as soon as they become aware of any material information which may negatively affect the suitability as a major shareholder. Authorities are recommended to: 65 PEOPLE’S REPUBLIC OF CHINA (a) amend the legal framework requiring that all de facto changes of control, directly or indirectly and irrespective of percentage are subject to approval by CBRC; (b) amend the legal framework to have more explicit and clear powers to have access to information on ultimate beneficiary owners and controlling interests, as necessary to perform its duties; (c) expressly require all commercial banks to notify CBRC as soon as they become aware of any material information which may negatively affect their suitability as a major shareholder; (d) establish procedures in order to receive periodic information on the names and holdings of all significant shareholders or those that exerct controlling influence over a bank. Principle 7 Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision. Essential criteria EC1 Laws or regulations clearly define: (a) what types and amounts (absolute and/or in relation to a bank’s capital) of acquisitions and investments need prior supervisory approval; and (b) cases for which notification after the acquisition or investment is sufficient. Such cases are primarily activities closely related to banking and where the investment is small relative to the bank’s capital. Description and Banks are not allowed to invest in non-bank financial institutions or enterprises unless findings re EC1 authorized by the state. The Commercial Bank law, as discussed in CP 4, defines the types of activities that a bank can conduct and also enables CBRC to approve other business. The law has also specific provisions restricting banks from conducting certain activities, including, non-bank financial institutions or enterprises unless otherwise prescribed by the State Council (Article 43). Through what the authorities call pilots, insurance, leasing, fund management and consumer finance have been allowed, upon specific authorization. All acquisitions and investments by Chinese banks and rural banks are subject to CBRC approval. Investments or acquisitions of banking institutions are subject to a total cap of 50 percent of net assets. The Licensing Manuals for Chinese Commercial Banks (Article 34) require approval for acquisitions of domestic financial institutions. Arts. 35 and 36 establishes that overseas acquisitions are also subject to approval, i.e. tier-one branches, wholly owned subsidiaries, holding financial institutions, representative offices of commercial banks and the institutions formed by the overseas tier-one branches and wholly-owned subsidiaries across countries. The requirement for prior approval for acquisitions made by Rural banks is spelled out at Article 43 of the Licensing Manual for Small and Medium-sized Rural Financial Institutions. 66 PEOPLE’S REPUBLIC OF CHINA The Licensing Manual for Foreign-funded Banks makes no reference to acquisitions. CBRC informed that given the historical very limited size of foreign funded banks operating in China, there was no need for such provisions. Those operations have been growing nevertheless and in the current review of the licensing manual they expect to incorporate provisions on the matter. They also informed that apart from a case of a merger at the parent level, where a new legal entity was established in China (therefore going through the license process), no other case has happened so far. There are no procedures established in the regulatory framework regarding equity investments in commercial enterprises, as there has never been a case of such type of investment. Authorities stated that those cases where the State Council might consider approval under Article 43 of the Commercial Bank Law would be subject to an initial review by CBRC, in which case CBRC would establish procedures. EC2 Laws or regulations provide criteria by which to judge individual proposals Description and Criteria by which to judge individual proposals are set through the Licensing Manuals and findings re EC2 other regulations. Article 31 of the Licensing Manual for Chinese Commercial Banks provides that where a Chinese commercial bank applies to acquire another bank and to incorporate the target as a branch, it shall have sufficient operating capital and its authorized operating branch shall be in good operation and have robust internal controls. Article 33 stipulates that where a Chinese commercial bank applies to acquire or invest in a domestic financial legal entity, it shall have sound corporate governance, effective risk management and internal controls, robust consolidated management and adequate IT system. It shall be profitable for 3 consecutive accounting years and its equity investment shall be no more than 50 percent of net assets. In addition, it must not have committed any serious violations of laws and regulations nor been involved in any major cases resulting from internal management problems in the last two years, in addition to having a good rating and other prudential conditions as prescribed by CBRC. Article 35 provides that where a Chinese commercial bank applies to acquire or invest in an overseas institution, the applicant shall have adequate management, risk management and internal controls, commensurate with overseas business environment as well as clearly- defined overseas development strategy and consolidated management capabilities, with professionals acquainted with the overseas business environment. In addition, the applicant is required to be compliant with the main prudential ratios, have earned profits over the last three years and have total assets over RM 100 billion yuan and have equity investments generally not exceeding 50 percent of its net consolidated assets. Rural commercial banks may establish, invest in or acquire domestic incorporated financial institutions. Article 42 of the Licensing Manual for Small and Medium-sized Rural Financial Institutions lays down minimum criteria, which include: a good corporate governance structure, risk management and internal controls; a clear development strategy and a mature financial business model; strong external support, being able to replenishing capital on an ongoing basis; good consolidated management capability; rating Grade II or above in 67 PEOPLE’S REPUBLIC OF CHINA the past two years; earned profits during the last three years; equity investments generally of no more than 50 percent of its net consolidated assets. As mentioned in EC1, the Licensing Manual for Foreign-funded Banks makes no reference to acquisitions. EC3 Consistent with the licensing requirements, among the objective criteria that the supervisor uses is that any new acquisitions and investments do not expose the bank to undue risks or hinder effective supervision. The supervisor also determines, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future. 18 The supervisor can prohibit banks from making major acquisitions/investments (including the establishment of cross-border banking operations) in countries with laws or regulations prohibiting information flows deemed necessary for adequate consolidated supervision. The supervisor takes into consideration the effectiveness of supervision in the host country and its own ability to exercise supervision on a consolidated basis. Description and As detailed in previous ECs, apart from exceptional cases (further elaborated on EC5, banks findings re EC3 are only allowed to acquire or invest in banks and such investments or acquisitions are subject to approval. Article 80 of the Consolidated Management and Supervision Guidelines prescribes that when reviewing an application for establishing an affiliate, CBRC shall take into consideration the corporate governance and consolidated management capability of the banking group. If any material deficiency is detected, CBRC may reject the application. A case made available by the authorities a reviewed by the authorities confirmed the application of such procedures. Regarding the effectiveness of supervision in the host country, Article 90 of the Consolidated Management and Supervision Guidelines requires CBRC to assess the regulatory environment of the host country. If banking supervision in the host country is regarded as inadequate or hindering access to important information, CBRC may impose restrictions on licensing. These restrictions include, but are not limited to, prohibiting or restricting banks or banking groups from setting up entities in such host countries or jurisdictions; restricting the scope of business activities, etc. So far CBRC did not have to make use of such provisions. In practice, CBRC makes use of information previously acquired on the host authorities. In cases of new jurisdictions, CBRC makes use of various sources of information, including the host authority website, bilateral exchanges of information within the framework of MoU. During those exchanges, CBRC gets information on the overall banking environment and legal structure. In addition, information from FSAPs, if available is taken into consideration as well as country classification for members of OECD, and ratings from public rating agencies, etc. 18 In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank. 68 PEOPLE’S REPUBLIC OF CHINA CBRC procedures reviewed by the assessors did not encompass provisions according to which the CBRC can determine, where appropriate, that these new acquisitions and investments will not hinder effective implementation of corrective measures in the future. EC4 The supervisor determines that the bank has, from the outset, adequate financial, managerial and organizational resources to handle the acquisition/investment. Description and As detailed in EC2, the Licensing Manuals and procedures require banks to have robust findings re EC4 financial, managerial and organization resources in order for CBRC to approve banks’ investment and acquisition. CBRC requires banks to submit plans for such acquisition or investment and subsequent integration and development, potential risks and responses, risk isolation arrangements between banks and the targets, and policies for consolidated management and related party transactions, so as to ensure that banks are capable of supporting the proposed investment or acquisition. CBRC also informed that the process for approving those investments includes also gathering information from on-site examinations, OSS, and interviews. Particular focus is put on managerial, IT, and internal controls capabilities, as well as previous experience in other acquisitions or investments. In case of cross border investments, authorities also reported to verify what preparations have been made in order to be compliant with local requirements. Although not established in written procedures, CBRC also reports that it only considers applications of investments/acquisitions in cases of banks rated 2 or above. Particularly in the case of establishment of affiliates abroad, most cases relate to the large banks, which already have a large experience with those types of investments. A file made available by the authorities showed assessment of internal control capabilities, assessment of financial information projections incorporating the acquisition, as well as considerations regarding the bank’s knowledge of the market to be invested in and its expertise in investments abroad. EC5 The supervisor is aware of the risks that non-banking activities can pose to a banking group and has the means to take action to mitigate those risks. The supervisor considers the ability of the bank to manage these risks prior to permitting investment in non-banking activities. Description and CBRC is aware of the risks that non-bank activities can pose to a banking group, reflected findings re EC5 by the fact, as detailed in CP 4 and EC1, investments in non-banking activities are in principle restricted for banks. For a while now, the authorities established what they call pilot investments for areas such as fund management, insurance and leasing, more in line with universal banking. Those investments require prior authorization by the State Council and CBRC has issued, individually or jointly with other supervisors formulated specific regulations for those businesses, setting forth requirements on risk control and segregation, setting up firewalls for banks’ investment in non-bank financial institutions and aiming at preventing conflict of 69 PEOPLE’S REPUBLIC OF CHINA interest. Authorities reported those cases where CBRC has no objections are submitted to the State Council. More specifically, for instance the Administrative Rules on the Pilot Establishment of Fund Management Companies by Commercial Banks requires fund management companies established by commercial banks to have in place sound corporate governance and effective risk segregation with the banks, and report to CBRC for filing. For the perspective of risk segregation, the Rules sets requirements on the use of assets managed by such fund management companies and prescribe that “the assets shall not be used to purchase negotiable securities issued or underwritten by its shareholders during the underwriting period”. For the purpose of avoiding tunneling, the Rules also provides that “no commercial bank may act as the trustee of the funds managed by the fund management company that is established by the bank”. In addition, Similar provisions are provided on the Pilot Program of Commercial Banks' Equity Investment in Insurance Companies. Exchanges with the industry indicated the authorities do perform evaluation of compliance with those requirements regarding risk control, and firewalls prior and after authorization, in some cases authorizing certain business initially for a limited number of outlets and monitoring after a few months of establishment to evaluate risk management and risk control. Authorities should exercise caution, nevertheless, when authorizing non-banking activities, ensuring that a robust regulatory framework is in place to proper govern such activities, the risks they entail and its implications to the banks, banking groups and the banking system. Assessment of Compliant Principle 7 Comments Investments and acquisitions by banks are tightly controlled in China. CBRC requires approval of all acquisitions and investments. Banks are not allowed to invest or acquire broker dealers, trusts, non-bank financial institutions or commercial enterprises unless prescribed by the State Council. So far pilots for fund management, insurance, leasing and finance companies have been established and are subject to specific approval. Authorities should exercise caution, nevertheless, when authorizing non-banking activities, ensuring that a robust regulatory framework is in place to proper govern such activities, the risks they entail and its implications to the banks, banking groups and the banking system. Please refer to CP 12 for a more detailed discussion on the matter Moreover, with the increasing sophistication of the Chinese banking system and expansion abroad, CBRC should ensure that is prepared to properly assess joint ventures and other strategic investments that banks may consider. Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable. 70 PEOPLE’S REPUBLIC OF CHINA Essential criteria EC1 The supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact and scope of the risks: (a) which banks or banking groups are exposed to, including risks posed by entities in the wider group; and (b) which banks or banking groups present to the safety and soundness of the banking system. The methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment and the resolvability of banks, and permits relevant comparisons between banks. The frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis. Description and Legislation requires the CBRC to create a risk based methodology, to ensure consolidated findings re EC1 supervision and to tailor its supervisory activity to its analytical findings. The Banking Supervision Law provides (Article 27) requires the CBRC to establish a supervisory rating system and an early warning system, based on which the CBRC must determine the frequency and scope of on-site examination as well as other necessary supervisory actions. The BSL (Article 25) requires the CBRC to practice supervision on a consolidated basis. The CBRC adopts on and off-site approaches to monitor banks’ business features, group structure, risk profile, internal control and resolvability. The off-site supervisory processes (OSS) make use of supervisory data that is submitted to the CBRC through the off-site supervision returns system (OSSRS). On-site examinations focus can, for example, include banks’ corporate governance, internal controls, business operation, risk control and risk profile, and propose relevant supervisory actions and administrative penalties. The supervisory cycle comprises 6 stages: supervision planning, day-to-day monitoring and analysis, risk assessment, collaboration with on-site examinations, supervisory rating and supervisory conclusion. At the end of each supervisory cycle, the CBRC prepares assessment reports based on results of OSS and on-site examinations, and rates banks according to the CAMELS+I rating standards. At this stage the CBRC identifies potential risks and existing problems. The report, in essence, provides the supervisory conclusions for the year, and includes a summary of the work over the preceding year and any enforcement documents. The CAMELS+I risk rating system assesses seven components on a regular basis, including capital adequacy (C), asset quality (A), management (M), earnings (E), liquidity (L), sensitivity to market risk (S), and IT risk (I). The rating results serve as important input to determining the frequency and intensity of supervision. The rating system utilizes both quantitative and qualitative inputs and is intended to allow for the application of supervisory judgment within a framework of constrained discretion. That is to say, that according to the Guidelines on Supervisory Ratings of Commercial Banks, the weighting of the key risk components is as follows: capital adequacy (15 percent), quality of assets (15 percent), quality of management (20 percent), profitability (10 percent), liquidity risk (20 percent), market risk (10 percent), and information technology risk (10 percent). According to the risk characteristics and regulatory priorities of various types of banking institutions, the regulatory authorities of the CBRC may adjust the weight 71 PEOPLE’S REPUBLIC OF CHINA of each rating element by 5 percentage points. Therefore, for example, the weighting given to market risk can range from 5 percent to 15 percent. Ratings are adjusted annually unless there is a clear finding during an on-site review that warrants a more immediate adjustment. The supervisory cycle is illustrated below: The analytical system is designed to ensure that the CBRC reviews a bank or banking group’s shareholder structure, capital adequacy, qualifications of directors and senior managers, organizational structure, management policies and procedures, risk management and internal control, IT systems, business venues, and projected financial position and determines whether it has appropriate risk control tools and mechanisms appropriate with its businesses. The CBRC maintains an up to date institutional overview for each bank or banking group, covering ownership structure, organizational structure, development strategy, business profile, management issues, financial positions and projection, supervisory ratings, risk assessment results and other information. Greater intensity of supervisory effort is directed at the systemic and the large commercial banks. One aspect of this heightened intensity was the 2016 evolution of the CBRC’s CARPALS system into the Heightened Regulatory Standards for Large Banks (HRS). (Please see EC2 for details). Also, the CBRC is working with the GSIBs to work towards meeting the Basel Principles for effective risk data aggregation and reporting. Further, as noted elsewhere, the CBRC has required the 4 Chinese G-SIB banks to put in place RRPs and submit these plans to their Crisis Management Groups, who will then assess the 72 PEOPLE’S REPUBLIC OF CHINA resolvability and evaluate the impact on financial stability of the banking industry, or even the whole financial system. EC2 The supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. The nature of the supervisory work on each bank is based on the results of this analysis. Description and To assist prompt risk detection and early warning, CBRC has developed the “Risk Early findings re EC2 warning Analysis and Supporting System” (REASS). The system imports data from the off- site supervisory information system on a regular basis, and calculates key supervisory indicators. It generates automatic alerts when indicator values breach pre-defined thresholds and generates visual representations for supervisors. In addition to the early warning signals, the system’s functionality includes search features and analysis of early- warning indicators, etc. It permits comparison and analysis of warning signals and indicators (such as asset growth rate, interest spread, newly emerged NPLs, etc.) for similar banks. In 2016, the CBRC upgraded its CARPALS system into the Heightened Regulatory Standards for Large Banks (HRS). The CARPALS system dated from 2009, and covered 7 categories of indicators, including C (Capital adequacy), A (Asset quality), R (Risk concentration), P (Provisioning coverage), A (Affiliated institutions), L (Liquidity), and S (Swindle prevention & control). More stringent standards for these indicators have been applied to large banks. With the introduction of HRS, the CBRC set higher-than-statutory target values based on each bank’s risk management and internal control capabilities, as well as economy and finance cyclical factors. The HRS standards are incorporated into banks’ annual operating objectives and performance appraisal, and evaluated on a quarterly basis. If one or more indicators are breached, the CBRC will issue a risk alert to the bank and require corrective action to be taken. All banks and banking groups are subject to comprehensive stress tests covering all major risk types and primary business lines both on- and off-balance sheet. Targeted stress tests are also required for fast-growing new businesses and those with potential material risk. The CBRC introduced stress tests in 2007 (Guidelines on Stress Tests of Commercial Banks) and refreshed its Stress Test Guidelines in 2014, including greater detailed requirements than before. The Guidelines set out the supervisory expectations that banks must meet and also indicate the supervisory oversight that the CBRC must apply. Also, the CBRC undertakes unified stress test for banks using a unified scenario, which includes systemic risk considerations, that all banks must take. The CBRC’s supervisory response depends on the risk levels identified, and will range between issuing supervisory briefings and opinions; applying corrective actions (with monitoring put in place); amending the intensity of supervision; and if corrective actions fail or are unsatisfactory, the CBRC will impose penalties. EC3 The supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements. Description and The CBRC promotes banks’ compliance with laws, regulations, rules and other supervisory findings re EC3 requirements through rule-making, on-site examinations and OSS. Both the Banking 73 PEOPLE’S REPUBLIC OF CHINA Supervision Law and the Commercial Bank Law prescribe the banks’ obligations to comply with laws, regulations, rules and other supervisory requirements (See Article 21 of the Banking Supervision Law and Article 8 of the Commercial Bank Law respectively). Both laws also prescribe the CBRC’s statutory authority to take enforcement actions or impose sanctions on banks that fail in compliance (See Chapter V of the Banking Supervision Law and Chapter VII and VIII of the Commercial Bank Law for details) The CBRC requires banks to establish a compliance management function. Indeed the Guidelines on Internal Control of Commercial Banks provide (Article 4) that one of the goals of commercial banks’ internal control is to ensure compliance with laws and regulations. Furthermore, the Guidelines on Compliance Risk Management of Commercial Banks requires banks to establish a management system to identify, measure, assess, monitor, and report compliance risks, and take effective control measures to ensure compliance in business operations. The CBRC uses its examination program to assess the quality and effectiveness of banks’ compliance function including their policies and procedures. Most on-site examinations include inspections on internal control and compliance function. Data and information gathered for OSS is monitored and banks failing to meet regulatory requirements (such as CAR, liquidity ratio, and large exposure limit, etc.) are identified. As noted in EC1, should a bank breach a trigger value, supervisors will require it to take corrective actions. Where non-compliance is identified, CBRC takes supervisory actions such as holding supervisory meetings with senior management requiring banks to make rectifications within a prescribed timeframe. More severe interventions may be taken if warranted, such as suspending the bank’s business operation, releasing supervisory briefing, issuing supervisory letters, or imposing administrative sanctions. The CBRC monitors the progress of remedial actions. Please see CP11 for more details. The CBRC discussed several examples of holding supervisory meetings. EC4 The supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. The supervisor also takes into account cross-sectoral developments, for example in non-bank financial institutions, through frequent contact with their regulators. Description and There is an overarching requirement under the Banking Supervision Law (Article 6) for the findings re EC4 CBRC to establish supervisory information sharing mechanisms with PBC and other regulatory authorities. Under the Rules of CBRC on Off-site Surveillance more detailed requirements are set out concerning coordination mechanisms, supervisory communication, information sharing, and cooperation. This encompasses both CBRC’s relationship with other authorities (for example, the PBC, CSRC and CIRC) (Article 22) but also internal coordination between departments responsible for systemic and regional risk supervision and those responsible for institutional supervision (Article 25). There is a range of information sources used by the CBRC to take the macro economic environment into account in its analysis. These are: 74 PEOPLE’S REPUBLIC OF CHINA • Quarterly economic and financial briefings for institutional supervision department to obtain a thorough understanding of domestic and global macro-economic conditions and identify significant risks facing individual banks; • Risk information shared by functional supervision departments such as those on housing market or financial innovations etc.; • Inclusion of macroeconomic and financial scenarios in banks’ stress tests, upon the CBRC’s requirement; • Monitoring of market information and other external information, including complaints and petitions from financial consumers and ad hoc events in the industry; and • Information sharing mechanisms and exchange with other authorities, including collaboration mechanisms such as the JMC. • CBRC also participates in the quarterly economic analysis conference held by National Development and Reform Commission (NDRC) and quarterly meeting of monetary policy commission held by the PBC to obtain latest information on macro-economic developments. The assessors were shown numerous examples of analyses and also of contact and consultation on various issues with other regulators. Banks commented that they found the quarterly briefings from the CBRC to be valuable. Please see also CP9 EC4 (f). EC5 The supervisor, in conjunction with other relevant authorities, identifies, monitors and assesses the build-up of risks, trends and concentrations within and across the banking system as a whole. This includes, among other things, banks’ problem assets and sources of liquidity (such as domestic and foreign currency funding conditions, and costs). The supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. The supervisor communicates any significant trends or emerging risks identified to banks and to other relevant authorities with responsibilities for financial system stability. Description and Risk monitoring by the CBRC findings re EC5 The CBRC monitors risk accumulation in the banking sector through four main approaches: • Surveillance of systemic risk. The Prudential Regulation Bureau is responsible for collecting, monitoring and analyzing off-site data and information of the banking industry and potential risks; • Surveillance of regional financial risks. The CBRC local offices produce regional risk supervision reports covering material risks within local region and relevant supervisory actions. Thematic presentations to head office are made when necessary. Moreover, the CBRC has established regional coordination surveillance mechanisms, such as the Yangtze River Delta quarterly meeting on economic and financial situations hosted in turn by local offices in Shanghai, Jiangsu Province, Zhejiang Province and Anhui Province; • Monitoring risks of homogeneous or similar banks. The CBRC classifies commercial banks into large banks, joint-stock banks, city commercial banks, rural commercial banks and foreign-funded banks; 75 PEOPLE’S REPUBLIC OF CHINA • Monitoring thematic risks, such as risks related with the housing market, and rapidly growing financial innovations, etc. Additionally, the CBRC plans targeted examinations to address prominent risks and issue corresponding supervisory recommendations. The CBRC monitors NPLs of the banking industry, as well as the dynamic migration of asset quality. A dedicated OSS return, (Table G12), is designed to collect quarterly information on loan quality changes. Since the outbreak of “liquidity crunch” in 2013, the CBRC has carried out day-to-day interbank market monitoring for market expectations, overall liquidity and financing costs. When monitoring problem assets and liquidity of banks, supervisors compare bank indicators against sector average, and seek to identify problems and causes as well as apply corrective actions. Information sharing with other regulatory authorities In practical terms, there are several modes of information sharing between the regulatory authorities, chief among which are the inter-agency working group of supervisory information and statistical data sharing and the supervisory coordination mechanism, through which the CBRC shares risk profile assessments. Additionally, although, not purely focused on systemic risk, the CBRC publishes an annual report (both in Chinese and in English) to disclose information on the banking industry and provides information to host supervisory authorities of Chinese parent banks in the context of supervisory colleges for G-SIBs. Laws, Guidelines and Rules require there to be supervisory information sharing and regulatory coordination. There are also a number of regulatory MoUs signed between the authorities to support open and timely information sharing. Please see CP 3 also. The principal laws involved are the Banking Supervision Law and the Law of the People’s Republic of China on the People’s Bank of China. The Banking Supervision Law (Article 6) requires the CBRC to establish supervisory information sharing mechanisms with PBC and other regulatory authorities. The Law of the People’s Republic of China on the People’s Bank of China (Article 9) requires the State Council to establish a financial regulatory coordination mechanism and this mechanism was officially set up in 2013, (see the Reply of the State Council on Approving the Establishment of the Joint Ministerial Conference.) Good communication, coordination and discussion between regulatory authorities is further underpinned by the Guidelines on the Consolidated Management and Supervision of Commercial Banks (Article 89) and the Rules of CBRC on Off-site Surveillance. For example, the Rules of CBRC on Off-site Surveillance (Article 21) provides that supervisors responsible for consolidated supervision shall strengthen two-way communication with supervisors responsible for banks’ affiliates. According to Article 22 the Rules provide that supervisors at various levels shall strengthen information sharing and supervisory coordination with PBC, CSRC, CIRC and other authorities, making concerted efforts to ensure the soundness of the banking industry. The CBRC, CIRC and CSRC have signed the MOU on Division of Responsibilities and Cooperation in Financial Supervision and Regulation. Also the CBRC and CIRC have signed the MOU of Cross-industrial Supervision Cooperation of Banking and Insurance Industries 76 PEOPLE’S REPUBLIC OF CHINA and the CBRC and CSRC have issued the Guidelines on Cross-industry IT System Emergency Response for Banking and Securities Industries. A series of regulatory documents for commercial banks involving in insurance and interbank businesses have been released in conjunction with the CIRC and CSRC in order to promote a cross-sector approach to the supervision of banking, insurance and securities industries. As an example of a regulatory response to an emerging risk, in 2014, in view of potential risks associated with fast-growing interbank businesses and under the framework of the JMC, CBRC issued the Notice on Regulating the Governance of Interbank Business jointly with the PBC, CSRC, CIRC and SAFE. EC6 Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability where appropriate, having regard to the bank’s risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes to business strategies, managerial, operational and ownership structures, and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business. Description and As reported by the Chinese authorities to the FSB (end August 2016) both recovery findings re EC6 planning and resolution planning processes are in place for systemic banks but specific implementation rules for effective resolution have not yet been fully developed. There are four Chinese banks with G-SIB designation as of November 2016: Bank of China (BOC), Industrial and Commercial Bank of China (ICBC), Agricultural Bank of China (ABC), and China Construction Bank (CCB) were included in the G-SIB list issued by FSB in 2011, 2013, 2014 and 2015 respectively. Pursuant to FSB requirements, the CBRC has required the four G-SIBs to develop RRPs. CMGs have been set up for all of the G-SIBs, composed of high-ranking officers from national authorities including the CBRC, MOF and PBC, as well as some foreign authorities. Reviews of RRPs are conducted on an annual basis. In August 2015, the CBRC led a resolvability assessment of ICBC and BOC pursuant to the Key Attributes of Effective Resolution Regimes for Financial Institutions published by FSB. A number of barriers to orderly resolution were identified in the assessment and, through supervisory briefings and interviews, CBRC urged two banks to make corrective actions and develop a timetable to remove barriers for orderly resolution. The CBRC has developed the Resolvability Assessment Manual for Global Systemically Important Banks, to assist in ensuring a consistent approach to assessing the resolvability of the four G-SIBs. At the time of the assessment, the CBRC was still working actively on developing its approach towards identifying systemic institutions at the domestic level and had not yet broadened its resolvability assessments beyond the GSIBs. Nevertheless, it may be noted that the CBRC is aware that the group structures of the great majority of the banking institutions in China are not yet complex, although they may have the capacity to develop complexity rapidly. 77 PEOPLE’S REPUBLIC OF CHINA EC7 The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner. Description and In order to facilitate practices when banks are in a stressed condition, or likely to findings re EC7 deteriorate, in 2016 the CBRC formulated the Early Intervention and Resolution Procedures of Commercial Banks, specifying procedures for recovery and resolution for banks in times of stress, as well as cooperation among regulatory authorities in the resolution. The CBRC confirmed that this policy has not yet been used in practice as the need has not arisen. In any case, the CBRC rating system requires the CBRC to take early and preventative measures such as when banks have poor ratings. For banks whose ratings are between 3 and 6 (inclusive), early intervention and resolution procedures shall be taken. Those between 4 or 5 are deemed to be problem banks, and supervisors shall take necessary actions to improve their survivability and safeguard the interest of depositors. For banks with ratings of 6, the exit process should be launched as soon as possible. Ratings are further sub-divided into three categories and the assessors were able to view the distribution of ratings, in the banking sectors, over the past five years. EC8 Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to draw the matter to the attention of the responsible authority. Where the supervisor becomes aware of banks restructuring their activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this. Description and With respect to illicit deposit taking and other illegal financial activities, the State Council findings re EC8 has released and subsequently updated Rules on the Clampdown of Illegal Financial Institutions and Illegal Financial Operations since 1998 and the latest version of these rules is currently under consultation and due to be finalized shortly. Further, in 2007, the State Council established the Anti-illegal Fund-raising Joint Ministerial Committee (AIFR JMC) whose office is based in the CBRC. As a member of the AIFR JMC, the CBRC is responsible for establishing monitoring and early-warning mechanisms for illegal fund-raising. Information is drawn from day-to-day supervision, whistle-blowing by organizations or individuals, and broad oversight by press and journalists. Should suspected illegal fund-raising be identified, the CBRC is required to collect relevant evidence and report to the AIFR JMC. The office will then, pursuant to the Procedures on Resolving Illegal Fund-raising (Provisional), request local government to investigate and determine the nature of suspected activities. Should the suspected activities be determined as illegal fund-raising, action will be taken according to the Rules on the Clampdown of Illegal Financial Institutions and Illegal Financial Operations. With respect to regulatory arbitrage, the Guidelines on the Consolidated Management and Supervision of Commercial Banks (Article 87) requires the CBRC to cover all cross-sector conduit businesses operated by banks and other affiliates within banking groups during consolidated supervision. Particular attention shall be paid to the resulting supervisory arbitrage, risk concealing, risk transfer, etc., to avoid risk contagion. 78 PEOPLE’S REPUBLIC OF CHINA The CBRC monitors potential risks associated with financial innovations on an ongoing basis. It investigates business models and transaction structures with a forward-looking view through daily risk monitoring and on-site visits. In addition, the CBRC seeks to remind banks of continuously monitoring innovative businesses and associated risks through regular CBRC briefings on economic and financial developments, and takes supervisory measures as appropriate. In 2013, for example, the CBRC required banks to strengthen risk management, information disclosure and investor education on wealth management businesses. In CBRC briefings on economic and financial developments held in 2014 and 2015, the CBRC analyzed risks associated with non- standard credit assets and adopted a set of supervisory measures. In the briefing held in 2016, CBRC alerted banks to liquidity risks associated with interbank business, wealth management products and investment activities. Over the last five years, CBRC has published a series of regulatory documents that aim to prevent banks from innovating for the purpose of regulatory arbitrage, notable among which are: (a) The Notice of CBRC General Office on Regulating Interbank Agency Payment issued in 2012. It aims to address inaccurate accounting treatments, non-compliant business processes and inadequate risk management in interbank agency payment business. It requires banks to uniformly manage all businesses satisfying the definition or substance of interbank agency payment activities and ensure authentic accounting treatments and entrusted payments. (b) The Notice on Further Standardizing Investment Operations of Wealth Management Business of Commercial Banks issued in 2013. In this Notice, the CBRC requires banks to create a separate account for each wealth management product in order to manage and conduct accounting on a separate basis. Banks are also required to disclose sufficient information on their non-standard debt investment, and place reasonable control on the total amount of wealth management funds invested in non-standard debts. The amount of wealth management funds invested in non-standard debts must not exceed 35 percent of total amount of wealth management products at any point or four percent of its consolidated assets disclosed in previous year’s annual report, whichever is smaller. (c) The Notice on Regulating the Governance of Interbank Business issued in 2014. This Notice is designed to address problems of non-compliant transactions, insufficient information disclosure and regulatory arbitrage resulting from rapid growth of interbank businesses, The CBRC together with PBC and other national authorities has also released the Notice of PBC, CBRC, CSRC and Other Departments on Regulating the Interbank Business of Financial Institutions, standardizing interbank transactions and strengthening internal and external management of interbank business. (d) (d) The Notice of CBRC General Office on Regulating the Transfer of Credit Beneficiary Rights by Banking Financial Institutions issued in 2016. This Notice is intended to address problems of non-compliant trading structure and imprudence in accounting treatment and provisioning within transactions of loan assets beneficiary rights. It requires banks to standardize their business behavior and control risk when conducting transactions of loan assets beneficiary rights. It sets regulatory requirements in order to 79 PEOPLE’S REPUBLIC OF CHINA strengthen business compliance, control relevant risk, and enhance market discipline, to prevent disguised risk transfer. Assessment of Largely Compliant Principle 8 Comments The CBRC plans and executes a high quality supervisory approach. Effective use is made of broad sources of information and the CBRC’s supervisory programmes have focused on key emerging risks and trends such as the provision of wealth management products and interbank activity. Assessing the resolvability of banks is one field which is still work in progress. While the largest banks, which are identified as Global Systemically Important Banks (GSIBs) have been subject to resolvability assessment, the CBRC is still deliberating on the approach it should take to identifying banks that are systemic at a domestic level and resolvability assessment will take place once the DSIB issues have been decided upon. In mitigation, it should be noted that the CBRC has a sound knowledge of the banking groups in the system and of the relative lack of complexity in the vast majority of cases. Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks. Essential criteria Essential Criteria EC1 The supervisor employs an appropriate mix of on-site and off-site supervision to evaluate the condition of banks and banking groups, their risk profile, internal control environment and the corrective measures necessary to address supervisory concerns. The specific mix between on-site and off-site supervision may be determined by the particular conditions and circumstances of the country and the bank. The supervisor regularly assesses the quality, effectiveness and integration of its on-site and off-site functions, and amends its approach, as needed. Description and The CBRC’s approach to Off-Site Surveillance (OSS) is set out in the Off-site Surveillance findings re EC1 Rules which defines OSS procedures and provides that supervisors shall monitor bank performance and risk profile at regular intervals to ensure the timely identification of issues and provide guidance for on-site examinations. The OSS Rules require there to be sound interaction and coordination between on-site examinations and OSS. The supervisory cycle (see also CP8 EC1) is determined by the relevant institutional supervisory departments and reflects risk profile and systemic importance and also the availability of supervisor resources (see Article 28 of the OSS Rules). The on-site examination plans are developed taking into account suggestions made by the institutional and functional supervisory departments, the department for systemic and regional risk supervision regarding key institutions, regions, business activities and risk areas as well as taking into account banks’ compliance status, supervisory ratings, risk profiles, results of previous examinations and, again, the availability of supervisory resources. (See also Article 45 of the OSS Rules). Requirements and procedures for on-site examinations are set out in the Rules of CBRC on On-site Examination. 80 PEOPLE’S REPUBLIC OF CHINA Following an onsite examination, the findings—Supervisory Opinions of On-site Examination—are sent to relevant departments which are responsible for following up the issues that have been identified, including necessary rectifications and on-going monitoring. (see Article 47 of the OSS Rules). Both the OSS Rules and the Rules of CBRC on On-site Examination set out specific requirements on post-surveillance and post- examination evaluations. The on-site examination findings are taken into consideration in the context of the risk assessments and supervisory ratings that are carried out by the supervisory departments. The ratings themselves are carried out according to the Internal Guidelines on Supervisory Ratings of Commercial Banks. On-site examinations and OSS are designed as an integrated supervisory process. During every supervisory cycle, off-site supervisors (each bank is assigned a chief supervisor in charge of its surveillance) analyze banks’ major risk areas on an ongoing basis, help determine the priorities and scope of on-site examinations, and keep track of and evaluate the rectification of issues identified during on-site examinations. During on-site examinations (there is a chief examiner assigned to each examination) the examiners are expected to independently verify, validate and confirm the business status, risk level, management quality and potential weakness of the examined institutions, to assess banks’ corporate governance, internal control and risk management, and provide input for OSS and the development of macro-prudential policies. The scope and intensity of both the on and off-site supervisory activity is determined by the size, complexity, risk profile, risk development and systemic importance of the supervised institution. Generally speaking, and as is common across many jurisdictions, large banks can expect to be examined more often while small institutions are supervised mainly through OSS. A SIB would be subject to several thematic on-site examinations with different focuses in a supervisory cycle. For example, in 2016, one SIB was examined with respect to interbank investment, comprehensive risk management, and internal control of overseas institutions. As a backstop requirement under the Rules of CBRC on On-site Examination, the full-scope on-site examination of a locally incorporated bank shall be conducted at least once every five years. The CBRC has specific requirements on post-surveillance and post-examination evaluation (see, for example, Articles 79 to 85 of the Off-site Surveillance Rules and Articles 60 to 63 of the Rules of CBRC on On-site Examination) including on-site examinations effectiveness, OSS effectiveness and the results of newly implemented regulatory policies. In this context it may also be noted that the Provisional Rules on the Performance and Accountability of CBRC Staff create accountability for staff in the performance of on-site examination and OSS analysis. The methodology used by the CBRC in the evaluation process—it considers approximately 50 factors or elements that might be relevant for a bank—in fact provides a good framework to guide consistent analysis across the CBRC organization as a whole. For post-OSE evaluation there are not only criteria (e.g. whether weaknesses were identified) but mechanisms which allow for recognition if the OSE staff identified possible improvements and the bank adopted these amendments. Suggestions are encouraged for innovations to the methodologies or technologies used in on-site examinations. 81 PEOPLE’S REPUBLIC OF CHINA EC2 The supervisor has a coherent process for planning and executing on-site and off-site activities. There are policies and processes to ensure that such activities are conducted on a thorough and consistent basis with clear responsibilities, objectives and outputs, and that there is effective coordination and information sharing between the on-site and off-site functions. Description and As noted in ECI, OSS procedures are set out in the OSS Rules and these Rules require findings re EC2 interaction and coordination between on-site examinations and OSS. A complete OSS process (i.e. supervisory cycle) contains 6 stages, including specific coordination with the on-site examination function. The 6 stages (see also CP8 EC1) are: development of the supervisory plan, regular surveillance analysis, risk assessment, coordination with on-site examination, supervisory rating and supervisory summary. Responsibilities, objectives and deliverables are defined for each stage, forming a continuous OSS cycle. As noted in CP9 EC1, at the start of a supervisory cycle, the chief supervisor will design a supervisory plan in accordance with banks’ risk profile and provide recommendations on scope and coverage of the examination plan to the chief examiner based on the findings of the OSS work. At the end of a supervisory cycle, the supervisors must prepare detailed and in-depth annual supervisory reports based on off-site and on-site findings, conduct risk ratings according to CAMELS+I system, providing evaluations of banks’ overall operation and risk management status, and identifying existing and potential risk issues. These reports serve as the starting point for the next supervisory cycle. The On-site Examination Rules prescribes examination procedures and sets out requirements on the planning of on-site examination projects, on-site work and examination follow-ups. The Commercial Banks On-site Examinations Manuals further define processes and topics of the on-site examinations and prescribes unified formats for examination documents. The CBRC develops an annual national on-site examination plan at the beginning of each calendar year. As noted above, the frequency and scope of on-site examinations mainly depend on banks’ risk profile, business scope and complexity, risk management capacity, size and systemic importance. Furthermore, the types and nature of issues identified during ongoing OSS are expected to serve as foundations for the establishment of examination projects. The annual examination plan is also informed by recommendations from other departments including macro-prudential departments such as Policy Research Bureau and the Prudential Regulation Bureau with a view to exploring systemic vulnerabilities that have been detected by these departments. Such systemic risks are examined through horizontal thematic examinations. Coordination and information-sharing between OSS and on-site examinations is supported in a number of ways. All the periodic surveillance analysis reports and on-site examination reports can be shared in real time online. In addition, CBRC has also sought to strengthen 82 PEOPLE’S REPUBLIC OF CHINA the connection between OSS and on-site examination for better communication and cooperation through the following approaches: • Consideration of recommendations from the institutional supervisory departments and functional supervisory departments by the on-site examinations; • Joint work between off-site and on-site staff prior to an examination to determine the focus of on-site work; • Participation in on-site examinations by Off-site supervisors where necessary; and • Strengthening of communication and application of examination results - in addition to incorporating the results of the examinations into the annual supervisory reports, supervisory rating and risk assessments, the CBRC has further enhanced sharing of the judgment of on-site inspectors. Major issues identified during the examinations are reported in written form to the institutional supervisory departments using the unified On-site Examination Information Sharing Letter. This technique helps to identify which issues must be kept track of through OSS. Once universal and systemic problems are identified during inspections, supervisory briefings and risk alerts will be released. For example, in 2015, CBRC issued the Notice on Risk Alert of Negotiable Instruments. If issues concerning the supervisory mechanisms or regulatory gaps are spotted, a Regulation Improvement Recommendation Letter is sent to the Legal Department and Prudential Regulation Bureau. The assessors discussed supervisory planning and coordination with multiple departments of the CBRC. EC3 The supervisor uses a variety of information to regularly review and assess the safety and soundness of banks, the evaluation of material risks, and the identification of necessary corrective actions and supervisory actions. This includes information, such as prudential reports, statistical returns, information on a bank’s related entities, and publicly available information. The supervisor determines that information provided by banks is reliable 19 and obtains, as necessary, additional information on the banks and their related entities. Description and The CBRC has well established powers to obtain a range of information as needed. For findings re EC3 example the Commercial Bank Law, and Banking Supervision Law both articulate requirements for the submission of information to the CBRC and PBC (see for example the Commercial Bank Law, Articles 61 and 55 regarding financial and accounting statements). The laws are supplemented by the Off-site Surveillance Rules, the Internal Guidelines on Supervisory Ratings of Commercial Banks and the Operational Procedures on Duty Performance of CBRC Headquarter (Provisional) which require banks to submit information that permits the supervisors to assess banks’ safety and soundness, and risk profiles. In practice, the CBRC requires the regular submission of supervisory returns including information on capital adequacy, liquidity, large exposures, assets and liabilities, profitability and related party transactions. Information can also be gathered directly from banks through inspections and on-site examinations. Targeted investigations can be 19 Please refer to Principle 10. 83 PEOPLE’S REPUBLIC OF CHINA applied to individual banks, certain businesses, a group of banks, the banking industry as a whole, or cross-market activities. The CBRC makes use of its relationships and information gateways to communicate with a range of counterparties. This includes communication with: • Banks’ Board and senior management. Regular meetings with senior management are seen as an important conduit of information. During ongoing supervision, on a quarterly basis, supervisors hold meetings with banks’ senior management on a regular basis to understand significant changes in bank development strategy, organizational structure, risk profile and business performance. Interviews, including exit interviews, with banks’ directors, senior managers and line managers form part of the on-site examination. • External auditors through tripartite or bilateral meetings. The CBRC may also communicate with external auditors when needed in the course of an examination. • Supervisory authorities of major jurisdictions. The CBRC participates in meetings of global supervisory college as the home or host supervisor and has signed MoUs on supervisory coordination (please see also CPs 3 and 13). Additionally, the CBRC analyzes annual reports and other significant public information released by banks and observes public opinions about financial market, banking industry and individual banks. CBRC assesses and verifies the reliability of information submitted by banks through a variety of means. On-site examinations can be used to review and verify banks’ management and business information, through checks on internal rules, risk management policies and procedures, internal control system and process, meeting minutes of the Board and senior management, important contracts, loan records as well as business data including original transaction data. Targeted on-site examinations have been used to assess the quality of supervisory returns. Please see also CP10 EC9. External auditors are expected to audit the authenticity of bank financial reports and provide opinions. Also, they shall audit the internal controls related to financial reports to assess the risk of significant misreporting. The CBRC has the powers to obtain information from banks’ affiliates where necessary. EC4 The supervisor uses a variety of tools to regularly review and assess the safety and soundness of banks and the banking system, such as: (a) analysis of financial statements and accounts; (b) business model analysis; (c) horizontal peer reviews; (d) review of the outcome of stress tests undertaken by the bank; and (e) analysis of corporate governance, including risk management and internal control systems. The supervisor communicates its findings to the bank as appropriate and requires the bank to take action to mitigate any particular vulnerabilities that have the potential to affect its 84 PEOPLE’S REPUBLIC OF CHINA safety and soundness. The supervisor uses its analysis to determine follow-up work required, if any. Description and The CBRC’s tools include the following: findings re EC4 (a) Analysis of financial statements. The off-site supervisors review bank financial statements regularly and prepare monthly, quarterly, semi-annual and annual supervisory reports. These reports contribute to the analysis of banks and determine supervisory ratings. (b) Business model analysis. During OSS, supervisors pay attention to material changes in banks’ development strategies and business models, especially when banks enter new markets, start new businesses, or launch new products. During on-site examinations, supervisors are expected to deepen their understanding of banks’ strategy, risk appetite, profitability model, performance of major business, as well as inherent vulnerabilities in business models, and then assess their sustainability. (c) The CBRC carries out peer group analysis and in the light of its findings, and of the general risk profile of the banking system, might carry out horizontal thematic examinations. In 2015, for example, CBRC organized targeted examinations with respect to assets management and interbank businesses, exposures to major customers, and acceptance bill business. (d) The CBRC has issued Guidelines on Stress Tests of Commercial Banks (revised in December 2014) which requires banks to perform regular stress testing (or a nature and frequency proportionate to the size, complexity of the business and risks entailed (Articles 6 and 19)). The Guidelines specify stress test requirements for commercial banks, including governance structure, methodology and procedures, scenario design, verification and assessment of stress test, and also authorizes supervisor to require certain commercial banks to conduct stress tests and assess the effectiveness of stress tests. In fact the Guidelines impose an obligation on the CBRC and its local offices to assess whether the stress test arrangements are suitable and commensurate with the scale, scope and complexity of the institutions. Supervisors assess stress test results submitted by banks and on-site examinations can look at implementation practices including prudent and appropriate governance structure, stress scenarios and assumptions for stress tests, application of results, and internal controls over stress tests. Corrective measures are proposed and followed up. (e) The CBRC has also issued Guidelines on Corporate Governance of Commercial Banks. (Please see also CP14) and banks’ performance in this field is considered in on and offsite work and feeds into the “M” component of CBRC supervisory rating system which addresses banks’ corporate governance, risk management and internal control systems. (f) The CBRC also analyzes the macro-economic and industry wide environment and, issues risk alerts as well as taking targeted supervisory actions. The CBRC has issued supervisory briefings and risk alerts on such issues as excessive credit growth and flawed risk management. EC5 The supervisor, in conjunction with other relevant authorities, seeks to identify, assess and mitigate any emerging risks across banks and to the banking system as a whole, potentially including conducting supervisory stress tests (on individual banks or system-wide). The supervisor communicates its findings as appropriate to either banks or the industry and 85 PEOPLE’S REPUBLIC OF CHINA requires banks to take action to mitigate any particular vulnerabilities that have the potential to affect the stability of the banking system, where appropriate. The supervisor uses its analysis to determine follow-up work required, if any. Description and The OSS Rules cover requirements for the CBRC with respect to systemic and regional risks, findings re EC5 including risk monitoring and identification, and risk prevention and control. Cross- department information sharing and supervisory cooperation is also addressed (Article 6). Further the OSS Rules (Article 56 to 72) specify requirements for the OSS of systemic and regional risks and this includes an elaboration of how the various offices of the CBRC are expected to collaborate in identification and response to emerging systemic risks (for example Article 71 requires an early warning system to be established). In terms of supervisory responses the On-site Examination Rules (Article 57) provides that supervisory actions shall be taken to address universal and systemic issues identified during examinations, including issuing supervisory announcements, risk warnings, etc. The PBC, CBRC, CSRC and CIRC each have roles in identifying and preventing systemic risks in the financial system and have established channels for communication. The CBRC, CIRC and CSRC have signed the MOU on Division of Responsibilities and Cooperation in Financial Supervision and Regulation. After the Financial Crisis, the Financial Crisis Response Group (FCRG) was set up by the State Council, with members from the PBC, CBRC, CIRC, CSRC and other relevant authorities. The Group meets regularly to discuss systemic risks and take decisions In August 2013, with the approval of the State Council, the Joint Ministerial Committee (JMC) was established. The key responsibility of the JMC is to maintain financial stability and coordinate efforts to address systemic and regional risks. Since its inception, the JMC has held a number of meetings to coordinate the prevention and resolution of systemic financial risks. The PBC provides the secretariat function. Where necessary, the CBRC works with other authorities to take joint preventive measures. For example, as a member of the taskforce led by the NDRC to phase out overcapacities in the coal, iron and steel industries, the CBRC is responsible for examining risks associated with credit exposures to these two industries. The assessors discussed with the CBRC, the cross sectoral initiatives and discussions it had taken in the area of wealth management products and agency sales of financial products. EC6 The supervisor evaluates the work of the bank’s internal audit function, and determines whether, and to what extent, it may rely on the internal auditors’ work to identify areas of potential risk. Description and The Guidelines on Internal Audit of Commercial Banks (Article 42) provides that CBRC shall findings re EC6 assess the effectiveness of banks’ internal audit through OSS, on-site examinations and supervisory interviews. In addition, the CBRC holds tripartite meetings to obtain the external auditors’ opinions on banks’ internal audit. During ongoing supervision, the CBRC obtains and reviews the internal audit plans, reports and conclusions at regular intervals to assess the quality and effectiveness. When the internal audit function is included in the scope of the on-site examinations, inspectors are expected to assess the policy framework, independence, frequency and coverage of internal 86 PEOPLE’S REPUBLIC OF CHINA audit, the number of internal auditors and their professional skills. The assessment methods include interviewing internal auditors, reviewing audit reports and working documents, and independently validating the effectiveness of internal audit. Once the CBRC recognizes the effectiveness of the bank’s internal audit function, the results of internal audit can be used in assisting supervisors to identify potential risks. The Guidelines on Internal Audit (Article 41) authorizes the supervisor to require banks’ internal audit function to audit designated contents and submit results. If deficiencies are identified in internal audit, supervisory actions the CBRC might take include, for example, issuing supervisory letters to set forth supervisory requirements on the system, independence and resource allocation of banks’ internal audit. Several banks commented on the zero tolerance policy the CBRC adopted towards errors in internal audit. EC7 The supervisor maintains sufficiently frequent contacts as appropriate with the banks’ Board, non-executive Board members and senior and middle management (including heads of individual business units and control functions) to develop an understanding of and assess matters such as strategy, group structure, corporate governance, performance, capital adequacy, liquidity, asset quality, risk management systems and internal controls. Where necessary, the supervisor challenges the banks’ Board and senior management on the assumptions made in setting strategies and business models. Description and The Banking Supervision Law (Article 35) confirms the basis for the CBRC’s contact with findings re EC7 banks and provides that the CBRC may hold supervisory meetings with banks’ directors and senior managers to inquire on major issues concerning business operation and risk management. During OSS, supervisors communicate with the Board and senior management through regular or ad hoc meetings, issuing written reports and paying supervisory visits. For example, supervisors may hold regular prudential interviews with the Board, board of supervisors and management to brief issues identified during OSS and discuss changes in banks’ performance and risk profile. If issues have been identified, supervisors may hold interviews with banks’ management and issue risk alerts to banks’ management when necessary. During on-site examinations, and as confirmed by banks, examiners interview banks’ directors (including independent directors), senior managers, heads of business departments, chief compliance officers, and chief internal auditors. As noted throughout the assessment, the CBRC practice is to observe the board meetings of banks and all the banks with whom the assessors met confirmed that the practice is consistently carried out. For more significant messages to be communicated to the banks, the CBRC will arrange to have a separate meeting, very often with the non-executive, independent members of the Board. In the case of the systemic banks, the CBRC chairman will meet with the Board. EC8 The supervisor communicates to the bank the findings of its on- and off-site supervisory analyses in a timely manner by means of written reports or through discussions or meetings with the bank’s management. The supervisor meets with the bank’s senior management and the Board to discuss the results of supervisory examinations and the 87 PEOPLE’S REPUBLIC OF CHINA external audits, as appropriate. The supervisor also meets separately with the bank’s independent Board members, as necessary. Description and It is standard practice for the CBRC to communicate with the bank senior managers on off- findings re EC8 site and on-site examination findings by means of written reports, meetings and other channels. The assessors were able to review a number of these documents. The OSS Rules (Article 55) and OSE Rules (Article 50) provide that the CBRC is permitted to communicate its supervisory concerns and results of inspections to the banks, including Board, management and principal shareholders. Written reports issued to a bank may take the form of: (a) supervisory briefings at the end of supervisory cycle detailing the overall risk conditions, major findings, supervisory ratings for the bank and its branches, and supervisory recommendations for corrective measures; (b) supervisory letters requiring for corrections of deficiencies in business operations and financial conditions identified during the day-to-day supervision; (c) alerts to potential risks; and (d) supervisory opinions issued at the conclusion of on-site examinations that articulate deficiencies identified, recommendations for remedial actions and rectification plan. Discussions and meetings with the management also take various forms, including: (a) regular prudential meetings between CBRC and the management to discuss risk assessment, supervisory rating and supervisory findings; (b) briefings on macro-economic conditions and risk management workshops to update the latest macro-economic situations and risk profiles; and (d) meetings at both the beginning and conclusion of on- site examinations, to report findings and discuss issues identified and the appropriateness of findings. According to examination procedures, inspectors shall meet not only with management but with the Board at the end of an examination to discuss issues that have been identified issues and propose supervisory opinions and corrective requirements. The Supervisory Opinions issued by the CBRC shall be submitted to the bank’s Board. Moreover, at the conclusion of each supervisory cycle, the CBRC holds separate meetings with the Board, supervisory board and senior management to discuss findings with respect to business strategy, asset quality and risk management process, etc., and to recommend corrective measures and determine supervisory priorities of the next cycle. The CBRC also holds tripartite meetings with banks’ management and external auditors to discuss results and significant findings of external audit. The CBRC is authorized to meet with the Board, including having separate meetings with independent directors when necessary. EC9 The supervisor undertakes appropriate and timely follow-up to check that banks have addressed supervisory concerns or implemented requirements communicated to them. This includes early escalation to the appropriate level of the supervisory authority and to the bank’s Board if action points are not addressed in an adequate or timely manner. Description and The CBRC has formulated internal rules and processes to ensure the timely implementation findings re EC9 of supervisory requirements. The OSS Rules provides OSS procedures and requires institutional supervisory departments to formulate a continuous cycle of OSS. The cycle includes a continuous assessment and 88 PEOPLE’S REPUBLIC OF CHINA monitoring of whether banks have addressed the supervisory concerns or implemented the requirements set forth by the supervisors is an essential Article. The OSE Rules (Article 55) provides that the departments responsible for on-site examinations shall assess bank’s implementation of corrective actions to address deficiencies identified in the examinations (“on-site inspection shall be responsible for assessing the rectification of the inspected institution”). During the assessments, supervisors are authorized to review banks’ rectification reports, require additional information, meet with relevant staff and consult institutional supervisory departments and other related departments. Follow-up examinations can be conducted where necessary. During both OSS and on-site examinations, supervisors can communicate with the bank management on deficiencies identified, and set out supervisory requirements for banks by issuing official documents. The CBRC carries out ongoing supervision and on-site examinations to ensure that banks implement supervisory requirements in a timely manner. If a bank fails to make timely corrections, the CBRC is empowered to interview the Board, take supervisory actions or impose administrative penalties according to the Banking Supervision Law. With respect to deficiencies identified, CBRC issues supervisory opinions, which are copied to the institutional supervisory departments who will then urge banks to make rectifications as required. In case of significant corrective recommendations, the department responsible for on-site examinations may assess the correction progress and results, and undertake follow-up examinations where necessary (see Article 55 of the OSE Rules). EC10 The supervisor requires banks to notify it in advance of any substantive changes in their activities, structure and overall condition, or as soon as they become aware of any material adverse developments, including breach of legal or prudential requirements. Description and With respect to banks with foreign ownership, the Rules on Implementing the Regulations of findings re EC10 the People's Republic of China on Administration of Foreign-funded Banks establish clear and extensive expectations for notifications to be made to the CBRC, including (Article 66): (a) material problems related with financial position and operating activities; (b) significant adjustments to operating strategies; (c) suspending operation for two days or less shall be reported to CBRC in written format seven days in advance, except where such suspension is caused by force majeure; (d) important resolutions adopted by the Board in the case of wholly foreign-funded banks or Chinese-foreign joint venture banks; (e) changes to the articles of associations, registered capital or registered domicile of the headquarters of the foreign bank branch, wholly foreign-funded banks or Chinese- foreign joint venture banks; (f) restructuring, such as merger or split, and replacement of the Board chairman or president (CEO or General Manager) of the head office of foreign bank’s branches or the shareholders of wholly foreign-funded banks or Chinese-foreign joint venture banks; (g) material problems related to financial position and business operations of the shareholders of wholly foreign-funded banks or Chinese-foreign joint venture banks or the head office of the foreign bank’s branch; 89 PEOPLE’S REPUBLIC OF CHINA (h) major cases involving the head office of the foreign bank’s branch, shareholders of the wholly foreign-funded banks or Chinese-foreign joint venture banks; (i) significant supervisory measures against the head office of foreign bank’s branch, shareholders of the wholly foreign-funded banks, or foreign shareholders of Chinese- foreign joint venture banks, as well as shareholders’ other oversea branches taken by respective supervisory authorities; (j) changes material to the financial regulations and financial supervisory regime in the home countries/jurisdictions of the head office of foreign bank’s branch, shareholders of the wholly foreign-funded banks, or foreign shareholders of Chinese-foreign joint venture banks; and (k) other issues subject to reporting as required by CBRC. All banks are subject to the requirements of the Major Emergency Reporting Policy which demands timely and full reports and updates for any major emergency. The scope and criteria of events that fall under the Policy are set out, as are the operational details of the report - channel, time, form and content. Broadly speaking, the events covered by the Policy include criminal cases, unexpected vacancies of senior management and events that may lead to systemic risks in the banking sector or severely affect the stability of financial market or the society. Should a commercial bank experience an event that could impair its reputation the Guidelines on Reputation Risk Management of Commercial Banks (Article 6) provides that, among other responses, the bank should report to the CBRC within 12 hours of the incident. EC11 The supervisor may make use of independent third parties, such as auditors, provided there is a clear and detailed mandate for the work. However, the supervisor cannot outsource its prudential responsibilities to third parties. When using third parties, the supervisor assesses whether the output can be relied upon to the degree intended and takes into consideration the biases that may influence third parties. Description and The CBRC does not outsource prudential regulatory responsibility to any third party but findings re EC11 may make use of independent third parties, such as external auditors, to undertake some specific supervisory activities. Before commissioning a third party, the CBRC indicated that it would assess independence and skills as well as performing quality control on the performance of any work carried out. Eligible Third-party institutions may be hired by banking financial institutions to carry out on-site examinations, pursuant to the On-site Examination Rules and Article 24). The results of such work must be reported to the CBRC. EC12 The supervisor has an adequate information system which facilitates the processing, monitoring and analysis of prudential information. The system aids the identification of areas requiring follow-up action. Description and Building on a unified data collection platform, the architecture comprises a number of findings re EC12 systems as the pillars, including the Off-Site Supervisory (OSS) system which feeds into the REASS, the Examination & Analysis System Technology (EAST), licensing management 90 PEOPLE’S REPUBLIC OF CHINA system, etc., which are supported by the integrated office administration platform and information platform. There are three main components to the supervisory data systems used by the CBRC. The OSS, which contains data received from the banks’ supervisory reporting, and feeds into the Risk Early-warning Analysis and Supporting System (REASS) system (please see CP8 EC2) which includes 25 leading indicators and 24 vulnerability indicators are used to monitor potential risks. There is also the Examination & Analysis System Technology (EAST) and the Obligor Risk Monitoring System (ORMS), which contains obligor data (a credit registry). EAST was initially launched in 2011 and has been further upgraded since then to assist the CBRC in analyzing data quality in the course of conducting an on-site examination. The EAST system downloads the bank’s standard data, including public information, card information, accounting information, customer information, counter-party information, credit management information, transaction flow information, statistic account information and customer risk statistics, treasury business and wealth management, etc., to capture suspicious data and detect potential risks. The EAST system enables supervisors conduct more sophisticated analysis as well as confirming and verifying off-site data, and specifying the targets and priorities of examinations. The system has intellectual property rights and patents and the CBRC has been further developing the system over recent years since its introduction. The CBRC sees EAST as a valuable tool in identifying problems in banks, idiosyncratic issues, common trends and contributing to the effort to identify and mitigate regional and systemic risks. ORMS collects monthly information and the on- and off-balance sheet activities of banks’ customers at monthly intervals, including credit extension, loan offering, off-balance sheet activities, interbank activities, and customer registration information, financial status, early- warning indicators, events deserving special attention, senior management, shareholders, related companies, collateral and guarantor’s information. The system is also used to analyze customers and industries concentrated with large exposures and facilitate banks to identify risks associated with corporate groups by interbank information sharing. Please see CPs 17 to and 19. To develop an accurate view of banks’ wealth management activities, CBRC approved the establishment of the China Banking Wealth Management Registration System, which is used for comprehensive registration of wealth management activities. In addition, summary analysis form and product category analysis form have been added to the OSS information system. The CBRC plans to continue to develop and update systems for supervisory data management, supervisory operations, supervisory information integration and office administration. Assessment of Compliant Principle 9 Comments The supervisory practice of the CBRC is of high quality and continued to develop its risk based approach since the last assessment. There are good processes in place for planning and executing both the on and off-site supervisory activities. While the supervisory approach is more balanced towards the off-site (OSS) techniques, there is good use made 91 PEOPLE’S REPUBLIC OF CHINA of the on-site examinations and there is good coordination between the on and off-site departments and bureaus. Since the last assessment there has been intensive investment in the quality of the supervisory data and analytical systems and a refreshing of the analytical methodologies. Supervisory expectations are clearly communicated to banks and are followed up. The use not only of meetings but also notices and risk alerts ensure that there is responsive feedback to the industry in relation to emerging or recently identified issues that might affect one institution or a peer group, or indeed be industry wide. One finding of the previous assessment was that the CBRC’s needed to achieve a more integrated view and understanding of risks in the banking industry, as opposed to taking a risk by risk approach. The methodological and statistical developments in recent years have driven the CBRC forward in this area and have created a strong platform for continued progress but more remains to be achieved. Based on discussions and document review, the assessors are confident in the capacities and potential of the staff a number of whom were of outstanding quality. Nevertheless, past tendencies towards treating symptoms as they emerged and approaching banks on a “risk by risk” basis rather than looking through the risks to identify root causes of issues in order to devise a more effective forward looking approach is still evident. Although the CBRC has further enhanced its supervisory rating approach to permit a greater use of supervisory judgment, the leeway for this judgement is highly constrained and for some banking models might fail to reflect the nature of the risks in the banking institution. At present, given the broad consistency of banking models adopted in the Chinese banking sector, this is not a major deficiency, but banks will diversify and attempt to differentiate themselves, potentially at a rapid pace. The supervisory rating model needs to be able to reflect these emerging characteristics and it is recommended that as more distinctive banking profiles evolve, the procedures allow for the supervisors to be permitted—under senior approval as necessary—to vary the weightings of the rating categories by more than five percent. Continued development of the CBRC’s analytical techniques in relation to banks’ strategies and business models will provide a robust underpinning for greater supervisory discretion. One issue that is not graded in this CP, but is reflected in CP2, is the importance of the CBRC ensuring it can deliver a robust inspection program proportionate to the risks and needs of the smaller and regional institutions. Due to the large numbers of smaller institutions, resource limitations mean that it is extremely difficult for the CBRC to be confident it is maintaining as close a degree of oversight as is necessary in relation to the risk profile of this sub-sector. Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns 20 from banks on both a solo and a consolidated basis, and independently verifies these reports through either on-site examinations or use of external experts. 20 In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27. (continued) 92 PEOPLE’S REPUBLIC OF CHINA Essential criteria EC1 The supervisor has the power 21 to require banks to submit information, on both a solo and a consolidated basis, on their financial condition, performance, and risks, on demand and at regular intervals. These reports provide information such as on- and off-balance sheet assets and liabilities, profit and loss, capital adequacy, liquidity, large exposures, risk concentrations (including by economic sector, geography and currency), asset quality, loan loss provisioning, related party transactions, interest rate risk, and market risk. Description and The CBRC has powers to obtain information from banks on both solo and consolidated findings re EC1 basis by requiring them to submit information. Requirements in the Banking Supervision Law are echoed in the Commercial Bank Law and further articulated through the OSS Rules. The Banking Supervision Law (Article 33) prescribes that supervisors, for the purpose of performing its responsibilities, have the authority to require banking financial institutions to submit, in accordance with applicable regulations, balance sheets, P&Ls, other financial and statistical reports, information on business operations and management, and audit reports prepared by certified public accountants. As also noted elsewhere, Article 25 of the Banking Supervision Law provides that the CBRC shall supervise banking financial institutions on a consolidated basis. Article 61 of the Commercial Bank Law provides that commercial banks shall submit balance sheets, P&Ls as well as other financial statements, statistical reports and documents to the CBRC and PBC. The Off-site Surveillance Rules requires banks to submit relevant supervisory and statistical reports at regular intervals or on demand. Specifically, Article 12 provides that supervisors collect the supervisory returns from banking financial institutions on a regular basis. The supervisors may require banking financial institutions to provide necessary data and information when needed for performing supervisory work. Article 34 prescribes that the CBRC shall comprehensively and continuously collect information on the performance and risks of supervised banks on a solo basis and by comparison within the peer group. Sources of information include but are not limited to: supervisory returns and also internal rules and policies, documents, reports and other information from the bank. The CBRC’s supervisory returns system dates from 2007 and has the following characteristics: Inclusive coverage. All banking financial institutions supervised by the CBRC are required to make submissions. Broad contents. The supervisory returns cover: assets and liabilities (table G01), off- balance sheet activities (attached chart 1 of table G01), P&Ls (table G04), capital adequacy (table G40, G4A, G4B-1, G4E, etc.), leverage ratio (table G44), liquidity (table G21, G22, G23, G24 and G25), large exposures (table G14), asset concentrations (the first part of table G11 21 Please refer to Principle 2. 93 PEOPLE’S REPUBLIC OF CHINA and table G53), asset quality (table G11 and G12), loan loss provisioning (table G03), related party transactions (table G15), interest rate risk (table G33), market risk (table G32), specific activities (table G02 for derivatives, G06 for wealth management business, G17 for bank card business, G18 for bonds issuance and holdings, and G31 for investments), closely watched industries (table G19) and country risks. Scope of application: These supervisory returns are reported in three formats, namely entity without overseas branches, entity with overseas branches and consolidated group. In addition to regular submission of the supervisory returns, the supervisors may require banks to provide necessary data, tables, reports and other information. The CBRC noted that the supervisory returns have had extensive application. In addition to supervisory analysis and rating, they have permitted the generation of statistics that are regularly submitted to the State Council, shared with PBC, NDRC and other government agencies, and are widely used in the CBRC’s annual reports, periodic information disclosures and international consultations and assessments. EC2 The supervisor provides reporting instructions that clearly describe the accounting standards to be used in preparing supervisory reports. Such standards are based on accounting principles and rules that are widely accepted internationally. Description and Each of the CBRC’s supervisory returns is supplied with detailed instructions, covering: legal findings re EC2 references, applicable institutions, consolidation requirements, submission date and frequency, accounting rules, definitions of items to be reported. Logical validation checks are built into the returns. These validation checks are designed to work both within a single return/schedule and between returns and schedules to ensure overall consistency. In some instances, where supervisory returns are more difficult to prepare the CBRC’s instructions include detailed worked examples to assist the reporting banks. The assessors were able to review some of these instructions. In the event that banks experience difficulty in completing returns they notify the CBRC through their chief supervisor. If the issue is not straightforward to resolve the query is passed on and responses to more complex issues and frequently asked questions are posted on an electronic platform that banks can access. The current instructions require supervisory returns to be based on the CAS issued by MOF. The CBRC requires banks and banking groups to fully comply with the CAS in the recognition and measurement of assets and liabilities, classification of financial instruments, utilization of fair value and identification of asset impairment while filling the supervisory returns. The CAS was issued by MOF on February 15, 2006 and became effective on January 1, 2007. The Standards are substantially convergent with international accounting standards (See CP 27). In 2007, the CBRC issued the Notice on Fully Implementing CAS by Banking Financial Institutions, requiring all banking financial institutions to fully comply with the standards. EC3 The supervisor requires banks to have sound governance structures and control processes for methodologies that produce valuations. The measurement of fair values maximizes the use of relevant and reliable inputs and is consistently applied for risk management and reporting purposes. The valuation framework and control procedures are subject to 94 PEOPLE’S REPUBLIC OF CHINA adequate independent validation and verification, either internally or by an external expert. The supervisor assesses whether the valuation used for regulatory purposes is reliable and prudent. Where the supervisor determines that valuations are not sufficiently prudent, the supervisor requires the bank to make adjustments to its reporting for capital adequacy or regulatory reporting purposes. Description and One of the main instruments to apply standards for valuation is the Guidelines on the findings re EC3 Valuation of Financial Instruments' Fair Value of Commercial Banks. Banks’ fair value valuation with regard to governance structures, control processes and internal audit are addressed in Chapter 2 “Internal Control” and Chapter 3 “Valuation” specifies techniques and validation of banks’ fair value measurement. Specifically, Article 5 provides that the Board of a commercial bank shall establish sound internal control arrangements for the fair value valuation of financial instruments, and assume ultimate responsibility for the adequacy and effectiveness of the internal control system. Article 6 provides that a commercial bank’s internal control arrangements for fair value valuation shall be commensurate with the importance and complexity of its financial instruments. Article 7 provides that a commercial bank’s internal control arrangements and processes for fair value valuation shall include but are not limited to: (a) developing policies for the fair value valuation of financial instruments, which shall be subject to the review and approval of the Board and the senior management, (b) formulating the criteria on the accessibility and reliability of mark-to-market, mark-to-model and parameters according to the nature of financial instruments and sources of valuation parameters, and (c) defining the circumstances under which the valuation model needs to be modified or changed and corresponding criteria. Independence of front office trading, back office valuation and risk management from each other is covered in Article 8 and Article 9 provides that a commercial bank shall identify, monitor and document material differences of fair value measurements between risk management and accounting treatment on an ongoing basis. Regular internal audit over the internal control arrangements, valuation models, parameters and information disclosure in relation to fair value valuation is required by Article 10. Article 16 provides that a commercial bank shall set up an independent team to validate the model before it is put into use or whenever there are major adjustments thereto. Furthermore, Annex 13 “Risk Assessment Criteria” to the Capital Rules for Commercial Banks (Provisional) provides specific requirements on banks’ valuation governance structures, processes and documentation. The Annex prescribes that commercial banks shall have in place effective governance structure and control processes to ensure objective, accurate and consistent valuations and govern the valuation of financial instruments. The governance and control processes shall be applicable to both risk management and accounting reporting. The valuation approaches used by a commercial bank shall be approved and clearly documented. A commercial bank shall develop policies and procedures to standardize the choices and use of approaches for initial pricing, mark-to- market, mark-to-model, valuation adjustment and regular independent revaluation. A commercial bank’s valuation capability is expected to be commensurate with the importance, level and size of its exposures. Equally a commercial bank must have the 95 PEOPLE’S REPUBLIC OF CHINA capability of adopting multiple valuation methods for its major risk exposures under stressful circumstances. In addition, the Capital Rules, Chapter 8 “Supervisory Review,” specifically Article 137, provides that the CBRC shall review and evaluate a commercial bank’s capital level to ensure that it is adequate to cover all material risks. The supervisory review on the bank’s capital adequacy includes, but is not limited to, the following items: reviewing the composition of the bank’s capital instruments, the methods and results of risk-weighted assets calculation, and thereby assessing appropriateness and accuracy of the bank’s capital adequacy calculation. For the banks that have been permitted to use advanced capital adequacy approaches, Article 31 and 34 of the Rules for Commercial Banks on Implementing Advanced Approach to Capital Management prescribe that valuation shall serve as a key criterion in determining supervisory approval for the Foundation Internal Ratings Based approach (FIRB) to credit risk capital requirements and the internal model-based approach to market risk capital requirements. In particular, Article 31 provides that the FIRB cannot be approved for a commercial bank that exhibits significant deficiencies concerning the recognition and valuation of eligible pledges and collateral. Similarly, for market risk, Article 34 excludes the use of the internal model-based approach to market risk capital requirements where: the market risk management policies have significant deficiencies and are therefore not capable of effectively supporting the classification of books, data management, valuation, regulatory capital calculation, limit setting and monitoring, new product approval, market risk reporting, and application of the internal developed models. As mentioned in EC 2, the CBRC’s supervisory returns are based on the CAS issued by MOF. In 2014, MOF issued the CAS No.39 - Fair Value Measurement, which specifies the approaches for recognizing and measuring the fair value of assets and liabilities, according to which the accounting treatment methods are convergent with International Financial Reporting Standards. Assets and liabilities eligible for fair value measurement shall be measured according to the CAS No. 39, of which Article 19 provides that in using valuation techniques, business enterprises shall give priority to using relevant observable inputs. Non-observable inputs can only be used when it is impossible or infeasible to obtain observable inputs. Assets and liabilities eligible for the historical cost principle shall be measured according to the CAS No. 22 –Financial Instrument Identification and Measurement. In terms of supervisory validation of banks’ standards, the OSS Rules require the CBRC to check the data quality management and the authenticity of the supervisory returns through inquiry, interview, targeted assessment, site visit, or on-site examinations. In practice, the CBRC’s approach to satisfy itself on the valuation practices applied by banks rests on its system of examinations and Pillar II supervisory review. Reports that the assessors were able to review confirmed that close attention is paid to valuation. EC4 The supervisor collects and analyses information from banks at a frequency commensurate with the nature of the information requested, and the risk profile and systemic importance of the bank. 96 PEOPLE’S REPUBLIC OF CHINA Description and Supervisory returns are submitted to the CBRC on a monthly, quarterly or semi-annually findings re EC4 basis. Most supervisory returns are required to be submitted quarterly. Monthly: The supervisory returns such as tables for assets and liabilities, off-balance sheet activities, composition of loans and deposits, loans by industry, five-category classification of asset quality, asset impairment provision, liquidity ratio, and loan-to-deposit ratio. Quarterly: The supervisory returns such as tables for capital adequacy, leverage ratio, LCR and NSFR, asset quality, credit concentration, foreign exchange exposures, and real estate related business. Semi-annually: The tables covering re-pricing of interest rates and certain advanced measurement approaches to operational risk capital requirements. I. Nature of information (risk attributes and submission frequency) Supervisory returns that reflect banks’ financial and operating performance, asset quality and liquidity risk requiring timely data submission must be submitted monthly. Supervisory returns covering majority of risk types, such as capital adequacy, leverage ratio, credit risk (including concentration risk) and market risk, are required to be submitted quarterly. II. Supervisory expectation The CBRC divides quarterly supervisory returns into two batches. The first batch has to be submitted within 13 days after the end of a quarter, and the second batch within 18 days after the end of a quarter. Most supervisory returns in the first batch cover underlying data related to various risks, such as P&Ls, asset quality, liquidity (excluding LCR and NSFR), etc. III. Systemic importance of institutions The scope of supervisory returns to be submitted varies from bank to bank. Large complex banks with extensive product offering are required to submit more supervisory returns, while small banks offering simple products are exempted from submitting certain supervisory returns. For example, commercial banks whose assets are less than RMB 200 billion are not required to submit the LCR table. Given that majority of SIBs have quite diversified business and are growing fast, supervisors need to collect consolidated data from banking groups in a more timely manner. So from the beginning of 2016, the CBRC has required banking groups to increase the submission frequency from semi-annual to quarterly. In addition to the supervisory returns, the CBRC may, when needed, require large banks to submit certain data at monthly intervals. In practice, the CBRC has adjusted and plans to continue to adjust the submission frequencies according to its practical supervisory expectations and needs. EC5 In order to make meaningful comparisons between banks and banking groups, the supervisor collects data from all banks and all relevant entities covered by consolidated supervision on a comparable basis and related to the same dates (stock data) and periods (flow data). Description and In order to ensure the comparability of data submitted by different banks, the CBRC has findings re EC5 specified uniform requirements on the submission frequencies and data coverage. The CBRC observed that as there are over 4,000 banks consistency of approach and of reporting 97 PEOPLE’S REPUBLIC OF CHINA deadlines is essential. As noted in EC 4, the CBRC these frequencies are monthly, quarterly or semi-annually. The date of stock data should be the last day of the reporting period. The period of flow data should be made clear if it is the current period or the accumulated period from the beginning of the year. Stock and flow data are subject to consistency checks between tables. All monthly, quarterly and semi-annual tables are based on the Gregorian calendar. The CBRC requires consistency of data coverage for the same indicators in its supervisory returns to ensure comparability of different institutions’ reporting data. For example, the indicators for various types of loans may be contained in multiple tables, and the instructions of these tables provide the same definition for each type of loan. EC6 The supervisor has the power to request and receive any relevant information from banks, as well as any entities in the wider group, irrespective of their activities, where the supervisor believes that it is material to the condition of the bank or banking group, or to the assessment of the risks of the bank or banking group or is needed to support resolution planning. This includes internal management information. Description and In terms of the regulatory framework, the Banking Supervision Law, the OSS Rules and the findings re EC6 Consolidated Management and Supervision Guidelines confirm the CBRC’s information gathering powers and establish its needs and expectations. The information gathering powers under Article 34 of the Banking Supervision Law provides that the CBRC may obtain information through staff interviews when conducting on-site examinations, examining the institution’s documents and other relevant materials, including its information system for business operation and management. As noted in EC 1, the CBRC is authorized to obtain information from banks, which includes quantitative information, like the supervisory returns, and qualitative information such as the banks’ internal management policies, processes, procedures and reports. The CBRC is empowered to seal up documents and materials that might be removed, concealed or destroyed by the examined institutions. Article 12 of the OSS Rules provides that supervisors shall collect the supervisory returns from banking financial institutions on a regular basis. They may require banking financial institutions to provide necessary data and information for supervisory needs. This power extends beyond supervisory returns and includes Internal management reports and internal audit reports. The Consolidated Management and Supervision Guidelines (Articles 24 and 81) provide not only that the principal shareholders of commercial banks shall meet prudential supervisory requirements and provide relevant information to supervisors in accordance with laws and regulations but that the supervisor must maintain a full understanding of the organizational and ownership structures of banking groups as well as their business activities through OSS and analysis. The supervisor is also required to have a risk assessment framework to assess the risks associated with both banking and non-bank activities of banking groups, with special focus on the impact that the risk profiles of overseas institutions, non-bank financial institutions and non-financial institutions within the same banking group may have on the group. 98 PEOPLE’S REPUBLIC OF CHINA In practical terms, when considering the group dimension, including the impact of non- bank affiliates on the finance and business of the bank or the banking group, the CBRC’s approach uses the following channels: (a) supervisory returns. Banks are required to submit Table on Transactions with Top 10 Related Parties for supervisors to analyze businesses between the bank and other members in the same banking group. The Large Commercial Bank Supervision Department asks for the submission of Table on Wholly-owned or Holding Subsidiary Banks, Table on Wholly-owned or Holding Nonbank Subsidiaries on a quarterly basis. (b) regular reports. Banks are required to submit comprehensive risk management report annually, covering risk management strategy, risk appetite, risk limit, risk management policies and procedures, and related party transaction report on a quarterly basis, helping the CBRC to monitor major changes or actions by affiliates that may endanger the safe and sound operation of banks. (c) submission of “major events.” The CBRC requires banks to report major contingencies and risk events in a timely manner, and makes instructions in coming up with proper countermeasures accordingly. The Notice on Further Improving Information Submission of Large Banks provides that large banks shall report information of major contingencies and risk events in a timely manner, including risks of non-bank business and corresponding impact on the banking group. (d) on-site examinations. When conducting examinations, the CBRC may ask the bank to provide information of any institutions within the banking group including internal management materials when necessary. Ancillary to the power to obtain information directly from the banks, the CBRC can also make use of its contacts with the external auditors and other relevant supervisory authorities as well as publicly available information. Through tripartite and bilateral talks, the CBRC has established mechanisms for regular communication with external auditors, and the assessors were able to confirm this practice. As noted below, during on-site examinations, supervisors can communicate with external auditors when needed. Information can also be obtained from other supervisors: as discussed in CPs, 3, 12 and 13, the CBRC has signed MOUs with a wide range of jurisdictions, and organized or attended, as the home or host supervisor, supervisory colleges, through which relevant supervisory information has been shared. The CBRC also makes use of public information, including banks’ annual reports and other publications as well as other market reports. It may be noted that the CBRC seeks to maintain regular contact with the senior management of banks – quarterly meetings are standard practice to deliver supervisory messages – and this is an opportunity to develop an understanding of material changes in the banks’ development strategies, organizational structure, risk level and business performance and identify additional information needs in respect of the wider group. EC7 The supervisor has the power to access 22 all bank records for the furtherance of supervisory work. The supervisor also has similar access to the bank’s Board, management and staff, when required. 22 Please refer to Principle 1, Essential Criterion 5. 99 PEOPLE’S REPUBLIC OF CHINA Description and As mentioned in EC 1, Article 34 of the Banking Supervision Law empowers the CBRC to findings re EC7 obtain and access all bank information through on-site examinations and OSS. Specifically, Article 34 provides that the CBRC may: (a) enter a banking institution for on-site examination; (b) interview the staff of the banking institution and require them to provide explanations on examined matters; (c) have full access to and make copies of the banking institution’s documents and materials related to the on-site examination, and to seal up documents and materials that are likely to be removed, concealed or destroyed; and (d) examine the banking institution’s information technology infrastructure for business operations and management. The CBRC’s right to have access to senior management and directors is confirmed by Article 35 which provides that the CBRC may, for the purpose of performing its responsibilities, hold supervisory meetings with the banks’ directors and senior managers and require them to provide explanations on matters that are important to the banks’ business operations and risk management. Access to the Board is further supported by the Guidelines on Corporate Governance of Commercial Banks (Article 129) which provides that supervisors has the authority to assign its staff to attend the meetings of the Board and supervisory board and annual work conference of banks as observers. While on-site examination is the principal approach for the CBRC to access banks’ records, the CBRC exercises its right of access to banks’ records in the following ways: (a) holding regular prudential meetings with banks’ Board, supervisory board and senior management, (b) holding regular tripartite meetings with banks and their external auditors, (c) paying visits to banks and interviewing relevant employees if needed, and (d) communicating with managers and staff during on-site examinations. (See EC 7 of CP 9 for Supervisory Practices). EC8 The supervisor has a means of enforcing compliance with the requirement that the information be submitted on a timely and accurate basis. The supervisor determines the appropriate level of the bank’s senior management is responsible for the accuracy of supervisory returns, imposes sanctions for misreporting and persistent errors, and requires that inaccurate information be amended. Description and Both the Banking Supervision Law and the Commercial Bank Law specify penalties against findings re EC8 non-compliance with reporting requirements. Under the Banking Supervision Law Articles 46 and 47 specify measures and fines in relation to false submissions, concealment of material facts, failure to submit required reports and returns. In the case of provision of false information and/or concealment the CBRC will require corrective measures and apply fines concurrently (ranging from RMB 200, 000 to RMB 500, 000). Should the violation be deemed material or the bank fails to make remedial actions within the prescribed timeframe, supervisors may suspend the bank’s business for rectification, or revoke its banking license. If the violation constitutes a crime, criminal liability shall be pursued according to law. In the case of failure to submit required reports, returns or information, then corrective measures are imposed. Failure to rectify within the 100 PEOPLE’S REPUBLIC OF CHINA specified time frame will lead to imposition of a fine (ranging from RMB 100, 000 to RMB 300, 000). Penalties and disciplinary actions against relevant personnel are addressed in Article 48. Specifically, Article 48 sets forth that where a bank violates laws, administrative regulations or prudential rules governing banking regulation and supervision, supervisors may, in addition to the penalties specified in Article 44 to 47, take the following actions as appropriate: (a) to require the bank to impose disciplinary actions on the directors, senior managers, and other staff who are directly liable, (b) to give disciplinary warnings to the directors, senior managers, and other staff who are directly liable and impose on them respectively a fine ranging from RMB 50,000 to RMB 500,000, if the violation does not constitute a crime, and (c) to temporarily or permanently disqualify the directors and senior managers directly in charge, or to temporarily or permanently bar them and other persons who are directly responsible from the banking industry. In addition, the Commercial Bank Law prescribes similar requirements and penalties to the Banking Supervision Law for commercial banks that fail to submit data in accordance with relevant requirements including in relation to refusing to comply with the CBRC’s requirements (refusal to provide information or permit access to inspection are specified) liability of the directors and senior management (Article 78), failure to submit information (Article 80). The Notice on Issuing Provisional Standards for Statistic Data Quality and the Implementation Plan sets forth the data quality standards for banking supervisory statistics. The standards cover 5 aspects, including the organizational structure and staff, development of polices and rules, relevant system requirements and data standards, data quality monitoring, inspection and evaluation, as well as data submission, application and storage. Senior management responsibility for data submitted to the CBRC is clearly established: • The Administrative Rules on Banking Supervisory Statistics provides (Article 27) that banks’ legal representatives or persons in charge are responsible for data’s authenticity and accuracy. • The Notice on Establishing Data Quality Commitment Mechanism for Key Off-site Surveillance Indicators requires the bank’s presidents to sign a written commitment regarding the OSS data quality. Hence, banks’ senior management are legally responsible for the authenticity of the data. The supervisory returns must be approved and signed by senior managers before submission and the banks’ presidents are also required to sign off the key quarterly OSS indicators in their commitment letter, which should be sent to the CBRC within five working days after the submission deadline of the supervisory returns. Where the data quality fails quality standards, the CBRC will take supervisory actions. It is stipulated in the Notice that if a bank has persistent reporting errors which have resulted in material impact on the key indicators, the data quality and management capability will be considered as a reference for supervisory rating and licensing. Where a bank has made 101 PEOPLE’S REPUBLIC OF CHINA recurrent material errors concerning data quality, administrative penalties (fines) will be imposed. The CBRC obtains information on the bank’s internal data reporting procedures and pays close regard to the “use test” in that banks are required to develop their internal data reporting policies in line with needs, requirements and instructions of the supervisory returns. The banks are required to specify the source of each data item, quality control approaches for each table, as well as the responsibilities of relevant departments and staff. The CBRC has taken various measures to enhance data quality. These measures include: (a) Locking the data to avoid data manipulation by banks. The OSSRS will automatically lock the supervisory returns on the calendar day after confirmation. The banks cannot revise the locked tables at their own discretion. If a bank identifies a data error in any table, it needs to submit an unlocking application and explain the causes of the errors and the amount of the difference. After the application is approved, the table in question is then unlocked for resubmission. The CBRC monitors resubmission both by bank and by schedule and commented that substantial improvement has been observed in the last years. (b) Feedback briefings. The briefings cover submission of the supervisory returns (deadlines, completeness and accuracy), data unlocking, etc. Banks that have made material data errors are identified in these reports which are circulated to the senior management of the banks (the reports are not public but banks are named in the report so there is a disciplinary element to these circulations). (c) Incorporating the data quality into the supervisory rating (the management factor) as a qualitative indicator. (d) Assessing data quality against the standards for banking supervisory statistics and by issuing reminding notices, alerts, supervisory opinions of on-site examination and penalty notices. The CBRC also conducts on-site examinations to assess banks’ governance structure, formulation of rules and policies, system development, information disclosure and reporting. The CBRC has imposed penalties against banks for misreporting and this includes forfeiture of bonuses for the responsible individuals. EC9 The supervisor utilizes policies and procedures to determine the validity and integrity of supervisory information. This includes a program for the periodic verification of supervisory returns by means either of the supervisor’s own staff or of external experts. 23 Description and The OSS Rules place an obligation on the CBRC to determine the validity and integrity of findings re EC9 the data from the supervisory returns. Specifically, Article 13 prescribes that the supervisors shall strengthen the data review and evaluate the quality of the supervisory returns. Supervisors may, if needed, deploy enquiries, interviews, targeted assessments, field visit, or on-site examination, to check the data quality management of banks and the authenticity of reported indicators. Further, the Administrative Rules on Banking Supervisory Statistics 23 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. 102 PEOPLE’S REPUBLIC OF CHINA prescribes that the CBRC shall examine and supervise the statistics of banks, and the examination shall cover the completeness and authenticity of statistical data (Article 30). The CBRC has adopted the following approaches to ensure the authenticity and integrity of supervisory information: Through verification of logical consistency (including within and between tables) of the supervisory returns. If the verification results are unsatisfactory, the system will automatically report the errors to the supervisors and send feedback to the bank, requiring the bank to make timely rectifications or provide necessary explanations. The CBRC also monitors consistency of data over time periods and abnormal shifts in reported data trigger alerts to the supervisors (as an extreme illustrative example, were total assets to double over a quarter, then an alert would go to the supervisor). These consistency checks consider both time sequence analysis and peer group analysis. If aberrations are identified, banks are required to explain abnormal data changes, and make rectifications if needed. The CBRC perceives verification of data authenticity and integrity as one of the major tasks of on-site examinations. Supervisors examine the data and its processing procedures, which include banks’ internal data management systems, data generating processes, quality control methods, the consistency between the reported data and the internal information system data, and the consistency between the supervisory returns and the accounting information, etc. If deficiencies are identified during the inspections, supervisors will require banks to rectify the errors promptly and impose penalties accordingly. Supervisors may issue supervisory opinions to the bank on site. CBRC incorporates data quality into its program of on-site examinations. The quality assessment on the supervisory returns of a number of banks has led to the CBRC requiring the banks to rectify the deficiencies identified. The EAST system assists in this process and data quality is reflected in the bank’s rating. All major banks have been assessed on this aspect in recent years. The CBRC observed that supervisory data reported by banks are generally accurate but the intensified focus on data accuracy in recent years (including the feedback on data performance to senior management) has led to greatly improved data quality. EC10 The supervisor clearly defines and documents the roles and responsibilities of external experts, 24 including the scope of the work, when they are appointed to conduct supervisory tasks. The supervisor assesses the suitability of experts for the designated task(s) and the quality of the work and takes into consideration conflicts of interest that could influence the output/recommendations by external experts. External experts may be utilized for routine validation or to examine specific aspects of banks’ operations. Description and In general, the supervisory returns are validated by the CBRC’s in-house on-site findings re EC10 examination teams. The CBRC does not appoint external experts to conduct supervisory tasks. Also, the CBRC has regular communication with banks’ external auditors through 24 Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts. 103 PEOPLE’S REPUBLIC OF CHINA tripartite and bilateral meetings. During on-site examinations, supervisors may communicate with the external auditors. EC11 The supervisor requires that external experts bring to its attention promptly any material shortcomings identified during the course of any work undertaken by them for supervisory purposes. Description and See EC 10 of CP 10. findings re EC11 EC12 The supervisor has a process in place to periodically review the information collected to determine that it satisfies a supervisory need. Description and In general terms, the OSS Rules (Chapter 6 “Post-supervision Evaluation”) requires findings re EC12 supervisors to establish the post-OSS evaluation mechanism to assess the effectiveness of supervisory programs and actions against their objectives, analyze the causes of problems identified and share experiences to improve OSS. Specifically, Article 83 demands that the evaluation shall focus, among other aspects, on the effectiveness of OSS, including the completeness of the OSS information collected and the appropriateness of the OSS indicators. In practice, since 2007, the CBRC has assessed whether there are needs for the revision or removal of existing tables and development of new tables in light of changes in regulations, supervisory focuses and international regulatory rules as well as other supervisory needs on an annual basis. Cost-benefit analysis is used and the CBRC will make adjustments as necessary to format and contents, instructions, applicable institutions, submission date and frequencies, and underlying accounting standards. When the new schedules are launched each year, the CBRC hosts a training teleconference for both the supervisors and the banks to make them aware of changes. Implementation of the revised Basel standards has driven a number of changes. In 2013, for example, in order to accommodate the implementation of the Capital Rules, the CBRC released two new tables developed according to the requirements of Basel III, including the capital adequacy table and the advanced measurement approach table. In 2015, Table G44 for leverage ratio was adjusted according to the revised Leverage Ratio Rules for Commercial Banks. In 2016, the CBRC made the following adjustments: the submission frequency of tables reported on a consolidated basis was increased from semi-annual to quarterly. Table G25_II for NSFR was revised. Two new tables, namely G31 for Investment Activities and G18_III for Local Government Bonds were added and 14 tables were removed and the scope of applicable institutions for 8 tables was narrowed down. Assessment re Compliant Principle 10 Comments The CBRC philosophy is that supervisory data is fundamental to effective supervision. As a consequence, the CBRC has put extensive efforts into its supervisory reporting regime and enhancing the analytical systems that depend on it. There has been an almost wholescale overhaul of the reporting data and considerable care is taken, using on and off-site methods, not only to ensure that the data received is reliable, that banks are accountable for the information they provide, but also to ensure that the CBRC continues to obtain the data that is most relevant for its evolving supervisory tasks. 104 PEOPLE’S REPUBLIC OF CHINA Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation. Essential criteria EC1 The supervisor raises supervisory concerns with the bank’s management or, where appropriate, the bank’s Board, at an early stage, and requires that these concerns be addressed in a timely manner. Where the supervisor requires the bank to take significant corrective actions, these are addressed in a written document to the bank’s Board. The supervisor requires the bank to submit regular written progress reports and checks that corrective actions are completed satisfactorily. The supervisor follows through conclusively and in a timely manner on matters that are identified. Description and CBRC counts with a legal framework and procedures that enables it to address supervisory findings re EC1 concerns at an early stage in an effective manner. Article 35 of the Banking Supervision Law empowers CBRC to hold supervisory meetings with banks’ directors and senior managers and require them to provide explanations about the banks’ business operations and risk management. Article 27 establishes that based on a bank’s rating and risk profile it can take supervisory actions deemed necessary. Article 37 establishes that when a bank fails to meet prudential rules and regulations, and that CBRC shall require the bank to take remedial measures within a prescribed period of time. Article 39 of the Off-site Surveillance Rules requires CBRC to take supervisory actions according to risk early-warnings. The core element in CBRC supervisory framework that enables early actions is the REASS (please refer to CP8 for further details), Based on those alerts and after additional investigations, as necessary, CBRC will takes supervisory actions regarding the issues/concerns, raising supervisory recommendations and requiring corrective actions, as appropriate. Ad hoc meetings or the quarterly meetings are used to have discussions on recent trends and provide recommendations. In the process of determining the course of action, given an early warning supervisory threshold has been triggered, CBRC highlights the importance of the role the chief inspector, providing further qualitative analysis and judgment. CBRC indicates that on major issues that require significant corrective action CBRC will submit a letter requiring the board to be copied and that can also set up meetings with the Board, as necessary. CBRC attends banks Board’s meetings regularly, which also should enable them to monitor if those issues are addressed/discussed by the board. Overall, exchanges with the industry confirmed that major concerns regarding risk management and corporate governance are addressed to the board. Depending on the severity of the case, when informing banks of issues identified, requiring them to take corrective actions, CBRC can sets forth specific requirement and timeframe for the corrections or ask for a submission of a correction plan. Implementation reports are 105 PEOPLE’S REPUBLIC OF CHINA requested so as to monitor progress. In order to assess progress, CBRC can makes use of additional data submission, supervisory interviews, on-site visits and follow-up examinations. The chief supervisor takes into account correction results when determining follow-up and recommend further supervisory actions where necessary. CBRC is formally required to follow up on implementation of corrective actions is established at its Off-site Surveillance Rules (Article 47) which requires CBRC to track the correction progress of issues identified during on-site examinations and include the correction results into risk assessments and supervisory ratings, as well as to be considered in the licensing process. CBRC has been intensifying its early action approach in recent the years. In 2015, CBRC held 14.5 thousand supervisory meetings, issued 2.3 thousand of requirements of explanation for material matters. It also issued 10.5 thousand risk alerts or briefings, highlighting supervisory concerns and required banks to conduct self-assessments/ targeted audits, stress tests and develop contingency plans 7.3 thousand times. Also, there were over 3 thousand cases of requirement of specific corrections within a certain time frame. From 2011 to 2015 there was a steady increase in all those figures, an enhancement in early action that CBRC reputes to the CBRC restructure. EC2 The supervisor has available 25 an appropriate range of supervisory tools for use when, in the supervisor’s judgment, a bank is not complying with laws, regulations or supervisory actions, is engaged in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors are otherwise threatened. Description and CBRC has at its disposal a range of supervisory tools and actions to be taken if a bank is findings re EC2 deemed to be not complying with laws and regulations, or engaging in unsafe or unsound practices or in activities that could pose risks to the bank or the banking system, or when the interests of depositors and other customers are otherwise threatened. Article 37 of the Banking Supervision Law empowers CBRC to take a broad range of actions against banks that: (a) have breached prudential rules and regulations and have failed to take remedial actions prescribed within a period of time (b) in case the safety and soundness of the bank is likely to be severely threatened and the interests of depositors are threatened. Actions include suspend business lines; withhold approval of new products and services; restrict dividend or other payments to shareholders; restrict asset transfers; order the controlling shareholder to transfer shares or restrict the power of relevant shareholders; order the senior management and board members replacement or restrict their powers and withhold approval of new branches. Article 38 empowers CBRC to take over a bank or facilitate restructuring in case of financial distress seriously jeopardizing the interests of depositors and other customers. Article 39 25 Please refer to Principle 1. 106 PEOPLE’S REPUBLIC OF CHINA further empowers CBRC to close a bank in case it is found in serious violation of laws and regulations, or undertaking significant unsafe or unsound practices seriously threatening the financial order and public interests unless it is closed. Article 64 of the Commercial Bank Law empowers CBRC to take over a bank in case it experienced a major loss of confidence in the market which may seriously affect the interests of depositors. Arts. 45 to 48, under Chapter V – Legal Liabilities – of the Banking Supervision Law, explicitly empowers CBRC to enforce corrective actions. Article 45 empowers CBRC to require a bank to take corrective measures (and impose fines) also empowering CBRC to require suspension of business for rectification or revocation of the banking license in case the bank fails to correct within the prescribed period of time in several circumstances., including: establishing a branch without authorization, change or terminate business operations without authorization and offer a product or service without approval or filing. Article 46 empower CBRC to enforce corrective measures and if the circumstance is particularly serious or if the bank fails to make correction within the prescribed period of time if the bank fails to meet prudential rules and regulations with serious consequences or refuses to take measures as required by Article 37, among others. Article 48 establishes that when a bank violates laws, administrative regulations or other national regulations, the CBRC, in addition to the enforcement actions prescribed in Arts. 43 to 46 may, depending on the severity of the case: order the bank to impose disciplinary sanctions on board members, senior management or other staff; if the case does not constitute a crime, issue a disciplinary warning to board members and senior management directly in charge and other staff and concurrently impose on them a fine; disqualify the directors and senior management directly in charge as being unfit and improper for a specific period of time or for life and/or bar them and other staff from banking for a specific period of time. In addition, the Rules on Punishment against Illegal Financial Activities prescribe a range of actions that CBRC may take to deal with specific non-compliances and illegal actions of banks. Ratings are an important tool in determining supervisory action as a consequence of supervisory concerns. If a bank’s rating for any single component is lower than 4, CBRC holds interviews with the Board and senior management, and requires actions to be taken to reduce the risk. If a bank’s rating for any single component is 5 or 6, CBRC require banks to make improvement plans and supervises the implementation of the plans. If a bank’s composite rating is 4, CBRC increases the intensity and frequency of on-site examinations, monitors its performance closely, and urges it to take effective actions to reduce the risk. In addition, CBRC imposes certain restrictions on its products offering and business activities, and takes supervisory actions such as having interviews with the Board and senior management, requiring the bank to make rectifications, etc. as appropriate. If a bank’s composite rating is 5, CBRC will monitor it closely and continuously, and take other supervisory actions such as imposing restrictions on its high-risk activities, requiring the bank to improve its performance, and ordering it to replace senior managers, initiating 107 PEOPLE’S REPUBLIC OF CHINA restructuring or taking over the bank where necessary. If a bank’s composite rating is 6, CBRC will initiate the market exit process to restructure or close the bank. In 2015 CBRC restricted dividends or other forms of payments in 105 banks, required shareholders to transfer shares or restricted their powers in 21 cases and required the replacement of board members, senior management and other persons in charge restricting their powers in 50 cases. It also suspended certain business for rectification in 10 cases and withheld the approval of new branches in 45 cases. From 2011 to 2015 there was a sustained increase in all those actions. EC3 The supervisor has the power to act where a bank falls below established regulatory threshold requirements, including prescribed regulatory ratios or measurements. The supervisor also has the power to intervene at an early stage to require a bank to take action to prevent it from reaching its regulatory threshold requirements. The supervisor has a range of options to address such scenarios. Description and CBRC has broad powers corrective powers to act where a bank falls below regulatory findings re EC3 requirements or to intervene at an early stage. As described in EC1 and EC2, Arts. 37 and 46 of the Banking Supervision Law, in addition to Article 75 of the Commercial Bank Law authorize CBRC to take supervisory actions against banks that have breached prescribed thresholds of quantitative requirements, and such actions include requiring corrections within a prescribed timeframe, imposing fines, requiring suspension of certain existing business, restricting dividends and other forms of payment, requiring suspension of business for rectification, or revoking the bank’s license, among others. In addition, as detailed in CP1, Article 27 grants CBRC broad powers to takes supervisory measures as it sees fit based on the rating and risk profile of banks, which can include requiring banks to take action to prevent from reaching its regulatory threshold requirements. In particular, the Capital Rules (Article 153) specify supervisory actions available for CBRC to adopt regarding the CAR (which do not preclude CBRC of taking more severe measures irrespective of the category), providing explicit guidance and criteria in actions to be taken as follows: CBRC is required to classify banks into four categories according to their capital adequacy and take different supervisory actions accordingly. (a) For banks whose CAR, Tier 1 CAR and Common Equity Tier 1 CAR have met the capital requirements at all levels specified in the Capital Rules, CBRC may require them to formulate CAR management plans (feasible and practical), require the improvement of the bank’s risk control capability, require the bank to intensify its analysis in the event of capital decline, (b) For banks whose CAR, Tier 1 CAR or Common Equity Tier 1 CAR has not satisfied the Pillar II capital add-on but have met all the other capital requirements, CBRC may issue supervisory letters and increase the frequency of CAR examinations. (c) For banks whose CAR, Tier 1 CAR and Common Equity Tier 1 CAR have met the corresponding minimum requirements, but have not satisfied any of the other capital requirements, CBRC will restrict dividends, bonuses, and other significant capital expenditures. (d) For banks whose CAR, Tier 1 CAR or Common Equity Tier 1 CAR has not satisfied the corresponding minimum requirements, CBRC will ask 108 PEOPLE’S REPUBLIC OF CHINA such banks to reduce risk assets, require closure of high-risk asset operations, and restrict or prohibit them from establishing new branches or launching new businesses. As detailed in previous CPs CBRC has developed a full range of regulatory ratios and quantitative indicators, which are monitored and analyzed through OSS. Indicators include CAR, leverage ratio, NPL ratio, provisioning ratio, provision coverage ratio, LCR, liquidity ratio, and concentration ratio. CBRC may, in light of a bank’s performance, risk profile and risk management capability, raise regulatory quantitative requirements for the bank, or set special early-warning thresholds. In practice, CBRC and its supervisors emphasize early intervention and established early warning thresholds, providing warnings in case indicators approach the thresholds. More specifically, when relevant indicators of a bank are changing quickly or reaching predefined threshold, CBRC will notify the bank and adopt early measures such as requiring the bank to make liquidity or capital replenishment commitment, urging it to take corrective actions and other necessary actions to prevent such indicators exceeding thresholds. Exchanges with the industry confirmed the issuance of early notice in case of negative trends, with a requirement for the establishment of an action plan to address the concerns. If a bank breaches regulatory thresholds, CBRC will take supervisory actions such as requiring corrections within a prescribed timeframe, requiring remedial actions to be taken, withholding the approval of new business or new establishments, imposing fines, restricting distribution of profits, restricting the powers of shareholders, requiring transfer of shares, etc. As detailed in EC1 and EC2, CBRC has made use of those powers on numerous occasions. EC4 The supervisor has available a broad range of possible measures to address, at an early stage, such scenarios as described in essential criterion 2 above. These measures include the ability to require a bank to take timely corrective action or to impose sanctions expeditiously. In practice, the range of measures is applied in accordance with the gravity of a situation. The supervisor provides clear prudential objectives or sets out the actions to be taken, which may include restricting the current activities of the bank, imposing more stringent prudential limits and requirements, withholding approval of new activities or acquisitions, restricting or suspending payments to shareholders or share repurchases, restricting asset transfers, barring individuals from the banking sector, replacing or restricting the powers of managers, Board members or controlling owners, facilitating a takeover by or merger with a healthier institution, providing for the interim management of the bank, and revoking or recommending the revocation of the banking license. Description and As detailed in EC2, the Banking Supervision Law empower CBRC to take a range of findings re EC4 corrective and enforcement actions to address, at an early stage, problems and issues of banks, including requiring corrective actions within a time frame, suspend business lines; withhold approval of new products and services; restrict dividend or other payments to shareholders; restrict asset transfers; order the controlling shareholder to transfer shares or 109 PEOPLE’S REPUBLIC OF CHINA restrict the power of relevant shareholders; order the senior management and board members replacement or restrict their powers and withhold approval of new branches. As mentioned in previous ECs, the authorities over the last few years have made use of the various instruments at their disposal in a significant number of occasions. The authorities also provide examples of situations where liquidity ratios were made more stringent, approval of new business was withheld, suspension of cash dividends or increase retention ratios, replacing senior management and facilitating a takeover. EC5 The supervisor applies sanctions not only to the bank but, when and if necessary, also to management and/or the Board, or individuals therein. Description and The Banking Supervision Law (Arts. 45 to 48) establish penalties and fines in case of certain findings re EC5 breaches, including establishing branches without authorization, appointing directors or senior management without the fit and proper test, obstruction of on and off site examinations and breaches of prudential rules and regulations, among others. Article 46 in particular establishes that in serious cases, CBRC may order a banks suspension, business rectification or revocation of its banking license. Fines range from 200,000 to 500,000 yuan for appointment of directors or senior management without fit and proper test, refusal or obstruction of supervisory work, failure to meet prudential rules and regulations with serious consequences or failure to take corrective measures as required by CBRC. In cases of establishing a branch without authorization, change or terminate business without authorization, offer a product or service without authorization/notification, in addition to corrective measures, all illegal gains are ceased and a fine from one to five times the amount of the illegal gains is imposed. If the illegal gains exceed 500,000 yuan, a fine ranging from 500,000 yuan to 2,000,000 yuan is imposed and if the case is particularly serious, or corrections are not made within the prescribed time frame, CBRC may order suspension of business for rectification or revocation of the banking license. Chapter 8 of the Commercial Banks Law lays down some similar provisions to the Banking Supervision additional circumstances which result in penalties and fines. CBRC has extensive powers to apply sanctions to management, the Board and individuals and has systematically exercised them in the last few years. The Banking Supervision Law (Article 37, and 48) and the Commercial Bank Law (Article 89) authorize CBRC to not only take supervisory actions on the bank, but also impose penalties and sanctions against the bank’s directors, senior managers and other persons directly in charge when appropriate. Such penalties or sanctions include ordering the bank to replace directors and senior managers or restrict their powers, requiring the bank to impose disciplinary sanctions, warnings or fines on the directors, senior managers and other persons directly in charge, temporarily or permanently disqualifying the directors, senior managers and other persons directly in charge or barring them from the banking industry. CBRC can also impose fines ranging from RMB 50,000 to 500,000 yuan concomitantly with the issuance of a warning to directors and senior managers directly in charge and other staff directly held responsible in cases where the bank violates laws or regulations. 110 PEOPLE’S REPUBLIC OF CHINA In addition, in the course of take-over, restructuring, or liquidation of a bank, CBRC may notify the border control authority to prevent the directors, senior managers and other persons directly in charge from leaving the country. It may also submit an application to the judicial authority to prohibit them from moving or transferring their properties, or establishing other rights on their properties. Where a bank is suspected of illegal financial actions, CBRC has the power to inspect the accounts of its employees and connected parties, and may submit an application to the judicial authority to freeze the illegally obtained funds that are suspected of being transferred or concealed. Article 7 of the Rules of CBRC on Administrative Penalties provides that when imposing sanctions on a bank, CBRC shall impose administrative penalties, according to the circumstances, to the directors, senior managers and other staff who are directly liable. The Administrative Rules on the Qualifications of Directors (Board Members) and Senior Managers of Banking Financial Institutions (Arts. 27, 28 and 29) prescribe additional circumstances under which CBRC may impose sanctions on banks’ directors and senior managers, suspending the qualifications for up to 10 years, depending on the nature and the seriousness of the conditions and consequences. The circumstances under which CBRC may imposes penalties and sanctions on a bank’s directors, senior managers or other persons include the following: (a) Where a bank fails to comply with laws, regulations and regulatory requirements, CBRC would, besides sanctioning the bank, impose penalties and sanctions on the bank’s directors and senior managers where appropriate. (b) Where a bank has violated prudential rules and guidelines but fails to make corrections as required (in terms of actions and timeframe), CBRC would, apart from imposing penalties on the bank, impose penalties and sanctions on the bank’s directors and senior managers where appropriate. (c) Where a bank’s internal management and control policies are not well-developed or effectively implemented, CBRC would, apart from imposing penalties on the bank, impose penalties and sanctions on the bank’s directors and senior managers where appropriate. (d) Where a bank has provided false documents to the supervisors, or concealed important facts, or disclosed false information to the public, CBRC would impose supervisory sanctions on the bank’s directors and senior managers. EC6 The supervisor has the power to take corrective actions, including ring-fencing of the bank from the actions of parent companies, subsidiaries, parallel-owned banking structures and other related entities in matters that could impair the safety and soundness of the bank or the banking system. Description and As described in CP1 and EC3, Article 37 of the Banking Supervision Law empowers CBRC to findings re EC6 take a broad range of actions against banks in case the safety and soundness of the bank is likely to be severely threatened and the interests of depositors threatened, including: suspend business lines; withhold approval of new products and services; restrict dividend or other payments to shareholders; restrict asset transfers; order the controlling shareholder to transfer shares or restrict the power of relevant shareholders; order the senior management and board members replacement or restrict their powers and withhold 111 PEOPLE’S REPUBLIC OF CHINA approval of new branches. CBRC has also signed MoUs as detailed in CP3 which can be used to coordinate actions with CIRC and CSRC. In addition, as detailed in CP1, Article 27 empowers the CBRC to takes supervisory measures as it sees fit due based on the rating and risk profile of banks, which can include increasing regulatory requirements on capital and liquidity. EC7 The supervisor cooperates and collaborates with relevant authorities in deciding when and how to effect the orderly resolution of a problem bank situation (which could include closure, or assisting in restructuring, or merger with a stronger institution). Description and The Banking Supervision Law empowers CBRC to take over, facilitate restructuring, or close findings re EC7 a bank as appropriate. Article 38 provides that when a bank is experiencing or likely to experience financial distress, thereby seriously jeopardizing the interests of depositors and other customers, CBRC may take over the bank or facilitate a restructuring. Article 39 provides that when a bank has been found in serious violation of laws and regulations or conducting significantly unsafe or unsound practices, thereby seriously threatening financial stability and public interests unless it is closed, CBRC shall have the authority to close the bank. Article 29 of the Banking Supervision Law provides that CBRC shall work with PBC, MOF other relevant authorities to establish a banking emergency response policy, develop contingency plans, clearly determine the organization and personnel in charge of resolution and define respective responsibilities, response actions and procedures, so as to address banking emergencies in a timely and effective manner. Authorities stated that in resolving a problem institution, CBRC will consult PBC, MOF, Deposit Insurance Fund, and other national authorities where necessary. In practice, CBRC has resolved most problem banks by facilitating restructuring. Over the last five years CBRC has resolved 97 problem banks, among which one went bankrupt and 96 were restructured. In general, cooperatives have been restructured by the introduction of new strategic shareholders with the necessary expertize, converting them in rural banks. In those situations CBRC does not seek coordination with other authorities. In 2015 the deposit insurance regulation was issued, establishing the Deposit Insurance Fund. The State Council appointed the PBC as the deposit insurance fund management agency. The fund has not been accessed thus far. Assessment re Compliant principle 11 Comments CBRC has a range of powers that enables early action to address unsafe and unsound practices and has exercised them extensively over the last few years, having at its disposal several tools to enforce corrective actions. Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide. 26 26 Please refer to footnote 19 under Principle 1. 112 PEOPLE’S REPUBLIC OF CHINA Essential criteria EC1 The supervisor understands the overall structure of the banking group and is familiar with all the material activities (including non-banking activities) conducted by entities in the wider group, both domestic and cross-border. The supervisor understands and assesses how group-wide risks are managed and takes action when risks arising from the banking group and other entities in the wider group, in particular contagion and reputation risks, may jeopardize the safety and soundness of the bank and the banking system. Description and The CBRC enjoys a clear regulatory framework to support consolidated supervision. The findings re EC1 Banking Supervision Law (Article 25) requires CBRC to supervise banks on a consolidated basis. In particular, Article 2 provides the CBRC with the authority to supervise the financial institutions established outside China with the CBRC’s approval as well as overseas business activities of domestic banks. With respect to forming an understanding of the banking group, the Consolidated Management and Supervision Guidelines, which were revised in 2014, (Article 81) oblige the CBRC to maintain a full understanding of the organizational and ownership structures of banking groups as well as their business activities. The CBRC is required to put in place a sound risk assessment framework to comprehensively assess the risks associated with both banking and non-bank activities of banking groups, with special focus on the impact of the risk profiles of overseas institutions, non-bank financial institutions and non-financial institutions within the banking group. Article 4 of the Guidelines on Comprehensive Risk Management of Banking Financial Institutions requires all banking financial institutions to adopt comprehensive risk management, covering: (a) all business lines, including domestic and foreign currency transactions, on- and off-balance sheet businesses as well as domestic and overseas activities; (b) all branches, subsidiaries, affiliates, as well as all departments, positions and employees therein; (c) all risk types and interactions between different risks; and (d) all processes of decision making, implementation and oversight. Licensing requirements (see also CP 4, CP 5 and CP 7), provide the CBRC with influence and control over the domestic or foreign presence of a commercial bank and the scope of its business activities. Establishing, investing in or acquiring a domestic financial entity or overseas institution requires CBRC’s approval which may be withheld based on the supervisor’s assessment of the soundness and consolidated management capability of the banking group as well as the host country’s regulatory environment. Similarly, the Commercial Bank Law (Article 43) forbids commercial banks engaging in trust business or securities market in mainland China; or investing in properties (other than for its own use) or non-bank financial institutions and enterprises, unless it is otherwise stipulated by the state. There is, however, a loophole in that a corporate (non-financial) parent of a bank can acquire a non-Chinese bank and the CBRC would be reliant on notification and cooperation from the host regulatory authority. As there is no holding company regime in China, the CBRC could only act against this “horizontal” group if it could determine a direct threat to the Chinese bank. With respect to ongoing supervision, during OSS and on-site examinations, the CBRC conducts on-site inspections on banking groups or entrusts other supervisory authorities to 113 PEOPLE’S REPUBLIC OF CHINA inspect both domestic and overseas non-bank financial institutions under supervisory coordination mechanisms. Based on the information collected through OSS and on-site examinations, the CBRC regularly prepares supervisory analysis reports which comprehensively assess the risks of banking groups, with a particular focus on the interactions between entities within the groups and potential risk contagion. In the annual supervisory reports on banking groups and overview of institutions, the CBRC assesses banking group’s comprehensive risk management and seeks to determine whether their risk management structure and processes are commensurate with business complexity and whether major risk exposures are covered. In addition, the CBRC has designed supervisory returns specific to large banking groups to collect operating information of their domestic and overseas affiliates. The assessors were able to review reports and analyses. With respect to supervisory actions, more extensive information is provided in CP11, but the CBRC sees both routine and preventive supervisory actions as important in preventing risks from arising from a banking group and other entities in the wider group. EC2 The supervisor imposes prudential standards and collects and analyses financial and other information on a consolidated basis for the banking group, covering areas such as capital adequacy, liquidity, large exposures, exposures to related parties, lending limits and group structure. Description and The CBRC’s authority to formulate prudential rules and standards on a solo and findings re EC2 consolidated basis stems from Articles 21 and 25 of the Banking Supervision Law. The former article covers CBRC’s standard setting powers for risk management, internal controls, capital adequacy, asset quality, loan loss provisioning, risk concentration, related party transactions, liquidity management, etc., while the latter imposes the requirement to conduct supervision on a consolidated basis. Additionally, Article 33 of the Banking Supervision Law provides the CBRC’s power to require banks to submit balance sheets, P&Ls, other financial and accounting reports, information on business operations and management, as well as auditor’s reports prepared by certified public accountants. The framework for consolidated management and supervision of banks is articulated in the Consolidated Management and Supervision Guidelines, which sets forth out requirements on the scope of consolidation, management over capital, concentration and internal transaction, risk segregation, and consolidated supervision. When supervising on a consolidated basis, the CBRC also seeks to focus on the banking group’s overall structure and strategy, internal trading strategies as well as related party transactions between the group and its principal shareholders and affiliates. The CBRC is also required (Consolidated Management and Supervision Guidelines (Article 85)) to have regard not only to banks but also their affiliates when assessing consolidated profitability, capital adequacy, overall financial status and management capability, and give risk early- warnings accordingly. The assessors were able to identify a strong focus on group structure and group risk management and business strategy in the documents that were reviewed. Major regulatory indicators set by the CBRC on consolidated and solo basis include the CAR, leverage ratio, provision coverage ratio, liquidity ratio, LCR, provision ratio, and large risk exposure ratio, etc. The CBRC has published a range of regulation and guidelines to 114 PEOPLE’S REPUBLIC OF CHINA articulate the consolidated group standards for capital, liquidity risk, large exposure concentration risk and related party transactions, including: the Capital Rules for Commercial Banks (Provisional), the Liquidity Risk Rules for Commercial Banks, the Administrative Rules on Related Party Transactions of Commercial Banks with Insiders and Shareholders, the Guidelines on Due Diligence in Credit Issuance of Commercial Banks, and the Key Indicators for Risk-based Supervision of Commercial Banks (Provisional). (See also CP 16, CP 24, CP 19 and CP 20). The CARPALS system launched in 2009, and upgraded to the Heightened Regulatory Standards for Large Banks (HRS) in 2016, sets overall caps on debts owed by affiliates to banking groups with a view to preventing intra-group contagion of risks as a result of complex and frequent internal transactions (the cap is set through a ratio reflecting affiliates’ dependence on debts owed to large banking groups). As large and medium-sized banking groups in China are listed companies, they are required to disclose consolidated information at the group level, including compliance with regulatory capital and liquidity indicators on a regular basis. In addition, the Pillar III requirements provide market discipline to ensure the soundness of banking groups. EC3 The supervisor reviews whether the oversight of a bank’s foreign operations by management (of the parent bank or head office and, where relevant, the holding company) is adequate having regard to their risk profile and systemic importance and there is no hindrance in host countries for the parent bank to have access to all the material information from their foreign branches and subsidiaries. The supervisor also determines that banks’ policies and processes require the local management of any cross-border operations to have the necessary expertise to manage those operations in a safe and sound manner, and in compliance with supervisory and regulatory requirements. The home supervisor takes into account the effectiveness of supervision conducted in the host countries in which its banks have material operations. Description and The regulatory framework clearly establishes the perspective that the Board has ultimate findings re EC3 responsibility for a bank’s risk management: Article 82 of the Guidelines on the Corporate Governance of Commercial Banks. The Board is required to develop comprehensive risk management strategy, policy and processes commensurate with the bank’s risk profile, size and growth rate. Discussions with banks indicated that the CBRC was following up on the development of the banks’ enterprise wide risk management and reviews of files indicated that the CBRC had regard to whether risk management systems encompassed the entire group. Nevertheless, the CBRC’s direct authorization is required if a bank or banking group intends to establish an overseas institution or undertake overseas acquisition. The judgment of CBRC on the soundness and consolidated management capability of the banking group as well as the host country’s regulatory environment serve as an important reference for CBRC in deciding whether approval is granted. Discussions with the CBRC suggested that the quality of the banks’ own management capabilities acted as the primary filter for the decision. According to the Consolidated Management and Supervision Guidelines (Article 80) the CBRC must explicitly take into account the corporate governance structure and 115 PEOPLE’S REPUBLIC OF CHINA consolidated management capability of the commercial bank where a commercial bank applies for formation of affiliates including those engaging in cross-border and cross- industry businesses. Should the commercial bank fail to comply with the Guidelines in terms of corporate governance or consolidated management or has any material weakness, the CBRC can, and has, rejected the application. The assessors were able to review findings of on-site examinations and risk alerts that focused on deficiencies in cross-sectoral interests. Senior managers of banking groups’ overseas institutions are subject to stringent fit and proper tests. Banks are urged to put in place appropriate policies and procedures to recruit qualified senior managers for overseas institutions. The CBRC, pursuant to the Consolidated Management and Supervision Guidelines (Article 90) is required to assess host countries’ regulatory environment. If banking supervision in the host country is regarded as insufficient or the regulations of the host country hinder the access to important information, CBRC has the power to take supervisory actions against the commercial banks concerned in accordance with applicable laws and regulations as well as arrangements under the cross-border supervisory cooperation framework. Should the CBRC not be satisfied it has a number of possible remedies including restricting market access, conducting a cross-border on-site inspection or requiring the closure of the foreign establishment. It may also (Article 91) seek the cooperation of the relevant host supervisory authority. The Notice of CBRC on Further Enhancing the Management of Overseas Operational Risks of Banking Financial Institutions (Article 21) emphasizes the concept that banking financial institutions should develop at a pace and scale commensurate with their own operating and managerial capabilities. Relevant business processes, policies and rules drawn up to facilitate the overseas activities must be approved by the Board or senior management to ensure bank-wide implementation. While a number of the banks with whom the assessors met commented on the CBRC’s supportive approach to overseas expansion, denial of cross border establishment was standard practice when supervisory concerns existed. The CBRC supervises consolidated groups with non-domestic operations pursuant to the Comprehensive Risk Management Guidelines and the Consolidated Management and Supervision Guidelines. This supervision includes assessment of the banking groups’ comprehensive risk management, including effective management of the parent bank over its overseas branches and affiliates. The CBRC takes account of on-site examination reports provided by overseas supervisors and information obtained through other forms of cross- border exchanges, or through on-site examinations on consolidated management of banking groups and on overseas institutions (including overseas branches, subsidiaries and affiliates. As noted above, deficiencies can lead, if necessary, to supervisory restrictions or the withholding of approval of new overseas establishments. The CBRC has applied the BCBS’s Principles for Effective Risk Data Aggregation and Risk Reporting, to the five large banks, requiring these banking groups to gradually establish risk management frameworks and IT systems commensurate with the business portfolio and complexity, with a particular emphasis on the timeliness, comprehensiveness and 116 PEOPLE’S REPUBLIC OF CHINA suitability of effective management applied by banking groups to their overseas activities. At present, the 5 large banks have developed their compliance plans. The CBRC has established mechanisms for regular consultation and coordination at various levels by signing MOUs and supervisory cooperation agreements. It has established cooperation mechanisms with financial supervisors of 67 countries and jurisdictions to facilitate cross-border supervision. The CBRC will consider, at time of signing, whether the host jurisdiction conducts adequate supervision and regulation. Where the MoU or supervisory cooperation agreement has been signed, the CBRC will seek cooperation with the host jurisdiction if problems emerge in the crossborder group. Please also see CP13. EC4 The home supervisor visits the foreign offices periodically, the location and frequency being determined by the risk profile and systemic importance of the foreign operation. The supervisor meets the host supervisors during these visits. The supervisor has a policy for assessing whether it needs to conduct on-site examinations of a bank’s foreign operations, or require additional reporting, and has the power and resources to take those steps as and when appropriate. Description and The CBRC has the authority (Article 7 of the Banking Supervision Law) to conduct cross- findings re EC4 border on-site examinations for the overseas institutions of Chinese banks. This power is re-emphasised in Articles 90 and 91 of the Consolidated Management and Supervision Guidelines which establish that the CBRC can take necessary cross-border supervisory actions, including but not limited to cross-border on-site examinations. Chapter 4 of the Working Procedures of CBRC on Cross-border Banking Supervisory Cooperation prescribes specific process and requirements for cross-border examinations. Article 18 of the Rules of the CBRC on On-site Examination provides that while conducting cross-border on-site examinations, the CBRC shall strengthen communication and coordination with overseas supervisors according to supervisory MOUs and other cooperation agreements. Article 54 to 56 provide that upon completion of on-site inspection, the institutional supervision departments of the CBRC shall, based on the inspection recommendations, urge the inspected institutions to make corrections as required, and evaluate the correction progress. The assessors discussed examples of cross border on-site examinations with the CBRC, including the pre-briefing and post-briefing meetings with the host authorities to keep them informed of planned actions and findings. The CBRC identifies targets for on-site examinations of overseas institutions and subsidiaries of Chinese banks or banking groups through its annual planning process plans taking into consideration the size and complexity of the banks’ overseas activities, as well as the findings from former cross-border examinations. As noted in EC3, one specific trigger for an on-site inspection or enhanced reporting, is a concern in the insufficiency of the host supervisory authority. Changes to the rating of the parent institution or a rapid expansion of business activities are other triggers that have prompted the CBRC to conduct examinations. It is the CBRC’s practice, upon completing on-site examinations, to meet with the host supervisors to brief them on the examination results and findings. After the examinations, the CBRC examination teams will issue comprehensive findings to the inspected institutions for their corrections and requires submission of written correction reports. 117 PEOPLE’S REPUBLIC OF CHINA The CBRC has a clear program for conducting inspections of overseas entities—as noted elsewhere, the chief determination in the inspection program is the rating of the parent group—and host authorities confirmed that the CBRC was scrupulous in providing pre- and post-visit briefings and sharing of reports. EC5 The supervisor reviews the main activities of parent companies, and of companies affiliated with the parent companies, that have a material impact on the safety and soundness of the bank and the banking group, and takes appropriate supervisory action. Description and Under Article 84 of the Consolidated Management and Supervision Guidelines the CBRC is findings re EC5 required to monitor and analyze the impact of principal shareholders and affiliates of a bank on the bank and banking group, and require the bank and banking group to take risk controls where necessary. Should the bank or banking group fail to comply with prudential rules or guidelines on consolidated management, Article 86 provides that the CBRC shall require the bank to take immediate corrective actions and impose supervisory actions and penalties on the bank and its affiliates. Under the Related Party Transaction Rules (Chapter 5 Legal Liabilities) where a bank’s shareholder forces the bank to engage in misconduct, the CBRC may restrict the shareholder’s powers, or even, if severe consequences are warranted, require the shareholder to transfer shares. For banking groups, where the banking institution is the parent entity of the group, the CBRC conducts consolidated supervision as the chief or lead supervisor. Where a financial non- bank entity is the parent of the group, the CBRC supervises banks or banking sub-groups within this wider group but another financial regulator has overall supervisory responsibility for the consolidated group. Where there is a non-financial parent entity, the CBRC also supervises banks or banking sub-groups within the wider group. At present there is no holding company regime in law or regulation although one is contemplated. Irrespective of the nature of the consolidated group, in the course of supervision, the CBRC seeks to monitor the impact of business activities of the controlling shareholder and its affiliates on the soundness of the bank or banking sub-group. For example, the CBRC requires banks to submit related information for compiling the Overview of Institutions. This provides information on the top five shareholders and shareholders with over 5 percent equity, including the shareholders’ nature, and share ownership in other financial institutions, directors and supervisors, financial reports, etc. Intragroup activity is also monitored through reporting on related parties. For more information on the details of related party monitoring please see CP20. In the licensing process, the CBRC reviews the qualifications of banks’ parent companies, and has the power to reject a company’s application to become a shareholder if it might jeopardize the safety and soundness of the bank. See EC 3 of CP 6 for details. The CBRC monitors every entity within groups on an ongoing basis, including the impact of non-bank affiliates’ business activities on the financial and operating performance of banks and banking sub-groups. The following information is gathered: • Institution overview. While compiling or annually updating the overview of institutions, the CBRC requires banks to submit information on the parent companies and their affiliates. 118 PEOPLE’S REPUBLIC OF CHINA • Supervisory returns. The CBRC requires banks to submit quarterly data on the top 10 related party transactions. Failure to submit the related party report or to submit significant related party transactions can lead to penalty fines ranging from RMB 100,000 to RMB 300,000 if the bank does not rectify its behavior within a prescribed timeframe. • Regular reporting. The CBRC requires banks to submit comprehensive risk management reports (annually) and related party transaction reports (quarterly). The former covers banks’ risk management strategies, policies and procedures, risk appetite and limits, while the latter helps the CBRC to monitor significant business activities that may have impact on the safety and soundness of the bank or banking sub-group. • On-site examinations. The CBRC requires banks to provide information about entities within the same group, including internal management information, if needed during on-site examinations. The inspections include examination of internal transactions in the group, which is consistent with the priority placed on internal transaction risk in the consolidated risk management framework. • Information sharing. As trust companies and financial leasing companies within banking groups are regulated and supervised by the CBRC, the respective supervision departments within the CBRC communicate with banking supervision departments. With respect to securities companies, insurance companies and fund companies within banking groups, the CBRC obtains relevant information from the CSRC, CIRC and other financial supervisors. The CBRC shares supervisory information and exchange supervisory opinions at regular intervals or also as need arises with the consolidated supervisors of financial groups (including CIRC and non-bank supervision departments of the CBRC) and conducts joint on-site examinations where necessary. Based on the information collected through these channels, the CBRC analyzes the impact of a bank’s principal shareholders and affiliates on the safety and soundness of the bank and banking sub-group, gives briefings to the bank at regular intervals, and requires the bank and banking sub-group to take risk controls where necessary in accordance with the Consolidated Management and Supervision Guidelines. The CBRC has established the directors’ performance appraisal mechanism, with particular focus on reviewing the performance of related party transaction control committee. The Board is required to establish a mechanism for identifying, reviewing and managing conflicts of interest between banks and shareholders (Article 19 of the Corporate Governance Guidelines). By monitoring the performance of the Boards and directors appointed by parent companies, the CBRC monitors the influence of parent companies on banks’ operations. EC6 The supervisor limits the range of activities the consolidated group may conduct and the locations in which activities can be conducted (including the closing of foreign offices) if it determines that: (a) the safety and soundness of the bank and banking group is compromised because the activities expose the bank or banking group to excessive risk and/or are not properly managed; (b) the supervision by other supervisors is not adequate relative to the risks the activities present; and/or (c) the exercise of effective supervision on a consolidated basis is hindered 119 PEOPLE’S REPUBLIC OF CHINA Description and The principle of restricting scope and location of activities is established in the Banking findings re EC6 Supervision Law where Articles 16 and 18 of the authorize CBRC to restrict the business scope and geographical presence of banking groups during licensing and ongoing supervision to promote the safety and soundness of banks. (See also CP 4, CP 5 and CP 11) During ongoing supervision, the CBRC requires banks to develop risk management procedures and internal controls commensurate with their business size and complexity. Otherwise, the CBRC has the authority to take corrective steps against their business activities (See also CP11, CP15, CP26 and EC3 of CP12). Where the risk management and internal controls of a banking group is determined to be insufficient, the CBRC may require the group to make corrections, and take further supervisory actions as deemed necessary, ranging from restricting its business scope and geographic presence to closing its branches or subsidiaries. In terms of supervisory action when the safety and soundness of the bank and banking group is compromised the Banking Supervision Law also provides (Article 37) that where a bank is breaching prudential rules and guidelines yet fails to make corrections within the prescribed timeframe as required, or its conducts have led to severe outcomes, the CBRC can take a broad range of actions, including requiring the bank to suspend part of the businesses, withholding approval of new businesses or new branches and subsidiaries, etc. Article 39 grants the CBRC with the power to close the bank when it is operating in violation of laws or engaged in unsound practices, which might jeopardize the financial stability and public interest unless otherwise closed. As noted in EC3, Articles 80 of the Consolidated Management and Supervision Guidelines authorizes the CBRC to reject a commercial bank’s application for establishing subsidiaries when non-compliance with requirements on corporate governance or consolidated management, or material deficiencies have been identified. Article 90 provides that where the regulations of the host country hinder the access to important information, the CBRC is authorized to set market entry restrictions on approval of new establishments and businesses in the host country, or, if necessary, require the bank to close related overseas institutions. EC7 In addition to supervising on a consolidated basis, the responsible supervisor supervises individual banks in the group. The responsible supervisor supervises each bank on a stand- alone basis and understands its relationship with other members of the group. Description and As discussed in CP 8, the Banking Supervision Law empowers the CBRC to regulate and findings re EC7 supervise individual banks and banking groups. In particular, Article 81 of the Consolidated Management and Supervision Guidelines requires the CBRC to monitor the differences between the data of a banking group and that of individual banks in the group, and identify the sources, size and risk level of internal transactions. Consolidated supervision practices build on the supervision of individual banks in the sense that regulatory standards issued by the CBRC are applicable to both banking groups and individual banks. The CBRC regularly collects, reviews and analyzes supervisory returns from individual banks and banking groups, covering basic operational data, financial information, capital management, credit risk, market risk, operational risk, liquidity risk and concentration risk (see discussions in CP 10). 120 PEOPLE’S REPUBLIC OF CHINA With respect to the understanding of the intra-group relationships, the regime for monitoring related party activity is a key input. Under the Related Party Transaction Rules Article 8 identifies the related legal persons or other organizations of a bank as: • a bank’s principal non-individual shareholders; • legal persons or other organizations controlled by the same company as the bank directly or indirectly; • legal persons or other organizations that are controlled directly or indirectly or jointly, or can be significantly influenced by the bank’s insiders, or major individual shareholders as well as their close family members; and • other legal persons or organizations that have direct or indirect or joint controls on the bank, or that have significant influence over the bank. Further, the submission of policies and procedures as well as related party transaction reports are set out in Articles 23, 25 and 37. When supervising banking groups on a consolidated basis, the CBRC focuses on whether the parent bank’s risk management structure, process and policies are suitable for affiliates’ business features and complexity. The assessors were able to see reports where the CBRC had focused on this issue in its analysis and risk alerts to the banking group. With respect to banks under financial groups and “wider” groups, the CBRC assess the bank’s relationship with the group’s parent company and affiliates in the licensing process and during ongoing supervision. Assessment of Largely Compliant Principle 12 Comments The CBRC has paid a lot of attention to consolidated supervision, refreshing its practice, and is starting to reap the benefits. Priority is placed on the knowledge of intra-group and related party connections, the structure, risk profile, risk management of banking groups, and banks confirmed that the CBRC is increasingly probing in terms of group activities, risk management and strategy. With the advent of less straightforward banking group structures, however, it is essential for the supervisor to consider not only the internal group structure and activities but activities and entities in the wider group that could have an impact on the banking entity and its group. Now that the Chinese banking sector is moving away from the model of full state ownership, it already encompasses, for example, corporate group ownership, parallel financial groups, pilot projects in holding of cross- sectoral interests, and in recent years the door has been opened to greater scope for foreign ownership of Chinese banks and all these factors can quickly lead to complex groups. In the case of corporate ownership of a banking group, the corporate parent may acquire a foreign bank, which is thus a wider group affiliate of the banking group, without any pre-notification to the CBRC and the Chinse authorities would be reliant on the foreign regulator contacting them. However unlikely, such structures cannot be ruled out in the future, and all of these structures present obstacles to consolidated supervisory oversight. One concern, therefore, is that the ownership structure and subsequently the wider group structure of a bank or banking group could be changed without the CBRC necessarily being formally notified or without its permission being obtained. The supervisor can only be confident of the effective supervision of a group if it is continuously aware of and can act 121 PEOPLE’S REPUBLIC OF CHINA upon issues that may emerge in the “upward” ownership and wider group structure. While the CBRC has clear ex post powers of information gathering and intervention and would be able to identify inappropriate influence upon or transactions with a bank after the event, it is important to ensure the CBRC has as much information and understanding of a situation in advance and that the burdens of obtaining that information do not rest on the CBRC itself. Although the CBRC is a careful gatekeeper at the point of licensing or change of control, ongoing monitoring of changes to the group, other than of the immediate parent, is not supported by clear obligations upon the banking group or its immediate, interim and ultimate beneficial owners, to notify or seek approval for any change of control. While the issue of UBOs is treated in CP6 it is important to be aware that this weakness can have a significant impact on the effectiveness of group wide consolidated risk supervision. Should a holding company regime be introduced in future, it should be designed to ensure the CBRC has maximum oversight, prenotification and power to require changes to group structure as necessary to ensure consolidated supervision can be made fully effective. A more comprehensive set of notification and approval obligations placed on banks and entities who become direct or indirect controllers of a bank or banking group is strongly recommended. It is important that the onus on reporting information should rest with the entities and not rely upon the CBRC conducting its own researches. At a cross sectoral level, there is a burgeoning of products that are being cross-sold, such as bank agency sales of insurance products, and also of growth in all sectors of common products such as asset management products (AMPs) (that are subject to sectoral regulation depending on the issuer For example, one of the banks’ products, wealth management products (WMPs) are subject to the LCR and operational risk capital requirements, whereas similar activities conducted by other financial institutions in China are not subject to these requirements, From the prudential standpoint, WMPs present a number of issues, all of which need to be considered at a consolidated group perspective. Business model, strategy, reputational risk, liquidity and operational risk are among the aspects that need to be addressed and the supervisor and banking group need to be mindful of the fact that such risks interact. For example, reputational and contagion risk may require that a bank must meet liquidity demands even if it has no contractual obligation to do so. In this example, while day to day business conditions may well mean that the standards imposed through the Liquidity Coverage Ratio (LCR) are adequate, not all banks are subject to the LCR as there is a de minimis threshold, (although such banks are required to improve their cash flow analysis and projections by applying the LCR concepts and methodology to their internal liquidity risk identification and management) and more severe outflows than the LCR calibration are possible. Any banking group offering such products should ensure severe shocks and scenarios in its stress testing programs and the CBRC should ensure that the banking group factors these findings into its contingency planning and back up arrangements so that it has a credible and actionable plan in the event of stress emerging. Similarly, group wide risk management, including operational risk management needs to be robust. Ahead of the introduction of the revised Basel standard on operational risk, the CBRC should consider if it is content with the calibration for capital adequacy for asset management under the basic indicator and standardised approaches given the high concentration of WMP activity in some groups. 122 PEOPLE’S REPUBLIC OF CHINA Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks. Essential criteria EC1 The home supervisor establishes bank-specific supervisory colleges for banking groups with material cross-border operations to enhance its effective oversight, taking into account the risk profile and systemic importance of the banking group and the corresponding needs of its supervisors. In its broadest sense, the host supervisor who has a relevant subsidiary or a significant branch in its jurisdiction and who, therefore, has a shared interest in the effective supervisory oversight of the banking group, is included in the college. The structure of the college reflects the nature of the banking group and the needs of its supervisors. Description and On average cross-border operations of Chinese banks are not significant, at around 7 findings re EC1 percent, mostly concentrated on the largest banks, BoC with 26%, followed by ICBC and CCB at 11%. Operations are concentrated in Hong Kong, with 49% of the total cross border operations, followed by the US, with 10%, Macao with 7% and the UK with 5%. China is a home supervisor to a significant number of banks and has established supervisory colleges for its G-SIBs, the ones with the most active cross-border activities. CBRC does not count with formal guidelines for determining composition of supervisory colleges but reports to take into account overall business presence, strategic priorities and systemic importance of the bank in the host country. Colleges’ agendas encompass general macroeconomic and banking sector developments, a presentation by the bank’s senior management, regulatory developments, and supervisory concerns from both home and host supervisions, as well as a Q&A session. The assessors had access to evidence of documentation on the colleges organized by CBRC. Over the years China has been enhancing its supervisory college activities, starting with only one college (for one bank) held in 2009 to 3 colleges held in 2015 and 4 in 2016, for all G-SIBs, ensuring to hold annual colleges for G-SIBs As the host supervisor, CBRC has joined supervisory colleges of 26 foreign banks from 2011 to June 2016, and participated in the meetings of Crisis Management Groups (CMGs) of two foreign banks. During CMG meetings, CBRC reported to have offered suggestions on drafting recovery and resolution plans of parent banks from the host supervisor perspective. EC2 Home and host supervisors share appropriate information on a timely basis in line with their respective roles and responsibilities, both bilaterally and through colleges. This includes information both on the material risks and risk management practices of the banking group 27 and on the supervisors’ assessments of the safety and soundness of the 27 See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected. 123 PEOPLE’S REPUBLIC OF CHINA relevant entity under their jurisdiction. Informal or formal arrangements (such as memoranda of understanding) are in place to enable the exchange of confidential information. Description and As detailed in CP 3, the legal and regulatory framework enables CBRC to cooperate and findings re EC2 share confidential information, as needed, with 63MoUs and other formal arrangements in place to enable such exchange. There is a legacy of a few countries with which CBRC does not have formal arrangements in place but authorities reported that none of them relate to material exposures. Through the colleges, correspondences and bilateral meetings CBRC exchanges confidential information for authorization and supervisory purposes on an ongoing basis. CBRC has a systematic program of regular bilateral and trilateral meetings with jurisdictions such as Hong Kong, US, UK, Japan, Korea, and Singapore. Those meetings are perceived as an important element within its cooperation framework to maintain timely exchanges regarding banks’ performance and risk profile. Overall, as a home supervisor, CBRC exchanges information with host supervisors during the licensing process as well as ongoing supervision, providing host supervisors with information on overall supervisory framework, banks and banking groups, upon request. In particular, correspondence made available to the assessors revealed CBRC shared broad information on safety and soundness, supervisory concerns, as well as qualification of senior management upon request. Moreover, as mentioned in EC1, during supervisory colleges CBRC presents its overall supervisory assessment on banking groups, major supervisory concerns and focuses, covering the impact of macro-economic and market developments on banks, banks’ management information systems, group organizational structure, operational and financial information, capital adequacy, and major supervisory policy changes. Overtime, CBRC has been increasing its exchanges through colleges, which have broadened its outreach capacity. As a host supervisor, CBRC informs home supervisors of foreign banks’ violations, non- compliances, negative supervisory assessment, major supervisory concerns as well as material supervisory actions against them such as administrative sanctions. Such information is usually provided upon request during supervisory colleges, meetings, correspondence or during cross-border on-site examinations by home supervisors. CBRC also share on-site examination findings, upon request. EC3 Home and host supervisors coordinate and plan supervisory activities or undertake collaborative work if common areas of interest are identified in order to improve the effectiveness and efficiency of supervision of cross-border banking groups. Description and The cooperation framework described in EC1 enables the CBRC to coordinate supervisory findings re EC3 activities with home and host supervisors to improve the effectiveness and efficiency of their respective supervisory approaches. CBRC shares supervisory concerns and discuss and coordinate supervisory plans through the bilateral and trilateral meetings with key supervisors, as well as through colleges, as necessary. 124 PEOPLE’S REPUBLIC OF CHINA CBRC has also taken joint supervisory actions under existing cross-border supervisory cooperation mechanisms. In particular, CBRC has cooperated with host supervisors conducting joint on-site examinations of operations in China in a couple of occasions. CBRC also take into account cross-border on-site examination findings by home supervisor in its follow-up inspections. EC4 The home supervisor develops an agreed communication strategy with the relevant host supervisors. The scope and nature of the strategy reflects the risk profile and systemic importance of the cross-border operations of the bank or banking group. Home and host supervisors also agree on the communication of views and outcomes of joint activities and college meetings to banks, where appropriate, to ensure consistency of messages on group-wide issues. Description and As detailed in previous ECs, as a home supervisor, CBRC has developed various forms of findings re EC4 cooperation mechanisms with relevant host supervisors taking into account risk profile and systemic importance of by Chinese banks or banking groups cross-border activities in deciding frequency and intensity of communications. The strategy includes colleges, written communication, bilateral meetings, trilateral meetings and round tables, as appropriate. CBRC and the host supervisors agree on the communication of views and outcomes derived from college meetings and cross-border crisis management groups (CMGs) meetings. EC5 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities, develops a framework for cross- border crisis cooperation and coordination among the relevant home and host authorities. The relevant authorities share information on crisis preparations from an early stage in a way that does not materially compromise the prospect of a successful resolution and subject to the application of rules on confidentiality. Description and Based on banks’ risk profile and systemic importance, CBRC has established CMGs for each findings re EC5 G-SIB with members including CBRC, MOF, PBC and key host authorities. CMG members have jointly signed COAGs on G-SIBs, which clearly define the obligations, responsibilities and rights of each party before and during crisis and set forth information sharing mechanism to facilitate crisis resolution. The MOUs signed by CBRC after 2010 provide that both parties, in order to ensure better crisis management, shall timely share relevant information without breaching laws, regulations and confidentiality arrangements. In order to share information, CBRC has established working-level supervisory meetings or roundtables with supervisors of Hong Kong SAR, South Korea, and Singapore. EC6 Where appropriate, due to the bank’s risk profile and systemic importance, the home supervisor, working with its national resolution authorities and relevant host authorities, develops a group resolution plan. The relevant authorities share any information necessary for the development and maintenance of a credible resolution plan. Supervisors also alert and consult relevant authorities and supervisors (both home and host) promptly when taking any recovery and resolution measures. Description and Resolution plans have been recently established for all G-SIBs. ICBC and BOC resolution findings re EC6 plans were finalized in 2014, ABC in 2015 and CCB in 2016. Through CMGs meetings, 125 PEOPLE’S REPUBLIC OF CHINA resolution strategies were discussed and decided collectively and the resolution plans approved. CMGs meetings for the four G-SIBs are expected to be held in 2017 and annually in the forthcoming years to insure the plan is updated against internal and external changes. CBRC has also joined the CMGs of some foreign banks (mainly G-SIBs) and participated in CMG meetings regularly to discuss recovery and resolution arrangements for those banks with home supervisor and other host supervisors. There is no rule or regulation that requires GSIBs to have resolution plans nonetheless they have been doing so and updating the plans on an annual basis. EC7 The host supervisor’s national laws or regulations require that the cross-border operations of foreign banks are subject to prudential, inspection and regulatory reporting requirements similar to those for domestic banks. Description and Article 92 of the Commercial Bank Law provides that foreign funded banks operating in findings re EC7 China are subject to the Commercial Bank Law unless specified differently by laws or regulations. In practice, overall requirements are similar, as the core prudential standards applied by CBRC to foreign-funded banks, include CAR, risk concentration, five-category asset classification, provisioning, liquidity requirements, and supervisory reporting requirements, are consistent with those applied to Chinese banks. In view of the cross- border operations of foreign banks, certain supervisory actions are tailored accordingly, such as such as cross-border capital flows (banks are required to report cross-border flows of large amounts of funds). Foreign banks branches are also required to comply with net positive domestic asset requirements EC8 The home supervisor is given on-site access to local offices and subsidiaries of a banking group in order to facilitate their assessment of the group’s safety and soundness and compliance with customer due diligence requirements. The home supervisor informs host supervisors of intended visits to local offices and subsidiaries of banking groups. Description and MoUs establish that the home authority should give the host authority advance notice of its findings re EC8 intention to conduct an on-site examination. There have been no impediments for CBRC access to local offices and subsidiaries of Chinese banks or for foreign supervisors to access its supervised banks operations in China. Access to customer accounts by home supervisors performing examinations in China is restricted due to confidentiality concerns. The Guidelines on the Consolidated Management and Supervision of Commercial Banks establishes that banking supervisory authority may conduct on-site examinations on commercial banks’ affiliates engaged in cross-border activities. During such examinations, commercial banks shall ensure their affiliates fully cooperate in the examination and implement corrective actions as required. In practice, CBRC systematically conducts cross-border on-site examinations, having conducted 2 examinations in 2016, 7 in 2015, 3 in 2014 and 16 in 2013. The supervisory plan for cross-border examinations take into account the materiality of operations, complexity, and particular supervisory concerns deriving from past examinations or overarching issues pertaining to the group. Plans to conduct cross border on-site examinations have been shared with host supervisors. 126 PEOPLE’S REPUBLIC OF CHINA EC9 The host supervisor supervises booking offices in a manner consistent with internationally agreed standards. The supervisor does not permit shell banks or the continued operation of shell banks. Description and There are no shell banks or booking offices operating in China. Although the law does not findings re EC9 explicitly prohibit shell banks, in practice CBRC has never authorized one. Booking offices are also not allowed, as conducting any type of banking activities is dependent upon a CBRC approval through a banking license for a subsidiary or a branch. Please refer to CP 4 for further details. EC10 A supervisor that takes consequential action on the basis of information received from another supervisor consults with that supervisor, to the extent possible, before taking such action. Description and CBRC determines whether and how to take supervisory actions mainly based on its findings re EC10 supervisory findings and therefore does not take consequential action solely on the basis of information received from another supervisor. Nevertheless, CBRC does take into account information received from foreign supervisors in preparing its supervisory plan and conducting on-site examinations and monitoring, including results from on-site examinations by foreign supervisors, which can trigger follow-up examinations by CBRC. The assessors were provided with an example of such case. Results of the follow up examination were shared with the foreign supervisor. Assessment of Compliant Principle 13 Comments CBRC has made significant efforts to improve its home-host relationship during the last few years including expressively increasing the number of MoUs in place over the last few years. In particular, the recent establishment of regular colleges for the four G-SIBs has enabled CBRC to reach out more effectively to a wider range of host supervisors. Resolution plans have been put in place. Given the increasing diversification of activities of Chinese banking groups and an enhanced focus on internationalization, the presence of Chinese banks abroad is expected to keep growing. CBRC is recommended to continue to improve its engagements and cooperation. In particular, CBRC should consider holding periodic colleges beyond G-SIBs for banks which from a home or host perspective is considered to be appropriate. Moreover, CBRC should consider taking a more proactive approach in communicating to home and host supervisory authorities’ significant findings or supervisory concerns. B. Prudential Regulations and Requirements Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management, 28 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank. Essential criteria 28 Please refer to footnote 27 under Principle 5. 127 PEOPLE’S REPUBLIC OF CHINA EC1 Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance. Description and The Company Law sets out basic provisions on the responsibilities of the board and senior findings re EC1 management of all companies, while the Corporate Governance (“CG”) Guidelines issued by CBRC establishes corporate governance requirements specific to banks, including the responsibilities of a bank’s board and senior management. There is a two-tier board system: a board of directors and a board of supervisors, both of which have responsibilities to shareholders and reporting obligations to CBRC. CBRC sets out its principles or expectations of sound corporate governance in Article 7 of the CG Guidelines. Sound corporate governance of a bank includes having a sound organizational structure with clear roles and responsibilities, appropriate business strategies, corporate values and social responsibilities, effective risk management and internal controls, a reasonable incentive and accountability framework, and sound information disclosures. A bank’s board is ultimately responsible for corporate governance and risk governance of the bank. In addition to the responsibilities prescribed by the Company Law, the board is responsible for the following as set out in Article 19 of the CG Guidelines: (a) approving the bank’s business and development strategies and overseeing the implementation; (b) the bank’s risk management, and the policies for risk appetite, risk management and internal control (also discussed in CP 15 EC1); (c) the bank’s capital plan and capital management; (d) regularly assessing and improving corporate governance of the bank; (e) information disclosure and the reliability and timeliness of financial reporting of the bank; (f) safeguarding the interest of depositors and other stakeholders; and (g) approving the policies and procedures for the identification, review and management of conflict of interest between the bank and its shareholders, particularly principal shareholders. The Internal Control Guidelines, the Comprehensive Risk Management Guidelines, the Capital Rules, and the Consolidated Management and Supervision Guidelines contain relevant and more specific provisions with regard to the board and senior management’s responsibilities. These are discussed in CP 15 and 16. Article 22 also stipulates that the board of directors shall, depending on the needs of the bank, set up specialized committees, such as a strategy committee, an audit committee, a risk management committee, an affiliated transaction control committee, a nominating committee and a remuneration committee. The responsibilities of senior management are set out in Articles 40 to 43 of the CG Guidelines. Specifically, the senior management shall manage the bank according to the 128 PEOPLE’S REPUBLIC OF CHINA powers as mandated by the articles of association and the board, and ensure that the bank’s operation is aligned with the strategies, risk appetite and other policies approved by the board. As for the board of supervisors, it is responsible under Article 32 of the CG Guidelines for supervising the board of directors and senior management, including assessing the reasonableness of their business strategies, reasonableness of remuneration policies, and whether adequate risk management systems and internal controls are put in place. The board of supervisors is responsible for performance evaluation of the directors (individually and of the board as a whole) and the results are to be reported to CBRC and the general meeting of shareholders. EC2 The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner. Description and CBRC assesses a bank’s corporate governance on an ongoing basis through offsite review findings re EC2 and onsite examination. The range of supervisory activities include conducting fit and proper tests, attending banks’ board and board committee meetings, conducting interviews with board and senior management, meetings with internal and external auditors, collaboration with local governments and other regulatory agencies, reviewing documents to evaluate the decision-making process, the implementation of decision and the monitoring, and incentive and disciplinary framework of the bank. Besides onsite examinations targeted at reviewing corporate governance of a bank, other onsite examinations such as those on key business activities, risk management and internal controls will involve reviewing the delegation of authorities, decision making process, segregation of duties, etc. The outcome of these work serves as an input to supervisors’ assessment of the quality of management and corporate governance of the bank. The observations and conclusions drawn from these supervisory activities are incorporated into the bank’s supervisory rating as an important component of management performance. For issues and deficiencies identified during the supervisory process, CBRC issues supervisory letters to banks requiring them to take remedial measures and monitors their progress. More severe enforcement actions will be taken if banks failed to take corrective actions as required. The areas for improvement in corporate governance are also incorporated into CBRC’s annual supervisory briefings for the larger banks. CBRC devotes more time and resources on the five G-SIB commercial banks, including setting higher qualification requirements on director candidates; requiring Chief Risk Officer position and specific board committees to be established, and conducting more onsite examinations. EC3 The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include 129 PEOPLE’S REPUBLIC OF CHINA audit, risk oversight and remuneration committees with experienced non-executive members. Description and The requirements on board governance and procedures for nominating and appointing findings re EC3 board members are contained in the CG Guidelines issued by CBRC in 2013 and the Guidelines on Board of Directors’ Due Diligence of Joint-Stock Commercial Banks (“Joint- Stock Banks CG Guidelines”) issued in 2005. BCP assessors understand that there are plans to rationalize and integrate the two in future review of rules and regulations. Board composition With regard to board composition, Article 54 of the Joint-Stock Banks CG Guidelines requires that a bank with registered capital exceeding RMB 1 billion shall have a board consisting of at least 3 independent directors. There is no requirement for the Board Chair to be non-executive or independent, but Article 55 requires the Chairman and the Chief Executive Officer of a bank to be separate persons. CSRC rules further require listed banks to have boards consisting of one-third independent directors. Board committees Article 22 of the Guidelines provides that a bank’s board shall, according to the situation of the bank, establish specialized board committees, including an audit committee, risk management committee, nominating committee, affiliated transaction control committee and remuneration committee. More prescriptive requirements are found in Article 40 of the Joint-Stock Banks CG Guidelines. Specifically, joint-stock banks are required to establish risk management committee and affiliated transaction control committee, and those with registered capital exceeding RMB 1 billion shall establish remuneration committee and nominating committee. Article 9 of the Internal Audit Guidelines issued in April 2016 further requires all banks to establish an audit committee consisting of majority independent directors and chaired by an independent director. Article 24 of the CG Guidelines requires the nominating committee, affiliated transaction control committee and remuneration committee to be chaired, in principle, by an independent director. The affiliated transaction control committee is to have a proper proportion of independent directors as members. Under the CG Guidelines, there is no requirement for nominating committee, remuneration committee and risk management committee to have a certain proportion of non-executive or independent directors. There is also no requirement for risk management committee to be chaired by or bear a certain proportion of non-executive or independent directors. CBRC explained that it adopts a proportionality approach in formulating the CG Guidelines and smaller banks can be given more flexibility to set up simpler board committee structure commensurate with their scale and complexity of operations. In practice, 78% of the banks in China are public listed and are required to comply with the Listing Rules in this aspect. Article 52 of the Corporate Governance Rules for Listed Companies issued by CSRC provides that the audit committee, nominating committee and remuneration committee should comprise a majority of independent directors and be chaired by an independent 130 PEOPLE’S REPUBLIC OF CHINA director. According to CBRC, these banks have boards that include experienced non- executive directors and have established audit committee, risk management committee, and remuneration committee, with a majority of members being either experienced non- executive directors or independent directors. Except for risk management committee, these banks’ board committees are chaired by independent directors. Supervisory Practice Supervisors reviews the procedures for nominating and appointing board members and review any changes in board and board committee. New director appointments are subject to fit and proper assessment by CBRC, which entails reviewing the academic qualification and relevant experience, conducting written tests and interviews. On an on-going basis, supervisors assess the functioning of the board and board committees by observing at board and board committee meetings, bilateral meetings with certain board committee chairs, review of minutes and the banks’ internal approval documents. Supervisors also review the assessment of the supervisory board on the performance and functioning of the board and board committees. These are incorporated into supervisory rating for “management” component. EC4 Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”. 29 Description and The Administrative Rules on the Qualifications of Directors (Council Members) and Senior findings re EC 4 Managers of Banking Financial Institutions (“the Rules”) contain provisions on qualification requirements for board members in terms of integrity, reputation, knowledge, experience, capability, financial status and independence. In accordance with Article 8 and CBRC’s internal guidance, board members must meet the following criteria: - having good records in terms of conduct and compliance with laws and regulations - good personal virtues and reputation; - having the relevant expertise, experience and capability commensurate with the proposed positions. In this regard, the expectation is to have at least 5 years’ experience in legal, financial sector or accounting firms or other organizations that are useful for performing the duties as a board member; - having sound employment records in the financial sector; - stable individual and family financial situation; - having the independence required for the proposed positions. Independent directors have to be legal, financial, economic or accounting experts; - ability to exercise duty of care and loyalty for the bank; 29 The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ’prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.” 131 PEOPLE’S REPUBLIC OF CHINA - ability to make judgments on a financial institutions’ operation, management and risk profile based on its financial statements and statistical reports; and - understand the corporate governance structures, articles of association and boards’ responsibilities of the bank. There are certain prohibitive provisions for the qualification of directors in Article 80, 81 of the Licensing Manual for Chinese Commercial Banks and Article 9, 10, 12 of the Rules, such as willful misconduct, gross negligence, violation of law, etc. Articles 10 and 11 of the Rule also stipulate the conditions under which a director is considered non-independent. Article 8 of the Rules and Article 49 of the CG Guidelines provide that board members shall perform the duty of care and loyalty in accordance with the requirements of applicable laws and regulations as well as the bank’s articles of association. CBRC conducts fit and proper tests for board members and senior managers to ensure that they fulfil the qualification set out in the Rules. As mentioned in EC 3, this entails reviewing the academic qualification and relevant experience, conducting written tests and interviews. According to CBRC, it applies higher qualification requirements, in terms of academic background and years of experience, for the large banks and joint-stock banks. Directors are subject to annual appraisals including self-assessment, appraisal by the board and the supervisory board. Appraisal results may be categorized as competent, largely competent and incompetent. Banks are required to replace directors appraised to be incompetent, and board member assessed to be largely competent has to demonstrate improvement within a timeframe specified by the board and supervisory board. EC5 The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite 30 and strategy, and related policies, establishes and communicates corporate culture and values (e.g. through a code of conduct), and establishes conflicts of interest policies and a strong control environment. Description and The CG Guidelines, the Internal Control Guidelines and various relevant Guidelines issued findings re EC5 by CBRC make clear the responsibilities of a bank’s board of directors with regard to strategies, risk management, corporate culture and values, conflict of interest and internal control environment. As mentioned in EC1, the board is responsible for approving the bank’s business strategies, overseeing their implementation, and approving the bank’s risk appetite and comprehensive risk management policies. In this regard, Articles 82 and 83 of the CG Guidelines provides that the board and risk management committee shall regularly receive updates from senior management with regard to the banks’ risk profile and risk management matters and they should ensure that senior management effectively identify, estimate, monitor, control and manage or mitigate the risks for the bank. 30 “Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously. 132 PEOPLE’S REPUBLIC OF CHINA On corporate cultures, Articles 77 and 78 of the CG Guidelines provide that a bank shall establish principles and corporate cultures to encourage the fulfillment of social responsibility. The board is responsible for formulating work ethics and values and senior management shall formulate the code of conduct for all employees within the bank. On conflict of interest, Article 19 of the CG Guidelines provides that a bank’s board is responsible for establishing the policies and procedures for identification, verification and management of conflict of interest between the bank and the shareholders. Article 52 provides that a Board member who is directly or indirectly connected to bank’s existing and planned contracts, transactions or arrangements shall disclose the nature and extent of connection to the Board’s related party transaction control committee in a timely manner, and withdraw where necessary when the committee is reviewing relevant matters On internal control environment, Article 89 of the CG Guidelines provides that a bank’s board shall closely monitor the internal control of the bank, foster a good internal control culture, and oversee the senior management to develop policies and procedures for end- to-end risk management. As part of CBRC’s supervisory ratings for corporate governance, it assesses whether board establishes clear overall strategic direction and development strategies, risk appetite and related policies and regularly reviews and make adjustments in response to market conditions and macro-economic environment. It also assesses whether the board establishes clear framework, policies and procedures, and communicates corporate values and vision. During onsite examination, supervisors check on corporate governance practices, internal control environment and there is a strong emphasis on confirming whether the board has fulfilled its responsibilities. During the on-site examinations conducted by CBRC in recent years, certain banks were found to have deficiencies in strategic planning, implementation oversight and risk policies developed by the Board. Supervisory letters were issued to these banks requiring remediation and these were rectified by the banks accordingly. EC6 The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them. Description and CBRC’s fit and proper standards for senior management of banks are set out in Articles 79, findings re EC6 85 and 86 of the Licensing Manual for Chinese Commercial Banks, while prohibitive provisions are set out in Articles 80 and 81. A bank’s board has to select senior management members who meet these fit and proper standards. The board may establish a nominating committee which is responsible, under Article 22 of the CG Guidelines, for establishing the procedures and standards for selecting and appointing board members and senior managers, and assessing whether they are fit and proper in accordance with the criteria as mentioned above, before submitting to the bank’s board. 133 PEOPLE’S REPUBLIC OF CHINA As set out in Article 19 and Articles 67 and 68 of the CG Guidelines, the board has the responsibility of supervising and ensuring the effective performance of the senior management, and the latter has to report to the board in a timely, accurate and complete manner on operational performance, significant contracts, financial status, risk profile of the bank. On succession planning, Article 97 of the Licensing Manual requires banks to identify suitable candidates who meet the fit and proper standards to temporarily perform the duties on an acting basis for no more than 6 months. Article 75 of the CG Guidelines also requires that banks establish a framework and process for recruitment and development of talent to support the bank’s business activities and operations in a sustainable manner. During its supervisory process, CBRC assesses the decision-making process, execution and supervision mechanisms and how well the board oversees senior management’s execution of board strategies and policies. This is done via reviewing corporate governance policies and procedures, minutes of meetings, internal audit reports, attending board and board committee meetings, and review of the banks’ internal risk management reports and approval memos onsite. According to CBRC, it encourages banks to establish fit and proper standards for senior management that are more stringent than regulatory standards. EC7 The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies. Description and CBRC’s requirements and expectations of a bank’s compensation practices are set out in findings re EC7 the Supervisory Guidelines on Sound Compensation of Commercial Banks. Under Article 17 of the Guidelines, a bank’s board of directors is responsible for the design of the bank’s remuneration management systems and polices in accordance with applicable laws and regulations and assumes ultimate responsibility for compensation management. Article 4 requires banks to establish a compensation system commensurate with the bank’s strategic goals and aligned with the bank’s talent development and risk control efforts. A bank’s compensation practice should comply with the following principles: (i) aligned with the bank’s corporate governance requirements; (ii) conducive in facilitating the bank’s competitive strengths and business continuity; (iii) commensurate with the bank’s risk- adjusted performance; and (iv) provides an appropriate mix of short term and long term incentives. Articles 14 and 16 of the Guidelines on Sound Compensation further requires that more than 40% of performance-based remuneration of senior management and material risk takers should be deferred over a term not less than 3 years. CBRC conducts onsite examinations on compensation management practices, focusing on the banks’ implementation of appropriate key performance indicators such as risk control, 134 PEOPLE’S REPUBLIC OF CHINA and whether compensation payouts are aligned with the time horizon of risks. For the senior management and key risk takers, supervisors check for compliance with the deferral requirements stipulated in the Guidelines on Sound Compensation. Such assessments are incorporated in the supervisory ratings for “management” component. Article 25 of the Guidelines on Sound Compensation provides that where a bank’s compensation practices and related performance assessment indicators are not in compliance with applicable rules and regulations, CBRC has the power to require the bank to take corrective actions. EC8 The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g. special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate. Description and Article 33 of the Comprehensive Risk Management Guidelines requires banks to put in findings re EC8 place policies and procedures to evaluate risks arising from new business and products, establishing new institutions, major acquisition or investment, with internal approval process and exit strategies. Articles 21 and 23 of the Consolidated Management and Supervision of Commercial Banks set out the requirements of the Board and senior management with respect to improving the organizational structure of the group for consolidated management and overseeing the effectiveness of consolidated management of the banking group including its affiliates. During its supervisory processes, CBRC assesses whether a bank’s board and senior management can understand and manage major risks of the bank and banking group, including business lines, customer groups and entities under consolidated management. Greater attention is given to new business activities and services. For instance, CBRC requires banks to submit information prior to establishing, making equity investment in or acquiring a domestic incorporated financial institution. By reviewing the documents and conducting interviews and onsite examinations, supervisors assess whether the board and senior management is informed of the investment structure and understand, manage and mitigate the related risks. EC9 The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria. Description and Article 37 of the Banking Supervision Law provides that where a bank fails to meet findings re EC9 prudential rules and regulations and fails to take corrective actions within prescribed timeline, or the safety and soundness of the bank is likely to be severely threatened, and the interest of depositors or other customers are likely to be jeopardized, CBRC may require the bank to replace board members. Article 33 of the Rules for Performance Appraisal of Directors also requires banks to immediately replace board members assessed to be incompetent. According to CBRC, it has disqualified a number of board members and senior managers who severely violated prudential rules and guidelines, and asked banks to replace incompetent board members. Assessment of Largely Compliant Principle 14 135 PEOPLE’S REPUBLIC OF CHINA Comments CBRC has progressively updated its corporate governance regime, keeping pace with international developments. Specifically, the CG Guidelines was issued in 2013 after close consultation with CSRC, taking into consideration CSRC’s CG Rules for listed companies. The latter is applicable to listed banks, which in total constitute about 80% of the banking system. Further, the Internal Audit Guidelines containing requirements on audit committees was issued in 2016. Given the diversity in scale and complexity of banks, the policy intention is to adopt a proportionate approach with the large/listed banks being subject to the highest requirements while some flexibility accorded to the smaller ones such as the rural banks. On supervisory practices, there is a clear and consistent emphasis on assessing corporate governance of banks across CBRC’s onsite examinations and offsite surveillance, and the assessment constitutes one of the key components of the supervisory ratings of banks. Where there are corporate governance issues or concerns, supervisory actions taken include formal communication to the bank, monitoring of remedial measures and in severe cases, removal of directors. The current regime for corporate governance is based on a combination of Commercial Banks CG guidelines, internal audit guidelines, Guidelines on the Board of Directors’ Due Diligence of Joint-stock Commercial Banks and CG Rules for listed companies, etc. While they are rather comprehensive taken together, there are areas that can be enhanced. For instance, while the non-listed banks are required to have an independent chair for nominating committee and remuneration committee, it is not clear if there is a requirement for there to be majority non-executive or independent directors, or other means of ensuring the needed objectivity in these committees. CBRC assessed that this is not a significant risk because in practice, the boards of the small banks currently comprise 10% of independent directors and 70% non-executive directors. There has been greater emphasis on the effectiveness of risk management committee (RMC) and the expectations on role and responsibilities, composition and expertise of RMC are added in the revised BCBS Principles for Enhancing Corporate Governance in 2015 (“BCBS CG Principles 2015”). In this regard, CBRC’s requirement for banks to establish a risk management committee with members who have experience in risk management issues and practices, is set out in the CG Guidelines. There is also a dedicated chapter of “Risk Management and Internal Control” to emphasize on the importance of the Board and risk management committee in risk management. However, both the CG Guidelines and CSRC’s CG Rules for Listed Companies do not have an explicit requirement for risk management committee to be chaired by an independent director and to bear a majority of independent directors. CBRC assessed that notwithstanding the absence of mandatory requirement, the G-SIBs have voluntarily established risk management committees with a composition that meet the standards set out in BCBS CG Principles 2015. Since the previous assessment, there has been a heightened emphasis on corporate governance, risk governance and on promoting sound corporate cultures within banks. Internationally, there are ongoing developments as regulators continue to enhance their CG regime and supervisory processes in this respect. For such a large and growing banking 136 PEOPLE’S REPUBLIC OF CHINA system in China, there are benefits in having consolidated, clear and concise guidelines in line with international standards to ensure that CBRC’s supervisory expectations are well understood, and to establish a clear minimum standard for the smaller and less complex banks in line with the proportionate approach taken. Principle 15 Risk management process. The supervisor determines that banks 31 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate 32 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank. 33 Essential criteria EC1 The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that: (a) a sound risk management culture is established throughout the bank; (b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite; (c) uncertainties attached to risk measurement are recognized; (d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and (e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite. Description and CBRC has issued various rules and guidelines in relation to corporate governance, internal findings re EC1 control, comprehensive risk management, capital management and consolidated management, stipulating that a bank’s board has the ultimate responsibilities for its risk management. Specifically, the board is required to establish risk management culture, approve risk management strategies, define risk appetite and limits, approve risk management policies and procedures and oversee the work of senior management to ensure that they take steps to identify, measure, monitor and control risks. These are set 31 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group. 32 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents. 33 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management. 137 PEOPLE’S REPUBLIC OF CHINA out in Article 11 of the Comprehensive Risk Management Guidelines, Articles 19, 72, 73, 82 and 83 of the Corporate Governance Guidelines, Article 21, 23 and 35 of the Consolidated Management and Supervision Guidelines. CBRC supervisors carry out a range of supervisory activities to assess how well a bank’s board and senior management discharge their responsibilities in the above-mentioned areas. They attend board meetings, interview board and senior management members, review assessment by supervisory board, and review minutes of board and risk management committee meetings. CBRC has conducted a number of targeted and full-scope on-site examinations on banks’ and banking groups’ corporate governance. By reviewing internal documents such as minutes of the Board and its risk management committee, rules and policies, business files, and reports and information submitted by various departments to the Board and senior management, and by holding interviews with staff, senior managers and Board members, supervisors determine: -whether the risk management strategies have been approved by the board; - whether the board has established a set of suitable risk appetite; -whether there is a sound risk management culture throughout the bank; -whether there is effective communication between the board and senior management; and -whether the board has given guidance to senior management in developing risk policies, risk limits and risk management policies in line with the strategies endorsed by the board. EC2 The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate: (a) to provide a comprehensive “bank-wide” view of risk across all material risk types; (b) for the risk profile and systemic importance of the bank; and (c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process. Description and Article 26 of the Comprehensive Risk Management Guidelines requires banks to establish findings re EC2 comprehensive risk management policies and procedures, include those for risk identification, measurement, assessment, monitoring, reporting, controlling or mitigation and risk aggregation. Article 4 provides that banks’ risk management system shall cover bank-wide material risks, be commensurate with the risk profile and systemic importance of the bank, and take into consideration risks arising from the macroeconomic environment. CBRC supervisors monitors the risk profile of banks and assess the effectiveness of banks’ risk management processes, via review of regulatory returns, risk management reports, meetings with external auditors, attendance at board meetings and onsite examinations. The frequency and scope of onsite examinations are determined largely according to the risk profile, the business scope, size and complexity and systemic importance of the banks Onsite examinations focus on risk management policies and procedures and review the following: 138 PEOPLE’S REPUBLIC OF CHINA - methodology and procedures for risk identification, measurement, monitoring, reporting, mitigation and risk aggregation; - risk management reports and stress tests performed; - banks’ assessment of risks associated with new products, major businesses and institutional changes; and -adequacy of capital, liquidity and contingency plans and recovery plans. When reviewing banks’ risk management reports or interviewing the board and senior management, supervisors look into whether the banks’ risk identification, assessment and management processes take into account changes in macro-economic environment to identify and manage emerging risks. Assessors sighted CBRC’s examination reports which contained findings on completeness of banks’ risk data aggregation in including all material risks, and risk alerts to banks to require heightened risk assessment and controls in response to certain developments in macro-economic environment. Banks that assessors met are also conscious of the need to incorporate macroeconomic environment in their risk management process. CBRC devotes more resources and attention to systemically important institutions in its supervision, with more frequent submission of returns and onsite examinations, and quarterly meetings being held to analyze the risk features of these large banks. CBRC also requires the systemically important banks to establish a risk data aggregation system that covers all material risks, to improve the comprehensiveness, timeliness and accuracy of risk identification and reporting. EC3 The supervisor determines that risk management strategies, policies, processes and limits are: (a) properly documented; (b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and (c) communicated within the bank The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary. Description and Chapter 3 and 4 of the Comprehensive Risk Management Guidelines set out provisions on findings re EC3 risk management strategies, risk appetite and limits, and policies and processes. Specifically, Articles 14, 20, 25 and 40 require risk management strategies, policies and procedures and risk limits to be properly documented, regularly reviewed and adjusted when necessary, and communicated within the bank. There should be proper authorization of limits, monitoring of adherence and reporting of positions and limit excesses to senior management, supervisory board and the Board as appropriate. As well, Article 59 of the Consolidated Management and Supervision Guidelines provides that banks shall establish risk limits, risk thresholds, and limit management processes at the bank group level. Supervisors review the risk management strategies, major policies and procedures submitted by the banks, giving attention when there are significant changes. During onsite examination, exceptions to established procedures and limits have been one of the key areas of focus. By reviewing written documents and holding interviews, the supervisors 139 PEOPLE’S REPUBLIC OF CHINA determine whether established policies, procedures and limits are effectively communicated and implemented. By reviewing transactional records of business activities, the supervisors also determine whether the policies, processes and limits are complied with. Supervisors assess how exceptions are identified, reported and whether they are dealt with or authorized at appropriate levels. EC4 The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive. Description and As set out in Article 83 of the Corporate Governance Guidelines, a bank’s board and risk findings re EC4 management committee are to be updated regularly on the bank’s risk profile and risk management responses and give guidance and direction for comprehensive risks management. In addition, Article 11 and 14 of the Comprehensive Risk Management Guidelines provide that the board and senior management are responsible for obtaining and regularly reviewing information on the bank’s risk profile and risk management. When conducting fit and proper tests on proposed board or senior management members, CBRC conducts written tests and interviews and assess proposed board members’ ability to understand the nature and level of risk as well as the relationship with capital adequacy. As part of on-going supervision, CBRC evaluates the board and senior management in the following ways: (a) attends board meetings, board committee meetings and shareholders meeting. Based on presentations and discussions at these meetings, supervisors assess whether the board members understand the nature and level of risks undertaken by the bank. (b) reviews the minutes of board and board committee meetings, and holding supervisory meetings with the board and senior management. (c) Conducts onsite examinations to determine whether a bank has put in place a management information system (MIS) that cover all business activities, whether the board and senior management are able to obtain information through the MIS, and whether the reports are reliable and meaningful. (d) review of banks’ ICAAPs focusing on capital management governance structure (board and senior management’s role), risk assessment, risk measurement, risk aggregation and implementation of capital plans. In the course of this review, supervisors assess whether bank’s board and senior management obtain adequate and timely information and understand the risks undertaken by the bank, and the linkages to capital, liquidity and risk limits. EC5 The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies. Description and Chapter 7 of the Capital Rules sets out that a bank shall establish sound risk management findings re EC5 systems and robust ICAAPs, formulate capital plans and robust capital management framework to ensure that the bank holds adequate capital to support its risk and ongoing 140 PEOPLE’S REPUBLIC OF CHINA business plans. The Liquidity Risk Rules also requires banks to put in place a robust liquidity risk management system to ensure adequate liquidity. Article 26 of the Comprehensive Risk Management Guidelines also requires banks to establish risk management policies and procedures to assess capital and liquidity adequacy. Capital and Liquidity are two of the key components in CBRC’s supervisory ratings of banks, which take into account both quantitative indicators and qualitative factors. The latter includes the outcome of CBRC’s evaluation of the banks’ internal capital and liquidity adequacy assessment and management processes. On capital management, banks are required to establish ICAAPs at least annually, taking into account their business size and complexity and submit them to CBRC annually. CBRC devotes more resources in the review of ICAAP for the large banks and joint-stock commercial banks. In particular, CBRC pays attention to: (a) effectiveness of capital management governance structure (b) robustness of risk assessment (c) whether an information management system supporting risk and capital measurement has been established and (d) whether a monitoring and reporting system has been put in place to monitor and report capital levels and changes of main determinants. During onsite examinations, supervisors review internal documents on capital management plans and verify CAR computation methodologies. Supervisors also assess whether appropriate processes have been put in place to assess capital adequacy and prepare capital management plan in light of the bank’s risk profile, and whether CAR targets are determined in line with risk appetite approved by the board. On liquidity risk management, CBRC’s evaluation is based on regular reviews of liquidity risk returns and stress tests conducted by banks, and onsite examinations. Please refer to CP 25 for more details on supervisory practices. EC6 Where banks use models to measure components of risk, the supervisor determines that: (a) banks comply with supervisory standards on their use; (b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and (c) banks perform regular and independent validation and testing of the models. The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed. Description and The Capital Rules set out requirements on the use of models to measure credit risks, market findings re EC6 risk and operational risks. Banks are expected to regularly validate models, assess their limitations, monitor the model outputs and continue to improve model performance. Articles 114, 115, 117 and 118 and Annex 14 prescribe overall requirements on the use of models to measure risks for banks that adopt the advanced measurement approaches. In addition, Article 17 and 20 of the Guidelines on Market Risk Management of Commercial Banks set out provisions on the use of market risk-related models and independent validation. 141 PEOPLE’S REPUBLIC OF CHINA In April 2014, CBRC approved six commercial banks for the adoption of advanced approaches (including IRB and IMM), following three rounds of supervisory assessments from 2009 to 2014. Post approval, CBRC conducted ongoing supervision of the models being used, which includes reviewing model performance reports. If and when there is a significant deterioration in model performance, supervisors follow up with the bank to investigate and monitor how the bank addresses the issue, including the possibility of modifying or recalibrating the model. Over the years, CBRC has developed a team of specialists to support its supervisory assessments prior to approvals of advanced approaches of banks and to support ongoing supervision of models used by the banks post CBRC’s approval. During onsite examinations on market risk management, supervisors review relevant validation programs of risk models to determine whether the bank conducts independent model validation and regular back testing on models. EC7 The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use. Description and The Guidelines on Comprehensive Risk Management and the Guidelines on Consolidated findings re EC7 Management and Supervision provide that banks shall have in place IT infrastructures commensurate with their risk profile. The IT systems should support the needs of consolidated management at group level, and used for identifying, monitoring and reporting risks, and for supporting managerial decision-making, and assessing capital and liquidity needs. During onsite examinations, CBRC supervisors review the banks’ internal information systems, the accuracy, reliability and appropriateness of risk reports generated and the timeliness of reporting to the banks’ boards and senior management. Supervisors also review the regulatory returns submitted by banks, discuss with banks to better understand the effectiveness and capacity of the banks’ IT systems. Supervisors assessment is incorporated in “I” component of the supervisory ratings of banks. This is an assessment of whether the bank has in place management information systems that are implemented throughout the bank, whether board and senior management are able to obtain relevant information via such systems on a timely basis, and whether comprehensive information or reports provided by the systems are reliable and meaningful. EC8 The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products, 34 material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these 34 New products include those developed by the bank or by a third party and purchased or distributed by the bank. 142 PEOPLE’S REPUBLIC OF CHINA risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board. Description and Article 33 of the Comprehensive Risk Management Guidelines requires banks to put in findings re EC8 place policies and processes to assess and evaluate risks inherent in new products, material modifications to existing products, and major management initiatives. Any major activities of this nature should be approved by the board or a specific board committee. Article 15 of the Guidelines on Financial Innovation of Commercial banks specifies that the board and senior management should regularly assess and approve financial innovation policies and the limits for such new products or initiatives. When conducting onsite examinations, CBRC supervisors review the policies and processes of introducing new products or businesses, minutes of meetings of the bank’s board or relevant board committees to determine whether the risk is adequately assessed, whether proper approvals were obtained and whether post-launch review was conducted where necessary. CBRC’s approval process for new products also provides an opportunity for it to assess the adequacy of the bank’s processes. Assessors’ discussion with certain banks indicated that their engagement with CBRC during the new product approval process is quite extensive. The discussion involves understanding of the features and characteristics of the product, the inherent risks identified by the bank and whether the bank has put in place policies, procedures and controls to manage these risks, and the internal governance process. EC9 The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function. Description and Article 84 of the Corporate Governance Guidelines sets out that banks are required to findings re EC9 establish an independent risk management function with authority, resources and access to the banks’ board. Banks are also required to subject its risk management functions to internal audit reviews, as set out in Article 5 of the Guidelines on Internal Audit for Commercial Banks. CBRC’s onsite examinations place clear emphasis on the independence of risk management functions. Supervisors review the banks’ organizational structure and segregation of duties, to determine whether the functions responsible for assessing, monitoring, controlling and mitigating risks are segregated from business functions and that there are no conflict of interests. Supervisors also review reporting lines of risk management function to determine whether it provides risk reports directly to the board and senior management. Corrective actions are required if a bank’s risk management function is not independent. Supervisors also interview banks’ internal auditors and review internal audit reports to ensure that risk management functions are subject to regular audit. 143 PEOPLE’S REPUBLIC OF CHINA EC10 The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Description and Article 15 of the Comprehensive Risk Management Guidelines provides that larger or findings re EC10 complex banks are required to have in place a Chief Risk Officer to be responsible for overall risk management of the bank and reports on risk management matters directly to the board and risk management committee. The CRO should be a senior management member and independent of business functions. In the absence of a CRO, other senior managers appointed to lead the risk management unit should remain independent of business lines. Removal of CRO requires prior approval of the board and has to be disclosed to the public. Reasons for such removal are to be reported to and reviewed by CBRC. EC11 The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk. Description and CBRC has issued various regulatory guidelines relating to the major risk types, namely, findings re EC11 credit risk, market risk, liquidity risk, operational risk and interest rate risk in the banking book. Please refer to CPs 17 and 22 to 25. EC12 The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified. Description and Article 40 of the Consolidated Management and Supervision Guidelines requires that a findings re EC12 bank periodically undertake stress tests for various risks under different scenarios at the banking group level and formulate sound and detailed contingency plans in light of the test results. Article 83 provides that a bank shall develop and regularly update group-level recovery plans and incorporate them into their governance and risk management processes. The recovery plan formulation and implementation is subject to review by the banking supervisory authority for effectiveness and appropriateness. Articles 35 and 36 of the Comprehensive Risk Management Guidelines provides that a bank shall have in place contingency plans to respond to and address emergencies and crises in a timely manner, and develop and update the recovery plans in light of its risk profile and systemic importance. Article 25 of the Guidelines on Stress Tests of Commercial Banks and Article 129 of the Capital Rules stipulate the use of stress test results in contingency plans. 144 PEOPLE’S REPUBLIC OF CHINA CBRC supervisors regard review of contingency arrangements as being part of their assessment of the effectiveness of banks’ risk management policies and procedures. As part of supervising a bank’s individual risks, supervisors review the meeting minutes of the Board and its risk management committee, the banks’ internal risk management reports, and interview relevant persons (including the board members and senior managers) to determine whether the bank has taken into account risks and stress scenarios that may materialize in its contingency plan. Supervisors’ reviews of the banks’ contingency plans are often performed together with the review of the banks’ stress tests. Supervisors review aspects such as scenario setting, whether the scenarios are reasonably severe, whether the assumptions on sources of funds under stress situations are realistic, and banks are asked to take on board CBRC’s comments and make necessary adjustments. Given that Bank of China (BOC), Industrial and Commercial Bank of China (ICBC), Agricultural Bank of China (ABC), and China Construction Bank (CCB) are G-SIBs, CBRC has required them to develop and submit recovery and resolution plans (RRPs) annually to CBRC for review. Given the importance of RRP, there is a need to extend this requirement to the other large banks, in particular those assessed to be systemically important in the domestic market. CBRC has set up a cross-border crisis management group (CMG) for each G-SIB, comprising senior officials from national authorities including CBRC, MOF and PBC, as well as some foreign authorities. The CMG is mainly responsible for effective management and resolution of the bank in the event of cross-border financial crisis. It reviews and assesses the bank’s recovery and resolution plan at least once a year, and discusses the feasibility of the RRP. To date, CMGs have been established for each G-SIB, including BOC, ICBC, ABC and CCB, and have started to review and discuss banks’ RRPs annually. In respect of recovery plans, they are subject to review by PBC and CBRC. The assessment involves reviewing the governance process, the identification of critical business functions, the indicators for triggering crisis management actions, stress test scenarios, and recovery options. The team from CBRC comprises representatives from supervision, legal department, prudential policy bureau and international department. Issues identified from the review are communicated to the bank for necessary action and rectification. EC13 The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program: (a) promotes risk identification and control, on a bank-wide basis (b) adopts suitably severe assumptions and seeks to address feedback effects and system- wide interaction between risks; (c) benefits from the active involvement of the Board and senior management; and 145 PEOPLE’S REPUBLIC OF CHINA (d) is appropriately documented and regularly maintained and updated. The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process Description and The Stress Test Guidelines revised by CBRC in 2014 sets out requirements for banks to findings re EC13 establish stress tests framework and programs, at both the bank and bank group level (Article 6), that are commensurate with their risk profile and systemic importance. It emphasizes that stress test plays an important role in risk management (Article 7), by assessing the bank’s asset quality, profitability, capital level and liquidity position and its ability to withstand stress conditions, and it provides a reference for setting risk appetite and develop capital and liquidity plans. The Stress Test Guidelines sets out CBRC’s expectations of banks’ stress testing framework, including the governance structure, methodology, process, scenario design, and internal validation and assessment. Articles 42 and 43 also contain provisions on CBRC’s supervisory reviews of the banks’ stress testing and industry-wide stress tests to be organized by CBRC. CBRC’s review is to assess whether the banks’ stress tests are commensurate with their size, business complexity and risk profile and to facilitate banks to improve their stress test and risk management capabilities. Supervisory requirements on stress tests are also prescribed in various other guidelines such as the Comprehensive Risk Management Guidelines, the Consolidated Management and Supervision Guidelines, the Capital Rules and the Liquidity Risk Rules. There are a number of stress tests organized by CBRC in recent years, including stress tests covering major risk types and targeted ones on real estate credit risk and liquidity risk. These focus more on the identification of systemic risks with the scenario design considering more about the risk pervasiveness and contagion. Some large and medium-sized banks also conduct internal full-scope stress tests or targeted stress tests on their own. Banks that BCP assessors met highlighted that stress testing has become an important part of their risk management framework and processes, particularly given the uncertainties and volatilities in the global and domestic economic environment in recent years. As part of supervisory process, supervisors review stress tests undertaken by banks, discuss with banks on the risk factors, underlying assumptions of scenarios, methodologies, transmission mechanisms, data sources, stress test results and related management actions. As discussed in EC 12, these are often carried out together with review of contingency plans and recovery plans. Risks and issues identified during this process are closely monitored by CBRC and taken into consideration in the supervisory assessment and rating. Banks are required to identify risks and improve contingency plan with the help of stress test results and submit reports to CBRC. In line with the progress towards adopting enterprise-wide risk management approach, CBRC and the banks should work on enhancing the robustness of stress testing programs, including stress scenarios design, stress parameters and assumptions, stress testing techniques and interaction of risks under stress. 146 PEOPLE’S REPUBLIC OF CHINA EC14 The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities. Description and Article 39 of the Comprehensive Risk Management Guidelines provides that banks shall findings re EC14 take account of risk management strategy, risk appetite, risk limits, as well as risk management policies and processes in their capital and operation management, in particular internal pricing, performance measurement, and new product approval process for significant business activities. Article 116 of the Capital Rules provides that a bank shall designate relevant departments to perform capital management duties, including developing the framework for assessing and managing the measurement and allocation of internal capital and calculation of risk- adjusted returns on capital. During onsite examinations, supervisors review the bank’s policies and procedures to assess whether the banks account for relevant risks in their internal pricing, performance appraisal and new product approval process. CBRC assessed that the majority of banks have accounted for relevant risks in their internal pricing, performance appraisal and new product approval. For instance, banks’ internal funds transfer pricing (FTP) takes into account product maturity mismatch, interest rate option, special product features, liquidity gaps of assets and liabilities, and interest rate sensitivity, and FTP is adjusted to guide business portfolio changes. Their performance appraisal focuses on the balancing between risks and benefits. Assessment of Largely Compliant Principle 15 Comments While much of banking in China is lending and deposit taking, the market is complex by virtue of its scope and diversity, and banks are getting into new areas of lending and other activities, in response to competition and changes in macro-economic environment. There is also an increasing contribution from the small-and-medium sized banks to the banking system over the past years. Since the previous assessment, there has been significant progress in the banks’ risk management capabilities. The five large banks have moved on to adopting advanced approaches for capital measurement, and internal capital assessment program (ICAAP) and stress tests have become an important part of their risk management. For the other large and medium sized banks, while their risk management capabilities may vary depending on the scale and complexity of activities and risk profile, their management of individual credit risks, market risk, liquidity risks and operational risk have also evolved over time. CBRC issued the Comprehensive Risk Management Guidelines in September 2016, and have been in discussions with banks for months prior to that. Full enterprise-wide risk approaches that integrate strategy setting, monitoring, management and stress testing in ways that consider interactions among risks are challenging, particularly for banks with business activities across geographical regions, with diverse products or non-standard credit posing different types of risks. Some banks are still working on fully complying with 147 PEOPLE’S REPUBLIC OF CHINA the comprehensive risk management guidelines, addressing challenges in IT systems, aggregating non-standard credit, overseas exposures, etc. Assessing whether the banks are fully effective in adopting enterprise-wise risk approaches and fully identify, monitor and manage the risk interactions should continue to be a focus area of supervision for CBRC. CBRC has thus far required the four globally systemically important banks to prepare and submit recovery plans annually for review, with resolvability assessment being conducted for three. Given the importance of RRP, there is a need to extend this requirement to the other large banks, in particular those assessed to be systemically important in the domestic market. In line with the progress towards adopting enterprise-wide risk management approach, CBRC and the banks should work on enhancing the robustness of stress testing programs, including stress scenarios design, stress parameters and assumptions, stress testing techniques and interaction of risks under stress. Principle 16 Capital adequacy. 35 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards. Essential criteria EC 1 Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis. Description and In June 2012, CBRC issued the Capital Rules of Commercial Banks (Provisional), which came findings re EC1 into effect in January 1, 2013.The Capital Rules regulation has 10 chapters with 17 annexes encompassing the core requirements of the Basel II and III. In recent years, CBRC has successively issued a series of supplementary documents to provide further clarifications on the framework. The Capital Rules apply to all banks operating in China. Article 2 of the Capital Rules provides that these rules shall apply to commercial banks established within the territory of the People’s Republic of China, Chapters 2 and 3 of the Capital Rules establish the scope, definition of capital and thresholds for prescribed requirements. 35 The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it. 148 PEOPLE’S REPUBLIC OF CHINA Chapter 2 establishes that minimum requirement of common equity tier 1 (CET1) ratio shall not be less than 5 percent (compared to 4.5 percent in Basel III), minimum requirement of Tier 1 ratio no less than 6 percent and minimum requirement of total CAR no less than 8 percent. Requirements also include the capital conservation buffer, countercyclical capital buffer and SIB capital surcharge in addition to the minimum requirements are 2.5 percent, 0-2.5 percent and 1 percent respectively, to be met with Common Equity. In addition, CBRC may impose Pillar II capital add-on to individual banks based on their risk profiles and risk management capacities, based on the ICAAP and the supervisory review process. Banks are also required to comply with a leverage ratio of 4 percent (above the Basel III requirement of 3 percent) In practice, at end-2015 the average CAR was 13.45 percent, with a CET1 CAR of 10.91 percent. The average leverage ratio was 6.33 percent. Chapter 3 (Definition of Capital) and Annex 1 (Criteria for Inclusion of Capital Instruments of the Capital Rules) sets out eligibility criteria for capital instruments to ensure capital components are defined based on loss-absorbency. The Supervisory Guidance on Capital Instruments Innovation of Commercial Banks has further clarified eligibility criteria to insure loss-absorbency of Additional Tier 1 and Tier 2 capital instruments. In addition, Chapter 4 Calculation of Credit RWAs, Chapter 5 Calculation of Market RWAs and Chapter 6 Calculation of Operational RWAs of the Capital Rules have respectively set criteria for the calculation of credit risk, market risk and operational RWAs, and are further detailed in the Annexes to the capital rules. EC2 At least for internationally active banks, 36 the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards. Description and China has adopted the Basel III framework, including the option for banks to use the findings re EC2 advanced approaches for credit and market risk. The definition of capital, the risk coverage and method of calculation and thresholds for the prescribed requirements are aligned with the Basel standards. In September 2013, BCBS released the report on its Regulatory Consistency Assessment Program (RCAP) of China, grading China’s implementation as ‘Compliant’. Among the 15 components of the assessment, 13 were rated as ‘compliant’, including scope of application, transitional arrangement, definition of capital, credit risk (IRB approach), credit risk (securitization), counterparty credit risk, market risk (standardized approach), market risk (IMA), operational risk, capital buffer (conservation buffer and countercyclical capital) and Pillar Ⅱ supervisory review. Credit risk (standardized approach) and Pillar III disclosure were graded as “Largely Compliant”. Non-material deviations on credit risk broadly related to the fact that exposures to the sovereign, banks and PSEs are assigned fixed risk weights, 36 The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis. 149 PEOPLE’S REPUBLIC OF CHINA not linked to external credit assessments (which currently do not result in lower risk weights) and the treatment of past due loans and eligible collateral, in particular the treatment of debt securities issued by foreign banks and PSEs. Pillar III deviations relate to lack or requirement to disclose certain information, such as credit quality, securitization and employees remuneration. On this issue, CBRC reported that intends to revise its overall disclosure framework, in line with Basel recent developments, expecting to have a new set of disclosures by mid-2017. In 2016, BCBS released its RCAP report on G-SIB framework (G-SIB RCAP), in which China is graded as compliant. In order to ensure adequate implementation, from 2013 to 2015, CBRC carried out annual comprehensive assessments on banks’ implementation of the Capital Rules. EC3 The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g. securitization transactions) 37 entered into by the bank. Both on-balance sheet and off- balance sheet risks are included in the calculation of prescribed capital requirements. Description and Under the Capital Rules, CBRC has the power to impose Pillar II capital add-ons to ensure findings re EC3 the full coverage of risks. Such add-ons can include specific capital requirements for certain asset portfolios on the basis of risk assessment and for individual banks based on results of supervisory review. For banks that have not yet established an internal capital adequacy assessment process or whose internal capital adequacy assessment processes fail to meet the requirements, CBRC can apply Pillar II add-ons based on the risk assessment. Article 51 of the Capital Rules provides that credit RWAs are the sum of credit risk- weighted on- and off-balance sheet assets in the banking book. Article 53 provides that when calculating risk-weighted off-balance sheet RWAs, a bank shall first use CCFs to convert off-balance sheet items into on-balance sheet credit exposure equivalents, and then calculate RWAs in the way applicable to on-balance sheet assets. CCFs are specifically provided in Article 71 and Annex 2. Since the implementation of the capital rules in 2013, CBRC has reported to have conducted comprehensive assessments of the implementation of the Capital Rules examining CAR accuracy, as well as reviewing banks’ capital management of banks, ensuring full coverage of on- and off-balance sheet risk exposures. In practice, so far, Pillar 2 add-ons have been mostly used for the largest banks operating in China. 37 Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006. (continued) 150 PEOPLE’S REPUBLIC OF CHINA EC4 The prescribed capital requirements reflect the risk profile and systemic importance of banks 38 in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements. Description and The introduction of the Basel III framework, as discussed in previous ECs, has strengthened findings re EC4 the overall capital framework, further reflecting banks risk profile and systemic importance. It does take into account macroeconomic conditions, aiming at constraining the build-up of leverage in banks and the banking sector through the introduction of a more risk-sensitive capital requirement framework, including the capital conservation buffer, the countercyclical capital buffer, SIB surcharge, the leverage ratio and the full implementation of ICAAP within the supervisory review process. On certain components, namely CET1 and the leverage ratio, the CBRC has adopted a more stringent approach in comparison to Basel III. Discussions on the implementation of a D-SIBs methodology have already started. Despite the increase in capital levels over the last few years CBRC still expect banks to maintain a relatively low dividend distribution ratio. In 2014 and 2015, distribution ratio generally stayed at around 30 percent. Specifically, large banks have lowered their dividend payout ratio in recent years, on average from 35 percent to 30 percent. EC5 The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use: (a) such assessments adhere to rigorous qualifying standards; (b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor; (c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken; (d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and (e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval. Description and Chapter 4 (Calculation of Credit RWAs), Chapter 5 (Calculation of Market RWAs) and findings re EC5 Chapter 6 (Calculation of Operational RWAs) of the Capital Rules have respectively set out 38 In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses. 151 PEOPLE’S REPUBLIC OF CHINA rules for IRB approach to credit risk, IMA to market risk and AMA to operational risk (although no bank has been approved thus far for the use of AMA). Meanwhile, detailed requirements for these advanced approaches are listed in Annex 3, 4, 5, 6, 7, 9, 11, 12, 14 and16. The use of internal assessments of risks as inputs to the calculation of regulatory capital is contingent upon approval by CBRC. Annex 14 of the Capital Rules – Supervisory Review of Advanced Capital Measurement Approaches details the requirements for application for implementation, as well as CBRC approval process, parallel run arrangements (minimum of 3 years) and ongoing supervisory review. Prior application, banks that intend to qualify for the advanced approaches are subject to an assessment by CBRC with regard to the bank’s preparation for implementation, including governance structure, policies and procedures, measurement models, data and information systems, the latest self-assessment report of compliance, results of at least two quantitative impact studies, validation and auditing reports and others that might help CBRC understand the status of implementation preparation (Annex 14 – 1.2.1). The CBRC assessment process of an application is required to encompass the analysis of the role of advanced capital measurement approaches in improving the bank’s risk management, if the bank has established self-improving mechanisms to promote continuous improvements of risk management, if all supervisory requirements are met, if validation is sufficient and effective (Annex 14 - 2.1.2). CBRC has the power to impose conditions on its approvals if considers it prudent to do so and has done it in the past in the case of one bank. Annex 14 (2.17) provides that should a bank fail to fully meet the supervisory requirements but have met eligibility criteria concerning core items and have in place plans to meet left eligibility criteria during the parallel run period in areas where non-substantial shortfalls exist, CBRC can grant the bank with conditional approval for implementation. In those cases, CBRC can extend the parallel run period if the bank fails to address the identified shortcomings. Where a commercial bank makes material adjustments to its approaches, including adjusted key definitions, parameters, models it is required to seek approval from CBRC (Annex 14 (4.2). Cessation of the use of internal assessments is contingent upon CBRC approval (Article 46). Annex 14 (4), - Ongoing Supervisory Review - require banks to submit a validation report annually (4.3). In addition, CBRC supervisory can perform an in depth review of the validation procedure for banks internal approaches (4.4). In case the advanced capital measurement approaches are found to have severe deficiencies and the bank fails to address those within a given period of time the CBRC can revoke the bank’s approval. So far, six banks, including Industrial and Commercial Banks of China (ICBC), Agricultural Bank of China (ABC), Bank of China (BoC), China Construction Bank (CCB), Bank of Communications and China Merchants Bank (CMB) have been granted the approval to adopt Advanced Approaches, including IRB for credit risk, IMA for market risk, exclusive of 152 PEOPLE’S REPUBLIC OF CHINA AMA for operational risk. CBRC reported that a few other banks are in the process of qualifying for the advanced approaches. Between 2007 and 2009 CBRC issued guidelines to support banks’ preparation to implement advanced models, receiving application from 6 banks in 2009. Within the approval process of those six banks, from 2009 to 2014, CBRC performed three rounds of supervisory assessments on their advanced approaches, including pre-assessment, follow- up assessment and assessment for approval. In April 2014, CBRC officially granted them the approval to adopt the advanced approaches for credit and market risk. After approval, as part of its supervisory oversight, CBRC has been performing further assessments of banks’ framework. To that end, CBRC has established a specific team and pool of experts to ensure adequate expertize. CBRC reports that currently, the expert team has around 60 core members, who are responsible for different modules of advanced capital measurement approaches, covering on-site assessment of risk measurement models and use test. EC6 The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing). 39 The supervisor has the power to require banks: (a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and (b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank. Description and Chapter 7 of the Capital Rules – Internal Capital Adequacy Assessment - lays down findings re EC6 comprehensive provisions on capital management, including governance structure, comprehensive risk assessment, as well as capital planning, monitoring and reporting. More specifically, Article 105 require banks to establish bank-wide risk management framework and a sound internal capital adequacy assessment process (ICAAP), develop a clearly- defined risk governance structure, prudently assess various risks, capital level and capital quality, develop capital planning and capital adequacy management plan, and thereby ensuring that the bank holds adequate capital to support its risks and ongoing business operations. The ICAAP is expected to ensure that all major risks are identified, measured/assessed, monitored and reported, ensuring capital levels are commensurate with risk appetite and risk management capacity and that capital planning is in line with the status and trend of the bank’s operational risk profile, as well as its long term development strategy (Article 106). In addition, Article 107 states that a commercial bank shall use stress test as a key element into their ICAAP, as an indication of how much capital the bank needs to hold. Stress test shall cover the material risks of various business lines, taking into account the impact of economic cycle on the bank’s CAR. Section 3 of Chapter 7 has sets out criteria for the 39 “Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing. 153 PEOPLE’S REPUBLIC OF CHINA identification and assessment of major risks, as well as risk aggregation policies and methods. Annex 13 to the Capital Rules provides specific requirements on risk assessment and stress test. Article 108 of the Capital Rules provides that a bank shall use the ICAAP as a component of internal management and decision-making process, and apply the result of ICAAP in capital budgeting and allocation, credit decision-making and strategic planning. Article 125 provides that a bank shall develop capital planning by comprehensively considering risk assessment results, future capital needs, regulatory capital requirements and capital accessibility, with a view to ensuring that banks’ capital level constantly meets the regulatory requirements. Capital planning shall at least cover the internal capital targets for 3 years. Article 129 sets out that a bank shall, via stringent and forward-looking stress test, calculate capital demand and availability under different stress scenarios and develop contingency plans to meet the unexpected capital demand, with a view to ensuring that the bank has adequate capital to withstand any adverse movements in market conditions. Section 4 of Chapter 7 in the Capital Rules specifically has requirements on capital planning, stress test methods and capital contingency arrangements. Banks are required to perform the ICAAP on an annual basis, promptly reviewing and updating it in the event of major changes in operating conditions, risk profile and external environment. (Article 110). Chapter 8 Supervisory Review of the Capital Rules specifically sets out details on the supervisory review process, including its components, procedures, Pillar II and supervisory actions. For oversight purposes, banks are divided into 4 categories according to their fulfillment of capital adequacy requirements and each category is subject to specific supervisory actions. Banks with weaker capital base are subject to more intensified supervisory measures. The Notice on Strengthening Supervisory Review of the Capital Adequacy Ratio of Commercial Banks further pinpoints criteria of ICAAP, Pillar Ⅱ capital requirements and operational procedures. Where a bank does not have ICAAP or its ICAAP fails to meet the criteria, CBRC will perform supervisory assessments to determine Pillar Ⅱ capital add-ons. For the top 5 large banks, CBRC requires them to submit ICAAP report every year and set different capital add-ons under Pillar II framework. In addition, targeted on-site examinations have been conducted for selected banks. Overall, China adopts a proportional approach, taking into account the level of complexity and development of the various types of banks operating in China. In practice, CBRC indicated that while the largest banks have a fully functional ICAAP framework, middle size banks are still in the process of improving their processes. Small banks are still at a very early stage. Particularly in the case of small and mid-size banks, after the issuance of the capital rules, giving the rapid growth of those banks, CBRC took three major initiatives specifically targeted to the segment, requiring banks to establish mid-term capital plans (two years), to 154 PEOPLE’S REPUBLIC OF CHINA ensure capital calculations under Pillar 1 were correct and to further enhance their capital base by restricting dividends. Assessment of Compliant Principle 16 Comments China has implemented Basel III, setting higher requirements for CET1 and leverage ratio. Capital is calculated on a solo and consolidated basis and CBRC has the authority to impose additional capital requirements on individual banks, as deemed necessary. The CBRC is to be commended for requiring, in principle, the ICAAP to be implemented for all banks, in a proportionate basis. Discussions on defining a D-SIBs methodology are under way towards establishing a formal D-SIBs framework. While continuing focusing efforts on the proper and effective implementation in the five largest banks, a next step should include commensurate efforts toward mid-sized banks, irrespectively if joint stock, city or rural banks. For a detailed discussion and recommendations on stress testing please refer to CP 15. Principle 17 Credit risk. 40 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk 41 (including counterparty credit risk) 42 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring. Description and There are a number of regulatory requirements on credit risks, covering credit granting, findings re EC1 due diligence, asset classification, impairment provisioning, and management of on- and off-balance sheet credit activities. CBRC’ requirements on the banks’ credit risk management processes are set out in Article 3 of the Comprehensive Risk Management Guidelines, and Article 1 in Annex 13 of the Capital Rules. Banks are required to establish a comprehensive risk management system, and adopt quantitative and qualitative measures to identify, measure, evaluate, monitor, reporting, and control or mitigate various risks, including credit risk. Banks’ comprehensive risk management processes are to be commensurate with their risk profile and systemic 40 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 41 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities. 42 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments. 155 PEOPLE’S REPUBLIC OF CHINA importance and responsive to external changes. Comprehensive risk management should include at least the following elements: (a) risk governance structure, (b) risk management strategy, risk appetite and limit, (c) risk management policies and procedures, (d) management information system and data quality control mechanism, and (e) internal control and auditing system. In addition, Annex 13 of the Capital Rules provides that a bank shall establish sound comprehensive risk management system in co-ordination with its internal capital adequacy assessment process to ensure sound operation and sustainable development of the bank. In this regard, comprehensive risk management shall include: (a) effective oversight by the board and senior management, (b)appropriate risk management policies, procedures and limits, (c) comprehensive and timely risk identification, measurement, monitoring, mitigation and control, (d)sound management information system and (d)comprehensive internal controls. Given that credit risks is the most significant risk type for most banks, the assessment of banks’ credit risk management is a key focus of CBRC’s supervisory rating for banks. CBRC’s assessment is based on both offsite reviews and onsite examinations. Offsite reviews include meetings with banks, analysis of data submitted, review of the banks’ risk management policies and procedures and risk management reports. These facilitate trend analysis and identification of any heightened credit risk and monitoring of major changes in credit risk strategies and appetite, and changes in policies and procedures. Onsite examinations focus on the banks’ credit risk management processes, and assess whether they are commensurate with the bank’s risk appetite and profile. These can be a full scope examination of entire credit processes, or targeted examination focusing on areas of concern identified from offsite surveillance. CBRC assessed that most commercial banks have established credit risk management systems consistent with their risk characteristics, reflecting their risk appetite, setting risk limits to control the size and structure of credit exposures, restricting selected industries and geographic regions. EC2 The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming, 43 identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes. Description and On the supervisory expectations of a banks’ board, Article 11 of the Comprehensive Risk findings re EC2 Management Guidelines and Article 19 of the Corporate Governance Guidelines sets out that a bank’s Board has the ultimate responsibility for the bank’s comprehensive risk management and for establishing the bank’s risk tolerance and policies for risk 43 “Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments. 156 PEOPLE’S REPUBLIC OF CHINA management and internal control. These include fostering risk management culture, developing risk management strategy, setting risk appetite and limits, approving management policies and procedures for large risk exposures, and review comprehensive risk management reports and disclosures. The bank’s board shall set up specialized committees where necessary, including the risk management committee, to conduct regular assessments on risk policies, risk tolerance and management, and give advice on the improvement of risk management and internal control. On the supervisory expectations of a bank’s senior management, under Article 14 of the Comprehensive Risk Management Guidelines, a bank’s senior management is responsible for implementing comprehensive risk management and the decisions of the Board, including: (a) developing a comprehensive risk management framework, with clear segregation of responsibilities and inter-department coordination and checks and balances mechanism; (b) establishing clear implementation and accountability mechanisms, and ensuring risk management strategy, risk appetite and limits are fully communicated and effectively implemented; (c) setting risk limits in line with the risk appetite approved by the Board; (d) developing and regularly review the risk management policy and procedures; (e) assessing the management of overall risk and various material risks and reporting to the Board; (f) establishing comprehensive management information system and data quality control; (g) monitoring exceptions to risk appetite and limits as well as violations of risk management policies and procedures, and taking actions as authorized by the Board. Article 10 of the Internal Control Guidelines sets out similar requirements on a bank’s senior management. During CBRC’s supervisory process, it assesses whether a bank’s board and senior management have fulfilled the above-mentioned responsibilities with respect to risk management. CBRC conducts a large number of onsite examinations on corporate governance and internal control of commercial banks. As credit risk is a key risk of banks, supervisors examine and evaluate the board’s understanding of credit risk management, their development of the bank’s risk appetite and strategies, and oversight of senior management’s implementation. Besides onsite examinations, supervisors also review the banks’ major credit risk management policies and meeting minutes to determine whether these have been duly reviewed and approved by the board. Assessors saw examination reports to banks highlighting concerns that certain credit policies have not been duly approved at the authorized levels within the banks. The assessment of whether board and senior management fulfil their risk management responsibilities is a key input to the “Management” component of CBRC’s supervisory ratings of banks. CBRC assessed that banks’ procedures for managing and approving credit and use of credit are generally prudent. If there are imprudent activities identified, the CBRC will take appropriate supervisory actions in light of the circumstance. In the case of non-compliance with regulations, the bank will be required to suspend the business. In addition, the CBRC will urge the bank to take corrective actions in accordance with supervisory requirements, including putting in place more prudent business strategies, improving its policies and 157 PEOPLE’S REPUBLIC OF CHINA procedures, and re-engineering its business processes. The CBRC will also impose penalties and hold relevant persons and managers accountable. EC3 The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including: (a) a well documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments; (b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures; (c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system; (d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis; (e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff; (f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and (g) (g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits. Description and The applicable rules and guidelines set out provisions on the establishment of credit risk findings re EC3 management policies, procedures, as follows: (a) Article 20 of the Comprehensive Risk Management Guidelines provides that banks shall develop clear risk management strategy and evaluate its effectiveness at least annually. These risk management strategies shall reflect the risk appetite, risk profile as well as market and macro-economic developments and be fully communicated within the bank. Article 26 prescribes the aspects to be included in banks’ risk management policies and procedures. Articles 1 and 3 of the Notice on Regulating the use of External Credit Ratings and Article 1 in Annex 17 of the Capital Rules provide that banks shall prudently use external credit ratings including prudent selection of eligible external rating agencies, and the use of more conservative data from at least two external rating agencies. (b) Articles 23 to 25 and 28 of the Due Diligence Guidelines on Credit Issuance set out requirements in the course of granting credit, including the review of financial statements, qualitative factors and secondary source of repayment and analysis of related risks. In addition, Article 3 of the Notice on Further Enhancing Credit Risk Management provides that banks shall specify detailed criteria, policies and procedures for the approval of new credit, roll over of existing loans and revolving credit, and 158 PEOPLE’S REPUBLIC OF CHINA define the various levels of approval authority according to the size and complexity of risk exposures. (c) Article 41 of the Due Diligence Guidelines on Credit Issuance provides that after granting credit, banks shall continue to monitor all factors that would possibly impact repayment on an ongoing basis, including borrower’s fulfilment of contract, underlying project progress, changes in customer’s legal and financial status, and the quality and value of collaterals. More specific to securitization exposures, Annex 9 of the Capital Rules provides that banks shall comprehensively understand their on-and off-balance sheet securitization exposures, as well as the risk characteristics of the underlying assets. (d) Various Rules and Guidelines contain provisions on the requirement to have an effective information system for risk identification, aggregation and reporting to board and senior management. These include Articles 41 and 42 of the Comprehensive Risk Management Guidelines, Article 27 of the Internal Control Guidelines, and Annex 13 of the Capital Rules. Those with specific reference to credit risk are set out in Article 2.4 of Annex 5 of the Capital Rules. (e) &(f) The Comprehensive Risk Management Guidelines provides that banks shall have policies and processes for risk limit management, as well as rules for setting and adjusting limits as well as the handling and reporting of exceptions. Risk limits should be set according to established risk appetite and take into account capital, risk concentration, etc and be fully communicated to staff. (g) Annex 5 of the Capital Rules stipulates that commercial banks shall be capable of identifying model limitations, checking and controlling model errors and improving model performance. Banks should understand underlying model limitations and make adjustments to model outputs where necessary. Numerous onsite examinations have been conducted in recent years, involving review of credit controls. Generally, two thirds of CBRC’s onsite examinations in a year are related to credit risk, half of which are directly relevant to credit risk, including specific or comprehensive credit risk examinations. In 2015, among all onsite examinations conducted by CBRC, 54 were thematic ones dedicated to credit risk examinations, and 121 covered credit risk management, among other areas. Based on CBRC’s approach, all banks are subject to a full scope inspection at least once every 5 years and given that credit risk remains the predominant risk of most banks in China, the full scope inspections would have included credit risk and asset quality. When prioritizing the banks to be examined, considerations will be given to CBRC’s offsite assessment of the banks’ quality of credit risk management, including corporate governance, policy, process, system, as well as asset classification and adequacy of provisions. In addition, more attention is given to banks with exposures to industries, regions, customers and business activities of heightened risks. Examiners focus on the following aspects as set out in CBRC’s internal examination guidance: • Organizational structure of the credit business. Banks should put in place clear segregation of duties and effective checks and balances. Risk management function should be independent with adequate resources and expertise. 159 PEOPLE’S REPUBLIC OF CHINA • Credit risk management policies should reflect and support the risk management strategies and risk appetite approved by the board. • Comprehensive credit assessment – banks should assess the credit worthiness of borrowers based on comprehensive sources of information. • Banks should have in place a centralized credit management system, with established process for risk limit setting and changes, monitoring, reporting and handling of limit excesses or deviations. • Credit approval authorities should be clearly established and differentiated according to risk levels, and clear penalties and consequences for non-compliance with approval policies. • Rigorous credit underwriting process, loan review, loan monitoring and collateral management procedures, with clear documentation requirements. • Banks should conduct risk-based asset classification on a timely basis and in accordance with regulatory requirement. • Risk management system should be capable of effectively monitoring, managing and reporting credit risks and detecting deviations or credit limit excesses. The system should provide adequate and timely information to support credit decisions. • Banks should establish clear credit risk reporting requirements so that senior management can obtain information on the bank’s firm-wide credit risks or portfolio- specific risk to formulate appropriate risk mitigation plans. • Banks adopting advanced approaches under the Capital Rules should ensure that their models are subject to regular checks and validation for ongoing accuracy and prudence. CBRC’s observations at the on-site examinations are that the credit risk management practices of the large and medium-sized banks are well established with not many issues. In contrast, deficiencies were noted in credit risk management practices of small banks, as follows: (a) Credit risk management of bond investment and other financing activities are not consistent with that for conventional credit facilities. (b) Weaknesses in managing concentration risk and determining group customers. Some banks find it challenging to comprehensively review the affiliation of group customers. (c) Use of loan proceeds was not properly monitored and resulted in the funds of some banks being misappropriated by borrowers. Assessors discussed with CBRC regarding its supervisory approach towards banks’ financing of projects or sectors that are encouraged by the government, in line with the national policy objectives for economic and social progress, for instance, small-and-medium sized enterprises (SMEs) or the agricultural sector. CBRC confirmed that its first and foremost consideration is that banks have to exercise prudence and sound credit judgement in lending to these sectors. Whilst certain loan growth targets are given to banks, these are not strictly enforced by CBRC. This is corroborated by a few banks that the assessors met. CBRC also considers that venturing into these sectors to finance real economic activities is a good way of helping banks to diversify away from large state-owned enterprises, encouraging them to have better risk differentiation and also reduce concentration risks in the banking system. 160 PEOPLE’S REPUBLIC OF CHINA Specifically on SMEs, as many of these small enterprises do not have reliable or timely financial statements, additional due diligence is required for banks to better differentiate the risks. Hence, CBRC expects banks to put in place the necessary framework, policies and processes prior to commencing SME lending, for instance, having separate and specialised credit team with necessary expertise, more detailed credit evaluation and monitoring processes tailored to analyzing such credit, etc. Separately, CBRC also works with other public agencies including tax authorities to explore having data on small proprietorships or enterprises that can be shared with banks as an additional source of information to facilitate their risk identification and differentiation. Overall, while CBRC takes into account the national policy objectives for economic and social progress, assessors did not find evidence that CBRC has compromised its regulatory requirements over banks’ lending activities in pursuit of developmental objectives. EC4 The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk. Description and The Due Diligence Guidelines on Credit Issuance prescribes requirements on borrower findings re EC4 investigation, due diligence on business, analysis and evaluation, credit approval and extension, post-loan management, problem credit handling, including oversight of borrowers’ total indebtedness and any risk factors that may result in default. Article 24 of the Guidelines on Credit Risk Management of Corporate Groups provides that before extending credit to a corporate group, a bank shall obtain adequate information on the borrowers’ indebtedness, affiliated parties, guarantees and litigation. Article 2 of the Notice on Further Enhancing Credit Risk Management stresses information sharing among banks, in particular on non-standard or non-traditional financing activities of borrowers to help monitor and assess the overall indebtedness of borrowers. Whether a bank has obtained information on borrowers’ aggregate indebtedness (including unhedged foreign exchange exposures) is regarded by CBRC supervisors as being an important criterion to assess the adequacy of the bank’s credit evaluation process. During onsite examinations, supervisors evaluate whether banks have in place effective credit monitoring policies and procedures, including whether the bank ascertains the full indebtedness of the borrower at credit underwriting, and regularly monitor and investigates relevant changes. Supervisors also assess whether banks have taken actions on a timely basis to mitigate the risk factors identified, including excessive indebtedness, involvement in guarantee chains, participation in unregulated financing activities and other funding projects, etc. CBRC has upgraded and launched the Obligor Risk Monitoring System (ORMS) in 2013 to collect and collate information on banks’ large credit and retail loan defaults for analysis and monitoring. Among other features, the new ORMS fully captures on-and off-balance sheet credit facilities, collects detailed information on financial indicators of customers, and collects detailed information on collateral and guarantors. According to CBRC, the national Credit Reporting system established by PBC also facilitates banks in checking borrowers’ credit status and history online. Both systems serve as additional sources of information for the banks to check on their borrowers’ total indebtedness. 161 PEOPLE’S REPUBLIC OF CHINA EC5 The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis. Description and Article 40 of the Commercial Bank Law prohibits banks from extending unsecured loan to findings re EC5 related parties. Secured loans to a related party are required to be extended on an arm’s length basis. Article 41 provides that a bank shall have the right to refuse any entities or individuals that forces it to extend loans or provide guarantees. The Related Party Transaction Rules further contained detailed provisions on related party, related party transaction, management of such transactions and relevant information disclosures. It provides that related party transactions of commercial banks shall be undertaken in accordance with business principles and the terms and conditions shall not be more favorable than transactions of the same category to non-related parties. As part of CBRC’s supervisory process, supervisors check whether (a) banks establish policies and procedures for related party transaction management; (b) banks ensure the independence of credit approval functions and establish controls to avoid conflict of interest during credit extension, (c) banks comply with the regulatory limits on related party transactions and (d) related party transactions are reviewed and approved by the Board and/or its related party transaction control committee. Significant related party transactions are reported to CBRC for review. Dealing with potential conflict can be challenging in an economy where banks are owned by government bodies which also have extensive commercial interest. This is further discussed in CP 20 on Transactions with Related Parties. EC6 The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities. Description and The Rules on Authorization and Underwriting Management and the Guidelines on findings re EC6 Implementing Standardized Credit Issuance System contain provisions that banks shall set credit limits and corresponding authority levels for the purposes of internal management. More prescriptive requirements are set out in Article 3 of CBRC’s Notice on Further Enhancing Credit Risk Management. It requires that total exposures to corporate group borrowers exceeding 10% of a bank’s capital or total exposures to single borrower exceeding 5% of capital shall be treated as large exposure and shall be approved by the board or senior management. During onsite examinations, CBRC reviews banks’ policies and procedures to ensure that credit approval authorities are established clearly and differentiated according to the risk level of the exposures. CBRC also checks on the implementation, and any failure on the bank’s part in identifying and addressing unauthorized transactions is regarded as an important risk signal. Certain onsite examinations targeted at large loans are also conducted from time to time. EC7 The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. 162 PEOPLE’S REPUBLIC OF CHINA Description and Relevant Articles in the Banking Supervision Law (Articles 33, 34 and 46) and the findings re EC7 Commercial Bank Law (Articles 61, 62 and 75) provide that CBRC has the right to require banks to submit information and to conduct onsite examination, for the purpose of discharging its supervisory responsibilities. The range of information includes balance sheets, income statements and other financial records, operation and management information and audit reports. CBRC also has the power to conduct onsite examinations and require any information and explanation related to the examination. In practice, besides the regulatory returns on the banks’ credit and investment portfolios, CBRC enjoys full access to banks’ internal management and accounting information and relevant bank management and staff involved in credit decisions or processes. EC8 The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes. Description and Article 17 of the Stress Testing Guidelines requires banks to conduct comprehensive stress findings re EC8 tests, covering major risks and all major on-and off-balance sheet activities. The tests shall fully consider the interactions and feedback effects between businesses, possible correlation between risk factors and the stress tests for various risks should be effectively integrated to reflect the bank’s and bank groups’ overall risk profile. Article 31 of the Stress Testing Guidelines further stipulates that the stress scenarios aiming at credit risks include but are not limited to the following: the declining of the macro- economic growth of main domestic and international economies, the large downward fluctuations of real estate prices, the deterioration of credit quality and quality of real estate collaterals, the credit downgrading or default of the borrowers with concentrated credit lines and those of their main transaction counterparties, the concentrated defaults in certain industries, international business exposures facing country risks or transferring risks, other events which bring material effects to banks’ credit risks. Banks conduct stress test regularly according to supervisory requirements and also participate in stress tests organized by CBRC. Some large and medium-sized banks conduct internal full scope stress tests or targeted stress tests on their own, with credit risk being one of the focus risk areas. In recent years, banks participated in various stress tests organized by CBRC, including stress tests for overall credit risk, targeted stress tests for real estate loan risk and liquidity risk in 2014, and a stress test covering credit risk, market risk and liquidity risk in 2015. Stress testing is also discussed in EC 13 of CP 15. Assessment of Largely Compliant Principle 17 Comment Credit risk is the most significant risk factor in the Chinese banking sector. The framework of laws and requirements governing credit risk activities taken together are comprehensive, and specific Notices and policy consultations were issued in recent years as and when necessary to address emerging risks, including off-balance sheet activities such as wealth management, interbank investments and SPV investments. These requirements urge banks to abide by the principle of substance over form, incorporate business that pose ultimate 163 PEOPLE’S REPUBLIC OF CHINA credit risks into the bank-wide credit granting system, and ensure accurate risk measurement and provisioning. CBRC’s offsite surveillance has benefitted from enhanced data gathering and information system, and it identifies and monitors credit risk trends and vulnerabilities of banks for further action. Numerous onsite examinations have been conducted on credit risk, with those in recent years being more focused on non-credit assets and loan classification and provisioning. The assessors were able to review supervisory letters and inspection reports that highlighted key issues with attention to details. On the other hand, there has been an increase in the scale and complexity of the banks’ credit risk origination activities since the previous assessment. At the system level, there has been an average 15% asset growth, with some small- and-medium-sized banks continuing to register more than 20% growth in assets annually, and there is reportedly a shift towards non-standard credit activities such as investments in structured products, off-balance sheet activities, interbank investments, etc. Various guidelines and consultation papers were issued by CBRC in late 2016, namely, Comprehensive Risk Management Guidelines, Guidelines on Further Enhancing Credit Risk Management, and the Management of Off- balance sheet Business, setting out important requirements and proposed policies to address these issues that have emerged in recent years. Banks that assessors met highlighted that these were formulated by CBRC following onsite examinations and industry engagement. Given the large number and the diversity of banks and the increasing complexity of activities, it is challenging to ensure that these supervisory expectations have now been effectively communicated to all banks across all regions and implemented effectively by them on a timely basis. It is also noteworthy that banks needed reminders and scrutiny from CBRC to subject these activities to similar credit risk measurement/management and regulatory requirement that apply to standard credit activities. This suggests that there is room for banks to have a better appreciation of risk principles and to be more robust and comprehensive in identifying, monitoring and managing bank-wide credit risks. CBRC has made commendable efforts aimed at addressing these challenges and containing specific risks. Banks’ compliance with these recently issued guidelines and proposed policy positions, and more importantly, their ability to evaluate, monitor and manage overall credit risks comprehensively should continue to be the focus of CBRC’s supervisory activities. The existing set of standards dealing with credit risk management comprises a collection of guidelines and rules covering different aspects of credit management processes and different products, capital adequacy and the Comprehensive Risk Management Guidelines which is intended to cover all risk types. Piecemeal guidelines were also issued in response to specific risks that emerged. Most regulators have issued broad supervisory guidance on credit risk management. Given the size and complexity of the banking sector, CBRC should consider developing a comprehensive guidance on credit risk management in line with 164 PEOPLE’S REPUBLIC OF CHINA international standards to ensure that its supervisory expectations and minimum standards are well understood. Principle 18 Problem assets, provisions and reserves. 44 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves. 45 Essential criteria EC1 Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs. Description and There are various laws and guidelines governing banks’ management of asset quality, findings re EC1 provisioning and write-off. Specifically: - Article 13 of the Guidelines on Risk-based Loan Classification provides that a bank shall formulate and update policies and procedures for the risk-based asset classification, and establish an effective credit administration and internal control system to ensure the independence, continuity and reliability of loan classification. - Article 5 requires banks to classify loans into at least five categories, namely, normal, special mentioned, substandard, doubtful and loss, with the last three categories being defined as non-performing loans (NPLs). Article 17 clarifies that these are minimum requirements and banks are required to establish loan classification policies, procedures and detailed methodology that are commensurate with their scale and complexity. - Article 14 provides that a bank shall classify all its loans at least quarterly and as and when there are material changes to borrowers’ financial strength or loan repayment factors. Banks shall closely monitor NPLs, increase the frequency of analysis and classification, and take management measures according to the risk profile of loans. - Article 16 provides that a bank’s internal audit department shall review and assess the credit asset classification policies and procedures and their implementation at least annually. On provisioning, Article 8 of the Guidelines on Loan Loss Provisioning provides that a bank shall establish a prudent loan loss provisioning system based on risk-based loan classification, and that banks should regularly assess the adequacy of loan loss provisions and set aside provisions based on the loan classification in a timely manner and establish a loan write-off process. EC2 The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the 44 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets. 45 Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit). 165 PEOPLE’S REPUBLIC OF CHINA supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes Description and CBRC’s internal Guidelines on the Supervisory Ratings of Commercial Banks provides that findings re EC2 asset quality is an important component of supervisory rating and that the assessment of a bank’s asset classification and provisioning level is a reference for supervisory rating. Various Rules and Guidelines on loan loss provisioning also contain provisions that CBRC shall regularly review the banks’ loan classification and provisioning policies and procedures and the adequacy of provisions though offsite surveillance and onsite examinations. For purposes of offsite surveillance, CBRC requires banks to regularly submit supervisory returns and reports on asset quality classification, impairment provisions and write-off of asset losses. The supervisors review these materials to analyze the profile and changes of banks’ asset quality, adequacy of impairment provisions and write-offs. If there are significant changes in a bank’s asset quality, the supervisors obtain more details from the bank and hold supervisory meetings with the bank’s board of directors and senior management to understand their analysis and countermeasures. During on-site examinations, supervisors assess whether banks have in place effective loan quality monitoring policies and procedures, whether problem assets are classified, assessed, monitored and reported, whether there are accurate and regular internal reports on loan quality, and whether effective steps have been taken in the recovery of problem assets. Supervisors also pay attention to whether banks conduct regular internal reviews on policies and procedures for asset classification, impairment provision and write-off of asset losses as well as their implementation, and whether identified issues are rectified on a timely basis. On provisioning, CBRC assesses whether banks’ provisioning policies are adequate, and whether the impairment testing approaches are in compliance with applicable regulations. Supervisors also check on the adequacy of impairment provisions and write-offs. CBRC does not rely on external auditors for this assessment, but maintains communication with them to discuss issues on asset classification and provisioning. Issues identified by CBRC including deficiencies in policies and procedures, ineffective implementation, imprudent asset classification, and inadequate provisions are highlighted to the banks for rectification. Articles 23 and 24 of the Rules on Loan Loss Provisioning provide that the supervisory authority shall issue risk alerts, require corrections, and take necessary supervisory actions, if a bank’s provisioning level falls below the regulatory requirement for a prescribed period; or impose administrative penalty in accordance with the Banking Supervision Law if a bank’s is deemed to have reached regulatory requirements by fraudulent means. 166 PEOPLE’S REPUBLIC OF CHINA EC3 The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures. 46 Description and Article 18 of the Guidelines on Risk-based Loan Classification provides that various assets findings re EC3 other than loans, including direct credit substitutes of the off-balance sheet items, shall also be subject to loan classification. In addition, Article 7 of the Notice on Further Enhancing Credit Risk Management stipulates that a bank shall clearly reflect the underlying credit risks of all on- and off-balance sheet (including non-credit) businesses that it undertakes and subject them to classification policies and procedures. Banks are required to submit supervisory returns on asset classification, including the off- balance sheet items, to CBRC on a regular basis. When reviewing these returns, supervisors monitor the classification of the off-balance sheet items. During on-site examinations, CBRC pays particular attention to whether a bank has classified off-balance sheet items in accordance with the criteria of risk-based loan classification and whether the classification is accurate. During tripartite meetings with banks and their external auditors, CBRC urges external auditors to pay adequate attention to banks’ off-balance sheet assets. EC4 The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions. Description and Article 2 of the Guidelines on Loan Loss Provisioning provides that banks shall make findings re EC4 reasonable estimation of possible loan losses and set aside provisions in a timely manner. Article 8 provides that a bank shall establish a prudent loan loss provisioning system based on risk-based loan classification, including a risk identification process, a provisioning assessment process and a loan loss writing-off process to ensure timely provisioning and timely writing-off of the losses. The Rules on Loan Loss Provisions provides that a bank’s management is responsible for formulating sound management policies and procedures to identify, measure, monitor and report loan risks, prudently assess loan risks, and ensure that loan loss provisions can adequately cover loan risks. If a bank’s provisioning level is lower than regulatory requirement, CBRC will take supervisory actions accordingly. The Rules on Financial Institutions Provisioning prescribes the types of provisions as well as the provisioning scope, approaches and frequency, and provides that financial institutions shall set aside adequate provisions on a timely basis according to the risk level of assets. During onsite examinations, CBRC reviews and assesses whether banks have in place adequate and sound asset classification, provisioning and write-off policies and procedures and whether they are implemented effectively. 46 It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled. 167 PEOPLE’S REPUBLIC OF CHINA For credit cases or portfolios selected, CBRC assesses whether the loan classification and provisions made are accurate and prudent. Specifically, supervisors review whether impairment evidence is objective and whether the present value computations are performed prudently, and whether grouping of homogeneous loans are reasonable. Through interviews with bank staff, CBRC also assesses whether their judgments are sound, with all relevant facts taken into consideration. For write-offs, CBRC focuses on banks’ compliance with relevant rules and standards, and whether the write-offs are properly reviewed and approved within the bank. In selecting loan samples for review, examiners pay attention to loans to industry sectors that are under stress. BCP assessors saw inspection reports which gave high attention to details. CBRC monitors and analyses changes in banks’ non-performing assets, provisions and write-offs on a monthly basis. CBRC will heighten supervisory attention and actions for banks with unusual changes in provision coverage level. CBRC also holds tripartite meetings with banks and their external auditors to seek their opinion on whether the banks’ provisions and write-offs reflect realistic repayment and recovery expectations. EC5 The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g. 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g. rescheduling, refinancing or reclassification of loans). Description and The Guidelines on Due Diligence in Credit Issuance of Commercial Banks provides that after findings re EC5 extending a credit, banks shall monitor all the factors that may affect repayment on an ongoing basis, and accurately classify granted credits. Banks shall identify potential risks of the borrower in a timely manner, and take necessary steps to address problem credits, if any, including seeking opinions from relevant experts, requiring additional guarantee, or enforcing the guarantee. Article 33 of the General Rules for Loans provides that banks shall establish and update its system of controls over the monitoring of loan quality, loan classification and repayment of bad loans. Article 14 of the Guidelines on Risk-based Loan Classification provides that a bank shall classify all its loans at least quarterly and as and when there are material changes to borrowers’ financial strength or loan repayment factors. Banks shall closely monitor the NPLs, increase the frequency of analysis and classification, and take administrative actions according to the risk profile of loans. Article 13 sets out the requirements on policies, processes and organization structures within the banks with respect to loan classification. These include having staff with relevant knowledge and expertise, effective organization structure to ensure independence, continuity and reliability of loan classification, and accurate and complete information system and records. Article 16 requires the internal audit function of banks to assess loan classification policies and procedures at least annually and to report to the bank’s board and CBRC. 168 PEOPLE’S REPUBLIC OF CHINA The Guidelines on Risk-based Loan Classification provides guidance on the classification of loans, as follows: - A loan shall be classified as at least “special mention” if its principal or interest payment is overdue (Article 10); - A loan shall be classified at least as “substandard” if it is overdue (including rollover) for a certain period of time (typically 90 days in accordance with accounting rules) and the interest ceases to accrue (Article 11). - A loan shall be classified as “doubtful” if the borrower is unable to pay the principal and interest of a loan and a big loss will be caused without any doubt even if the security provided is executed (Article 5). - A loan shall be classified as “loss” if the principal and interest still cannot be recovered, or, only an extremely small part thereof can be recovered after all possible measures or all necessary legal actions have been taken (Article 5). - Classification of retail loans, comprising loans to personal and small enterprises, shall be based on the number of past due days. Specifically, NPLs include unsecured loans over 30 days past due, guaranteed loans over 90 days past due and collateralized or pledged loans over 180 days in arrears (Article 8 of the Guidelines on Risk-based Loan Classification for Small Enterprises), as follows: Classification Matrix of Small Enterprises’ Past-due Loans Dpd 181-360 ≥361 normal 1-30 days 31-90 days 91-180 days Loan Type days days Unsecured Special normal substandard doubtful doubtful loss loans mention Guaranteed Special normal normal substandard doubtful loss loans mention Collateralized Special Special normal normal substandard doubtful loans mention mention Special Pledged loans normal normal normal substandard doubtful mention During offsite supervision process, supervisors monitor closely the migration of NPLs and analyses the causes and factors affecting the re-aging and reduction of NPLs, including collection and liquidation, restructuring, transfer and conversion of debts to equity. Unusual trends are followed up via various means including interviews with senior management, onsite investigation and verification. Through inspections and off-site reviews (including review of internal audit reports), supervisors also assess whether banks put in place sound asset quality management framework and processes, clearly defined duties and authorities, adequate and experienced personnel, and strong internal audit to ensure early identification, ongoing monitoring and recovery or managing of problem assets. Given the rise in NPLs in recent years, CBRC has intensified its onsite examinations with focus on the accuracy of asset classification and adequacy of provisions. According to CBRC’s records, there are on average more than 200 onsite examinations per year, at least 169 PEOPLE’S REPUBLIC OF CHINA 80% have a credit risk focus, and 60% of which include a review of asset quality. Based on CBRC’s approach, all banks are subject to a full scope inspection at least once every 5 years and hence all banks have been subject to an inspection from 2011 to 2016. Given that credit risk remains the predominant risk of most banks in China, the full scope inspections would have included credit risk and asset quality. Thematic inspections were also conducted for instance, on banks with exposures to steel industry and loan syndications. Annual planning of onsite examinations are conducted with participation from all regional offices, to ensure that resources are allocated to areas identified collectively as being of higher risks as well as specific banks exhibiting risk profiles that warrant earlier attention, while keeping to the 5 year cycle as mentioned above. Examiners pay close attention to roll-over, restructuring, refinancing and upgrading of loans and when selecting samples for review, examiners also place greater focus on the pass and special mention categories to identify cases of slow downgrading. Accuracy of loan classification and provisioning is also subject to reviews by banks’ internal audit and is a key focus of annual external audit on financial statements. In terms of NPL trends, CBRC observed that they arose from different regions and sectors year to year. For instance, in 2011 to 2012, they were concentrated in international trade, and from 2013, NPLs were concentrated in the manufacturing sector but this has reduced from 2016 onwards. There were imprudent lending practices noted at some banks and corrective actions and penalties were meted out. CBRC also issued policy documents focused on sharing issues uncovered during inspections, to discourage such practices in the industry. 90 days past due (“dpd”) loans is an indicator closely tracked by CBRC, and actions are taken to follow up with banks that has shown significant increase in 90 dpd loans. Assessors noted from certain banks’ financial statements that there are sizable amounts of 90 dpd loans that are not classified as NPLs. According to CBRC, loans that are more than 90dpd but classified as special mention constitute about 0.4% of total loans of the banking system, and CBRC assessed that they are attributable to the following situations in equal proportions: (a) loans permitted under the Guidelines for Small Enterprises as mentioned above. Such loans are classified as NPL when they are more than 180 dpd; (b) loans with acceptable collaterals (property or financial collaterals). These can be to counterparties in addition to SMEs/rural household; and (c) imprudent or incorrect loan classification practices of banks, for which administrative sanctions have been applied by CBRC. With regard to (b), there are no formal rules or guidelines stipulating the criteria for collaterals to be deemed acceptable risk mitigant to justify classifying the loan as Special Mention. In practice, CBRC evaluates the prudence of the banks’ treatment and criteria as part of onsite examination. CBRC observed that these are typically liquid assets with a good credit rating, subject to independent valuation, and can be liquidated or realised without losses or significant costs. 170 PEOPLE’S REPUBLIC OF CHINA On (c), supervisory actions taken by CBRC with respect to imprudent or inaccurate loan classification will generally include conveying CBRC’s concerns to bank management, issuing risk alerts, increasing regulatory requirements, raising the issue in tripartite meetings with the bank and the auditor, directing the auditor to examine loan classification, requiring rectification by the bank, adjusting CBRC’s supervisory rating of the bank and levying fines. EC6 The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels. Description and Articles 33 and 34 of the Banking Supervision Law provide CBRC with full access to a broad findings re EC6 range of information of the banks for purpose of performing CBRC’s supervisory role, in both offsite surveillance and onsite examinations. Article 13 of the Guidelines on Risk-based Loan Classification provides that banks shall keep complete credit files in the course of loan classification to ensure accurate, consistent and complete classification information. Article 20 provides that banks shall submit loan classification data and information to CBRC in accordance with applicable regulations. Article 18 of the Rules on Loan Loss Provisions provides that banks shall provide information on loan loss provisions to the supervisory authority on a monthly basis. Article 21 provides that the supervisory authority shall monitor and analyze loan provision ratio and provision coverage ratio on a monthly basis and conduct investigation or on-site examinations on abnormal changes in loss provisions. As part of its supervisory process, CBRC requires banks to submit regular returns and reports in relation to asset quality, classification, provisioning and loan quality migration. In cases where there are significant changes in asset quality and provisions, supervisors require banks to submit detailed information, conduct supervisory visits or onsite verification, or interview bank management. CBRC enjoys full access to loan files and other reports related to asset quality. EC7 The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g. if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures. Description and As discussed in EC 2, Articles 23 and 24 of the Rules on Loan Loss Provisioning provide that findings re EC7 the supervisory authority shall issue risk alerts, require corrections, and take necessary supervisory actions, if a bank’s provisioning level falls below the regulatory requirement for a prescribed period; or impose administrative penalty in accordance with the Banking Supervision Law if a bank’s is deemed to have reached regulatory requirements by fraudulent means. In addition, the Guidelines on Loan Loss Provisioning provide that banks whose loss provisions are not adequate may not distribute after-tax profits. 171 PEOPLE’S REPUBLIC OF CHINA The Guidelines on Loan Loss Provisioning prescribes a minimum provisioning level for each category of loans, i.e. 1% for Pass, 2% for Special Mention, 25% for Substandard, 50% for Doubtful and 100% for Loss. In addition, according to the Rules on Loan Loss Provisions, the minimum requirement for loan provision is 2.5% and the minimum requirement for provision coverage ratio (i.e. loan loss provisions/non-performing loan balance) is 150%. Banks have to maintain loan provisions at higher of the two requirements. As part of offsite surveillance, supervisors review reports and returns submitted by banks to monitor the banks’ aggregate NPA, NPA ratio, loan concentration by industry and by customer, as well as levels of provisioning, and identify outliers, analyze the trends and reasons for changes. As discussed in EC 5, onsite examinations are conducted to assess whether banks’ NPA management policies and procedures are well established and implemented, whether banks’ asset classifications accurately reflect the asset quality, and whether provisions are adequate. During an onsite examination, the examiners review and assess the robustness of credit granting process including the necessary due diligence on the credit worthiness of the borrower, whether necessary internal approval process has been adhered to, and the post-disbursement credit monitoring process and practices. Onsite examinations take a sampling approach that reflects the composition of sources of NPLs within the bank. Examiners have access to detailed materials and information for the loans selected and perform verification against with external data such as those from PBC, tax reports and collateral registration system. In practice, in cases where CBRC assesses that a bank’s asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes, it issues supervisory recommendation for the bank to improve its asset classification policies and procedures, to adjust the classification or increase the provisions. CBRC also expects a root cause analysis of the issues noted, for instance, whether these were due to lack of clarity of the banks’ policies and procedures, IT system design, etc and banks are to take actions to address these root causes. If the bank fails to do so within the prescribed period of time, CBRC will take further supervisory actions, such as restrictions on business, restrictions on dividend distributions, replacement of senior management, etc. The bank will also be required to deduct the shortfall of provisions from its regulatory capital in its CAR computation. EC8 The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions. Description and Article 8 of the Notice on Further Enhancing Credit Risk Management requires that banks findings re EC8 formulate risk mitigation policies and procedures, and regularly assess the effectiveness of risk mitigants, paying attention to the authenticity, legitimacy and enforceability of collateral and pledge, prudence of valuation, completeness of documents and rigor of contractual clauses. When changes in the value of collateral and pledge severely affect the effectiveness of risk mitigation, the bank shall take effective actions in a timely manner. The impact of macro economy, financial markets and volatility of related industries shall be taken into full account in assessing the effectiveness of risk mitigants. 172 PEOPLE’S REPUBLIC OF CHINA In addition, Annex 6 “IRB Approach: Supervisory Requirements on Risk Mitigation” to the Capital Rules, sets out requirements on the determination of eligible pledges and collateral, and requires banks to have in place a pledge/collateral management system, including well-established policies, valuation approaches, management processes and related information systems. It requires that banks estimate the value of collateral under the principles of objectivity, independence and prudence. The Annex also clearly specifies the scope of eligible guarantees and credit derivatives and management requirements. Banks are required to calculate credit risk weighted assets and charge capitals accordingly. With respect to provisioning, in compliance with Chinese Accounting Standard No. 22 – Financial Instrument Identification and Measurement, banks estimate the recoverable value of impaired loans by discounting future cash flows including primary and secondary sources of repayment. The market value of collateral and pledged assets is therefore discounted and recognized as a secondary source of repayment. Based on CBRC’s estimates, 60% of corporate loans are secured, of which 50% are secured by real estate. During onsite examinations, CBRC reviews whether banks have in place sound policies and procedures for the valuation of guarantees and collaterals, whether valuations are conducted regularly, whether staff in charge of valuation has the necessary professional expertise, and whether external valuation companies engaged by banks have appropriate qualifications. CBRC also reviews relevant assessment reports, and evaluate whether the judgments are prudent, whether valuation approaches are appropriate, and whether possible restrictions on the collateral at time of disposal and future losses are taken into account in the valuation. CBRC’s technical expertise with regard to collateral valuation lies with the specialist team involved in performing model validation, in particular, validation of LGD models of banks. CBRC expects banks to assess borrowers’ repayment capability primarily based on cash flows from its operational revenue. However, such cash flow projection may be less reliable or accurate in cases of small and medium enterprises and rural households, and hence collaterals are important in serving as a secondary source of repayment and helps provide risk mitigants in lending decisions. In addition to existing requirements as set out above, the CBRC had, at the time of the assessment, recently issued draft guidelines on collateral management for public consultation, setting out its expectations on governance process, quality of collaterals, valuation methodology and frequency, concentration management and stress testing. EC9 Laws, regulations or the supervisor establish criteria for assets to be: (a) identified as a problem asset (e.g. a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and (b) reclassified as performing (e.g. a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected). Description and Article 2 of the Guidelines on Risk-based Loan Classification requires classification of loans findings re EC9 into different categories according to the risk level, based on the likelihood of borrowers to 173 PEOPLE’S REPUBLIC OF CHINA make full payment of principal and interest in a timely manner. Loans are to be classified into five categories, namely, normal, special mention, substandard, doubtful and loss, with the last three categories defined as non-performing loans, or problem assets. Restructured loans are to be classified at least as “substandard”. In addition, the Chinese Accounting Standard No. 22 – Financial Instrument Identification and Measurement, issued by MOF, sets out that a financial asset is deemed impaired if its future cash flow is expected to reduce due to events that happen after its initial recognition, and the value can be reliably measured. Article 6 of the Notice on Further Enhancing Credit Risk Management stipulates that an NPL can be reclassified as performing only when the following criteria are met: - All amounts due, including principal and interest, have been paid; - Principal and interest payments have been made according to contractual terms in the subsequent six months or two repayment periods, whichever is longer; - Continued payments in accordance with the contractual terms are expected. Reclassification of NPLs as performing requires the approval of a bank’s Head Office or Tier-one branches authorized by the Head Office. EC10 The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred. Description and Article 67 of the Corporate Governance Guidelines requires that the senior management findings re EC10 provide comprehensive and accurate reports on the bank’s operational performance, important contracts, financial strengths, risk profile and business prospect to the Board in a timely manner. Article 83 provides that the Board and its risk management committee shall regularly attend risk profile presentations by the senior management. CBRC supervisors evaluate the timeliness and adequacy of information on asset quality and provisioning that has been provided to the banks’ boards, through review of minutes of board meetings, and other internal reports submitted to the board. During onsite examinations, supervisors assess whether material information on banks’ business activities and risks is effectively communicated internally. Where necessary, supervisors hold meetings with the board to assess whether the board has been promptly and adequately informed of the conditions of the bank’s asset quality, as well as their views, analyses and responses. EC11 The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold. Description and Article 43 of the Chinese Accounting Standard No 22 – Financial Instrument Identification findings re EC11 and Measurement provides that significant financial assets shall be subject to impairment test at an individual level. For insignificant financial assets, impairment test can be 174 PEOPLE’S REPUBLIC OF CHINA conducted on individual basis, or at a portfolio level for assets with homogeneous characteristics. CBRC assesses that the banks’ practice in subjecting significant exposures to valuation, classification and provisioning on an individual basis is adequate. In general, corporate loans are classified individually while personal loans and credit card overdrafts are classified on a portfolio basis. With respect to provisioning, provisions for performing loans, personal loans and credit card facilities are made on a portfolio basis, while provisions for corporate NPLs are drawn on individual basis. Some banks have set criteria for significant exposures and make provisions for significant corporate NPLs on an individual basis. EC12 The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment. Description and The CBRC conducts ongoing offsite surveillance and analysis on monthly and quarterly findings re EC12 basis, based on reports submitted by the banks. As discussed in CP 9, CBRC relies on the Risk Early-warning Analysis and Supporting System (REASS) system which uses leading indicators and vulnerability indicators to monitor potential risks on an on-going basis. There is also the Examination & Analysis System Technology (EAST) which gathers bank- specific information during onsite examinations and the Obligor Risk Monitoring System (ORMS), which contains obligor data. These systems are available to all CBRC offices. Trends and risk identification across the banking sector, as well as the macro-economic outlook, are taken into account in CBRC’s supervision. Particular attention is given to credit risk profiles and trends of key customers, key industries and key regions. For instance, since 2011, export-driven companies are particularly impacted by the global trend of slow economic recovery. From 2012, there has been a slower rate of growth in the Chinese economy, and an on-going shift away from reliance on energy resources, trade and investment to a more consumption-led economy. A number of companies in the affected industries including steel and coal sectors therefore faced challenges in sustaining their business and servicing their loans. CBRC adjusts its supervisory intensity of banks with exposures to industries, regions and corporates that are affected by the macro-trends. These include increasing frequency of meetings with senior management of banks, require more information from banks such as their overdue loans and Special mention loans and corporate borrowers’ characteristics. At a more micro level, supervisors made use of these more detailed information to find out more about the banks’ corporate borrowers’ characteristics, the nature of their collaterals, identify inter-correlation between these corporates, and the banks’ credit underwriting policies, for instance, whether there are heightened standards on higher risk corporates such as those that expand rapidly, corporates that engage in cross-sectoral business, corporates that have high leverage, etc. 175 PEOPLE’S REPUBLIC OF CHINA Meetings are conducted with CBRC regional offices to promote understanding of credit risk trends, to facilitate participation in policy making while encouraging identification of credit risks that may be unique to local circumstances in their regions. CBRC Chairman also conducts quarterly meetings with banks to share the key risk trends and issues. Where necessary, CBRC conducts onsite examinations to assess important areas such as prudence of valuations, ability to liquidate the collateral, whether risk mitigation strategies are legally enforceable, and the effectiveness of guarantees. For activities with high risk concentration, CBRC heightens the intensity of monitoring, analysis and onsite examinations and organize stress testing. The latter was conducted with respect to real estate loans, given that real estate accounts for larger share of collaterals. BCP assessors note that based on its offsite surveillance and observations at onsite examinations, CBRC issues risk alerts to individual banks or groups of banks from time to time, to serve as warning against high credit growth, common risk trends and/or control deficiencies noted at the bank and in the industry Assessment of Largely Compliant Principle 18 Comments Given the slower macro-economic growth and deepening economic structural adjustments, Special Mention loans and NPL have been on an increasing trend since 2013 and provision coverage (over NPL) ratios of banks have declined, albeit still higher than 150% at end 2016. As of end 2016, rural commercial banks have higher NPL ratio than other banks. 2011 2012 2013 2014 2015 2016 Special 3.13% 2.92% 2.44% 3.11% 3.79% 3.87% Mention NPL 0.96% 0.95% 1.00% 1.25% 1.67% 1.74% Provision 278% 296% 283% 232% 181% 176% Coverage over NPL 2016 Large Joint-stock City Rural Foreign Commercial Commercial Commercial Commercial banks Banks Banks Banks Banks NPL ratio 1.68% 1.74% 1.48% 2.49% 0.93% Provision 163% 170% 220% 199% 250% Coverage CBRC has taken a lot of efforts, through offsite surveillance and onsite examinations, to ensure that banks classify loans correctly and maintain provisions in line with accounting and regulatory requirements. Industry representatives that assessors met supported the view that loan classification and provisioning have been the focus of CBRC’s supervision and external audit in recent years. Considering the strains that have emerged in several sectors coping with high indebtedness and overcapacity, there is a need for CBRC to continue its focus on the accuracy of banks’ loan classification and provisions. In particular, close attention should be accorded to 176 PEOPLE’S REPUBLIC OF CHINA special mention and overdue loans to ensure there is no undue delay in classifying loans as non-performing which may lead to inadequate provisions. CBRC should review the current loan classification requirement which permits banks to use good quality collaterals to support categorizing loans more than 90 days past dueas Special Mention (discussed in EC 5), and the lack of clarity in what constitutes a good quality collateral for this purpose. While the impact of collateral in NPL classification currently affects only 0.4 percent of total loans of the banking system based on CBRC’s estimates, such loan classification practice makes it difficult to properly assess increase in credit risk at individual bank level and at a system-wide level. Also, in those cases where collateralized loans past due are not in fact classified as NPLs, it could also potentially result in lower provisions being held under CBRC’s minimum requirements (requirements as mentioned in EC 7). It is noteworthy that the recently issued BCBS’ Guidelines on Prudential Treatment of Problem Assets provides that collateralisation should play no direct role in the categorisation of nonperforming exposures. Collateral may be one of the inputs towards the assessment of a borrower’s unlikeliness to pay, only to the extent that it may influence the borrower’s economic incentive to repay. CBRC should also review the requirement permitting loans granted to small enterprises to be classified as NPL only when they are more than 180 dpd. This was established in 2007 as a minimum requirement and banks are encouraged to classify such loans more accurately according to their internal risk management practices. The review should assess whether this practice results in slow downgrading of problem loans and delays the detection of increase in credit risks in this micro-lending segment. Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties. 47 Essential criteria EC1 Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk. 48 Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured. Description and Banks are required, under Article 121 of the Capital Rules to establish criteria for findings re EC1 identifying, assessing and monitoring concentration risks as well as other material risks. Further details are set out in Part 3, Annex 13 of the Capital Rules. Concentration risk is 47 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof. 48 This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies. 177 PEOPLE’S REPUBLIC OF CHINA comprehensively defined therein, including but not limited to concentrations of counterparties, geographical regions, industries, collaterals, etc. and include both on- and off-balance sheet items and contingent liabilities. Banks have to understand the overall concentration risk arising from common risk exposures of different business lines, evaluate the concentration risk generated from connections among different risks, and also assess concentration risk emerging under stress scenarios like economic downturns and market liquidity strains. More specifically on the inclusion of off-balance sheet items, Article 4 of Guidelines on Credit Risk Management of Corporate Groups of Commercial Banks stipulates that credit extension means providing funding support directly to banks’ customers or guarantees for customers’ indemnification and payment liabilities, covering both on- and off-balance sheet activities such as loan, trade finance, acceptance of bill, bill discounting, overdraft, factoring, guarantee, loan commitment and letter of credit. Credit risk exposures arising from derivative trading and securities holding shall be incorporated into the total credit lines for overall risk management. EC2 The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure 49 to single counterparties or groups of connected counterparties. Description and Banks are required to establish a sound information system for risk measurement, findings re EC2 management and reporting to the board and senior management. They shall also aggregate exposures of business lines accurately and timely, identify concentration risks as well as potential ones, monitor the compliance of exposure limits. Concentration risks and interactions of risks shall be considered when aggregating risks. These requirements are set out in Article 131 and Annex 13 of the Capital Rules. Similar expectations on information system, but more specifically in respect of large exposures to single corporate groups, are set out in Article 23 to 25 of the Guidelines on Credit Risk Management of Corporate Groups of Commercial Banks. In addition, Article 16 of the Guidelines on Internal Audit of Commercial Banks provides that internal audit should cover the continuity, reliability and safety of information system. During offsite supervision, CBRC reviews reports on credit concentration submitted by banks and follows up with banks to analyze significant movements or differences. Specifically, on identifying companies within a corporate group, banks are able to benefit from sharing of borrower information by participating in CBRC’s credit reporting system, the ORMS, thereby improving the accuracy and completeness of their identification of corporate groups. BCP assessors reviewed a number of supervisory reports that highlighted issues on industry segment concentration, geographical concentration and large exposures. During onsite examinations, CBRC assesses the accuracy and timeliness of banks’ management information system, and whether they are capable of supporting the 49 The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e. it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991). 178 PEOPLE’S REPUBLIC OF CHINA aggregation, monitoring, analysis and control of risk concentrations. This may be performed as part of full scope examinations or targeted examinations. EC3 The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board. Description and Annex 13 of the Capital Rules provides that commercial banks shall establish bank-wide findings re EC3 concentration risk management framework including concentration risk limits. Banks are required to set limits on concentration risks in line with risk appetite, capital base, assets, profit and overall risk profile. It also stipulates that the Board and senior management shall regularly review the profile of concentration risk to ensure effective management and control. These requirements are also to be fulfilled at bank group level under the Consolidated Management and Supervision Guidelines. CBRC requires banks to effectively manage concentration risks and maintain adequate Pillar II capital add-on. Specifically on management of large exposures, Article 7 of the Corporate Groups Guidelines requires that banks shall have in place risk management policies for lending to corporate groups, including governance structures, criteria and exposure limit for a single corporate group, internal reporting procedures and assignment of responsibilities, etc. BCP assessors noted from discussions with banks that concentration risk is addressed through setting strategic planning and business objectives, establishing and monitoring counterparty specific, portfolio, product and other limit structures. During onsite examinations, CBRC holds supervisory interviews and review meeting minutes, risk reports and internal policies and processes to assess the effectiveness in identifying, monitoring, managing and reporting credit concentration risks. Supervisors also evaluate the bank staff’s understanding of these policies and procedures. The review also evaluates whether internal limits take into account concentration factors such as counterparties, industries, geographical regions and specific products and whether concentration risk is reported on a timely basis to the board or risk management committee, and whether effective steps have been taken to diversify or mitigate risks. Where there are concerns of risk concentrations particularly to sectors of higher risks, CBRC issues risk alerts or supervisory letters to urge banks to exercise caution and take mitigating actions. EC4 The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed. Description and CBRC regularly collects information on banks’ top 10 largest corporate borrower groups, findings re EC4 top 10 single borrowers and top 10 interbank lending. Information on banks’ sectoral, geographical and currency exposures are also collected regularly. The credit reporting system, ORMS, developed by CBRC also contains information on all borrowers including those to whom banks have large exposures. 179 PEOPLE’S REPUBLIC OF CHINA Supervisors review such information to assess the risk level, monitor significant trends and requires banks to perform stress tests, and incorporate the assessment results in supervisory ratings. On-site examinations are also conducted to assess the banks’ data quality management. EC5 In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and Article 3 of CBRC’s Guidelines on Credit Risk Management of Corporate Groups of findings re EC5 Commercial Banks (“Corporate Groups Guidelines”) defines a corporate group as one that includes entities that meet any of the following criteria: (i) there are direct or indirect controlling relationship with other entities in terms of equity stake or management decision making; (ii) being controlled by the same entity within the group; (iii) being directly or indirectly controlled by another group entity’s major natural person shareholders or key managers, individually or jointly with close family members; or (iv) there are other forms of affiliations that may lead to a transfer of assets or profits on a non-arm’s length basis. The term “entity” mentioned above does not include commercial banks. In addition, under Article 217 of the Company Law, entities with common local government ownership (i.e. meeting criteria (ii)) are not considered connected parties by virtue of local government ownership alone. However, if the entities with common local government ownership meet any of the remaining criteria above, they will be included in the definition of connected parties. BCP assessors were told that in practice, criterion (iv) includes having any form of economic interdependence, for instance, one government-owned entity providing significant guarantee to the other government-owned entity. In this regard, CBRC issued Notice on Further Enhancing Credit Risk Management in September 2016 to clarify the concept of economic interdependence – that there is economic interdependence between two parties if the bankruptcy of one party is likely to have a significant impact on the repayment capability of the other. During onsite examinations, supervisors review banks’ management information systems as well as credit approval records to examine banks’ definition, identification and monitoring of corporate group borrowers, is one of key areas of a full scope or credit risk inspection. Assessors saw inspection reports with CBRC’s findings on banks’ omission of names from connected party grouping. In addition, through the credit reporting system, ORMS, CBRC urges banks to check lists of connected counterparties submitted by different institutions, thereby facilitating the identification of group borrowers by individual banks. CBRC may exercise supervisory judgment in determining “groups of connected counterparties” on a case-by-case basis, based on the substance over form principle in accordance with the above criterion (iv). In practice, banks make an assessment of the connectedness between counterparties, and the supervisor will review such identification of corporate group during on-site examinations or off-site surveillance. If there is a difference 180 PEOPLE’S REPUBLIC OF CHINA in opinion, the supervisor will discuss it with banks and ask banks to provide more supporting evidence, but the final decision lies with the supervisor. From CBRC’s experience, the most commonly discussed case between supervisors and banks is guarantee relationship, i.e. what sort of guarantee relationship is strong enough to be categorized as corporate group. Generally, a bank will be required to deem the entities as a group if large amounts of guarantee are offered that may cause the guarantor to default upon the occurrence of a claim. EC6 Laws, regulations or the supervisor set prudent and appropriate 50 requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off- balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis. Description and Under the Commercial Bank Law, a bank’s total outstanding loans to a single borrower shall findings re EC6 not exceed 10% of the bank’s capital. In addition, CBRC’s Corporate Groups Guidelines stipulates that total credit exposures to a single corporate borrower group shall not exceed 15% of the bank’s capital. Such credit exposures include both on- and off-balance sheet businesses. Under CBRC’s Notice on Further Enhancing Credit Risk Management, a bank is required to obtain the approval of its board and senior management for credit extended to any corporate borrower group exceeding 10% of the bank’s capital and to single borrower exceeding 5% of the bank’s capital (“large exposures”). The above requirements are to be applied on a solo and on consolidated basis, in accordance with Article 4 and 9 of the Key Indicators for Risk-based Supervision of Commercial Banks. With respect to exposures to commercial banks, Article 14 of the Notice of PBC, CBRC, CSRC, CIRC and SAFE on Regulating the Interbank Business of Financial Institutions requires that interbank lending (excluding interbank deposits for settlement and deducting assets with no risk weight) to a single incorporated financial institution shall not exceed 50 percent of the bank’s tier 1 capital. A bank’s outstanding interbank borrowings shall not exceed one-third of its total liabilities. The Notice requires banks to set internal limits and prevent interbank concentration risks in accordance with its own concentration risk profile. The above regulatory limits on interbank exposures appear excessive. Under the BCBS large exposures framework published in April 2014 and which will take effect from 1 January 2019, a bank’s interbank exposures (except intraday interbank exposures) are to be limited to 25% of its Tier 1 capital and in the case of a G-SIB’s exposures to another G-SIB, the large exposure framework prescribes a limit of 15% of Tier 1 capital. CBRC should review and adopt these interbank limits prescribed under the Basel large exposures framework. 50 Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration. 181 PEOPLE’S REPUBLIC OF CHINA During its supervisory process, CBRC reviews large exposures information submitted by banks to assess banks’ compliance with prudential requirements, monitors trends of risk concentration, and examines the effectiveness of risk management policies and processes over large exposures during onsite examinations. Banks with more large exposures receive greater supervisory attentions and/or risk alerts from CBRC. EC7 The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes. Description and The Stress Test Guidelines requires banks to include material concentration risks into their findings re EC7 stress testing programs, and set out a minimum list of the stress scenarios to be considered. These include the declining macro-economic growth of main domestic and international economies, the large downward fluctuations of real estate prices, the deterioration of lending quality and mortgaged property quality, the downgrading or default of concentrated credits and main counterparties, defaults in some industries, etc. Articles 25 and 26 of the Stress Test Guidelines provide that a bank shall use the test results in setting risk appetite, adjusting risk limits, formulating risk mitigation actions and contingency plans, etc. In the Consolidated Management and Supervision Guidelines, CBRC requires banks to regard stress testing as an important part of their internal capital adequacy assessment process (ICAAP), and decide internal CAR target in light of the testing results. Supervisors review the stress tests and discuss with banks regarding their methodology, stress test results, and management action plans. Risks and issues reflected by the stress test results are closely monitored by supervisors in their risk assessment and supervisory ratings of the banks. CBRC’s internal guidance for reviewing stress tests specifically requires assessing whether the bank has taken into account concentration risks. Assessment of Largely Compliant Principle 19 Comments CBRC has enhanced its supervision of concentration risks and monitors concentration risks of banks by industries, geographies, corporate groups, etc. Banks are required to include significant risk concentrations in their stress testing programs for risk management purposes. On large exposures, it remains that (under the Company Law) entities with common local government ownership are not considered connected parties by virtue of local government ownership alone. Other relationship has to be considered, one of which is criterion (iv), namely, other forms of affiliations that may lead to a transfer of assets or profits on a non- arm’s length basis. CBRC clarified in September 2016 that this includes consideration of “economic interdependence”. In line with moving towards adopting Basel large exposures framework, CBRC should: - further review and clarify the application of criterion (iv) in identifying relationships between entities with common local government ownership. 182 PEOPLE’S REPUBLIC OF CHINA - reduce the regulatory limit on a bank’s interbank exposures (excluding intraday interbank exposures) to 25% of its Tier 1 capital and establish a lower limit of 15% of Tier 1 capital on a G-SIB’s exposures to another G-SIB. Principle 20 Transactions with related parties. In order to prevent abuses arising in transactions with related parties 51 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties 52 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes. Essential criteria EC1 Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis. Description and The definition of “related parties” is provided in Articles 6 to 11 of the Rules on Related findings re EC1 Party Transactions of Commercial Banks with Insiders and Shareholders which specifies that related parties include related natural persons, legal persons or other organizations. These are defined quite comprehensively as follows: Related natural persons include: (a) insiders of a commercial bank (including Board members, senior managers, and other persons who are entitled to decide on or participate in the bank’s exposure granting and asset transfer activities); (b) the bank’s major individual shareholders who hold or control over 5 percent of the bank’s shares or voting rights; (c) close family members of the above-mentioned persons; (d) other individual controlling shareholders, board members, and key management staff of the bank’s related legal persons or other organizations, and (e) other natural persons who have significant influence on the bank. Related legal persons or organizations include: (a) a bank’s major non-individual shareholders (i.e. non-individual shareholders who are able to directly, indirectly, jointly hold or control over 5 percent of the bank’s shares or voting rights); (b) legal persons or other organizations that are under common control, direct or indirect, with the bank; 51 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies. 52 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party. 183 PEOPLE’S REPUBLIC OF CHINA (c) legal persons or other organizations that are controlled directly or indirectly, or can be significantly influenced by the bank’s insiders, or major individual shareholders together with their close family members; and (d) other legal persons or other organizations that have direct or indirect controls on the bank, or are capable of significantly influencing the bank. Furthermore, under Article 11, where natural persons, legal persons or other organizations that have influence on a bank do not conduct transactions with the bank on an arm’s length basis, and hence obtain benefits from the transactions or result in bank’s losses, the bank shall apply the principle of substance over form and deem them as related parties. Article 17 of the Related Party Transaction Rules also provides that CBRC has the discretion to define commercial banks’ related natural persons, legal persons or other organizations. Under Article 8, the two exclusions from the above definition of related parties are commercial banks and state-owned asset management companies. Pursuant to Article 217 of the Company Law, in the case of a commercial bank owned by the local government, it’s exposures to government owned entities will likewise not be considered related party transactions by virtue of local government ownership alone. (please refer to the discussion at CP 19, EC5). The intragroup exposures to related commercial banks are addressed under the Consolidated Management and Supervision Guidelines. Specifically, Article 64 stipulates that a commercial bank shall manage internal transactions within the banking group on a consolidated basis, and that intragroup transactions should be at arm’s length. The definition of “related party transaction” is comprehensive and it covers all transfer of resources or obligations between the bank and the related parties, such as granting of credit, transfer of assets, providing services, and other related party transactions prescribed by CBRC. EC2 Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g. in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties. 53 Description and The Commercial Bank Law and the Related Party Transaction Rules prohibit banks from findings re EC2 granting unsecured loans to related parties, and provide that secured loans shall not be based on more favorable terms than those granted to third party borrowers, and banks shall not accept own equity as pledge for credit or provide guarantees for related parties’ financing. In addition, Article 67 of the Consolidated Management and Supervision Guidelines requires intra-group transactions are to be undertaken on an arm’s length basis or at market prices as appropriate. 53 An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g. staff receiving credit at favorable rates). 184 PEOPLE’S REPUBLIC OF CHINA CBRC regularly reviews supervisory returns, management reports and authorization documents submitted by banks to identify related party transactions that are not conducted on an arm’s length basis. During onsite examinations, CBRC also checks on whether banks’ related party transactions comply with applicable regulations. BCP assessors were told that given the challenge in checking on completeness of reporting of related party transactions and determination of “arm’s length” basis, this area is often assigned to more experienced onsite examiners. EC3 The supervisor requires that transactions with related parties and the write-off of related- party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions. Description and The Related Party Transaction Rules requires significant related party transactions of banks findings re EC3 to be reviewed by the related party transaction control committee and approved by the board. A significant related party transaction refers to a single transaction with one related party that accounts for over 1% of the bank’s capital, or one transaction resulting the total exposure to the related party to exceed 5% of the bank’s capital. Other related party transactions are to be reported to and approved by the related party transaction control committee. Article 26 of the Related Party Transaction Rules also provides that when approving related party transactions at the Board and related party transactions committee, all conflicted members should be excluded from the approval process. In practice, CBRC conducts on-site examinations and supervisory interviews to see whether banks follow approval procedures on related party transactions. Where related Board members or senior managers fail to recuse, CBRC has the power to, pursuant to Article 40, order the bank to rectify within a prescribed timeframe. If such violation is regarded as material or the bank fails to rectify within the specified period of time, CBRC has the power to order the bank to replace the Board members or senior managers. EC4 The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction. Description and Article 4 of the Credit Issuance Guidelines provide that related banks’ employees shall be findings re EC4 excluded when granting credit for related parties. Supervisors review related party transactions reports reflecting the amounts and pricing of such transactions submitted by banks, review meeting minutes of related party transaction control committee, examines the approval process to see whether related persons are involved in the decision-making process, to determine if such transactions are at arms’ length and subject to independent approval and managing process. CBRC can take enforcement actions on banks and related persons that violate Articles 4 and 26 of the Related Party Transactions Rules. EC5 Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties. 185 PEOPLE’S REPUBLIC OF CHINA Description and Article 32 of the Related Party Transactions Rules sets limits on exposures to related parties. findings re EC5 Specifically, a bank’s exposures to a single related party shall not exceed 10% of its capital and exposures to a corporate group with a related legal person or other organizations within the group shall not exceed 15% of the bank’s capital. When calculating the exposures balance, the margin deposit, pledged deposit receipt and treasury bonds provided by related parties can be excluded. Article 32 further states that aggregate exposures to all related parties shall not exceed 50% of the bank’s capital. As a result, the permissible aggregate exposure to these related parties is twice the allowable large exposure limit for a single counterparty. Article 33 provides CBRC with the power to reduce these limits, depending on the risk profile of the related party transactions of a bank. EC6 The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions. Description and Article 23 of the Related Party Transaction Rules requires banks to establish policies and findings re EC6 processes for related party transactions. These should cover oversight by the Board, composition and responsibilities of the related party transaction control committee, identification of related parties, types and pricing of such transactions, approval authorities and process, collection and management of related party information, risk monitoring and control, absence requirements to address conflict of interest, internal audit, information disclosures, etc. Article 36 provides that every year the Board shall report to the general meeting of shareholders about the implementation of related party transaction policies and the exposures to related parties. Article 38 provides that commercial banks shall disclose information on related parties and related party transactions in the notes to the financial statements. Article 14 of the Rules on the Information Disclosure of Commercial Banks specifies that commercial banks shall disclose information on the aggregate exposures to related parties and significant related party transactions in the notes to the financial statements. CBRC supervisors review supervisory returns and quarterly reports on related party transactions to assess whether banks identify and monitor exposures to related parties and whether related party transactions are approved, disclosed and reported in accordance with supervisory requirements Banks’ policies and procedures on related party transactions are evaluated during CBRC’s onsite examinations. These include review of the minutes of the board and relate party transaction control committee, internal audit reports, credit files for related party 186 PEOPLE’S REPUBLIC OF CHINA transactions to assess the approval process, reporting systems and internal controls, and to confirm that the board and senior management discharge their responsibilities under the Related Party Transaction Rules. EC7 The supervisor obtains and reviews information on aggregate exposures to related parties. Description and CBRC obtains information on related party transactions regularly. This includes quarterly findings re EC7 reports on significant related party transactions, and a quarterly return on transactions with Top 10 largest related parties providing details on the shareholding structure of these related parties, credit granted to the largest related party group, detailed credit reviews, and aggregate exposures to related parties. CBRC also conducts onsite examinations to check on the accuracy and completeness of these returns and reports submitted by the banks. Assessment of Principle 20 Comments As in the previous FSAP assessment, while the definition of related party is comprehensive, there are several exclusions, namely, related commercial banks, and the fact that ownership by the state government is not treated as a trigger for related party reporting, limits or approvals. Thus in theory, a commercial bank owned by the local government can lend to local government-owned entities without being covered by the extra diligence required for related parties. It is recommended that this issue be reviewed and such transactions be brought under the discipline of enhanced diligence and limits applicable to related parties, and thus be covered by internal governance and supervisory focus of a related party transaction. This could be done above a threshold. The Related Party Transactions Rule also sets a limit on the aggregate exposures to all related parties of 50% of the bank’s capital, and hence are not as strict as the allowable large exposure limit for a single counterparty or groups of connected counterparties (EC6). Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk 54 and transfer risk 55 in their international lending and investment activities on a timely basis. Essential criteria EC1 The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide 54 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered. 55 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.) 187 PEOPLE’S REPUBLIC OF CHINA view of country and transfer risk exposure. Exposures (including, where relevant, intra- group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures. Description and According to CBRC’s estimates, the country and transfer risk exposures of the banking findings re EC1 system is relatively insignificant, estimated to be 2% of total banking system assets, with the majority of the exposures being to United States and countries in Asia. The large banks account for the majority (98%) of the total country risk exposure of the banking system. These country risk exposures in turn account for about 4% of the banks’ total assets. Detailed supervisory expectations for banks’ country risk management is set out in the Guidelines on Country Risk Management of Banking Institutions (“Country Risk Guidelines”), issued in 2010. Article 9 of the Guidelines requires banks to integrate country and transfer risks into their risk management systems. Banks are expected to establish country risk management system consistent with their strategies, and commensurate with their size and complexity. This should include the following elements: (i) effective oversight by board and senior management; (ii) appropriate policies and procedures; (iii) sound processes to identify, measure, monitor and control country risks; and (iv) effective internal control and audit. Article 17 requires banks to establish a country risk rating system, based on country risk assessment that takes into consideration qualitative and quantitative factors of a country’s political and economic conditions. The Guidelines also requires that banks monitor developments in country risks on a solo and consolidated group level on an ongoing basis, and heighten the frequency of review of country risk ratings and limits in respect of countries experiencing significant changes in risk profiles. CBRC has reviewed the major banks’ country risk management policies and procedures, and monitored the banks’ country risk exposures in specific countries, via both offsite review and onsite examinations. Supervisors also require banks to evaluate country risks as part of their applications for establishing, making equity investments or acquiring institutions overseas. CBRC assessed that major banks have put in place systems to support country risk rating, limit setting, and to monitor and report country risk to their boards and to CBRC on a regular basis. EC2 The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and Article 10 of the Country Risk Guidelines specifies that the Board shall assume overall findings re EC2 responsibility for the effectiveness of a bank’s country risk management. Specifically, the Board shall regularly review and approve the strategies, policies, procedures and limits for country risk management, ensures that the senior management implement policies and procedures to identify, measure, monitor and control country risks effectively, regularly review country risk reports, and ensure that the bank’s country risk management practices are subject to internal audit. 188 PEOPLE’S REPUBLIC OF CHINA CBRC conducts onsite examinations and supervisory interviews to determine that boards discharge their above-mentioned responsibilities effectively. Certain banks were required to take corrective actions where the bank boards did not obtain adequate information on overall country risk and relevant internal audit reports on a timely basis. EC3 The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits. Description and Article 18 of the Country Risk Guidelines requires that banks put in place policies and findings re EC3 procedures to monitor adherence with country risk limits, to report country risk exposures on a regular and timely basis and to deal with limit excesses. Articles 21 to 24 of the Guidelines require banks to establish accurate and reliable management information systems to identify, measure, monitor and control country risks, and to have in place a comprehensive country risk internal control system. A bank’s internal audit function is expected to independently and regularly review the effectiveness of country risk management system and the bank’s adherence with policies and limits. The large banks have set up specific departments or teams to undertake country risk management and have introduced systems to monitor limits and exposures on a country basis. CBRC has conducted onsite examinations and has required banks to address issues identified during examinations such as timeliness of country risk reports and completeness of risk classification. EC4 There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include: (a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate. (b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate. (c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor. Description and Articles 25 to 27 of the Country Risk Guidelines requires banks to develop written policies findings re EC4 on provisions for country risks and ensure that the impact of country risks is taken into account in provisions for asset impairment. Article 28 of the Guidelines further prescribes minimum provisioning levels ranging from 0.5% to 50%, for various country risk classifications of low, relatively low, medium, relatively high and high risk. CBRC has reviewed and maintained these provisioning requirements, taking into account prevailing global environment. External auditors, as part of the statutory audit on financial statements of banks, are to assess the provisioning methodologies and the adequacy of provisioning against country and transfer risks. 189 PEOPLE’S REPUBLIC OF CHINA EC5 The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes. Description and Article 20 of the Country Risk Guidelines require banks to establish stress testing findings re EC5 approaches for country risks and conduct regular stress tests to assess the potential impact of different scenarios on country risk profile. Stress test results are to be reported regularly to the board and senior management. Major banks with large country risk exposures have performed a number of stress tests incorporating country risk scenarios. During onsite examinations, supervisors noted areas requiring improvement in the stress testing policies and procedures, clarity in the required frequency of stress tests and the comprehensiveness of the stress test programs. Banks are required to address these issues within timelines prescribed by CBRC. EC6 The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g. in crisis situations). Description and Article 32 of the Country Risk Guidelines requires banks to submit reports on country risk findings re EC6 exposures and provisioning to CBRC annually, and to submit more detailed information or increase the reporting frequency when needed. When a specific country is experiencing significant economic, political or social events that have material adverse impact on a bank’s risk profile, the bank is required to promptly report relevant country risk exposures to CBRC. CBRC collects major banks’ country risk management policies and procedures and requires them to submit information on country risk limits, exposures and provisions on a semi- annual basis. Supervisors review this information to assess and monitor the country and transfer risks of the major banks. Assessment of Compliant Principle 21 Comments Country and transfer risk exposures at banking system level have increased slightly over the past few years, and are expected to increase further as Chinese banks expand their presence overseas or finance more overseas projects. Since the issuance of Country Risk Guidelines in 2010, banks now have better appreciation of country risk and many have included country risk in their risk management policies and procedures, risk limits and stress testing. Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis. Essential criteria EC1 Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in 190 PEOPLE’S REPUBLIC OF CHINA market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk. Description and The Market Risk Guidelines (Articles 6 and 7) set out the requirements for banks to have a findings re EC1 sound and reliable market risk management system commensurate with their business nature, size and complexity, and consider the correlation between market risk and other risks. Requirements addressing formulation and implementation of market risk management policies and procedures, and to identify, measure, monitor and control market risk, and define the roles and responsibilities of the Board, senior management, departments responsible for market risk management, business departments, and internal audit department are set out in Sections 2 and 3 of these Guidelines. In terms of supervisory engagement, the Market Risk Guidelines and the Supervisory Ratings Guidelines require the CBRC to regularly assess: (a) whether banks have put in place sound market risk management framework and written out the duties and powers of the Board, senior management, market risk management department, and business departments assuming markets risks, as well as whether the Board and senior management have adopted appropriate approaches to ensure the effectiveness of their market risk management framework; (b) whether banks have written policies and procedures for market risk management as well as independent and better-targeted policies and procedures for businesses with higher market risks (e.g. derivatives); and (c) whether the above policies and procedures are practical, feasible and commensurate with banks’ business nature, size, complexity and risk characteristics. The Market Risk Examination Manual requires the CBRC to determine whether banks have in place sound written policies and procedures during on-site examinations and assess whether above policies and procedures are clear, explicit, comprehensible, consistent, as well as compliant with regulatory requirements item by item. Further, there are overarching requirements iterated in the Comprehensive Risk Management Guidelines which sets out standards for the management of all risks including market risk (and is addressed to all banking institutions). EC2 The supervisor determines that bank’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process. Description and As noted above (for example CP12, EC3) the Guidelines on the Corporate Governance of findings re EC2 Commercial Banks (Article 82) places an obligation on the Board to develop comprehensive risk management strategy, policy and processes commensurate with the bank’s risk profile, size and growth rate. The creation of relevant risk committees is also covered (Article 22) and requires the Board to set up specialized committees as appropriate, with risk management committee responsible for overseeing senior management’s comprehensive risk management, including market risk. More specifically related to Market Risk, Article 8 of the Market Risk Guidelines requires the Board to assume ultimate responsibility for overseeing market risk management, including 191 PEOPLE’S REPUBLIC OF CHINA approving relevant strategies, policies and procedures, setting market risk tolerance, and urging senior management to take necessary measures to identify, measure, monitor and control market risk. According to the Guidelines, the Board must be regularly provided with reports on the bank’s market risk nature and level, and monitor and evaluate the effectiveness of its market risk management as well as the performance of senior management in this regard. The Market Risk Guidelines, the Supervisory Ratings Guidelines, etc., guide the CBRC in its assessment practices for OSS and requires the CBRC to assess whether banks have put in place reasonable market risk management framework; whether banks have documented the duties and powers of the Board, senior management, market risk management department, and business departments assuming market risks; and whether the Board and senior management have adopted appropriate approaches to ensure the effectiveness of banks’ market risk management. As is the case for other risk principles, the CBRC practice of observing banks’ Board meetings provides them with information on the extent to which the Boards are fulfilling their duties. Some banks commented on the strong pressure that the CBRC had exerted on them to ensure all policies, procedures and reports were in place. According to the Market Risk Examination Manual, the CBRC reviews the Board’s documents, such as written approvals or authorizations, to determine whether the Board has: (a) approved market risk management strategies, policies and procedures; (b) timely tracked market risk nature and level, and monitored and evaluated the effectiveness of market risk management and senior management’s performance in this regard; and (c) monitored and guided senior management as necessary. The supervisors are also tasked with examining whether the Board oversees senior management fulfilment of their roles in these areas including: (a) implementing market risk management policies approved by the Board; (b) putting in place a sound market risk management system and relevant requirements; and (c) (c) tracking policy implementation in a timely manner and performance of market risk management departments, and taking prompt actions as appropriate. EC3 The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including: (a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management; (b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff; (c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary; (d) effective controls around the use of models to identify and measure market risk, and set limits; and 192 PEOPLE’S REPUBLIC OF CHINA (e) sound policies and processes for allocation of exposures to the trading book. Description and The Market Risk Guidelines and the Market Risk Examination Manual in particular establish findings re EC3 expectations and obligations for banks and the CBRC in terms of regulation and also inspection and examination practices. Also the Comprehensive Risk Management Guidelines also sets overarching standards that reinforce the requirements to set risk appetite, and manage and control the full range of risks, including market risk. Information Systems The Market Risk Guidelines (Articles 24 and 26) require banks to have sound and reliable management information systems to measure, monitor and control market risk. The information systems must include relevant contents of market risk reports, and provide market risk information to the Board, senior management and other managers on a regular and timely basis. According to Article 35(3), (5) and (8), of the Guidelines, the CBRC is required to execute regular on the spot inspections, covering: • the effectiveness of the identification, measurement, monitoring and control of market risk; • the effectiveness of the market risk information management system; and • the independence, accuracy and reliability of the internal market risk reporting system and the authenticity and accuracy of the statements and reports submitted to CBRC with regard to market risk; Further, the Market Risk Examination Manual requires the CBRC to examine whether banks’ market risk monitoring systems, management information systems and relevant systems are able to: (a) monitor the compliance with market risk limits, prevent unapproved limit breaches, and provide market risk exposure reports based on sample inspections to the Board and senior management and ensure those reports are consistent with banks’ market risk appetite in terms of contents and frequency; and (b) provide timely, accurate and comprehensive market risk information for different departments and businesses, including the Board and senior management, thus enabling them to fulfill their duties and responsibilities. Limit Management The Market Risk Guidelines (Article 23) requires banks to set, regularly review and adjust market risk limits in light of their business nature, size, complexity and risk appetite, formulate limit approval processes and procedures, and have in place procedures to monitor and address limit breaches. Any exception to limit must be submitted to relevant management for them to decide whether to approve the exception and for how long. Unapproved breaches shall be handled according to relevant policies and procedures. The management shall decide whether to adjust limit management system as appropriate. Moreover, the Derivatives Trading Rules (Article 22) imposes requirements for limit approval and setting as well as breach handling of banks’ derivatives businesses. Based on Article 35(6) of the Guidelines, the CBRC is required to execute regular on the spot inspections, covering the effectiveness of the market risk limits management. 193 PEOPLE’S REPUBLIC OF CHINA In assessing limit management the CBRC looks at the banks’ reports on compliance with market risk limits, approval documents for exceptions, and reports on handling unapproved breaches. The CBRC also interviews staff in market risk-taking business departments to understand their awareness of market risk limits and the reporting and approval procedures for limit breaches, and emphasized the Board and senior management’s understanding of limit management. In addition, the independence, completeness and soundness of approval procedures and limit setting, and rationality of limit allocation are examined. Risk control: Exception tracking and escalation, Models The Market Risk Guidelines (Article 20) provides that banks adopting internal models shall select, regularly review and adjust modeling techniques, assumptions and parameters in line with their business size and nature. Besides, those banks shall have policies and procedures to introduce new models, adjust and validate existing models. Model validation shall be performed by the personnel independent of those responsible for model development and operation. Banks adopting internal models shall understand and apply outputs from models, recognize models’ limitations, and employ stress test and other non- statistical approaches. In addition, Article 21 requires banks to undertake back testing on a regular basis to compare valuation of market risk measurement approach or model with the actual results, and make adjustments and improvements to the approach or model accordingly. The Market Risk Guidelines do not impose explicit responsibilities on the CBRC with respect to banks’ performance concerning exceptions and models, but Article 35 is comprehensively drafted and includes the following requirements for the CBRC that are relevant to the sound management of the environment: • the performance of the board of directors and senior management in market risk management; • the establishment and implementation of the market risk management policies and procedures; • the effectiveness of the identification, measurement, monitoring and control of market risk; • the rationality and stability of the assumptions and parameters used by the market risk management system • the effectiveness of the market risk information management system; • the effectiveness of the internal control of market risk; • the independence, accuracy and reliability of the internal market risk reporting system and the authenticity and accuracy of the statements and reports submitted to CBRC with regard to market risk; • market risk capital adequacy; • the professional knowledge and abilities and performance of the personnel involved in market risk management; and • other matters relating to market risk management. 194 PEOPLE’S REPUBLIC OF CHINA The CBRC explained that on-site staff examine modeling methodologies, parameter setting, data application and validation records to assess whether banks’ market risk measurement models are reasonable and under effective control. Trading Book Boundary The Market Risk Guidelines (Article 14) requires banks to roll out policies and procedures to separate banking book from trading book according to CBRC’s requirements, and have in place internal policies and procedures in this regard. Articles 83 and 84 of the Capital Rules provide a detailed definition of trading book, and require banks to set separation standards and specify the financial instruments to be included in the trading book as well as the criteria for positions to move between banking and trading books. The CBRC explained that staff review banks’ trading book policies to determine whether they have accurate definitions and separation policies between banking and trading books, as well as for transfer between the two books. Off-site Surveillance CBRC takes supervisory actions in accordance with the Market Risk Guidelines and the Internal Guidelines on Supervisory Ratings and is required to make a regular assessment of whether banks have: (a) applied limit management to market risk, employed the value at risk (VaR) model to calculate risk limits, set different types of limits, including but not limited to trading limits, risk limits, and stop-loss limits, and regularly reviewed and adjusted limits in line with their business nature, size, complexity and capital strength; (b) regularly submitted market risk reports to the Board, senior management and other managers, and particularly whether the market risk management department (function) has an independent reporting line; (c) written policies and procedures as well as technical supports to monitor, handle and record limit breaches; and (d) sound and reliable management information system to support market risk measurement, back testing and stress test, monitor the compliance with market risk limits and provide content for market risk reports. (e) submitted model validation reports for CBRC’s review and analysis when adopting the internal models approach to calculate capital charge regularly. (f) developed and implemented internal policies and procedures to separate trading book from banking book; and (g) transferred positions between trading and banking books according to regulatory requirements and banks’ internal policies, and got approved by the authorized personnel and properly filed into record. The CBRC commented that major banks have established an appropriate market risk management environment. In addition, most large banks have created independent validation teams to upgrade market risk identification and measurement as well as the application of limit-setting models. By contrast some small and medium-sized banks do not necessarily have such resources and will hire a third party to do validation in this regard. EC4 The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent 195 PEOPLE’S REPUBLIC OF CHINA and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry- accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Description and Valuation Independence and Model Validation findings re EC4 The Market Risk Guidelines (Articles 18 and 20) provide clear requirements that banks should revalue the mark-to-market positions on trading book on a daily basis. Valuation and data collection shall be independent of the front office or verified independently, and model validation shall be independent of model development and execution. The Derivatives Trading Rules (Article 24) provides that personnel in charge of risk measurement, monitoring and control shall be separated from those trading or selling derivatives, and none shall concurrently hold positions in the above two functions. also requires Banks are required (Article 16 of the Fair Value Valuation Guidelines) to set up an independent team to validate the valuation models before application or during significant adjustments. Valuation of Less Liquid Financial Instruments Article 15 of the Fair Value Valuation Guidelines requires banks to establish diversified valuation models and cross-verification mechanisms for complicated financial instruments or those with poor liquidity. The Q&A Regarding Capital Supervisory Policies of the Notice of CBRC on Issuing Regulatory Documents on Capital Regulation for Commercial Banks sets out concrete requirements for banks on internal valuation and adjustment of financial instruments with poor liquidity. In 2012, CBRC issued instructions on financial instruments valuation, targeted at securities, equities, forward contracts, currency swap contracts, interest rate swap contracts, cross currency interest rate swap contracts, etc. The off-site supervisory function principally considers the following elements with respect to valuation and timeliness: (a) whether banks have in place sound internal control policies for valuation of financial instruments’ fair value, appropriate valuation models, reliable valuation parameter sources, and sufficient valuation information disclosure. (b) whether banks have revalued mark-to-market trading positions on a daily basis, and whether revaluation policies and procedures are compliant with regulatory requirements. (c) whether banks have regularly undertaken back testing, and compared the valuation results based on risk measurement approach or models (including valuation model) with the actual results for further adjustment or improvement to the approach or model. 196 PEOPLE’S REPUBLIC OF CHINA Furthermore, the CBRC requires banks to include valuation date of positions on their supervisory returns on derivatives and bond trading. The CBRC conduct a quarterly analysis on large banks’ trading positions valuation and unrealized profits. The CBRC also holds tripartite or bilateral meetings with external auditors to understand bank’s problems or deficiencies in valuation of financial instruments’ fair value, and requires banks to take corrective actions. When conducting on-site examinations, and as required by the manual on market risk examinations, the CBRC reviews banks’ valuation approaches and procedures for trading positions as well as daily valuation reports, and interviews valuation personnel to see whether valuation is timely, data sources are independent or verified, pricing parameters rational, and valuation approaches appropriate. As with some other aspects of Market Risk, the CBRC’s opinion is that the valuation practices in the major banks is compliant with regulatory requirements, but some small and medium-sized banks need to improve the timeliness and accuracy of valuation. Some assets with poor liquidity are prohibited by some banks in their trading policies because of valuation uncertainties driven by illiquidity of the instrument. Therefore, the adjustments to valuation of less liquid assets have little impact on banks. As of end-June 2016, banks’ gains on changes in fair value of trading assets in China only accounted for an average of 0.04 percent of net capital. The CBRC shared extensive documents illustrating their findings and actions in relation to errors and deficiencies in banks’ valuation practices. Examples included, but were not limited to issues concerning reporting lines, independence of valuation data, independence of functional unit working on valuation and model parameters. EC5 The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities. Description and The Capital Rules (Chapter 5 and the Annexes 10 and 11) set out requirements on banks’ findings re EC5 approaches and standards in measuring market risk weighted assets. All banks are required to calculate their capital charge using the standardized approach but internal models may be used subject to approval by the CBRC. The regulatory requirements, have been updated to meet the prevailing Basel market risk standard. It may be noted that the CBRC was subject to a Regulatory Consistency Assessment Programme assessment (RCAP) in 2013 and was found to be compliant. The Rules for Commercial Banks on Implementing Advanced Approach to Capital Management defines the effectiveness of valuation management as a prerequisite for adopting internal models approach to market risk. (See also CP 10 EC 3). With respect to valuation adjustment, Annex 13 to the Capital Rules requires banks to consider the impact of valuation uncertainties when assessing capital adequacy, and further clarifies regulatory requirements on internal control, valuation approaches, focuses, data sources and models. See EC 3 of CP 10. Article 27 of the Fair Value Valuation Guidelines provides that where banks refuse or fail to rectify issues on valuation of financial 197 PEOPLE’S REPUBLIC OF CHINA instruments’ fair value, the CBRC may, as appropriate, deduct unrealized earnings on changes in fair value from capital when calculating the CAR. The CBRC’ uses three tools to assess whether banks are vulnerable to unexpected losses or valuation uncertainties. These are: (a) supervisory returns on market risk RWA and related working papers to analyze the accuracy of banks’ calculation of capital charges and monitor relevant changes. (b) stress tests, conducted by the CBRC, to analyze whether banks have adequate capital against unexpected losses from market risk in stress scenarios. (c) regular bilateral or tripartite meetings between the CBRC and commercial banks and external auditors to obtain auditing results, including valuation adjustments on financial instruments. In terms of on-site work, according to the Market Risk Examination Manual, the CBRC is required to assess whether banks have established and implemented a sound ICAAP, and whether the Board and senior management have assumed responsibilities for capital adequacy management by: (a) interviewing senior management to understand their views on market risk capital requirements and relevant measures; (b) reviewing banks’ capital adequacy assessment policies and procedures; (c) checking reports on banks’ capital plans and market risk profile, with a focus on capital adequacy against market risk; (d) reviewing banks’ capital allocation programs to see if market risk is included; (e) evaluating whether banks’ market risk capital allocated as planned is consistent with capital charges calculated by models. Only five banks have approval to use internal models and the rest of the banking population is using the standardized approach to calculate market risk capital requirements. The CBRC compares the capital calculation results for the five model- approved large banks with that of the standardized approach on a regular basis. To date, the CBRC considers that the results have been prudent noting that there have been limited capital savings and in some cases the model outcomes were more conservative for some assets. EC6 The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes. Description and The Market Risk Guidelines (Article 22) requires banks to establish comprehensive and findings re EC6 rigorous stress test programs, and regularly simulate and estimate potential losses from unexpected low-probability events so as to evaluate their loss tolerance under severe adverse scenarios. Banks must, based on the stress test results, develop contingency plans for scenarios with material impact on market risk, and decide whether and how to improve policies and procedures for limit management, capital allocation and market risk management. The Board and senior management shall regularly review the design and outcomes of stress test programs, and continuously improve stress test procedures. The Guidelines on Stress Tests of Commercial Banks (Article 30) requires that the comprehensive stress scenarios shall cover market risk and consider the correlation among different risks, and specifies the factors to be considered in designing market risk stress 198 PEOPLE’S REPUBLIC OF CHINA scenarios. While Article 31 indicates specific aspects of market risk that the stress tests must include, Article 25 sets out a use test, requiring banks to use their stress testing results in management decisions. For banks using an internal models approach, there are specific stress test requirements in the Capital Rules. According to the Guidelines on Stress Tests of Commercial Banks (Article 5) the CBRC is required to supervise and inspect commercial banks’ stress testing work, and take corresponding regulatory measures. Section 2 (Articles 42 -47) of these guidelines, elaborates on the supervision and inspection that is required in relation to stress testing. For example, Article 42 provides that the CBRC must regularly assess whether the banks’ stress testing approaches are suitable for their scale, business complexity and quality of risk management. Article 43 specifically considers whether stress testing results are applied in the course of operational decision making at different levels of management. CBRC requires banks to conduct stress tests and submit reports as required (an annual requirement is set out in Guidelines on Stress Tests of Commercial Banks - Article 24), as a way to understand banks’ risks and risk management. The supervisory process rests on a combination of submission of policies, reports and material, interview of staff at all levels (including Board and senior management if necessary) and also includes peer group analysis of stress test results (Guidelines on Stress Tests of Commercial Banks - Article 45) CBRC also assesses: (a) whether banks have stress test programs in place with the selected stress scenarios commensurate with market conditions, bank’s exposure and risk characteristics; and (b) whether they have developed contingency plans based on the stress test results, and decided whether and how to improve policies and procedures for limit management, capital allocation and market risk management. The assessors saw examples of the CBRC challenging stress test scenarios and contingency plans. In addition the CBRC also arranges supervisory stress tests where banks conduct stress tests under consistent requirements in order to assess the soundness of individual banks and the banking sector as a whole (Guidelines on Stress Tests of Commercial Banks - Article 48). The unified stress tests include comprehensive stress tests (covering market risk) and targeted market risk stress tests. The supervisors will review written policies and procedures for determining, monitoring, assessing, adjusting and implementing market risk measurement approaches, as well as for back testing and stress test, and interview the Board, senior management and relevant staff to determine whether the above policies and procedures are complete and implemented. Banks are also required to submit internal documents to demonstrate the analysis and test results are an integral part of banks’ risk planning, monitoring and management. The assessors were able to review examples of these documents. The CBRC noted that, as with other aspects of the market risk environment, the large banks out-performed the smaller and medium sized banks in terms of meeting regulatory requirements. Further improvements in scenario system supports and application of test results are needed in this tier of the market. Assessment of Compliant Principle 22 199 PEOPLE’S REPUBLIC OF CHINA Comments The CBRC is compliant for market risk. The assessors were able to review some very good quality work in terms of on and off-site analysis in market risk. The CBRC should be well placed to implement the revised Basel market risk standard that was published following the fundamental review of the trading book. Looking forward, however, it is imperative that the CBRC remain vigilant and continue its path in building its market risk capacity. While there is, at present, only a relatively weak business case (i.e. little profit incentive) for banks to develop their trading activities further, conditions may change over time. Increased on- site oversight of the foreign banks in market risk is recommended. Although there has been substantive growth in the Chinese banking system, the overall system-wide proportion of risk weighted assets (RWA) for market risk is low. Since 2013, the market risk RWA of Chinese banks have hovered around 1 percent of total RWA, and by end-June 2016, the assets on the trading books of 5 large banks and 12 national joint-stock banks accounted for 0.86 percent of the total assets on average, the bank with the largest trading book assets taking up 3.42 percent. Higher market risk profiles may be found in the foreign funded banks, however as at least one foreign bank has approximately 8 percent of RWA in market risk. The complexity of banks’ market risk profile, likewise, remains generally straightforward. The traded financial instruments are predominantly bonds and foreign exchange. As of end-June 2016, 58 commercial banks had conducted derivatives transactions, 29 of which only trade interest rate and exchange rate derivatives (including forward, swap, options, etc.). The nominal principals of the interest rate and exchange rate derivatives accounted for almost 99 percent of the total, with commodity, equity, credit and composite derivatives taking up the remainder. Very few banks have traded complex financial instruments, except for agent trading (back-to-back transactions). Indeed, derivatives trading is subject to specific licensing requirements, with specific criteria set in internal controls, risk management, staff qualifications, information system, permitting the CBRC to exercise close control on banks’ developments in this risk area. Nevertheless, there have been some important developments since the last BCP assessment. At present there are five banks that have been approved to use internal models for capital adequacy calculation. Some medium-sized banks have also adopted the internal models approach for market risk measurement, risk appetite setting, limit management and capital management. There are also pilot schemes to introduce securitization into the market, which, if it develops, could introduce new challenges, although the CBRC confirmed that complex transactions (including correlation trading, re- securitisation and synthetic products) are not permitted and there is no intention to ever permit such products. As in other risk areas, there are heightened regulatory standards in market risk for the five largest banks and the precise targets that each bank must meet is set on an individual case basis. Mirroring market developments, the CBRC has invested in its own supervisory capacity and since 2011, the CBRC has built up a team of over 30 experts on market risk supervision. In terms of supervisory intensity, Large banks are subject to on-site examinations every two years, and this covers their overseas institutions. Some medium-sized banks are inspected every two to three years, while foreign-funded banks, given low systemic importance albeit 200 PEOPLE’S REPUBLIC OF CHINA with higher market risk level, are examined every three to four years with a focus on market risk management and derivatives transactions. The assessors were able to review multiple analyses, summary reports, on-site inspections and the Market Risk manual. Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk 56 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions. Essential criteria EC1 Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments. Description and The main regulatory reference for banks is the Interest Rate Risk Guidelines which (Article 8) findings re EC1 requires commercial banks to establish IRRBB management framework consistent with their strategies, sizes, nature and complexity. An overarching requirement is imposed in Article 9 which provides that IRRBB management shall be incorporated into banks’ comprehensive risk management systems and implemented throughout business operations. Articles 10 to 13 and Chapter 3 set out specific requirements on interest rate risk management strategies and framework with respect to governance, risk identification, measurement, assessment, monitoring and reporting, and IT support. These articles also require banks to act in conformity with the Guidelines on Market Risk Management and emphasize independence in risk control and quality of management information systems. The Interest Rate Risk Guidelines also address the CBRC’s supervision and inspection. Article 30 to 34 provide that CBRC shall include IRRBB management of banks into their ongoing supervision, consider it as an important indicator in on-site examinations and OSS, review and assess IRRBB management systems, and determine whether they have complete procedures to identify, measure, monitor and control IRRBB, and require banks to take corrective actions within the prescribed timeframe for issues identified. In particular Article 32 iterates the range of information that the banks are expected to provide to the CBRC including but not limited to the documents on policies and processes, documents illustrating the banks identification, measurement, monitoring, evaluation control and reporting, management information and reports, including minutes of relevant meetings. The CBRC conducts OSS according to the Interest Rate Risk Guidelines, the Off-site Surveillance Rules, etc. The CBRC reviews banks’ organizational structure of interest rate risk management and examines the banks’ interest rate risk management strategies and risk 56 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22. 201 PEOPLE’S REPUBLIC OF CHINA management frameworks. IRRBB management policies and risk management framework of banks are included in the supervisory ratings process. The role of on-site examination by the CBRC is to review banks’ policies and procedures of IRRBB identification, measurement, evaluation, monitor and mitigation, examines the implementation of such policies and procedures, and determine whether relevant policies and procedures are adequate and commensurate with banks’ overall risk appetite, risk profile and systemic importance. The CBRC noted that the major banks have put in place IRRBB management frameworks, including policies and procedures to identify, measure, assess, monitor, report and control/mitigate sources of material interest rate risk that are generally consistent with their risk appetites, risk profiles and systemic importance as well as the market and macro- economic environments. EC2 The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively. Description and As noted in EC1, the Interest Rate Risk Guidelines (Article 10) provides that banks shall findings re EC2 follow the requirements of the Market Risk Guidelines to establish and improve IRRBB governance and IT management, and clarify the responsibilities of the Board, its specialized committees, senior management and dedicated IRRBB management function. Banks shall also allocate sufficient resources to IRRBB management, formulate relevant policies and procedures, and define the requirements of internal control, limit management, reporting, and auditing with respect to IRRBB management. The Market Risk Guidelines (Article 8) articulate the expectations placed on the Board in more detail: (a) shall assume ultimate responsibility for overseeing market risk management, ensuring effective identification, measurement, monitoring and control of all types of market risk inherent in business activities; (b) shall review and approve market risk management strategies, policies and procedures, determine market risk appetite, and urge the senior management to take necessary steps to identify, measure, monitor and control market risk; (c) shall regularly obtain reports on the nature and level of market risk, monitor and evaluate the comprehensiveness and effectiveness of market risk management and the performance of the senior management in market risk management; (d) may authorize its specialized committee to exercise part of such functions and the authorized committee shall submit relevant reports to the Board on a regular basis; and (e) shall require senior management to formulate, periodically review and monitor the implementation of market risk management policies and procedures, understand market risk exposures and management practices, as well as ensure adequate resources, appropriate organizational structure, management information systems and technical expertise. 202 PEOPLE’S REPUBLIC OF CHINA The CBRC conducts OSS according to the Interest Rate Risk Guidelines, the Off-site Surveillance Rules, etc. This includes review of the banks’ IRRBB governance structures and whether banks have clearly and appropriately defined the duties of the Board, senior management, risk management functions and risk-taking functions in writing. The CBRC reviews reports of the Board and attends the Board meetings to assess whether IRRBB strategies, policies and procedures have been effectively implemented by senior management. The Interest Rate Risk Guidelines indicate that the CBRC can request a range of information for supervisory and this includes: • Reports on the control of risks in bank account interest rate submitted to the board of directors and the senior management; and • Minutes or records of meetings relating to the control of risks in bank account interest rate which are held by the board of directors, commissions authorized by the board of directors, the senior management and other relevant departments; On-site examination practices include the assessment of the performance of the Board and senior management to determine whether they comply with regulatory requirements and the bank’s internal policies and procedures through interviews, reviewing written documents and accessing management information systems. EC3 The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including: (a) comprehensive and appropriate interest rate risk measurement systems; (b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions); (c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff; (d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and (e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management. Description and The key regulatory requirements governing the control environment for IRRBB are set out findings re EC3 in The Market Risk Guidelines and the Interest Rate Risk Guidelines dating from 2004 and 2009 respectively. Measurement systems. Article 18 of the Interest Rate Risk Guidelines provides that IRRBB measurement/assessment shall include the impact of major risks such as re-pricing risk, basis risk, yield curve risk and option risk, as well as interest rate risk associated with transactions denominated in major currencies, including all types of interest-rate sensitive assets and liabilities on and off balance sheet. Article 16 to 23 provide that banks shall set reasonable assumptions and parameters, adopt appropriate techniques and approaches of risk measurement, and evaluate the impact of interest rate movements on earnings and economic value. The Guidelines specify that approaches include but are not limited to gap analysis, duration analysis, sensitivity analysis, scenario simulation and stress testing. 203 PEOPLE’S REPUBLIC OF CHINA Moreover, these Articles specify measurement approaches to four types of risks and set out major requirements on stress test. Model validation. Article 29 of the Interest Rate Risk Guidelines provides that banks shall establish adequate measurement model validation procedures, regularly track models’ performance, constantly validate models, and make adjustments accordingly for reliable outputs. Article 28 provides that documentation supporting system shall be capable of providing adequate information for independent validation of IRRBB measurement. Limits setting and implementation. Article 23 requires banks to apply limit management to market risk and establish internal approval and operating procedures for all types and levels of limits. Such limits shall be commensurate with the nature, scale and complexity of banks’ business activities and risk tolerances, reviewed periodically and updated when necessary. The overall market risk limit, and the types and structure of limit shall be approved by the Board. Banks shall have procedures to monitor, control and handle exceptions to limits. All limit exceptions shall be reported in a timely manner to the appropriate level of management, while limit breaches without prior approval shall be dealt with in accordance with relevant policies and procedures. The management shall decide whether to adjust the limit management system in light of the occurrence of exceptions. Article 10 of the Interest Rate Risk Guidelines requires banks to define requirements of internal control, limit management, reporting and auditing with respect to IRRBB management as prescribed in the Market Risk Management Guidelines. Management information system. Article 12 of the Interest Rate Risk Guidelines provides that banks’ management information systems shall provide support for accurate, timely, continuous and adequate identification, measurement, monitoring, control and reporting of IRRBB. The systems shall at least have the following functions: (a) calculating re-pricing gap in line with the set maturities to reflect maturity mismatch, (b) calculating and analyzing IRRBB of transactions denominated in major currencies, (c) quantitatively assessing the impact of IRRBB on banks’ net interest income and economic value, (d) supporting examinations on compliance with limit policies, and (e) providing support for stress test and model validation. CBRC evaluates banks’ IRRBB management systems, including the adequacy of IRRBB measurement, soundness of assumptions and parameters, effectiveness of limit management policies, and completeness of management information systems. Annex 13 Risk Assessment Criteria for Commercial Banks to the Capital Rules further sets out requirements on IRRBB measurement, assessment, mitigation and management information systems. The CBRC uses a combination of on and off-site techniques to analyze, monitor, assess banks’ practices, and, if necessary risk warnings. Through its OSS the CBRC: • assesses whether banks’ IRRBB measurement systems fully cover major positions and potential risks associated therewith, whether the systems match banks’ business nature and complexity and can produce clear and reasonable measurements, and whether risk measurement procedures take full consideration the risks that may have impact on banks’ revenue and capital. 204 PEOPLE’S REPUBLIC OF CHINA • assesses whether banks understand the limitations of risk measurement tools, and whether an independent and effective audit function has been established to validate the reliability and validity of relevant models and procedures. • analyzes whether banks follow appropriate principles when setting risk limits and conducting regular risk assessment, and whether limits management policies are adequately communicated to related persons. • reviews compliance with limits and assesses whether banks have written and documented policies and procedures with appropriate techniques to monitor and handle exceptions, and whether the exception approval procedures are appropriate. • assesses whether banks’ management information systems can effectively provide timely, accurate and complete information. Through the on-site inspections, the examiners have the power to access banks’ management information systems to collect returns and data, and review all the materials on IRRBB measurement including: • policies, procedures and decisions to measure, monitor, evaluate, verify and manage IRRBB; • design and analysis of interest rate shock scenarios and model design and validation information; • limit management policies and procedures, reports on implementation of limit policies, • approval documents for exceptions to limits, and reports on the handling of unapproved exceptions; and • risk mitigation measures, etc. It is CBRC practice to test understanding and of the Board, senior management and risk management departments through interviews. EC4 The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements. Description and Article 24 of the Interest Rate Risk Guidelines provides that based on banks’ existing or findings re EC4 predicted business performance, development strategy, total assets and liabilities and changes in the structure thereof, and characteristics of interest rate risk, banks shall conduct stress tests and develop corresponding contingency plans as required. Stress test shall cover all material sources of risks. While developing and reviewing interest rate risk management policies, procedures and limits, the senior management shall consider stress test results. Article 33 stipulates that CBRC shall review and assess banks’ IRRBB management system, including the effectiveness of stress test and the application of measurement and stress test results. The Guidelines on Stress Tests of Commercial Banks provides more specific guidance and requirements on the scope and implementation of stress testing. For example, Article 17 stipulates that commercial banks shall conduct comprehensive stress tests, generally covering all types of risks and major on- and off-balance sheet businesses, and considering correlations between different businesses as well as possible non-linear relationships between risk factors and stress-bearing indicators. Stress tests for various types of risks are required be integrated to reflect banks’ and banking groups’ overall risk profile. Article 30 requires that the risk types covered by stress scenarios shall include IRRBB. Article 32 provides that stress scenarios for market risk shall include interest rate re-pricing, 205 PEOPLE’S REPUBLIC OF CHINA benchmark interest rate asynchronization, drastic fluctuations in yield curve and loss from exercising options, etc. The CBRC requires banks to report their net interest income and net value with an impact of 200 basis points parallel movement of interest rate in the Table on Interest Rate Re- pricing Risks, as well as with interest rate shock scenarios in region-specific supervisory returns. In the course of its supervisory processes the CBRC assesses whether banks have stress test programs and whether selected stress scenarios reflect market conditions and banks’ positions and risk features, and reviews whether banks develop necessary contingency plans and determine whether and how to improve limits management, asset allocation and other market risk management policies and procedures in accordance with the stress test results. The CBRC reviews stress test policies and reports and interviews risk management personnel to understand banks’ scenario designs, stress test programs, model designs and application of stress test results. As noted in CP22, the CBRC also organizes system wide unified stress tests to assess the soundness of individual banks and the banking sector as a whole. The unified stress tests include comprehensive stress tests and targeted stress tests, including full-scope stress tests that consider the changes in profit/loss caused by interest rate risk exposures under stress scenarios. Assessment of Compliant Principle 23 Comments One of the most significant changes to affect the financial sector in China since the last BCP assessment has been the liberalization of interest rates and the CBRC has worked to meet this challenge. The phased stages of liberalization appear to have given banks time to adapt to the greater latitude and the CBRC reports that banks’ behavior, so far, has been broadly conservative. Responding to recommendations from the last assessment, the CBRC has enhanced its resource specialization in respect of interest rate risk—there is a specialist team—and routinely analyses data to identify outliers. Taking the recent revised Basel standards on interest rate risk in the banking book (to be implemented by 2018) into consideration, the CBRC in Shanghai is piloting applying more extreme scenarios (e.g. 250 and 300 basis point shifts as well as twists). Banks are also required to undertake their own scenario analysis and interest rate sensitivity is incorporated in stress testing. The CBRC is, however, encouraged to use the adoption of the revised Basel standard as a springboard for issuing more extensive guidance to the industry. Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or 206 PEOPLE’S REPUBLIC OF CHINA mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards. Essential criteria EC1 Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards. Description and All banks are subject to liquidity risk management regulations. The Banking Supervision Law findings re EC1 (Article 21) prescribes that banks shall strictly observe prudential rules and guidelines that cover, among other items, liquidity management. The Liquidity Risk Rules (Article 2) applies to commercial banks established in China, including both domestic and foreign funded banks and also (Article 59) to rural cooperative banks, village banks, rural credit cooperatives, branches of foreign banks. The quantitative supervisory requirements include the liquidity coverage ratio and liquidity ratio (liquid assets as a percentage of liquid liabilities). The liquidity ratio applies to all commercial banks but the Liquidity Coverage Ratio does not apply to institutions (commercial banks or rural cooperative institutions or foreign branches) below the threshold of CNY200bn assets. Qualitative requirements In summary, the Liquidity Risk Rules (Article 4) provides that a bank shall, establish and update liquidity risk management programs to effectively identify, measure, monitor and control liquidity risk for legal entity and banking group, all affiliates, branches and subsidiaries, and business lines, and ensure its liquidity needs can be satisfied timely at a reasonable cost. Further, Chapter 2 sets out specific requirements on liquidity risk management. Banks are required to improve liquidity risk governance structures, strategies, policies and procedures for better identification, measurement, monitoring and control of liquidity risk, and enhance the management information systems, in line with the sound practices advocated in the Principles for Sound Liquidity Risk Management and Supervision by the Basel Committee. If a bank’s liquidity risk management fails to meet the CBRC’s standards, Article 56 sets out the CBRC’s powers to require banks with deficiencies in liquidity risk management to make corrections within a specified period. Article 56 also prescribes a range of supervision measures available for the CBRC to adopt if a bank fails to do so or its liquidity risk management has material deficiencies. These measures range from interviews with the Board and senior management, more frequent (and stringent) reporting, enhancing on-site inspections, restricting planned business expansion or increased capital requirements. Quantitative requirements The Liquidity Risk Rules (Article 36) provides that the quantitative liquidity risk indicators include both the liquidity coverage ratio (LCR) and liquidity ratio. Banks must meet the minimum regulatory standards on an ongoing basis. The LCR is imposed through Article 37 and is still in the process of transition, consistent with the Basel timetable, as set out in Article 64. Annex 2 specifies the LCR in detail. The liquidity ratio is set out in Article 38, 207 PEOPLE’S REPUBLIC OF CHINA consistent with Article 39(2) of the Commercial Bank Law. The ratio of liquid assets of a bank over its liquid liabilities shall be no less than 25 percent. The details of this ratio are not set out in regulation but are found in the G22 liquidity return and instructions. The liquidity ratio is a ratio of liquid assets to liquid liabilities, over a one month horizon, reported at contractual maturity. Assets must be unencumbered and unimpaired. Should a bank fail to meet the quantitative liquidity standards, then the supervisory powers and actions specified in the Banking Supervision Law can apply, including fines. However, the CBRC will first give the bank the opportunity to correct its situation in a prescribed timeframe and if the breach of the LCR requirement occurred during a period of stress, or if other circumstances need to be taken into account, the CBRC has the discretion to apply its judgment (Article 55). In practice, in the first instance (and presuming no emergency) the CBRC would hold supervisory interviews, issue supervisory letters, issue risk alters and seek improvements. Liquidity risk monitoring requirements, that the CBRC must monitor and banks observe are specified in Articles 40-47: • Article 40 provides that CBRC shall regularly analyze and monitor the liquidity risk of banks and the banking system in terms of maturity mismatch between assets and liabilities, diversification and stability of funding sources, unencumbered assets, liquidity risk profile of significant currencies, and market liquidity. The prescribed dimensions for liquidity risk monitoring are consistent with the dimensions covered by the monitoring tools specified in the Basel III: The Liquidity Coverage Ratio and liquidity risk monitoring tools. • Articles 41 to 45 specify the monitoring requirements and reference indicators for contractual maturity mismatch, diversification and stability of funding sources, unencumbered assets, liquidity risk profile of significant currencies, and market liquidity. • Article 46 prescribes the monitoring requirements for the loan-to-deposit ratio. • Article 47 provides that CBRC may undertake liquidity risk analysis and monitoring by reference to banks’ internal liquidity risk management indicators or using other liquidity risk monitoring tools. LCR disclosure requirements Disclosure requirements for the LCR are set out separately in the Rules on the Information Disclosure of Liquidity Coverage Ratio of Commercial Banks based on the Basel standards. The disclosure standards cover frequency, contents and timeframe of LCR disclosure for banks to which the regulatory requirements on LCR are applicable. There are simplified disclosure requirements for banks to whom the LCR does not apply. EC2 The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate. Description and The Liquidity Risk Rules, provide a range of requirements addressing strategy, policy, stress findings re EC2 scenarios, and a consideration of on and off-Balance Sheet risks. An annual revision of a bank’s liquidity risk appetite and liquidity risk management strategies, policies and procedures, taking into full account its business development, technical updates and market changes is required by Article 20. Stress testing programs are 208 PEOPLE’S REPUBLIC OF CHINA required under Article 28 and must give full regard to specific bank-wide impact and market-wide systemic impact (individually and in combination), and fully consider inherent correlations between liquidity risk and other types of risks as well as the impact of market liquidity on the bank’s liquidity risk. The stress testing frequency shall be commensurate with the bank’s size, risk level and market influence. Banks shall be able to satisfy liquidity needs and survive at least 30 days under market-wide systemic shock scenarios. The requirement to hold adequate high quality liquid assets (HQLAs) to ensure timely satisfaction of liquidity needs under stress scenarios is found in Article 30. The Liquidity Risk Rules (Article 45) impose a specific requirement on the CBRC to closely monitor and study the impact of macro-economic and financial market developments on the liquidity of the banking system, and analyze overall liquidity conditions of the financial markets. When CBRC detects strains on market liquidity, rise of funding cost, deterioration or loss of marketability of HQLAs, or liquidity transfer restrictions, it shall analyze the impact on banks’ funding capability in a timely manner. Article 52 provides that in the case of significant events with adverse effect on banks’ liquidity risk, for example, material adverse changes of market liquidity conditions, or material adverse changes of political or economic conditions in countries/jurisdictions where the parent company or group is operating, the bank shall report to the CBRC in a timely manner. In terms of on- and off-balance sheet risks, banks’ liquidity risk management strategies, policies and procedures must cover all on- and off-balance sheet activities (Article 17). On- and off-balance sheet risks are taken into account in cash flow estimation, setting of early- warning indicators, and stress scenarios design (Article 22 and 23, and Annex 1). The CBRC is required to consider on- and off-balance sheet items in monitoring banks’ contractual maturity mismatch and concentration of funding under Articles 41 and 42. In addition, banks which are subject to LCR requirements shall hold adequate eligible HQLAs to satisfy liquidity needs for at least 30 days under liquidity stress scenarios. The calculation of total net cash outflows for the subsequent 30 calendar days shall consider both on- and off- balance sheet items. The calculation of liquidity gap and liquidity gap ratios must reflect the different maturities of on- and off-balance sheet assets and liabilities. The CBRC obtains data through the OSSRS to monitor liquidity maturity gaps as well as off-balance sheet inflows and outflows of different maturities. The CBRC stress testing programs for liquidity risk also contain scenarios for off-balance sheet items. While the Liquidity Risk Rules include a number of elements that require banks to take consideration of the macroeconomic environment, the CBRC also provides quarterly briefings to the industry sharing views on macroeconomic conditions and risks that the banks are facing and supervisory requirements. Banks are instructed, at these forums, to monitor and analyse the impact of macroeconomic conditions and factor them into management. Major banks attend these briefings in person in Beijing but the briefings are accessible to all banks on a nationwide basis through videoconference facilities through the CBRC’s national network of offices. The most recent briefing was in January 2017. EC3 The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been 209 PEOPLE’S REPUBLIC OF CHINA approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance. Description and The Liquidity Risk Rules (Article 6) requires banks to have a liquidity risk management findings re EC3 system commensurate with their business size, characteristics and complexity both on the entity and group levels. The system shall comprise: effective governance structure; sound strategies, policies and procedures; effective identification, measurement, monitoring and control of liquidity risk; and comprehensive management information systems. Board oversight is prescribed by Article 8 and requires that the Board shall review and approve liquidity risk appetite as well as the strategies, important policies and procedures for liquidity risk management. All banks, irrespective of balance sheet size are subject to the requirement (Article 30) to hold adequate HQLAs to satisfy liquidity needs in times of stress. HQLAs shall be unencumbered assets including liquid assets that can be sold or pledged (secured) to obtain funds in times of stress. Banks shall determine the scale and composition of the HQLA on a conservative basis, in line with their liquidity risk appetite and taking into account the severity and duration of stress scenarios, cash flow gaps and marketability of HQLAs. Banks’ liquidity risk management policies and procedures must (Article 16 and 17) be based on their defined liquidity risk appetite that shall be in line with the bank’s business strategies, characteristics, financial strength, funding capability, overall risk appetite and market influence. The policy should specify the liquidity risk that the bank is willing and able to take under both normal and stress circumstances. In addition, the liquidity risk management strategies, policies and procedures must cover on- and off-balance sheet activities, as well as all business departments, branches, subsidiaries and affiliates, domestic and overseas, which may have material impact on its liquidity risk, and shall include liquidity risk management under both normal and stress circumstances. As supervisory requirements on LCR apply to banks with total assets no less than RMB 200 billion, those banks shall have in place policies and procedures to calculate and manage LCR, and information systems to support LCR management. The CBRC evaluates banks’ overall liquidity risk profile and liquidity risk management programs through its on-site examinations and OSS. Important topics of the evaluation include: liquidity risk management framework, liquidity risk appetite, management strategies, policies and procedures, management information systems and reporting processes. In discussion with the assessors, the CBRC noted that liquidity stress in 2013 had been instrumental in focusing banks’ attention on the potential for stress events. EC4 The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including: (a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards; 210 PEOPLE’S REPUBLIC OF CHINA (b) sound day-to-day, and where appropriate intraday, liquidity risk management practices; (c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide; (d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and (e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate. Description and Risk appetite. Risk appetite, subject to Article 8 of the Liquidity Risk Rules shall be reviewed findings re EC4 and approved by the Board. The liquidity risk appetite, subject to Article 16 must be commensurate with the bank’s operational strategies, business characteristics, financial strengths, funding capability, overall risk appetite and market influence. Similarly, and as mentioned in other risk CPs, there are overarching requirements for the setting and operationalization of risk appetite in the Comprehensive Risk Management Guidelines. Day-to-day risk management. The Liquidity Risk Rules (Article 10) provide that a bank shall designate a department to take charge of liquidity risk management, including identifying, measuring and monitoring liquidity risk, continuously monitoring the conditions of HQLAs, monitoring the compliance with liquidity risk limits and ensuring the timely reporting of exceptions, organizing and undertaking stress tests for liquidity risk, and organizing test and assessment of liquidity risk contingency plans. Intra-day liquidity risk is addressed by Article 27 and requires that banks shall strengthen intra-day liquidity risk management and ensure adequate intra-day liquidity positions and relevant funding arrangements to meet intra-day payment needs in a timely manner under normal circumstances and in periods of stress. Generally, day-to-day and intra-day liquidity risk management is undertaken by the bank’s Assets and Liabilities Management Department and/or Planning and Finance Department. Effective IT systems. (Article 34) of the Liquidity Risk Rules requires that banks shall have in place sound management information systems to measure, monitor and report liquidity risk profile accurately, timely and comprehensively. Additionally Article 34 states that banks’ management information systems shall at least have 7 functions, including: (a) to calculate cash inflows, outflows and gaps during set time horizons on a daily basis, (b) to calculate regulatory and monitoring indicators for liquidity risk in a timely manner and increase the monitoring frequency where necessary, (c) to support the monitoring and control of liquidity risk limits, (d) to support real-time monitoring of large-amount funding flows, (e) to support the monitoring of the types, quantities, currencies, locations, entities, and escrow accounts of HQLAs and other unencumbered assets, (f) to support the monitoring of the types, quantities, currencies, locations, entities, and escrow accounts of collateral, and (g) to support stress testing under different hypothetical scenarios. 211 PEOPLE’S REPUBLIC OF CHINA Oversight by the Board. (Article 8) of the Liquidity Risk Rules requires that the Board shall assume ultimate responsibility for liquidity risk management and ensure that senior management effectively manages and controls liquidity risk. Article 9 provides that the senior management shall establish and regularly assess liquidity risk appetite, and strategies, policies and procedures for the management of liquidity risk, and oversee the implementation. Under Article 17 banks shall have written liquidity risk management strategies, policies and procedures commensurate with their liquidity risk appetite. According to Articles 14 and 15, banks’ internal audit function shall regularly audit and assess the adequacy and effectiveness of liquidity risk management, and submit internal audit reports to the Board and supervisory board. The Board shall urge the senior management to correct the issues identified during internal auditing promptly. The internal audit function shall monitor the corrective progresses and report in a timely manner to the Board accordingly. Regular review. The Board’s responsibility, as indicated in the above paragraphs, is set out in Article 8 (and the Comprehensive Risk Management Guidelines) and provides that the Board shall review and approve the strategies and important policies and procedures for liquidity risk management. Strategy must be considered by the Board at least once a year and Article 20 requires that banks shall assess their management strategies, policies and procedures at least annually and make revisions thereto where necessary; concerning their business development, technical updates and market changes. In addition, the Corporate Governance Guidelines sets out requirements on the Board’s and senior management’s performance of risk management duties. The CBRC obtains information on banks’ liquidity risk indicators and collects materials such as liquidity risk management strategies, policies and procedures from supervisory returns submitted by banks at regular intervals. Through on-site examinations, CBRC monitors and oversees the implementation of liquidity risk management strategies, policies and procedures, development of management information systems, and assess performance of the Board and senior management. By observing Board meetings, the CBRC is able to determine the understanding and performance of the Board. EC5 The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g. credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include: (a) an analysis of funding requirements under alternative scenarios; (b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress; (c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits; (d) regular efforts to establish and maintain relationships with liability holders; and (e) regular assessment of the capacity to sell assets. Description and Funding requirements Several articles of the Liquidity Risk Rules (Articles 17, 18 and 20) set findings re EC5 out the requirements for banks to put in place written liquidity risk management policies and procedures which shall cover, among other items, funding management, assess such 212 PEOPLE’S REPUBLIC OF CHINA policies and procedures at least annually and make revisions where necessary. Article 33 provides that banks shall prudently assess the impact of credit risk, market risk, operational risk, reputation risk and other risks on the liquidity risk. HQLA Cushion Banks must hold adequate HQLAs to satisfy liquidity needs in times of stress (Article 30). HQLAs shall be unencumbered assets including liquid assets that can be sold or pledged (secured) to obtain funds in times of stress. Applicable regulations on LCR (Article 37 and Annex 2) state that the purpose of LCR is to make sure that banks have adequate eligible HQLAs to ensure satisfaction of liquidity needs for at least 30 days by liquidating such assets under prescribed liquidity stress scenarios. Eligible HQLAs refer to cash and cash equivalents and other assets that meet appropriate criteria and can be liquidated quickly in financial markets with no or negligible loss. Banks’ internal liquidity risk management policies, processes and procedures spell out contents relating to management of funding and HQLAs. Diversification Article 25 provides that banks shall establish and update their funding strategies to increase the diversification and stability of funding sources. Banks’ funding management shall meet the following requirements: (a) analyzing the funding demands and sources in different time horizons under both normal circumstances and stress scenarios, (b) strengthening the management of concentrations in terms of liability types, maturity, counterparties, currencies, collaterals and funding markets, and setting appropriate concentration limits, Relationships with counterparties. Article 25 (3) requires banks to strengthen their management of funding channels, actively maintaining the relationship with major funding counterparties. Capacity to sell assets. Article 25 (3) also requires banks to remain appropriately active in the market, and assess their ability to obtain funding in the market as well as the marketability of their assets. Article 25(4) requires banks to closely monitor changes in trading volume and prices of major financial markets, and assessing any impact of market liquidity on their ability to obtain funding. The CBRC reviews internal liquidity risk management policies and procedures submitted by banks and conducts on-site examinations to assess banks’ management of funding and liquid assets. the CBRC regularly monitors the diversification and stability of banks’ funding sources and analyzes its impact on liquidity risk. Through the OSS returns, the CBRC monitors the excess reserve ratio, core funding ratio, interbank funding ratio, top 10 depositors ratio and top ten interbank funding ratio, and obtain information on the composition of banks’ eligible HQLAs through LCR returns. With respect to banks with higher funding risks, the CBRC will issue risk alerts as needed. EC6 The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to 213 PEOPLE’S REPUBLIC OF CHINA ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies. Description and Contingency plans are addressed in Article 29 of the Liquidity Risk Rules. The plan must be findings re EC6 commensurate with the bank’s size, characteristics, complexity, risk profiles, organizational structures and market influence, and consider stress test results, so as to meet the liquidity needs in times of emergencies. Banks must test and assess the plan at least annually and make revisions as necessary. The plan must satisfy the following requirements: • Set a range of scenarios as triggers; • Specify the sources of contingency funding, and reasonably estimate possible size and duration of funding, taking into account restrictions on cross-border, cross-institutional liquidity transfer, and ensures the reliability and adequacy of contingency funding sources; • Contain contingency procedures and actions, at least covering the perspectives of asset, liability, actions to strengthen internal and external communication, and actions to reduce adverse impact on the bank arising from information asymmetry; • Articulate the authorities and responsibilities for the Board, senior management and relevant departments in implementing contingency procedures; and • Contain separate contingency plans both on the entity and group levels, and establishes specific contingency plans for significant currencies and major overseas geographic areas where necessary. Specific contingency plans are required for branches, subsidiaries or affiliates that are subject to liquidity transfer restrictions. Furthermore, Annex 1 Explanatory Notes on Liquidity Risk Management specifies reference contents for banks’ liquidity risk contingency plans, comprising 7 scenarios as triggers, contingent actions for asset side and liability side, internal and external information communication and reporting requirements during crisis (including communication with government agencies and supervisory authorities). To determine whether banks have met requisite standards for contingency planning the CBRC requires banks to submit liquidity risk management policies, processes and procedures, including liquidity risk contingency plans, and any updates. Through OSS and on-site examinations, the CBRC assesses banks’ compliance with the above requirements, requires them to take corrective actions, or takes supervisory actions where necessary. During the assessment, the CBRC mainly focuses on (a) whether the scenarios contained in the plans are comprehensive, reasonable and prudent; (b) whether the contingency funding sources are reliable and adequate; (c) whether the contingency actions are explicit and feasible; (d) whether the demarcation of responsibilities is clear and effective; and (e) whether the reporting and communication is smooth. Banks have generally established internal liquidity risk contingency plans covering emergency events, demarcation of responsibilities, monitoring and early-warning, information communication and reporting, contingency actions, and updated these plans according to the test and assessment results. 214 PEOPLE’S REPUBLIC OF CHINA EC7 The supervisor requires banks to include a variety of short-term and protracted bank- specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans. Description and Stress testing requirements are set out in the Liquidity Risk Rules (Article 28) and provide findings re EC7 that banks shall have in place liquidity stress test programs to analyze their ability to withstand short-term, and medium and long-term stress scenarios. Such programs need to satisfy the following requirements: (a) The stress scenarios are reasonably and prudently designed and periodically reviewed. The stress scenarios need to take account of specific bank-wide impact and market- wide systemic impact, either respectively or collectively, as well as the level of stress, including mild, medium and severe; (b) Banks should reasonably and prudently set the minimum time horizon during which the bank meets its liquidity needs and survive in stress scenarios. The time horizon shall be no less than 30 days under the market-wide systemic shock scenarios; (c) Inherent correlations between liquidity risk and other types of risks, as well as the impact of market liquidity on the banks liquidity risk, are taken into account; (d) Stress tests are conducted periodically at both entity and group levels, and separate stress tests of branches, subsidiaries or affiliates are also undertaken when they are subject to liquidity transfer restrictions; (e) The frequency of stress tests is commensurate with the bank’s size, risk profile and market influence, at least quarterly. The frequency is expected to increase in times of severe market fluctuations; (f) Where possible, ex-post tests are carried out to verify stress test results by reference to past bank-wide or market-wide liquidity shocks. Test results and ex-post verifications are recorded in writing; and (g) The bank has taken full account of test results in establishing liquidity risk appetite, strategies, policies and procedures, business and financial plans, and adjustments are made where necessary. Furthermore, Article 29 provides that banks shall fully consider the stress test results when implementing liquidity risk contingency plans. Finally, Article 14 requires the internal audit function to regularly review and assess whether the assumptions for stress tests are reasonable. Indicative stress test scenarios for banks to refer to are set out in Annex 1 Explanatory Notes on Liquidity Risk Management to the Liquidity Risk Rules and Article 33 of the Guidelines on Stress Tests of Commercial Banks. These include (banks are not expected to limit themselves to these scenarios): • significant decrease in liquidity of traded assets, major outflow of wholesale and retail deposits, declining availability of wholesale and retail funding, default or bankruptcy of a major counterparty, credit rating downgrade or increase in reputational risk, material adverse change in market liquidity conditions, damage arising from off-balance sheet 215 PEOPLE’S REPUBLIC OF CHINA business, complex and illiquid products, disruption to the bank’s payment and clearing system, etc. In designing scenarios Article 35 of the Guidelines on Stress Tests of Commercial Banks provides that when designing scenarios, banks shall consider the spillover effects of reputation risk, and pay attention to the impact of that on credit risk, liquidity risk and market risk, including contractual and non-contractual off-balance sheet exposures or securitization exposures, which might be transferred into on-balance sheet due to reputation concerns. During on-site examinations, CBRC assesses liquidity stress tests undertaken by banks to see whether the stress scenarios are reasonable and prudent, and whether the test results are made full use of, and issues supervisory opinions accordingly. During OSS, CBRC assesses stress test programs and reports, and requires banks to improve the test approaches and enhance the application of test results. A focus on stress testing and contingency plans has been one of the most significant developments in the CBRC’s practices in recent years. Under the regulatory requirements banks have to perform stress tests frequently but report only regularly. The CBRC indicated that stress testing was quarterly in the banks but the CBRC received results typically on an annual basis. EC8 The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities. Description and Management of significant currencies. The Liquidity Risk Rules require banks to disaggregate findings re EC8 currencies if the currencies are significant to its business profile. Hence, Article 62 of the Liquidity Risk Rules provides that a currency is considered “significant” if the aggregate liabilities denominated in that currency amount to 5 percent or more of the bank’s total liabilities. Article 22 requires banks to separately estimate and analyze the cash flows by significant currency. Article 29 provides that banks shall develop specific contingency plans for each significant currency as needed. Article 32 requires banks to identify, measure, monitor and control liquidity risk for domestic and foreign currencies in aggregate and for each significant currency individually. Management of individual currencies. Article 25 and 26 provide that banks shall strengthen the management of concentrations in currencies in which liabilities are denominated and set appropriate concentration limits, and monitor and analyze the currencies in which unencumbered assets available for use as collaterals are denominated. 216 PEOPLE’S REPUBLIC OF CHINA Liquidity transfer restrictions refer to impediment to cross-border or cross-entity transfer of funds or collateral due to legal, supervisory, taxation and foreign exchange controls or due to currency inconvertibility (see Article 60). The stress tests, contingency plans, consolidated management and LCR calculation shall take liquidity transfer restrictions into account (see Articles 28, 29, 31 and 39). Additionally, the Guidelines on the Consolidated Management and Supervision of Commercial Banks (Article 42) requires banks to adequately assess their ability to carry out liquidity transformation across jurisdictions, entities and currencies, pay close attention to various restrictions on capital movements, and focus on the impact of cross-border or cross-sector capital controls, foreign exchange controls, market differences and ring-fencing actions on the banking group’s liquidity management. Significant currencies. The Liquidity Risk Rules also sets out supervisory requirements for supervisors with respect to currencies and significant currencies. For example, Article 40 requires CBRC to regularly analyze and monitor the liquidity risk of banks and the banking system from the perspective of liquidity risk profile in significant currencies. Additionally, Article 44 requires the CBRC to decide whether or not to monitor the liquidity risk in each significant currency individually, according to the size of foreign exchange business, mismatches in currencies, and market influence of banks. Applying a materiality principle, Article 42 requires CBRC to analyze the concentrations of on- and off-balance sheet liabilities in terms of funding instruments, counterparties and currencies. The CBRC uses its data collection on banks’ liabilities denominated in foreign currencies as an aid to identifying banks that are more active in liquidity transformation in foreign currencies. Secondary indicators, are also used, including the gap between deposits and loans in foreign currencies, the gap between interbank assets and liabilities in foreign currencies, and the sum of the above gaps plus paid-in capital in foreign currencies. The CBRC has been intensifying its efforts to monitor LCR by significant currencies, and requires banks to provide data on LCR in each single currency if the aggregate liabilities denominated in that currency amount to 3 percent or more of the bank’s total liabilities. When banks are active in fx transactions—frequently the foreign-funded banks—the CBRC strengthens its monitoring of liquidity indicators by currency and gives considers to liquidity risk in each significant currency. Currently, the majority of banks have small-sized foreign currency-denominated transactions. Only a few large banks have significant currencies, predominantly U.S. dollar. Foreign currencies held by banks are freely convertible and actively traded in international markets, including U.S. dollar, Hong Kong dollar, Euro, Japanese Yen, and British pound. Large banks include liquidity requirements for foreign currencies and significant currencies in their liquidity risk management programs, monitor mismatches of cash flows in major foreign currencies, and set appropriate limits where necessary. Large banks analyze cash flows in foreign currencies and undertake foreign currencies liquidity stress tests on a regular basis. Assessment of Compliant Principle 24 Comments The CBRC approach to liquidity risk supervision is more sophisticated and intense than at its last assessment. As with other related risks—market risk and interest rate risk—the CBRC has developed a pool of specialist resources. All banks with assets no less than RMB200bn 217 PEOPLE’S REPUBLIC OF CHINA are subject to the LCR and this represents about 90 percent of the assets of the banking system. All banks, including those below the LCR threshold must meet the liquidity ratio and all without exception, are subject to the liquidity risk management standards and monitoring tools which are based on the Basel standard. The strengthening of liquidity supervision is particularly welcome given market developments, as lower tier banks are becoming increasingly dependent on wholesale funding and to the extent that this sector is not subject to the LCR, the CBRC should devote a particular supervisory focus. Also, and as noted in CP 12, the CBRC should ensure that all banks adopt stringent and severe stress test scenarios and parameters and develop appropriate contingency plans and credible, actionable arrangements should such scenarios develop. Wholesale funding reliance in small banks—which should in any case be discouraged on the basis of diversification in funding sources—and contagion risk in WMPs merit particular attention in these scenarios and in banks’ planning. In order to illustrate the supervisory work carried out under this principle, the CBRC shared a wide range of materials including redacted examination reports, analyses, supervisory alerts and requirements and reports prepared for senior CBRC management. The supervisory work was of a very high standard. Finally, should be noted that the BCP assessment mission took place several months before the Basel Committee RCAP assessment mission for the LCR regulations in China, which was planned for June 2017. The BCP and RCAP assessments have an overlapping but not identical focus and are not substitutes for each other. Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk 57 on a timely basis. Essential criteria EC1 Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase). Description and The Operational Risk Guidelines sets out the main supervisory requirements that banks findings re EC1 must meet. All banks are subject to the Guidelines. Several articles, including Article 5 and 6(4) of the Operational Risk Guidelines require banks to have in place operational risk management framework and policies in proportion to their business models, sizes, business complexity, and risk profiles. Banks are expected to 57 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. 218 PEOPLE’S REPUBLIC OF CHINA effectively identify, assess, monitor, control and mitigate operational risk. Again, as for other risks, the Guidelines on Comprehensive Risk Management also applies. Also, banks are required to have effective procedures to regularly monitor and report operational risk profile and material losses (Article 15). In response to accumulation of potential risks, banks are expected to have an early-warning system so that steps can be taken to control and mitigate risks and to reduce the frequency and severity of losses in a timely manner. From the capital perspective, Articles 105 and 106 of the Capital Rules provide that banks shall have sound risk management framework and internal capital adequacy assessment process (ICAAP) that are commensurate with their risk appetites, risk management capacities, operation performance, risk trends, and long-term strategies. The Heightened Regulatory Standards (HRS - Article 14) for the five large banks imposes higher target standards for operational risk incidents and operational losses. Consistent with the Operational Risk Guidelines (for example, Articles 4, 5 and 25) supervisors are required to focus on the following areas during the assessment of operational risk management: (a) oversight by the Board; (b) responsibilities and duties of the senior management; (c) appropriate organizational structure; (d) policies, processes and approaches of operational risk management; and (e) adequate capital coverage. The CBRC indicated that it pays close attention to the following issues while reviewing the policies and processes of operational risk management: • whether the bank has clear definition of operational risk consistent with regulations; • whether the bank has a sound organizational structure and clear lines of powers and responsibilities for operational risk management; • whether the bank has appropriate processes to identify, assess, monitor and control and mitigate operational risk; • whether the bank has an effective operational risk reporting framework, including reporting line, responsibility and frequency, as well as reporting responsive mechanisms; and • whether the bank has in place requirements to timely assess risks associated with new products, new business activities, key business procedures, IT systems, HR management, external impact factors and their developments. Given range of banks in the Chinese banking system, the CBRC emphasizes the principle of proportionality for operational risk management. For example, Articles 5 and 12 stress that the requirements must take account of the bank’s nature, size and complexity. Also, Article 11 includes a specific reference that applies only to banks that are complex and substantial and Article 14 imposes requirements to adopt more advanced risk management techniques specifically on banks that have significant and complex volumes of business. Similarly, Annex 12 to the Capital Rules provides that large banks shall have operational risk management systems taking account of their business sizes and complexity. As for banks that have adopted standardized approaches to calculate capital charge against operational risk, the Rules for Commercial Banks on Implementing Advanced Approach to Capital Management sets out more stringent qualitative standards and introduced additional regulatory indicators though it should be observed that no banks are using AMA for capital 219 PEOPLE’S REPUBLIC OF CHINA adequacy calculations. With respect to small and medium-sized banks, the CBRC focuses more on effects of their internal controls and compliance management, and strengthens the oversight of key risks such as internal and external frauds. Also, the Provincial Offices of the CBRC have the right—subject to scrutiny of the head office (Legal Department in consultation with the Prudential Regulation Department)—to issue more detailed guidance that is tailored to the specific issues of their region. In the field of operational risk, for example, some inland provinces have issued guidelines to assist banks with such issues as earthquakes, while some coastal provinces have more guidance focused on events such as typhoons. The central approvals that are required for all such provincial level regulations ensures that there is quality control, no dilution of minimum standards, no exceeding the perimeters of the regulation and also the opportunity to disseminate guidance that might be more broadly applicable nationwide through risk alerts and other forms of regulatory notices. In terms of specific supervisory approaches, the CBRC incorporates OSS, on-site examinations and market access into an interactive practice. Based on supervisory activities including reviewing documents, systems, interviews, reviewing the capital measurement process and outcomes, etc., the CBRC assesses the banks’ organizational structures, policies, tools, processes and reporting lines for operational risk management. Where banks are expected to develop risk management tools, the CBRC assesses the use test of operational risk and control self-assessment (RCSA), key risk indicators (KRIs), and loss data collection (LDC) tools. Where a bank has experienced severe loss events, the CBRC would require the bank to submit specific improvement plans and to take punitive measures on responsible individuals in accordance with supervisory rules. The assessors discussed some cases. According to the Internal Guidelines on Supervisory Rating of Commercial Banks and the Rules of the CBRC on Off-site Surveillance, operational risk management and IT risk management are components of supervisory assessment and are key factors in determining supervisory ratings of individual banks. For standardized approach banks, the CBRC has integrated loss data metrics into the OSSRS. Operational risk is a regular component of on-site examination plans and has featured prominently in thematic and targeted examinations in the past three years. There are three kinds of examinations. First, operational risk is included in full-scope on-site examinations, which, according to Article 7 of the On-site Examinations Rules, shall be conducted at least once every 5 years. Full-scope examinations include corporate governance, management and risk profile. In fact, the frequency of examination is adjusted in light of banks’ risk profile and systemic importance. Second, the CBRC undertakes thematic examinations based on common risks of the banking industry and risk profiles of individual banks, covering key processes and risk areas. Third, for standardized approach banks, the CBRC undertakes full-scope assessment and ongoing monitoring of the risk management and measurement systems. The CBRC monitors fraudulent loss events and issues supervisory letters to affected banks when necessary. Relevant banks are expected to report progresses on a timely basis. When 220 PEOPLE’S REPUBLIC OF CHINA detecting common trends in risk, the CBRC issues risk alerts to the industry as an early warning. Where a risk event has caused severe losses, there is individual accountability including persons directly liable for the events, and the persons in charge as well as managers up to two levels higher. Internal auditors are also penalized. The CBRC noted that banks have been operationalizing the three lines of defense approach, comprising business lines, operational risk management functions, and internal auditors. Banks are using a range of tools including—mainly for the larger banks—RCSA, KRIs and LDA, to identify and assess risks and monitor risk profile and trends. The major banks have developed loss data pools to assist risk management analysis, as well as decision making and capital measurement. The assessors noted that although Advanced Measurement Approaches are not permitted for capital adequacy purposes, some of the major banks have been using these approaches to enhance risk management and internal capital allocation. EC2 The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively. Description and The Board’s responsibility is established in Article 6 of the Operational Risk Guidelines findings re EC2 provides that the Board shall consider operational risk as one of the major risks and assume ultimate responsibility for overseeing the effectiveness of operational risk management. In particular Article 6(1) articulates the Board’s role in establishing the strategies and policies for operational risk management. Regular review by the Board is not explicitly specified but as operational risk is demarcated as a major risk for the bank, it would be straightforward for the CBRC to question why a bank had not refreshed its policies and strategies. Operational risk also falls into the remit of the 2016 Comprehensive Risk Management Guidelines (Article 3) and the articles covering risk governance (Chapter 2) set out the expectations that the Board must meet. Risk appetite is addressed in the Capital Rules (Article 111) and also, more recently, under the 2016 Comprehensive Risk Management Guidelines. The Capital Rules require that the Board shall decide risk appetite commensurate with the bank’s strategies and external environment and ensure adequate capital that covers all major risks. The Comprehensive Risk Management Guidelines require that the Board articulates the risk appetite and ensures an operational framework is put in place to support it. In addition, other supervisory rules and standards on corporate governance also set out requirements on the Boards’ responsibility and due diligence. CBRC carries out on-site examinations and OSS to assess the Board’s role in operational risk management framework. Methods include reviewing documents and regular meetings with the Board. While reviewing the Board’s role in operational risk management, CBRC focuses on the following aspects: (a) whether the Board has established appropriate bank-wide operational risk management policies and processes consistent with the overall strategic goals; (b) 221 PEOPLE’S REPUBLIC OF CHINA whether the Board effectively oversees senior management’s implementation of operational risk management policies; (c) whether the Board reviews operational risk reports provided by senior management, understands overall operational risk profile, assesses the effectiveness of the senior management in dealing with significant operational risk events, and evaluates the effectiveness of ongoing management of operational risk; (d) whether the Board plays its role in ensuring operational risk management system be effectively reviewed and overseen by internal audit department; and (e) whether the Board establishes appropriate incentive mechanism that promotes a sound operational risk management culture in the bank. EC3 The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process. Description and The Operational Risk Guidelines establish the senior management’s role and responsibility findings re EC3 (Articles 6 (2-4) and 7). This includes responsibility for implementing strategies, policies and process for the operational risk management approved by the Board and clearly defining the roles and responsibilities of different departments. Again, these requirements are further reinforced by the overarching provisions of the Comprehensive Risk Management Guidelines. Banks are required to designate a department to be responsible for the establishment and implementation of bank wide operational risk management (Operational Risk Guidelines – Article 8). The department shall be independent to ensure consistency and effectiveness of operational risk management throughout the bank. Further, the Capital Rules (Article 113) provide that a bank’s senior management shall be responsible for establishing and organizing the implementation of Internal Capital Adequacy Assessment Process (ICAAP), assigning roles and responsibilities to relevant departments, establishing and updating the assessment framework, process and management policies, and ensure the consistency of comprehensive risk management, capital measurement and allocation across the bank. To assess the performance of the senior management in operational risk management, CBRC focuses on the following aspects: • whether the senior management follows the operational risk management strategies and policies approved by the Board to regularly review and oversee the implementation of policies and processes, and provides information on the bank’s operational risk profile to the Board at regular intervals; • whether the senior management understands the bank’s operational risk profile, especially material risk events and factors; • whether the senior management has clearly defined responsibilities for all relevant departments regarding operational risk management, including defining the reporting lines, frequency and contents, and ensuring due diligence of different departments in fulfilling their respective responsibilities; • whether the senior management properly allocates resources to different functional departments, including providing necessary financial and human resources, offering 222 PEOPLE’S REPUBLIC OF CHINA necessary trainings, and granting necessary authorizations to relevant staff in implementing operational risk management policies and processes; and • whether the senior management reviews and updates the operational risk management policies and processes in a timely manner, in order to address operational risks associated with the changes in internal procedures, products, business activities, IT systems, staff, as well as external events and other factors. In recent years, the CBRC notes that banks have made concrete progress in the development of operational risk management tools (including RCSA, KRIs, LDC), and the CBRC further requires banks to incorporate these tools into bank’s general risk monitoring and analysis framework. The CBRC has been able to observe, over recent years, that the involvement of the senior management has been increasingly more active. Some large banks have established a weekly reporting mechanism, requiring relevant units to prepare and submit risk monitoring reports to the senior management. These reports are also communicated to business lines to reveal significant risks. Risk alerts are issued if necessary. The operational risk profile, risk trends, and major pitfalls are analyzed quarterly to provide support for the senior management in taking decisions. EC4 The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption. Description and A number of guidelines, notices and standards have been issued by the CBRC to impose findings re EC4 requirements and provide guidance to banks in the field of disaster recovery and business continuity. The Operational Risk Guidelines (Article 19) provides that a bank shall formulate contingency and business continuity plans commensurate with its size and complexity, put in place business recovery arrangements, and regularly hold exercises to test disaster recovery and business continuity plans. More detailed requirements are set out in the Guidelines on Business Continuity Supervision of Commercial Banks which applies to all banks and provides (Article 2) that a bank shall effectively address disruptions of critical business activities, and put in place emergency response and recovery framework to ensure the continuity of critical business activities. Such a framework must include strategies, organizational structure, approaches, standards and procedures. Article 32 requires that banks shall have in place business continuity plans covering all critical activities consistent with business recovery objectives. Systems concerns are included in the Management Standards on Emergency Response of Banks' Important IT Systems (Provisional) which provides (Article 4) that banks shall undertake risk assessment and make contingency plans for events impacting critical information systems, such as power support and communication facilities. 223 PEOPLE’S REPUBLIC OF CHINA Further, the CBRC has issued the Notice on Strengthening the Safety of Significant Information Systems, requiring banks to strengthen the prevention of system disruption risks. This document highlights key nodes and time points of common system disruptions. The Operational Risk Guidelines (Article 25) requires the CBRC to regularly examine and assess the quality and comprehensiveness of banks’ disaster recovery systems and the business continuity plans. Banks are required (Guidelines on Business Continuity Supervision – Article 92) to submit a report on business continuity management to the CBRC or its local offices, including the assessment report and audit report on business continuity management for the previous year in the first quarter of each year. The CBRC carries out on-site examinations to assess the quality and comprehensiveness of banks’ business resumption and contingency plans, focusing on the following aspects: (a) whether there is a business continuity management process and framework with clear assignment of responsibilities; (b) whether there are arrangements and procedures for emergency responses and business recovery; (c) whether banks have conducted impact analysis of disruptions and undertaken risk assessment; (d) whether there are contingency plans for critical areas; (e) whether there are in place back-up centers on alternative sites for critical business systems, and whether banks have sufficient disaster recovery facilities and adequate recovery capability; and (f) reporting on occurrences and responses to disruptions of critical business activities. In recent years, the CBRC has strengthened ongoing supervision and on-site examinations over business continuity. The CBRC not only requires banks to develop disaster recovery facilities and perform exercises, but also evaluates the effectiveness and analyzes weaknesses exposed. Each year, banks report to the CBRC their business continuity plans, summaries of impact analysis and disaster recovery exercises. Business disruptions should be reported to the CBRC in a timely manner. With respect to on-site examinations, the CBRC not only includes business continuity as a part of IT risk examinations, but also carried out specific continuity examinations on selected banks. Since 2014, the CBRC have conducted specific examinations on some large banks and joint-stock banks covering all the components of business continuity management. As some general observations, the large banks would organize appropriately 1,000 drills every year. In order to diversify risks, large banks have been moving to ‘two-site, three- center’ disaster recovery infrastructure, including local operational back-up centers and data back-up centers at alternative cities. The CBRC observed that it has seen banks make substantial progress in a range of aspects of business continuity management. Banks with whom the assessors met noted that the CBRC was careful to consider business continuity arrangements. As noted in EC, the ability of Provincial Offices of the CBRC to offer more specific guidance based on the national standards permits provincial regulations to reflect local conditions that banks should take into consideration. EC5 The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal 224 PEOPLE’S REPUBLIC OF CHINA circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management. Description and The Information Technology Risk Management Guidelines require that banks’ IT risk findings re EC5 management framework shall encompass following aspects: (a) governance structures; (b) effective internal control; and (c) risk controls. The process should cover system development, testing, operation and maintenance. The Guidelines also require that a bank shall have in place: • IT strategies, IT operation plans and IT risk assessment plans commensurate with its overall business plans and allocate sufficient financial and human resources to maintain a stable and secure IT environment. (Article 14) • Comprehensive IT risk management strategies covering the following aspects: (a) information classification and protection; (b) IT system development, testing and maintenance; (c) system operation and maintenance; (d) IT system access authorization; (e) physical security; (f) personnel safety; and (g) business continuity and contingency plans. Banks shall undertake comprehensive risk preemptive measures according to their IT risk management strategies and risk assessment results. (Article 15) Additionally, a bank’s IT department shall be responsible for establishing and implementing information classification and protection processes. It should also perform the function of information security management (Articles 20 and 21). The Dynamic Monitoring Indicators for IT Risk of Commercial Banks specifies 8 monitoring indicators of 3 categories including stability, security and size. Stability indicators include system availability, the transaction success rate and success rate of system updates. Security indicators include the phishing websites blocking rate, the external attack case change rate and the number of information security events. Size indicators include the electronic- channel transactions change rate and the main electronic active users or accounts change rate. These indicators are dynamically monitored to reflect banks’ IT risk level and risk management capability. The CBRC On-site Examination Manual on IT Risk Management provides detailed information on 300 key risk factors, covering information security and system development, and establishes detailed methods and procedures for supervisors to confirm whether the information security and system development are in line with the CBRC’s rules and banks’ policies. The CBRC has strengthened supervision of IT risk in recent years, evidenced by setting up the CBRC IT risk supervision team, increasing number of experts, and improving the methods and procedures of on-site examinations. Since 2011, on-site examinations on IT risk have covered all aspects of IT risk, mainly focusing on business continuity, IT outsourcing risk, information security, and electronic banking. the CBRC has organized and undertaken 38 on-site examination programs involving 36 banking institutions, including policy banks, large banks, joint-stock banks, rural financial institutions, city commercial banks and locally-incorporated foreign banks, thereby effectively driving banks to establish solid arrangements for IT risk management and enhance the capability of IT risk prevention and control. 225 PEOPLE’S REPUBLIC OF CHINA In 2015, the CBRC established On-site Examination Bureau to enhance examination. IT risk has been one of the key focuses in full-scope examinations and targeted examinations on key businesses. The examinations cover IT risk governance, information security, business continuity, IT outsourcing, and system development, operation and maintenance. In 2016, the CBRC expanded coverage to effective interactions between businesses, decision making and IT risks. EC6 The supervisor determines that banks have appropriate and effective information systems to: (a) monitor operational risk; (b) compile and analyze operational risk data; and (c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk. Description and The Operational Risk Guidelines (Article 18) requires banks to establish and update findings re EC6 operational risk management systems which shall at least record and store data related to operational risk losses and information on operational risk events. The purpose is to support operations of tools such as RCSA, KRIs and LDC, for the banks that use these tools, as well as operational risk reporting. The CBRC’s supervisory responsibilities are set out chiefly in Articles 25 and 26 of the Operational Risk Guidelines and the quality of supervision and reporting of operational risk within the bank is a major theme. In practice, the CBRC seeks to focus on the role of the system in supporting the risk management framework, including: (a) whether operational risk management system supports the storage of and access to operational risk information; (b) whether the system supports operation of RCSA, KRIs, LDC and other management tools; and (c) whether the system supports operational risk management function, the senior management and the Board in performing their roles. Please see also EC7. EC7 The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions. Description and Reporting requirements are set out in the Operational Risk Guidelines where Articles 15 and findings re EC7 16 require banks to set up effective procedures to regularly report operational risk profile and loss events internally. The operational risk reporting framework should clearly define the responsibilities, reporting line and frequency. Significant loss events related to operational risk must be reported timely to the Board, senior management and relevant managers. These requirements are complemented by Articles 23 and 24 which prescribe that banks shall submit operational risk reports to the CBRC and report significant events related to operational risk to the CBRC. Should there be a major event, the Significant Emergency Reporting Procedures prescribes the standards, channel and format for reporting significant operational risk events to the CBRC. As part of standard supervisory reporting, banks submit to the CBRC: information on cases that have occurred; information on IT risk events; and internal loss data classified by 226 PEOPLE’S REPUBLIC OF CHINA business line and event types. This data also identifies issues that are “boundaries” with market and credit risk. The CBRC is aware that, at this stage of development, many banks’ operational risk arises from the execution of their credit function and the reporting on “case prevention” gathers data on indicators that can signal possible issues, looking at areas of personnel (including staff changes and training), internal audit, compliance and litigation. IT indicators have been collected since 2015. Operational risk information is collected and analyzed by the CBRC using the OSSRS. As noted above, internal models are not permitted for capital adequacy but the CBRC has recognized that banks’ ability to generate internal loss estimates assists with greater risk sensitivity and not only supports internal capital allocation but can also support the business case for enhancing risk management practices. While the GSIBs are, as expected, at the forefront of internal approaches to operational risk measurement and management, and at the other end of the spectrum banks are focused more on the need to understand key risk and control policies. From conversations with the industry, it is clear that the CBRC favours a zero tolerance to internal control failures but encourages collection of loss data because when banks begin to expand and upgrade, it is necessary to develop a more nuanced concept of risk appetite and use its data to identify appropriate levels of tolerance. The CBRC reviews bank’s operational risk reporting framework from two angles: (a) reviewing the reports submitted by banks to monitor and understand changes in operational risk; and (b) when examining the effectiveness of banks’ operational risk reporting frameworks, supervisors focus on whether the reporting frequency and reporting line comply with the policies approved by the Board and senior management; whether key risk indicators and loss data are monitored and reported; and whether there is responsive action plans and how and whether corrective measures are taken accordingly. EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers: (a) conducting appropriate due diligence for selecting potential service providers; (b) structuring the outsourcing arrangement; (c) managing and monitoring the risks associated with the outsourcing arrangement; (d) ensuring an effective control environment; and (e) establishing viable contingency planning. Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank. Description and It should be noted that in China, outsourced businesses are mainly functions that support findings re EC8 the bank’s operation, such as IT system, customer service, and document maintenance. Banks may not outsource strategic management, core businesses and internal auditing functions or key procedures (the Guidelines on the Outsourcing Risk Management – Articles 7 and 17(4)). The IT system is the most common area of outsourcing. The Guidelines apply to all financial institutions in the banking sector. Due diligence requirements are set out in Article 13, while the structuring of the arrangement is covered chiefly in Articles 14 to 16. The control environment is detailed in 227 PEOPLE’S REPUBLIC OF CHINA Section III, Risk Management and contingency planning is addressed in Article 14(3) and Article 20. As an overarching requirement, Article 5 of the Guidelines on the Outsourcing Risk Management of Banking Financial Institutions states that banks shall have a framework, including policies and procedures for the management of outsourcing risks and incorporate such framework and policies into the comprehensive risk management system. More broadly, according to the Operational Risk Guidelines (Article 20), a bank shall establish risk management policies to ensure the safety, soundness and legitimacy of outsourcing activities. These policies should address contract or service agreements, and clarify responsibilities between outsourcing providers and the bank. With specific respect to IT issues, the Information Technology Risk Management Guidelines, (Chapter) 8 specifies that a bank’s IT outsourcing contract shall be approved by its IT risk management department, legal department and IT Management Committee. A bank shall have processes in place to regularly review and revise the service agreement, and maintain appropriate oversight over outsourced activities. Banks shall retain their IT management responsibilities and oversee the performance of outsourcing providers with due diligence. Banks shall remain prudent when outsourcing important activities (such as data center and IT infrastructures). Prior to outsourcing, a written report shall be submitted to the CBRC. Banks are expected to be sufficiently prepared prior to signing outsourcing contracts or making material changes to outsourcing contracts. In common with the Guidelines on Outsourcing Risk (where Article 15 requires a strict customer protection system) the IT Guidelines require banks to maintain the confidentiality of any sensitive data such as customer personal information. Banks must establish a contingency plan to minimize losses associated with emergency situations such as outsourcing providers’ financial deterioration, key staff run-off or unexpected termination of the contract. A bank should file an official report to the CBRC about significant outsourcing activities such as IT infrastructure and database. The IT Risk Management Guidelines provides explicitly that IT risk management function should not be outsourced. When examining outsourcing management process, the CBRC assesses whether banks have established the outsourcing scope and contents, evaluated outsourcing risk, set up comprehensive policies, and developed risk prevention measures. The CBRC does not have the right to assess the outsourcing provider directly. Regarding banks’ outsourcing management policies, the CBRC focuses on the appropriateness of organizational structure and performance of the Board and senior management; and the comprehensiveness and effectiveness of outsourcing risk management. Specifically, the CBRC assesses banks’ outsourcing management to see: (a) whether contents and scope are clearly defined in the outsourcing policies and procedures; (b) whether procedures for outsourcing activities have been reviewed and approved by the legal department and the department in charge; (c) whether there are written requirements on the qualifications of potential outsourcing service providers; (d) whether responsibilities and obligations in outsourcing agreements are clearly defined with regard to security, confidentiality, and intellectual property rights; (e) whether service level agreements include 228 PEOPLE’S REPUBLIC OF CHINA indicators of performance evaluation as well as corrective measures; (f) whether security and confidentiality measures in outsourcing agreements can protect customers’ sensitive data; and (g) whether documentation is properly managed. Regarding outsourcing assessment and supervision, the CBRC focuses on the following aspects: (a) whether banks conduct due diligence on potential outsourcing providers, establishing an evaluation mechanism to review their business conditions, financial strength, credit history, security qualifications, service capacity, actual risk control capacity and accountabilities; and (b) whether banks have proper oversight over the outsourced activities with regular evaluation on the service and contingency plans of the outsourcing provider. Every year, the CBRC prepares Summary Report on Outsourcing Risk and distributes it to local offices and banks. Since 2011, the CBRC has examined outsourced activities of a full range of banks, covering large banks, joint-stock banks, city commercial banks and foreign-funded banks. Additionally, the CBRC monitors banks’ use of outsourcing services to identify instances of vendors to whom there may be concentrated exposures in the sector. In 2013, the banking IT outsourcing supervision platform was established, comprising supervisory authorities and banking institutions. The platform provides a channel for over 100 banks to share information concerning IT outsourcing risk management. The platform was designed to help banks check the stability of the vendors of outsourced services. The CBRC, lacking the ability to inspect the vendors directly has sought to guide the banks in how to assess the risk. The CBRC has flagged major risk areas and asks banks to carry out inspections targeted at these risk areas. Some of the larger banks also participate and have shared their expertise with smaller institutions as part of the exercise. Assessment of Compliant Principle 25 Comments Operational risk is assuming a greater proportion of the banking system’s aggregate risk weighted assets at just over 7 percent. As with market risk, there is a considerable variation in the sophistication of banks’ approach to operational risk, with the most sophisticated banks using internal approaches to drive forward their risk management approaches, while less complex, typically local and regional banks are more focused on internal controls. As the less complex banks expand their businesses, the challenge for them, as the CBRC is fully aware, is to develop their approach to operational risk in a commensurate manner with their growth. It was striking that some banks are seeking to develop internal approaches for credit risk but remain content with analytical approaches to operational risk based on the basic indicator approach. There should be scope, possibly through the implementation of the expected revised Basel standard on operational risk, to encourage development of operational risk standards within banks that is not limited to the perspective of high quality internal controls and stable IT functions. Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate 229 PEOPLE’S REPUBLIC OF CHINA independent 58 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations. Essential criteria EC1 Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address: (a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g. clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g. business origination, payments, reconciliation, risk management, accounting, audit and compliance); (b) accounting policies and processes: reconciliation of accounts, control lists, information for management; (c) checks and balances (or “four eyes principle”): segregation of duties, cross-checking, dual control of assets, double signatures; and (d) safeguarding assets and investments: including physical control and computer access. Description and Article 5 of the Internal Control Guidelines sets out that the internal control framework of findings re EC1 banks should be comprehensive in coverage, prudent, with the necessary check and balance, and should be commensurate with the bank’s size and complexity. Article 8 to 10 of the Internal Control Guidelines specify the roles and responsibilities of the board and senior management. Specifically, the board of directors is responsible for ensuring that an effective internal control system is established, approving risk appetite and organizational structure, and ensuring compliance with relevant law and regulations. Senior management is responsible for formulating the policies and establishing the organization structure and procedures to ensure effective implementation of internal controls. On the specific areas of controls: - Articles 7 and 17 to 21 of the Internal Control Guidelines requires banks to establish a clear organization structure, reporting lines and responsibilities. Banks are required to segregate incompatible duties, establish clear delegation of authorities, compulsory leave policies and policies and procedures to guide and monitor staff conduct. - Article 22 of the Internal Control Guidelines requires banks to comply with accounting standards and practices and ensure that financial and accounting information are authentic, reliable and complete. - Article 23 of the Internal Control Guidelines requires banks to monitor and check on inventory of cash, negotiable securities and other tangible assets, while Article 28 requires banks to strengthen control and management over information security and confidentiality. 58 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee. 230 PEOPLE’S REPUBLIC OF CHINA Similar emphasis on internal control can be found in Article 17 of the Guidelines on Operational Risk Management of Commercial Banks. CBRC has also issued a Notice on the internal control management for over-the-counter business processes such as cash transactions, remittance transfers, updating of account information, etc. EC2 The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units. Description and During CBRC’s supervisory process, including onsite examinations, CBRC evaluates the staff findings re EC2 competencies of and resources allocated to back office, control functions and operational management and whether they are accorded sufficient authority within the organization. CBRC also evaluates whether there are well-established human resources polices and training programs to ensure that back office and control functions continue to have sufficient expertise and knowledge to fulfil their roles and responsibilities, and whether these functions have effective communication channels to the bank’s board. EC3 The supervisor determines that banks have an adequately staffed, permanent and independent compliance function 59 that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function. Description and Article 10 of the Guidelines on Compliance Risk Management specify that the bank’s Board findings re EC3 is responsible for exercising oversight over the management of the compliance function. Articles 8 and 19 require banks to have an independent and permanent compliance function, with staff that have relevant professional qualification, experience and expertise. During its supervisory process, the CBRC reviews the compliance policies and procedures, the reporting lines, whether resources allocated to compliance function are commensurate with the bank’s risk profile and complexity, and the role of board and senior management in the bank’s compliance risk management. CBRC also determines whether internal audit conducts independent assessment of the compliance function. The overall assessment of the effectiveness of compliance function is an input to the “Management” component of the supervisory rating of banks. EC4 The supervisor determines that banks have an independent, permanent and effective internal audit function 60 charged with: 59 The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines. 60 The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g. conducted by external experts, of key internal controls as an alternative. 231 PEOPLE’S REPUBLIC OF CHINA (a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and (b) ensuring that policies and processes are complied with. Description and Article 93 of the Corporate Governance Guidelines requires banks to have independent findings re EC4 internal audit function which reports to the board, the audit committee and the supervisory board. Article 8 of the Internal Audit Guidelines specifies that the board is responsible for the independence and effectiveness of the Internal Audit. Articles 16 and 18 the Internal Audit Guidelines require that a bank’s internal audit should assess the appropriateness and effectiveness of processes and internal controls across all businesses and entities, in aspects including risk management, corporate governance, information systems and financial reporting. During its supervisory process, CBRC reviews the banks’ internal audit plans and reports, to assess the adequacy of their work and whether they provide constructive suggestions on deficiencies identified in audits. CBRC highlights to the internal auditors the areas requiring improvement or attention, either in the form of supervisory letters or at meetings. EC5 The supervisor determines that the internal audit function: (a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing; (b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations; (c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes; (d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties; (e) employs a methodology that identifies the material risks run by the bank; (f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and (g) has the authority to assess any outsourced functions. Description and The requirements with respect to the internal audit function of banks are set out in the findings re EC5 Internal Audit Guidelines, as follows: (a) Articles 8 and 11 provide that a bank’s board and senior management shall ensure that the resources of internal audit function are sufficient. Article 14 further prescribes that the number of internal auditors of a bank shall account for at least 1% of the total headcount, and that the internal auditors shall have the relevant professional knowledge skills and practical experience. (b) Article 12 sets out that the head of internal audit function shall report to the board, audit committee and the supervisory board. Article 11 requires that the senior management shall support the internal audit function in independently performing its duties and should take effective corrective measures in a timely manner to address the issues identified by internal audit. On (c), (d) and (g), Article 17 provides that the internal audit function is authorized to access necessary information and attend relevant meetings, in relation to its audit. Article 18 prescribes that internal audit has the authority to examine the business and 232 PEOPLE’S REPUBLIC OF CHINA management activities (including outsourced functions) conducted by various operating entities and interview relevant persons as necessary. On (e) and (f), Article 21 sets out that the internal audit function shall develop an audit plan and determine the scope and frequency, having regard to the business activities, risk profile, and management needs, and allocate resources accordingly. The plan should fully address regulatory concerns and include areas such as comprehensive risk management, capital adequacy, liquidity, internal control compliance, and financial reporting. CBRC evaluates the independence and effectiveness of banks’ internal audit function through its ongoing supervisory process. CBRC focuses on assessing the reporting lines and adequacy of resources of the internal audit function, whether the audit methodologies, audit plan and procedures are effective in identifying material risks, and whether internal audit evaluates the bank’s management of outsourced activities. Supervisors meet with internal auditors of banks at least annually to discuss key audit observations and monitor the timeliness of corrective measures taken by management. Supervisory assessment of the effectiveness of internal audit function is incorporated in the “Management” component of CBRC’s supervisory ratings. Assessment of Compliant Principle 26 Comments CBRC has a strong supervisory focus for banks to maintain a control environment that is commensurate with the risk profile and scale of their business activities. It has put in place requirements for banks to ensure the independence and authority of the head of internal audit and head of compliance. Further, banks are required to notify CBRC if there are changes to the individuals holding these positions. BCP Assessors’ meetings with industry representatives supported the view that the CBRC pays close attention to the internal control systems, compliance and internal audit functions, and the effectiveness of the three lines of defence. CBRC uses onsite examinations to verify that standards are upheld and observed. Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function. Essential criteria EC1 The supervisor 61 holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data. Description and Article 4 of the Accounting Law of the People’s Republic of China provide that the board of findings re EC1 directors and senior management are responsible for the accuracy, authenticity and 61 In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors. 233 PEOPLE’S REPUBLIC OF CHINA completeness of the banks’ financial statements and accounting records. Article 55 of the Commercial Bank Law provides that banks shall truly record and fairly reflect their operational activities and financial positions in annual financial reports. Article 28 of the Rules on the Information Disclosure of Commercial Banks prescribes that the board shall be responsible for the reliability, accuracy and completeness of disclosed information. The banks’ annual financial statements are to be prepared in accordance with the Chinese Accounting Standards (CAS) and are to be audited by qualified auditors. MOF is responsible for the registration and supervision of accounting firms. The CAS is issued by the Accounting Regulatory Department of the Ministry of Finance and is substantially converged with international financial reporting standards. This is confirmed with the external auditors that the BCP assessors met, and the assessors noted from a review of the public financial reports of a few Chinese listed banks that the reported results are similar in respect of financial statements prepared under CAS and under IFRS. In accordance with the Regulations on Information Disclosure of Companies Offering Securities to the Public No. 15 – General Provisions on financial reports, group companies should disclose financial reports both at the consolidated level and at the parent entity level. Hence, public listed banks in China, which account for about 80% of total banking system assets, comply with this requirement. The remaining, unlisted banks in China are mostly single entities. EC2 The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards. Description and Article 56 of the Commercial Bank Law requires banks to publish its audited financial findings re EC2 statements annually. Article 6 of the Information Disclosure of Commercial Banks further requires that the disclosed annual financial statements of banks with total assets of RMB 1 billion or more to be audited by qualified accounting firms. Articles 116 and 119 of the Corporate Governance Guidelines stipulate that the board of directors of a commercial bank is responsible for the information disclosure of the bank, and information disclosure documents include the annual financial statements which must be audited by an accounting firm with relevant qualification. Article 125 further requires the directors and senior management of banks to sign a written confirmation opinion for an annual report, stating whether the preparation of the report conform to the laws and regulations, whether the contents of the report reflect the actual situation of the commercial bank in an authentic, accurate and complete manner. Chinese auditing standards are substantially in line with international auditing standards. As set out in the joint statement in 2010 by the Chinese Auditing Standards Board (“CASB”) and the International Auditing and Assurance Standards Board (IAASB), CASB made limited additional requirements during the process of international convergence and these were accepted by IAASB where they did not conflict with International Standards on Auditing (“ISA”). In addition, according to CBRC’s estimates, listed banks, which account for about 234 PEOPLE’S REPUBLIC OF CHINA 76% of total banking system assets, have appointed international accounting firms as their external auditors and audits are conducted in accordance with ISA. EC3 The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes. Description and Articles 8 to 10 of CBRC’s Supervisory Guidelines on the Fair Value Valuation of Financial findings re EC3 Instruments of Commercial Banks require banks to put in place independent structure and processes for fair value estimation, to identify and document material differences between valuations for financial reporting and for risk management, and to conduct internal review regularly on internal control, valuation models and parameters, and information disclosure of fair value estimation. Article 16 requires that banks’ valuation models be independently validated. The applicable Chinese Accounting Standard on valuation is CAS 39 which is consistent with IFRS, prescribing methods for recognition and measurement of fair value of assets and liabilities. Article 12 of the Practicing Standards for Certified Public Accountants of China provides that certified public accountants shall rely on adequate and appropriate evidence to determine whether the accounting estimation (including fair value estimation for accounting purposes) is reasonable. Banks’ policies and procedures on valuation of financial instruments and valuation methodologies are subject to reviews by CBRC and by external auditors. These include review of valuation model and methodology during onsite examinations and stress testing. CBRC’s processes with respect to valuation adjustments for uncertainties in determining the fair value of assets and liabilities are discussed in CP 22 EC 5. Regular bilateral or tripartite meetings are conducted between the CBRC and commercial banks and external auditors to obtain auditing results, including valuation adjustments on financial instruments. In practice, banks recognize and measure fair value of financial instruments according to Chinese Accounting Standards No. 39 for their financial reporting and for regulatory reporting purposes. EC4 Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit. Description and External auditors conduct audit of financial statements of banks in accordance with the findings re EC4 Practicing Standards for Certified Public Accountants (CPAs) issued by the MOF, which specify technical standards and specific requirements to be followed in relation to audit Specifically, Practicing Standards No.1211 requires auditors to understand audited entities, their business activities, operating and control environment to identify and assess the risk of material misstatement, No. 1221 Importance in Planning and Conducting Audit, and No. 1231 sets out actions that auditors should undertake to address the identified risk of significant misreporting. 235 PEOPLE’S REPUBLIC OF CHINA In addition, other Practicing Standards such as No.1611 Auditing Financial Statements of Commercial Banks, No,1613 Relationship with Banking Supervisor and No 1632 Auditing Derivatives prescribe additional requirements specific to external audit of banks. For instance, No. 1611 highlights various inherent risk characteristics of banks’ business activities, and requires auditors to perform testing of the bank’s internal controls, effectiveness of management oversight and information systems, and emphasizes on certain areas such as loan provisions, off-balance sheet activities, related party transactions, etc. Taken together, these require auditors to use a risk and materiality based approach in planning and performing the external audit of banks. As discussed in EC 8 below, CBRC meets external auditors at least annually and highlights to the external auditors the supervisory concerns as well as key areas that they should pay particular attention to during their audits. These could be generic risks at industry level or bank-specific. EC5 Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. Description and External auditors conduct audit of banks in accordance with the Practicing Standards for findings re EC5 Certified Public Accountants (CPAs) issued by the MOF to express an opinion on whether the financial statements of the bank provides a true and fair view. As discussed in EC 4, the local auditing standards relating specifically to audit of banks include the Practicing Standards No. 1321 Auditing Accounting Estimates, No. 1611 Auditing Financial Statements of Commercial Banks, No. 1613 Relationship with Banking Supervisor, and No. 1632 Auditing Derivatives. These provide detailed audit requirements for areas covering valuation of on and off balance sheet items, non-performing assets, loan loss provisions, trading activities and derivatives.There are also detailed requirements on internal control and technical standards and methodologies for auditing these items. As the audit is based on a risk and materiality-based approach (EC 4), the areas in the EC will be covered by audit as long as those areas are deemed material in the context of the financial statements as a whole. Article 16 of the Practicing Standard 1611 also sets out the expectation for auditors to perform test of internal controls and not rely entirely on substantive procedures. EC6 The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards. Description and Under the Law of the People’s Republic of China on Certified Public Accountants, if an findings re EC6 accounting firm fails to comply with auditing standards, MOF has the power to issue a warning or suspend the accounting firm from performing audit services. CBRC has no direct power to reject or rescind the appointment of an external auditor that is deemed to have inadequate expertise or independence. Seeking to address this issue, CBRC issued the Guidelines on External Audit of Banks and the Administrative Rules on Accounting Firm Selection by Financial Enterprises in 2010 to prescribe certain 236 PEOPLE’S REPUBLIC OF CHINA requirements on the qualification of external auditor of banks and the selection process. Specifically, under Article 6 of the External Audit Guidelines, banks are prohibited from appointing accounting firms which are found to have inadequate expertise, have been subject to disciplinary actions or to be non-independent from the bank. Under Article 14 of the Guidelines, whenever violation of regulations or severe problems about the audit are detected, either by the bank or during CBRC’s supervisory process, banks are required to take necessary actions to address the issues, including termination of the audit contract. When CBRC has concerns that the external auditor has inadequate expertise or independence or does not adhere to established professional standards, it can issue a supervisory letter asking that the bank replace its auditor. The assessors note that there have been such cases in practice. CBRC could also raise the identified issues to MOF, where further investigation and actions may be taken, though the assessors are not aware of such cases in practice. EC7 The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time. Description and Article 29 of the Administrative Rules on Accounting Firm Selection by Financial Institutions findings re EC7 require that banks rotate their external audit firm after five years, except that in the case of an accounting firm that ranks within top 15 by Chinese Institute of Certified Public Accountants, the tenure can be extended to eight years. In addition, Article 30 further requires that the Certified Public Accountant responsible for signing off audit reports must be rotated after five years. EC8 The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations. Description and CBRC holds bilateral or tripartite meetings with banks and external auditors at least findings re EC8 annually, to exchange views on major issues identified in the audit and supervision and analyze the implications on the bank’s overall risk profile, and highlight areas requiring further actions by the banks. CBRC also highlights to the external auditors the issues that they need to pay particular attention to. These interactions take place more frequently for the systemically important banks. The requirements for such meetings are set out in the Article 17 of the Information Disclosure Rules, Article 16 of the External Audit Guidelines and Notice on Strengthening the Communication with External Audit Firms. EC9 The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality. Description and Article 22 of the Practicing Standards for Certified Public Accountants No 1613 – findings re EC9 Relationship with Banking Supervisors stipulates that external auditors should report to CBRC, any material breaches of laws and regulations, issues disrupting bank’s continuing operation, or issuance of qualified opinion. Article 17 of the External Audit Guidelines provides that banks shall not impede external auditors from reporting to CBRC any non- compliance with laws, issues disrupting the bank’s continuing operation and misconduct by senior management. 237 PEOPLE’S REPUBLIC OF CHINA Article 7 of the Notice on Strengthening the Communication with External Audit firms provides that CBRC shall make necessary protective arrangements for external audit firms which actively report audit issues to CBRC. Assessment of Largely Compliant Principle 27 Comments The authorities have made significant progress in strengthening the quality of financial reporting and external audit. Since the previous FSAP assessment, CBRC has issued several Rules, Guidelines and Notice to prescribe the required qualification and independence of external auditors, mandate rotation of external audit firm after a prescribed timeframe, strengthen the communication between supervisors and the external auditors, and requiring external auditors to report to the supervisor matters of material significance. BCP Assessors’ dialogue with industry supported the view that there is regular communication between CBRC and the external auditors, discussing audit findings, areas of audit focus and risk profile of the banks. In addition, the Chinese accounting standards and auditing standards have been revised and are now substantially in line with the international standards. According to CBRC’s estimates, listed banks, which account for about 76% of total banking system assets, have appointed international accounting firms as their external auditors. The Chinese Institute of Certified Public Accountants (CICPA) conducts audit quality review of the accounting firms, with greater focus on the audit of listed corporates, including listed banks. There continues to be a need to increase oversight of the audit of small-to-medium sized banks. As indicated in EC6, CBRC does not have the direct power to reject or rescind the appointment of an external auditor who is deemed unfit to perform a reliable and independent audit. While CBRC has demonstrated that in practice it was able to indirectly remove the external auditors by recommending the banks to do so, the lack of direct legal power is, nevertheless, not in compliance with Essential Criteria 6. It is recommended that CBRC be given the direct power to reject or rescind the appointment of external auditors who have inadequate expertise or independence, or who do not follow professional standards. Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes. Essential criteria EC1 Laws, regulations or the supervisor require periodic public disclosures 62 of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed. Description and Article 36 of the Banking Supervision Law provides that CBRC shall require banking findings re EC1 institutions, in accordance with applicable national rules and regulations, to faithfully 62 For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor. 238 PEOPLE’S REPUBLIC OF CHINA disclose to public accounting reports, risk management positions, replacement of Board and senior management members, and other material information. Broadly, banks in China are subject to the following disclosure requirements: (a) Information required to be disclosed in the financial statements in accordance with Chinese accounting standards (which is substantially converged with IFRS, as discussed in CP27); (b) Information disclosure rules established by CBRC and specifically for publicly listed banks, by CSRC. CBRC has issued several guidelines and rules governing information disclosure of banks. Specifically, Chapter 7 of CBRC’s Guidelines on Corporate Governance of Commercial Banks sets forth requirements on information disclosure from various aspects including establishment of internal policies, disclosure principles, duties and responsibilities, and contents of disclosure. In addition, Article 25 of the Information Disclosure Rules of Commercial Banks require banks to publish audited financial statements within four months after the end of each fiscal year. Article 5 states that information disclosure should adhere to principles of accuracy, faithfulness, completeness and comparability, and Chapter 2 of the Rules sets out detailed provisions on contents and formats to improve comparability and relevance (the required contents of disclosure is further discussed in EC2). Article 27 requires that commercial banks must place the annual report at the business location and post the same on the Internet for public access in a timely manner. In addition, CSRC also has specific requirements on information disclosures of publicly listed banks, as set out in the Regulations on Information Disclosure of Companies Offering Securities to the Public No. 26 – Special Provisions on Information Disclosure of Commercial Banks. CSRC requires annual, semi-annual and quarterly financial reports in order to provide relevant and useful information with higher frequency. These include requirements to disclose the following, amongst others: - major accounting data for 3 years total assets and structure, total liabilities and structure, shareholders' equity, total deposits and structure, total loans and structure, net capital and its composition, risk weighted assets, net loan losses; - major financial indicators including profitability ratio, non-performing loan ratio, loan-to- deposit ratio, capital adequacy ratio, etc; -movements in loan regulatory categories and provisions and related analyses; -loan distribution by industries and areas, large customer loan ratio; -analysis of changes in risk profile (quantitative and qualitative information), risk measurement policies and systems covering credit risk, market risk, liquidity risk, operational risk and other major risks.; -related party transactions and significant events. For public listed banks, the information disclosure requirements are applicable both at the consolidated banking group level and at the parent entity level. In accordance with the Regulations on Information Disclosure of Companies Offering Securities to the Public No. 239 PEOPLE’S REPUBLIC OF CHINA 15 – General Provisions on financial reports, group companies should disclose financial reports both at the consolidated level and at the parent entity level. Hence, public listed banks in China, which account for about 80% of total banking system assets, comply with this requirement. The remaining, unlisted banks in China are mostly single entities. a) Basel Pillar III requirements and other disclosure requirements. In this regard, CBRC has issued a number of prudential rules including the Capital Rules for Commercial Banks (Provisional), the Notice on Issuing Regulatory Documents on Capital Regulation for Commercial Banks, the Leverage Ratio Rules for Commercial Banks, the Rules on the Information Disclosure of Liquidity Coverage Ratio of Commercial Banks and the Guidelines on the Disclosure of Global Systemic Importance Indicators by Commercial Banks etc. These rules require banks to conform to BCBS Pillar III requirements of information disclosure on capital, compensation, leverage ratio, liquidity coverage ratio and indicators for assessing global systematic importance, and to adopt uniform templates for information disclosure, so as to improve their comparability. EC2 The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank. Description and The Information Disclosure Rules of Commercial Banks require banks to disclose both findings re EC2 qualitative and quantitative information, covering financial performance, risk management strategies and practices, risk exposures, related party transactions and exposures, accounting policies, business activities, corporate governance and remuneration. More specific disclosure requirements on related party transactions and remuneration are set out in Article 38 of the Administrative Rules on Related Party Transactions of Commercial Banks with Insiders and Shareholders and Article 22 of the Sound Compensation Guidelines, respectively. In addition, Article 161 of the Capital Rules provides that banks should disclose, at the minimum: (a) risk management system, covering management objectives, policies, processes, etc. (b) measurement approaches for major risks and substantial changes in risk measurement and corresponding capital requirements; (c) qualitative and quantitative information on major risks; and (d) qualitative and quantitative information on remuneration. The scope and content of information disclosures required is commensurate with the scale and complexity of banks. Article 168 of the Capital Rules for Commercial Banks provides that non-listed banks with a deposit size smaller than RMB 200 billion and with operations contained within one province may simplify the contents of its information disclosure subject to CBRC’s approval. On the other hand, globally systemically important banks are subject to information disclosure in line with international standards including leverage 240 PEOPLE’S REPUBLIC OF CHINA ratio, liquidity coverage ratio and systemic importance assessment indicators. Listed banks are further required to meet disclosure requirements for listed companies. On Pillar III disclosure, it was highlighted in China RCAP 2013 report that while most of the core Pillar 3 requirements had been implemented, they were incomplete in respect of detailed disclosure of relevant data about credit quality and securitization. In particular, regarding credit quality, a breakdown of impaired loans and loan loss allowances by industry was not explicitly required by domestic regulation, although such a breakdown had been found in banks’ annual reports. For securitization, the disclosure requirements had been somewhat simplified, based on the limited development of the market then. As part of the annual supervisory rating process, CBRC checks the banks’ information disclosure against the above-mentioned rules. Banks are required to monitor difference between publicly disclosed information and supervisory returns and supervisors investigate into causes of any significant differences. Onsite examinations are conducted of the banks’ internal governance and controls processes that support compliance with information disclosure requirements. EC3 Laws, regulations or the supervisor require banks to disclose all material entities in the group structure. Description and There are several requirements governing the disclosure of material group entities, as findings re EC3 follows: • Article 21 of the Information Disclosure Rules provides that banks shall disclose corporate governance information including organizational structure of all departments and branches. Article 22 provides that banks shall, at a minimum, disclose annually the following issues: (a) names of top 10 shareholders and changes in the reporting period; (b) registered capital increase or decrease, spin-offs and mergers; and (c) other important information that should be known by public. • Annex 15 to the Capital Rules provides that banks shall disclose information on the top 10 invested institutions in terms of outstanding equity investments, either being consolidated or being deducted in the capital adequacy calculation. • Article 5 of the Regulations on Information Disclosure of Companies Offering Securities to the Public No. 26 - Special Provisions on Information Disclosure of Commercial Banks provides that banks shall, based on their own operation and management characteristics, reasonably disclose information of management hierarchy, number of branches and their geographical distributions, as well as names, addresses, staff numbers and asset size, etc. • Article 9 of Chinese Accounting Standard no. 36 also requires disclosures on ultimate controlling company, parent company and subsidiaries. Taken together, the requirements on disclosure of all material entities are generally adequate. CBRC provided assessors with the annual reports of a few banks, which show that the disclosures are generally adequate, containing specific chapters with organization charts and fundamental information of group entities and major shareholders. 241 PEOPLE’S REPUBLIC OF CHINA EC4 The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards. Description and Disclosures contained in banks’ annual financial statements are reviewed by external findings re EC4 auditors. The CBRC assesses banks’ compliance with information disclosure requirements and incorporates the assessment in the supervisory ratings of banks. Specifically, CBRC monitors whether banks regularly disclose information as per prescribed requirements, as part of its supervisory processes. Article 25 of the Information Disclosure Rules requires that banks submit annual reports to CBRC at least 5 days prior to public disclosure. During offsite supervision, supervisors check and identify whether there are inconsistencies between publicly disclosed information and regulatory reporting data submitted to CBRC. Where significant difference is identified, supervisors check the cause and take corresponding supervisory measures if necessary. CBRC also conducts onsite examinations on supervisory statistic data to ensure authenticity of the data and reports submitted by banks and examine information disclosure compliance by banks. Information disclosure quality is also incorporated as part of examinations on banks’ corporate governance and internal control. During supervisory interviews, tripartite meetings with banks and auditors, supervisors would highlight concerns with regard to banks’ information disclosure. CBRC’s Internal Guidelines on Supervisory Ratings of Commercial Banks includes information disclosure quality in the assessment. Supervisors form an assessment of the banks’ compliance with information disclosure requirements based on the above- mentioned supervisory activities. Failure to meet prudential rules on information disclosure will directly affect the supervisory rating of the bank. Non-compliance will also be subject to various enforcement actions by CBRC depending on the severity. Article 46(4) of the Banking Supervision Law prescribes that where a bank fails to comply with applicable rules on information disclosure, CBRC shall order the bank to take corrective actions and shall impose a fine ranging from RMB 200,000 to RMB 500,000. If the violation is regarded as material or the bank fails to make corrections within prescribed period of time, CBRC can further suspend business for rectification, or revoke its banking license. If the violation involves criminal behaviors, criminal liability shall be pursued according to law. Article 7 of the Information Disclosure Rules provides that CBRC shall monitor information disclosure in accordance with applicable laws and regulations. Article 29 stipulates that banks providing false information or concealing important facts in accounting reports shall be subject to administrative penalties by CBRC in accordance with Article 75 of the Commercial Bank Law, and persons in charge shall be subject to penalties according to Article 48 of the Banking Supervision Law. Accounting firms and persons in charge 242 PEOPLE’S REPUBLIC OF CHINA providing false auditing reports shall be subject to corresponding actions in accordance with applicable laws and regulations. For public listed banks, CSRC and the stock exchanges are responsible for monitoring the listed companies' (including listed banks’) compliance with relevant information disclosure requirements and taking appropriate enforcement actions. Article 27 of the Regulations on Information Disclosure of Companies Offering Securities to the Public No. 26 - Special Provisions on Information Disclosure of Commercial Banks provides that banks violating the rules shall be punished in accordance with Article 193 of the Securities Law of the People’s Republic of China and Chapter 6 of the Interim Rules for the Information Disclosure of Listed Companies. EC5 The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles). Description and The Banking Supervision Law requires that CBRC compile and disclose aggregate statistics findings re EC5 for overall banking industry. CBRC has progressively increased the content of disclosure over the years, addressing all issues raised in the previous FSAP report. It currently discloses on a quarterly basis a range of over 30 indicators on its official website, including aggregate assets, liabilities, loan classification, provisioning, profitability, liquidity, CAR, leverage ratio and market risk, etc. Major indicators are disclosed with breakdown by category of banks. Data on micro and small-enterprises loans, government-subsidized affordable housing loans etc are also disclosed. More information is disclosed in CBRC’s annual report, including the composition of deposits and loans, the classification of NPL by industry and by region, as well as time series of major indicators. Assessment of Largely Compliant Principle 28 Comments The accounting disclosures of banks are in line with international standards. Disclosures by listed banks, which constitute close to 80% of total banking system, is comprehensive. In addition, CBRC has issued additional information disclosure requirements on banks, and the scope and content of information and the level of details required is commensurate with the risk profile and systemic importance of the banks. Given the size and complexity of the banking sector, there is room for more disclosures on aggregate statistics and risk indicators for overall banking industry to facilitate a better understanding among market participants, analysts and the public of issues affecting the financial system. For instance, this could entail providing more detailed breakdown of balance sheet structure of banks and their risk profiles including liquidity profile, deposit composition, breakdown of loans, concentrations, etc. This can possibly be done with collaboration between PBC and CBRC. 243 PEOPLE’S REPUBLIC OF CHINA Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities. 63 Essential criteria EC1 Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities. Description and With respect to AML initiatives, laws and regulations include findings re EC1 • the Criminal Law, • the Antimoney Laundering Law, • the Law on the People’s Bank of China, (Article 4(10)) • the Banking Supervision Law, • the Interpretation of the Supreme People’s Court on Several Matters concerning the Specific Application of Law in the Trial of Money Laundering and Other Criminal Cases, • the Provisions on Anti-money Laundering of Financial Institutions, • the Administrative Rules on the Reporting of Large-sum and Suspicious Transactions of Financial Institutions and • the Administrative Rules on the Preservation of Client Identification Documents and Transaction Records of Financial Institutions. Both the PBC and CBRC have roles and powers with respect to the supervision of AML/CFT though in practice it appears that the CBRC is only exercising prudential supervision. Under Article 4(10) of the Law on the People’s Bank of China the PBC’s functions include: “Directing and disposing the anti-money-laundering work of the financial industry, being responsible for capital supervision and measurement over anti-money-laundering;” Hence the PBC has the responsibility of overseeing the AML activities of financial institutions and organizing and coordinating AML work throughout the country. Its responsibilities are: (a) monitoring funds for AML purpose; (b) formulating, by itself or jointly with relevant financial supervisory authorities under the State Council, AML rules for financial institutions; (c) supervising and examining financial institutions on performing their AML duties; (d) investigating suspicious transactions within its responsibilities and reporting transactions suspected of money laundering to investigation authorities; and (e) sharing information with foreign financial supervisory authorities. 63 The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle. 244 PEOPLE’S REPUBLIC OF CHINA For its part, the CBRC is responsible for reviewing internal AML control regimes during the approval process for establishing banks, branches or subsidiaries, examining the sources of contributed capital of banks’ shareholders, and developing and enforcing banks’ prudential policies on AML. With respect to CFT initiatives, the Decision on Issues Related to Strengthening Counter- terrorism Work issued by the Standing Committee of the NPC in 2011 and the Counter- Terrorism Law that took effect on January 1, 2016 provide that the High-level Counter- Terrorism Task Force shall take the lead in nationwide efforts. The PBC and the CBRC shall, according to the terrorist watch lists provided by Ministry of Public Security (MPS), instruct financial institutions and specific non-financial institutions to strengthen the monitoring of daily transactions, and oversee such institutions’ performance of their CFT duties. The PBC and the CBRC are authorized to conduct lawful investigations and impose temporary funds freezing measures once suspicious transactions are identified. With respect to preventing financial crimes for other criminal activities and preventing and controlling crimes within banks or against banks, their staff and customers, the Law on Banking Supervision grants the CBRC the power to supervise and oversee banks’ domestic and overseas business activities, require banks to prevent, identify and report criminal activities against their overall risk management, internal control, compliance, and ethical standards for banking practitioners. EC2 The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities. Description and With respect to AML/CFT, the PBC leads the formulation of policies on AML analysis and findings re EC2 risk alerts, and implements risk-based AML approaches. To establish more effective AML initiatives, the PBC has launched pilot programs for large-sum and suspicious transaction reporting by financial institutions, guiding such institutions to establish their own monitoring and analysis indicators, update the reporting procedure, and improve internal AML control regimes. The PBC explained that the pilot program has helped produce a fewer number of reports with higher quality, and a higher number of cases in identifying investigation clues from such reports. At the time of the assessment, the PBC was revising the Administrative Rules on the Reporting of Large-sum and Suspicious Transactions of Financial Institutions based on the results from the pilot program so as to improve the usability of suspicious transaction reports. General standards: To guard against malpractices and frauds, among other criminal activities, the CBRC issued the Guidelines on Internal Control of Commercial Banks and the Guidelines on Operational Risk Management of Commercial Banks, requiring banks to clearly define internal control responsibilities, improve internal control programs, provide more support and have ongoing assessment and oversight. Banks are required to strengthen the three lines of defense, i.e. business management, risk and compliance, as well as audit and oversight, to properly monitor, report and examine abnormal suspicious transactions, and update the accountability and follow-up policies and procedures. 245 PEOPLE’S REPUBLIC OF CHINA Specific standards: Regarding high-risk areas, the CBRC has issued targeted internal control and operational guidelines, including the Notice of the CBRC General Office on Strengthening the Internal Control Management of Banking Financial Institutions and Effectively Preventing Operational Risks of Counter Business, requiring banks to follow the “Know-Your-Customer” (KYC) principle, strengthen the review in account opening and authenticity verification, formulate policies for identifying unusual and suspicious transactions to strengthen the monitoring of bank accounts, the control over authorization and conducts of staff who have access to customer information, and the management of audio and video recording, business outlets and staff conduct. The Administrative Rules on the Reporting of Large-sum and Suspicious Transactions of Financial Institutions provides that financial institutions shall immediately report, in writing, to the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) or the PBC or the PBC local offices any suspected criminal activities they identify or reasonably suspect when performing AML duties. The rules also provide that financial institutions shall report large-sum and suspicious transactions to CAMLMAC. The CBRC has also formulated policies for handling cases of suspicious transactions and criminal activities and urged banks to put in place policies and procedures to prevent, identify, report and handle criminal activities. The Notice on Revising the Definition and Classification of Cases Involving Banking Financial Institutions classifies criminal cases that may involve banks into three categories: crimes committed independently by bank staff, crimes that bank staff participate in and crimes committed by external parties. Pursuant to the Procedures for Handling Cases involving Banking Financial Institutions, the Rules on Reporting and Registering Information of Cases (Risks) involving Banking Financial Institutions, the Coordinated Committee for the Prevention and Control of Cases involving Banking Financial Institutions and the Major Emergency Reporting Policy, the CBRC requires banks to have in place policies and procedures for case handling, and standardized practices on reporting, registration, investigation, review and conclusion of cases, accountability and supervisory returns. Banks are required to submit information on cases that have been filed with judicial authorities and on risk events that have been identified but not yet determined to be cases. The PBC, in its Notice on Effectively Conducting Examinations for Antimoney Laundering Enforcement in 2016, required its local offices to strengthen the supervision over systemically important financial institutions with higher terrorist financing risks, and further required financial institutions to enhance CFT controls and improve risk management against terrorist financing. From 2011 to 2015, the PBC carried out over 4,000 on-site examinations on banking financial institutions and imposed over 500 administrative penalties as required by law. As the banking supervisor, the CBRC requires banks to comply with the AML Law, regulations and applicable requirements. Banks are expected to continuously optimize suspicious transactions monitoring system to better monitor movements of large-sum and suspicious funds, routinely reconcile large-sum accounts and timely report irregularities. 246 PEOPLE’S REPUBLIC OF CHINA The CBRC conducts supervisory interviews requires banks to improve their comprehensive risk management capabilities and AML “blacklist” controls. In the context of CBRC’s supervision of bank’s cross border activities, the supervisor encourages banks to strengthen the management of their overseas branches, subsidiaries and affiliates, strictly comply with AML laws and regulations in host countries, improve information sharing and management coordination within banking groups, and ensure ongoing tracking and timely monitoring of cross-border transactions/customer fund flows. For banks that apply for establishment, the CBRC and its local offices review the source/legitimacy of paid-in capital and prohibit capital from unknown sources. Consistent with the policy applying to domestic banks, foreign banks that apply for establishing institutions in China must submit the AML policies of their parent banks. If the AML policies are not deemed effective, establishment of branches or subsidiaries will be denied. The CBRC undertakes targeted examinations on effectiveness of internal controls and case prevention on an ongoing basis. In respect of telecom frauds that have been a frequent occurrence in recent years, the CBRC has required banks to freeze and blacklist bank accounts involved, prohibiting such accounts from remitting, transferring or withdrawing within or outside China. EC3 In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank. Description and With respect to AML concerns, banks are required to report large-sum and suspicious findings re EC3 transactions to the PBC’s China Antimoney Laundering Monitoring and Analysis Center (CALMAC) pursuant to a number of laws and regulations, notably Article 4 of the Anti- Money Laundering Law and the Administrative Rules on the Reporting of Large-sum and Suspicious Transactions of Financial Institutions. With respect to CFT issues, the Counter-Terrorism Law provides that financial institutions must immediately freeze funds or other assets of terrorist organizations and individuals as announced by the national counter-terrorism task force and make a timely report to the administrative authority of AML. Furthermore, the CBRC has issued the Procedures for Handling Cases involving Banking Financial Institutions and the Rules on Reporting and Registering Information of Cases (Risks) involving Banking Financial Institutions, requiring banks to report information on frauds and cases to the CBRC regularly (see the Statistical Procedures of Cases involving Banking Financial Institutions). Information to be reported includes criminal cases committed by bank staff and crimes committed against banks (the crimes are classified into three categories. See EC 2), such as robbery, fraud, physical damage, leak or loss of confidential information, etc. EC4 If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities. 247 PEOPLE’S REPUBLIC OF CHINA Description and The Chinese authorities have set up frameworks to support coordination and cooperation findings re EC4 as described below. In 2004, the AML Joint Ministerial Committee AML JMC) was established, led by the PBC and comprising 23 members. The membership of the AML JMC is widely drawn and includes: the Supreme People’s Court, Supreme People’s Procuratorate, General Office of the State Council, Ministry of Foreign Affairs, MPS, Ministry of State Security, Ministry of Supervision, Ministry of Civil Affairs, Ministry of Justice, Ministry of Finance, Ministry of Housing and Urban-Rural Development, Ministry of Commerce, the PBC, General Administration of Customs, State Administration of Taxation, State Administration for Industry and Commerce, State Administration of Press, Publication, Radio, Film and Television, the Legal Affairs Office of the State Council, the CBRC, CSRC, CIRC, SAFE and People’s Liberation Army General Political Department. The Procedures for Anti-money Laundering Joint Ministerial Committee was issued in 2004, prescribing the duties of the members. To date, the Committee has held eight meetings to discuss major cross-ministerial tasks including AML duties, supervisory coordination, international cooperation, strategic planning, national money laundering risk assessment plan, etc. There is also an AML Cooperation Mechanism between the PBC, the CBRC, CSRC, CIRC and SAFE to coordinate work. In 2013, 2014 and 2015, the Committee held the sixth, seventh and eighth sessions respectively, in which members discussed the Overall Plan for Improving China’s Anti- money Laundering System, the Overall Plan on Risk Assessment of Anti-money Laundering and Terrorist Financing and the Work Plan on the Fourth Round of AML/CFT Cross- assessment of Financial Action Task Force respectively, and exchanged information about their AML work. In March 2005, MPS and the PBC jointly issued the Provisions of MPS and the PBC on Jointly Verifying Clues of Suspicious Transactions, setting out the cooperation arrangement. In April 2016, MPS and the PBC jointly issued the Notice on Establishing Mechanism Against Drug- related Money Laundering, coordinating the efforts against drug-related money laundering. On CFT, the PBC is required to immediately report information to the public security authorities upon identifying large-sum and suspicious transactions involving individuals on the terrorist watch lists. For key counter-terrorism regions, the PBC, the CBRC and MPS have established an intelligence exchange mechanism for sharing purpose. To address telecom and Internet frauds, the CBRC issued, jointly with Supreme People’s Procuratorate, MPS and Ministry of State Security, the Provisions on Assisting the People’s Procuratorates, Public Security Organs and State Security Organs with Asset Inquiry or Freezing by Banking Financial Institutions, which provide that state security organs and public security organs may set up protocols with banks for fast inquiry and freezing of accounts and for electronic information transmission via special channels, and adopt new approaches such as cross-region collaborative inquiry, large-scale centralized inquiry, in- 248 PEOPLE’S REPUBLIC OF CHINA bank collaborative inquiry, etc. to improve the efficiency of inquiring and controlling funds involved in suspicious cases. Banking institutions are required to report suspicious transactions to CALMAC. There is no requirement to report to, or copy or notify the CBRC of such reports. EC5 The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements: (a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks; (b) a customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant; (c) policies and processes to monitor and recognize unusual or potentially suspicious transactions; (d) enhanced due diligence on high-risk accounts (e.g. escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk); (e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and (f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period. Description and There are a number of instruments that apply in the area of customer due diligence, which findings re EC5 are noted below. The most germane of these instruments for this criterion are the Administrative Rules on the Preservation of Customer Identification Documents and Transaction Records of Financial Institutions and the Guidelines on the Risk Assessment and Customers Classifications of Money Laundering and Financing of Terrorism for Financial Institutions. The requirements in these two instruments are reinforced in a range of respects in the other rules, notices and laws noted below. In respect of (a) customer acceptance, (c) suspicious transactions, (d) high risk accounts, (e) politically exposed persons, and (f) record keeping and retention, the Rules on the Preservation of Customer Identification Documents provides the more comprehensive set of requirements (notably Articles 3, 19 and Chapter 3 for these sub-criteria). Meanwhile the Guidelines on the Risk Assessment sets out the framework for analyzing the nature and risk of the bank’s business relationships. While the Comprehensive Management Guidelines require all business to have Board approval, the body of regulations and Guidelines lacks a specific requirement guiding banks to ensure that there is enhanced due diligence, including, for example, requiring specific Board approval when initiating a new business relationship. Nevertheless, it should be noted that the Administrative Rules on the 249 PEOPLE’S REPUBLIC OF CHINA Preservation of Customer Identification Documents and Transaction Records of Financial Institutions issued by the PBC in 2007 requires that before establishing correspondent or similar relationships with overseas institutions, banks shall collect adequate information on the business, reputation, internal control and supervision of such institutions, and assess the AML supervision such institutions are subject to as well as the soundness and effectiveness of their AML/CFT measures. The establishment of correspondent bank relationship shall be approved by the Board or other senior management. The Antimoney Laundering Law requires financial institutions to establish customer identification policies, including customer identification when entering into business relationship for the first time or providing one-off financial services above prescribed amount (Article 16). This information must be updated throughout business relationship (Article 19). The Antimoney Laundering Law also requires records to be retained for 5 years after the business relationship or transaction has concluded (Article 19). The Provisions on Antimoney Laundering of Financial Institutions provide that financial institutions shall have in place customer identification policies and procedures to conduct initial identification, and have effective customer identification of overseas financial institution with which it has correspondent or similar relationship (Article 9). In 2007, the PBC issued: • Administrative Rules on the Preservation of Customer Identification Documents and Transaction Records of Financial Institutions. In addition to requirements for the banks to be diligent in knowing and understanding their customers, the Rules are clear that the policies and processes have to extend over the entire group network of the institution, both domestic and overseas if applicable. • However, the PBC confirmed that there are no explicit requirements for banks to report ultimate beneficiary of a transaction/client to the authorities but the PBC expect such information to be obtained and available for on-site examinations. Article 7 of these rules requires banks to “understand which natural person is actually controlling the customer and the actual beneficiary of the transaction.” The same article requires senior management approval for transactions/accounts with foreign PEPs. In more recent years, the PBC has issued: • Guidance on Verifying the Authenticity of Identity Information Related to Existing Renminbi Deposit Accounts in China, • the Guidelines on the Risk Assessment and Customers Classifications of Money Laundering and Financing of Terrorism for Financial Institutions, and • the Notice on Applying Organizational Credit Codes to Facilitate Customer Identification. These documents further regulate CDD by financial institutions and guides them to assess the money laundering and terrorist financing risks from customers, geographical areas, business activities and industries, in order to have a reasonable determination of risk profile and enhancing AML effectiveness. The PBC noted that from 2008, these regulations have elaborated on Natural Persons controlling the client and refers to but not limited to – controller of the company and those who have the ultimate economic interest or who control the processes. The Administrative 250 PEOPLE’S REPUBLIC OF CHINA Rules on KYC and record keeping require banks to be continuously up to date at any point in time but do not require reporting to the PBC. From 2011 to 2015, the PBC imposed administrative penalties on the financial institutions that did not perform the duties of customer identification or keeping customer identity information and transaction records as required. The Guidelines on Internal Control of Commercial Banks, (Articles 4 and 5) issued in 2007 and revised by the CBRC in 2014 respectively, requires banks to have internal control throughout the entire process of decision making, implementation and oversight, covering all business processes, departments and positions. In 2010, the CBRC issued the Guidelines on Country Risk Management of Banking Financial Institutions, requiring (Article 15) banks, with respect to CDD, to strictly comply with the AML/CFT laws and regulations, execute relevant United Nations (UN) resolutions on sanctions, stay alert to business activities and transactions related to sensitive countries/jurisdictions, timely check relevant international incidents including UN resolutions on sanctions, establish and improve information mechanisms to upload and update information including sanctions lists and suspicious transaction customers, in a timely manner, so as to prevent banks from being abused by organizations or individuals for terrorism, money laundering or other criminal activities. Banks are also required to have complete and reliable management information systems for identification, measurement, monitoring and control of country risks so as to identify inappropriate customers and transactions. The Notice on Further Enhancing the Management of Banking Business and Staff Conduct, issued by the CBRC in 2014, requires (Section I (1)) banks to strengthen the review of applications for opening personal deposit accounts. Banks shall comply with regulations on personal deposit account opening, apply real-name registration and KYC principle to account opening, and implement the requirement of contacting principals of the accounts for verification. Banks are further required (Section I (7)) to establish suspicious transaction early-warning mechanisms and strengthen the monitoring of suspicious transactions, including frequent opening and closure of personal accounts without proper reasons, frequent transfer of same amount or large amount of funds, and immediate transfer of funds following opening of online banking services. The Notice of the CBRC General Office on Strengthening the Internal Control Management of Banking Financial Institutions and Effectively Preventing Operational Risks of Counter Business, issued by the CBRC in 2015, requires banks to: (a) implement internal control guidelines and other policies and assess the effectiveness of internal control regularly (Section I); (b) strengthen the authenticity review based on the KYC principle and conduct door-to-door verification before opening accounts for special attention or non-local customers (Section IV); (c) have in place policies to verify unusual and suspicious 251 PEOPLE’S REPUBLIC OF CHINA transactions, and verification, feedback and handling mechanisms (Section VI); and (d) strengthen the management of audio and video recording at business outlets (Section XI). With respect to politically exposed persons, the Chinese regulations do not encompass domestic PEPs. Foreign PEPs are broadly identified covering political, civil service and military. In the PBC’s experience, banks are also applying consistent standards to domestic PEPs but there is, as yet, no formal requirement to do so. EC6 The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include: (a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and (b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks. Description and The Administrative Rules on the Preservation of Customer Identification Documents and findings re EC6 Transaction Records of Financial Institutions, promulgated by the PBC in 2007, requires that before establishing correspondent or similar relationships with overseas institutions, banks must collect adequate information on the business, reputation, internal control and supervision of such institutions, and assess the AML supervision such institutions are subject to as well as the soundness and effectiveness of their AML/CFT measures. The establishment of correspondent bank relationship shall be approved by the Board or other senior management. The Notice on Strengthening Anti-money Laundering Efforts by Financial Institutions in Cross-border Cooperation, issued by the PBC in 2012, further prescribes AML measures that should be adopted by financial institutions when establishing correspondent or similar relationships with overseas financial institutions. Financial institutions are prohibited from establishing business relationships with shell financial institutions. They are required to conduct enhanced due diligence (EDD) and risk assessment on respondent financial institutions, and heightened AML risk management measures on high-risk overseas partners. Financial institutions are encouraged to set AML compliance and risk control standards at the group level, thereby enhancing their risk control capabilities in international business. As described in EC 5, the Internal Control Guidelines, issued by the CBRC, requires banks to implement internal controls throughout the entire process of decision making, execution and oversight, covering all business processes, functions and positions. The Country Risk Guidelines requires banks to comply with the AML/CFT laws and regulations when conducting CDD. The PBC examines the due diligence policies for correspondent banks during AML supervision and on-site examinations. In terms of trends in correspondent banking, the PBC has carried out some investigations and has noted that some Chinese banks are de-risking and that there is compliance 252 PEOPLE’S REPUBLIC OF CHINA pressure from the international regulatory requirements, which includes refusing to establish or indeed terminating correspondent banking relationships or closing or restricting the remittance operations. Nevertheless, the number of refusals or terminations so far were quite low and appeared to be commensurate with risk based requirements and did not appear to reflect excessive caution. The Chinese banks that have been most affected due to de-risking policies have been the smaller and mid-sized commercial banks. Overall, the PBC considered that although some overseas banks might be reducing their volume of business with the smaller and mid-size Chinese banks due to the costs of enhanced due diligence or because they do not wish to take reputational risks, it is not yet statistically observable. EC7 The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism. Description and There is a range of legislative and regulatory instruments applying to the adequacy of findings re EC7 control systems, chief among which is the Anti-money Laundering Law where Chapter 3 provides that financial institutions shall have in place sound AML internal control programs, set up a AML specific function or designate an internal department and Chapter 6 sets out the legal liabilities for institutions failing to set up the function as required. As described in EC 3, the CBRC issued the Internal Control Guidelines, the Operational Risk Guidelines, and the Guidelines on Compliance Risk Management of Commercial Banks, requiring banks to clearly define internal control responsibilities and provide more support to internal control, and setting out the procedures for handling cases and requiring banks to have procedures for reporting the three types of cases. In practice, the PBC requires that a financial institution with a suspicion that a transaction is related to money laundering, terrorism or other criminal activities shall report it to the PBC local offices. The PBC also requires financial institutions to support its administrative AML investigations, thereby jointly preventing and cracking down on money laundering and related criminal activities. From 2012 to 2015, financial institutions submitted 20,237 reports on transactions suspected of money laundering, terrorism or other criminal activities (of which over 98 percent are from banks). After analysis and investigations, the PBC reported 3,370 leads to competent investigation authorities, assisted with the investigation of 4,071 case, and helped solve 1,025 cases. Facing counter-terrorism challenges abroad and at home, the PBC has established a model to monitor and analyze terrorist financing, and required banks to improve the monitoring, analysis and reporting of terrorism-related fund transactions. The the details of the model are confidential but the framework and indicators were developed by the PBC based on their analysis of types and incidence of AML data. Banks are required to embed this model in their own monitoring systems and are permitted to fine tune it based on their own business practices and experience. For CTF a sub-model has been developed which has been piloted in one region and will be rolled out nationwide over 2017. A simplified version of the model has been submitted to FATF and may be shared more widely. 253 PEOPLE’S REPUBLIC OF CHINA From 2014 to 2015, banks submitted 615 reports on transactions suspected to be terrorism-related to the PBC. After analysis and investigation, the PBC reported 245 clues to competent investigation authorities, assisted with the investigation of 596 case clues, and helped solve a number of major terrorism-related cases. In 2013, 2014 and 2015, the CBRC reported 25, 62 and 29 criminal cases to competent investigation authorities respectively. EC8 The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities. Description and Both the PBC and the CBRC have the power to impose measures on violations against AML findings re EC8 law and regulations or other criminal offenses. Chapter 6 of the Antimoney Laundering Law, the Provisions on Antimoney Laundering of Financial Institutions and the Provisions on Customer Due Diligence prescribe violations and sanctions on financial institutions or their staff. Article 83 of the Counter-terrorism Law prescribes administrative liabilities and criminal liabilities against a financial institution or specific non-financial institution that fails to immediately freeze funds or other assets of terrorist organizations or individuals announced by the national counter-terrorism task force. Article 37 of the Banking Supervision Law provides that where a bank fails to follow the prudential guidelines and rules, the CBRC has the power to suspend its current businesses, restrict dividend distribution or transfer of assets, require controlling shareholders to transfer ownership, or demand replacement of senior management. Chapter 5 of the Banking Supervision Law and Chapter 8 of the Commercial Bank Law prescribe penalties on banks with non-compliances or involvement in frauds or other criminal activities. To date there have been no sanctions applied by the CBRC based on proposals or information from the PBC as AML cases. Although Chinese banks have been involved in, and fined for, AML breaches, these incidents took place in overseas jurisdictions. The CBRC indicated that, nonetheless, there was serious follow up by the CBRC with the senior management and directors. From 2011 to 2015, the PBC and its local offices conducted over 4,000 on-site examinations on banking financial institutions. In over 500 of these examinations, financial institutions were imposed with administrative penalties for not performing duties including customer identification, retaining customer identity information and transaction records, establishing AML internal control policies and procedures and reporting large-sum or suspicious transactions as required. the CBRC has also conducted supervisory reviews on banks with respect to AML internal controls and compliance. Under the AML law, there are seven violations that can lead to fines. The maximum pecuniary sanction that can be applied for a single breach of the preventive measure regime is RMB 5,000,000. The average value of sanctions applied during the period 2013 to 2015 was RMB 164,135. The highest fine ever imposed by the PBC was RMB 3,000,000. Should there be multiple offences, fines may be aggregated. Should there be repeat offences there is no limit to the number of times that a fine may be imposed but such patterns of deficiency would lead the PBC to recommend to the CBRC that additional supervisory measures were taken. The PBC makes semi-annual public disclosure reports of 254 PEOPLE’S REPUBLIC OF CHINA the number of inspections per year, the number of institutions covered, and any sanctions that are imposed. Fines are therefore made public but there is no separate notification or pre-notification mechanism to alert the CBRC. EC9 The supervisor determines that banks have: (a) requirements for internal audit and/or external experts to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports; (b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported; (c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and (d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities. Description and Please see also the descriptions in CP 9 and CP 26 for the CBRC’s internal audit findings re EC9 requirements and supervisory practices with respect to risk management. The supervisors have access to all internal and external audit reports. Meetings with banks confirmed that the CBRC pays close attention to internal audit reports. At an overarching level, the Compliance Risk Guidelines requires banks to set up a compliance department and appoint an independent compliance officer who shall develop internal compliance guidelines including code of conduct, and report material non- compliance to the Boards or their specialized committees and supervisory boards. Banks are required to define the procedures of reporting compliance risk as well as the elements, format and frequency of the reports. On AML, the Notice on Further Strengthening Anti-money Laundering by Financial Institutions, issued by the PBC, requires banks to appoint a dedicated officer at the banks’ senior management to take charge of AML compliance. The Provisions on Anti-money Laundering of Financial Institutions provides that financial institutions shall, as required by the PBC, submit AML supervisory returns, documents, as well as AML-related information mentioned in audit reports to the PBC. The Guidance on the Code of Conduct of Banking Financial Institutions’ Employees, revised by the CBRC in 2011, sets out ethical and professional standards for bank staff and requires banks to incorporate such standards into their management of compliance and operational risk, training programs and human resource standards, including screening of new hires, and establish ongoing evaluation and oversight mechanisms. In 2014, the CBRC issued the Notice on Further Enhancing the Management of Banking Business and Staff Conduct, requiring banks to establish sound management on all staff, strengthen oversight on unusual staff conducts, enhance the management of business outlets using electronic monitoring devices, and give more weights to compliance and risk management indicators in banks’ assessment programs. 255 PEOPLE’S REPUBLIC OF CHINA The Notice on Regulating the Agency Sales of Commercial Banks, issued by the CBRC in 2016, sets forth standards and requirements for banks’ agency business on recommending and selling financial products lawfully offered by partner institutions via banks’ own channels, thereby preventing misleading sales, unauthorized agent sales and undefined risk responsibilities between banks and their partners, etc. The Guidelines on the Outsourcing Risk Management of Banking Financial Institutions and the Guidelines on the IT Outsourcing Risks of Banking Financial Institutions, issued by the CBRC in 2010 and 2013 respectively, require banks to establish outsourcing risk management framework and relevant policies incorporated into overall risk management systems, develop strategic plans for outsourcing in accordance with prudential operation principles, and determine the scope of outsourcing activities commensurate with their risk management capabilities. Banks shall also conduct due diligence on service providers and provide specific requirements on IT outsourcing. The requirement to provide training for staff, both for new professional entrants and on a continuing basis is established in the AML Law (Article 22) and supported by a 2012 Notice on Performance management of professionals of controls. The Notice also requires financial institutions to have in place mechanisms so that training/information is provided in a timely manner on policies, internal control requirements, new approaches and techniques and changes in AML risks. For individuals who are in higher risk positions the intensity and frequency of training must be increased. The PBC also delivers training including online training and to date over 400,000 courses have been delivered through this medium. The PBC noted that in their onsite inspections they considered AML training and effectiveness and might even give staff tests. In 2015, the PBC imposed administrative penalties on 119 banking financial institutions, among which 68 failed to establish AML internal control policies and procedures as required, 7 failed to set up a dedicated AML function or appoint an internal department to take charge of AML work as required, and 23 failed to provide AML training for staff as required. EC10 The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities. Description and The regulatory framework provides guidance to banks in respect of requirements for findings re EC10 policies and processes. The Guidelines on Internal Control of Commercial Banks, the Guidelines on Compliance Risk Management of Commercial Banks, etc., issued by the CBRC, require a bank to establish governance and organizational structures comprising the Board, supervisory board, senior management, business departments, internal audit departments and compliance departments with clearly-defined roles, responsibilities and reporting lines. The three policies for handling cases and the mechanism for reporting matters of significance, issued by the CBRC, provide that banks shall clearly define reporting lines, roles and 256 PEOPLE’S REPUBLIC OF CHINA responsibilities for reporting suspicious transactions, situations and suspected criminal activities. Major banks and non-bank financial institutions including trust companies and AMCs, screen, identify and report suspicious transactions by using automatic systems and manual work together. Certain banks have deployed big data analytics to develop the Anti-money Laundering Monitoring and Analysis System (AMLMAS), improved the AML monitoring models to automatically screen unusual transactions. With respect to manual work, some banks have set up dedicated screening functions and professional screening teams. In 2015, CAMLMAC received 11.19 million reports on suspicious transactions, 51 percent of which were related to the banking sector. In terms of confirming whether banks are following the practices required, both the CBRC and PBC use their on-site examinations. Off-site checks can also determine whether the terms of reference for senior management encompass an an obligation to receive the reports of major or sensitive incidents. In on-site review the PBC investigates whether the Board has acted on reports and helped to resolve issues. EC11 Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable. Description and The Anti-money Laundering Law (Article 6) provides that the organizations performing AML findings re EC11 duties and their staff that submit reports on large-sum and suspicious transactions shall be protected by law, and administrative authorities and related units receiving such reports shall keep the informants and the reports confidential. EC12 The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes. Description and The PBC, the CBRC and other financial supervisory authorities have established a high-level findings re EC12 policy coordination mechanism--the AML Joint Ministerial Committee led by the PBC (Governor of the PBC serves as the chair) and comprising members from supervisory authorities and related government agencies. the PBC, the CBRC, CSRC, CIRC and SAFE also have established an AML Cooperation Mechanism. In recent years, China has made steady progress in international AML cooperation. Since joining FATF in 2007, China has maintained contact with FATF and its members, and completed the Action Plan of China to Improve AML/CTF Systems as scheduled. In 2012, FATF officially completed the follow-up cross-assessment procedures for China, marking that China had largely complied with the core and key clauses recommended by FATF. In July 2014, as one of the co-chairs, China hosted the 16th APG Annual Conference in Shanghai. In 2013, the PBC signed a MOU on AML supervision with the Central Bank of Argentina, and it is contacting with other countries/jurisdictions on strengthening bilateral supervisory cooperation. To add to the wider picture, by the end of 2015, CALMAC had signed MOUs on AML/CFT information exchange and cooperation with 35 overseas counterparts, including the Financial Crimes Enforcement Network (US Treasury Department), Monetary Authority of Macao SAR, etc. Notable among these relationships is 257 PEOPLE’S REPUBLIC OF CHINA that of the G2 as AML is anchored in a ministerial level mechanism and annual meetings are held with the US Treasury, Department of Justice and others. In 2015, the center received 565 international AML letters and sent out 353 letters. According to the Provisions on Transferring Suspected Criminal Cases by Administrative Law-enforcement Organs and the Provisions of the CBRC on Transferring Suspected Criminal Cases, the CBRC has established transfer mechanisms with public security authorities and people’s procurate at all levels. Where the CBRC finds a bank, its staff, customers and/or other related entities are suspected of criminal offenses, it will appoint two or more supervisors to investigate and refer the case to competent public security authorities and/or the people’s procurate. EC13 Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks. Description and The PBC prepares an annual analysis report on types of money laundering based on the findings re EC13 suspicious transactions reported by financial institutions, money laundering cases provided by investigation authorities, as well as the research findings, analysis, working data and cases published by FATF, Eurasian Group on combating money laundering and terrorism financing (EAG), Asia Pacific Group on Money Laundering (APG) among other international organizations and major countries/jurisdictions. The report is shared with financial institutions so that they can understand the types and risk distribution and then take preventive measures in time. Second, based on its AML work, the PBC analyzes the cases, summarizes the features of suspicious transactions, and releases money laundering risk alerts to keep financial institutions informed of new trends and methods so that they can strengthen internal controls and risk prevention in a timely manner. As noted above, the PBC has launched large-sum/suspicious transaction reporting pilot program by financial institutions, guiding them to establish indicators for monitoring and analyzing suspicious transactions, update the reporting procedure and improve internal AML controls. In CFT practices, the PBC and the CBRC, based on the terrorist watch lists announced by MPS and fund transaction models, instruct financial institutions and specific non-financial institutions to monitor daily transactions, and guide them to improve the monitoring system and thereby capabilities. To prevent individuals suspected of financing terrorism from escaping, hiding or transferring criminal proceeds, financial institutions and specific non-financial institutions are required to support public security authorities and customs anti-smuggling departments to inquire and freeze the accounts involved in criminal cases (e.g. Article 26 of the AML Law). According to the Provisions of the CBRC on Transferring Suspected Criminal Cases, where the CBRC identifies a suspicious criminal case, it will appoint two or more supervisors to investigate and prepare an investigation report. If the case is complicated, it may ask relevant internal departments to provide legal opinions or consult competent public security authorities and/or the people’s procurate. 258 PEOPLE’S REPUBLIC OF CHINA In addition, the CBRC forwards the UN resolutions sanctioning the South Sudan, Yemen, North Korea, Al-Qaeda, etc., to banks in a timely manner and requires them to implement the financial sanctions prescribed therein, including freezing funds as required. Assessment of Largely Compliant Principle 29 Comments Both regulatory framework and supervisory practices have continued to develop since the last assessment but some gaps still remain. An important initiative since the last assessment has been the establishment of the AML JMC. This body has been a valuable cross-body authority to consider and develop policies and strategies in respect of AML/CFT issues. Cooperation between the PBC and the CBRC is also strong at a policy level and the quality of the working relationships supporting this dialogue is very strong. Nevertheless, until recently, the PBC and CBRC have not focused on information exchange or coordination with respect to findings or concerns with respect to individual institutions. The recent decision for the CBRC and PBC AML Bureau to conduct joint on-site examinations is very welcome and can be expected to yield valuable results and insights for both authorities. The governance, risk management, risk culture, operational risk environment in firms, are areas where the CBRC will have particular insights and critical for the objectives of both the PBC and CBRC. By contrast, the risk based framework, based on self-evaluation and monitoring by banks that the PBC has developed and is now rolling out on a nationwide basis, will provide a different perspective on the management and control environment. Information gained from the joint inspections can and should guide future supervisory programs and assist the authorities in targeting any needed rectification measures more efficiently and effectively. A systematic sharing of information that is relevant to common supervisory objectives should be agreed and operationalized. At the international level, and while acknowledging the more than 60 MoUs signed with overseas supervisors, there may be more scope to develop bilateral supervisory cooperation more specifically in relation to AML supervision. While the authorities have issued extensive guidance and requirements to financial institutions, there is scope for fine tuning. Two issues that merit amendment are: first, the broadening of requirements related to PEPs to domestic individuals as well as foreign persons. While a number of banks are voluntarily adopting this approach, it is unlikely to be across the board. Second, requirements should be enhanced in relation to banks’ obligation to identify the beneficiaries of transactions. A clearer expectation that evidence should be available for review by the PBC at any time should be imposed. It is clear that the authorities are willing to act against firms and levy fines. However, the maximum penalty under the AML Law—which has never been applied—is modest in relation to the scale of many banks, and are in stark contrast to some major fines imposed by other international authorities. A risk of modest fines, even if frequently imposed, is that firms can regard such fines as part of the “cost of doing business” as the costs of upgrading the requisite risk management and control environment can be very much higher than the fine. It was also not clear to the assessors that the authorities are, as of now, using their data on sanctions to build a cumulative picture of individual institutions to which more 259 PEOPLE’S REPUBLIC OF CHINA supervisory attention—by both PBC and the CBRC—should be paid. A re-calibration of the severity of the fines permitted under the AML Law and a more explicit linkage between multiple offences and repeat offences and additional measures being imposed by the CBRC might be very useful. 260 PEOPLE’S REPUBLIC OF CHINA SUMMARY COMPLIANCE WITH THE BASEL CORE PRINCIPLES Core Principle Grade Comments The legal framework clearly establishes CBRC 1. Responsibilities, objectives and powers C responsibilities and also defines the objectives for banking regulation and supervision, granting CBRC powers to authorize banks, regulate, and conduct ongoing supervision and undertake corrective actions to address safety and soundness concerns. Although the powers to access parent companies and their affiliates are not explicitly stated in the legal framework, CBRC has in practice the powers to require information on significant shareholders as it deems necessary. The primary objective of banking supervision from a legal perspective, is to promote the safety and soundness of banks and the banking system. This is set out in law, as is a subsidiary objective whereby the CBRC is required, “towards the objectives” of stability and soundness, to protect fair competition in the banking industry as well as to promote the competitiveness of the banking industry. Hence, CBRC strategy and objectives include market and economy development considerations, support toward internationalization of Chinese enterprises and in particular preferential treatment to SMEs. Assessors did not however find concrete evidence that CBRC has jeopardized its primary mandate of safety and soundness in the pursuit of those objectives. Nevertheless, the assessors also acknowledge that CBRC is acting in a context where references within the Commercial Banks Law to developmental considerations for banks when conducting their business might result in additional pressures, in time of stress, for both banks and supervisors to prioritize those considerations over safety and soundness concerns. 261 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments 2. Independence, accountability, resourcing MNC The CBRC has a legal basis for independence but and legal protection for supervisors not in operational terms leading to the potential for it to fail to execute its legal mandate and ensure that soundness and stability considerations are the primary motivation of the CBRC’s work. Factors contributing to this potential outcome include the fact that the CBRC’s decisions can be overturned by the State Council, and the fact that there is no requirement to disclose publicly the reasons for the dismissal of the Chair of the CBRC. Although the CBRC has confirmed the central importance of soundness and stability in its work, the assessors are concerned that the CBRC’s independence is sufficiently compromised to call into question whether the supervisor would always be able to act on its primary, stability, objective, particularly if government policies, such as growth and social protection, conflicted with prudential considerations. Resource constraint is another mode of stifling a supervisor from performing its role effectively. The CBRC has autonomy over neither its staffing numbers nor its organizational design. The financial sector growth does not require a linear increase in resources, but the growing complexities and interconnectedness of the system, which includes four Global Systemically Important Banks (GSIBs), create a significant risk that the CBRC’s supervisory oversight will be impaired thus creating the potential for system- wide vulnerabilities to emerge. While the CBRC is to be highly commended on enhancing its specialist skillsets, refreshing its supervisory techniques, and adapting its tools with insight and creativity, the complement of staff has been static for a decade and key staff are increasingly attractive to and attracted by industry opportunities. Increased resources, in salary scale and staffing for the more specialist fields, is an urgent need. 262 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments 3. Cooperation and collaboration C Legal and regulatory provisions, as well the arrangements currently in place, provide for a sound framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors, reflecting the need to protect confidential information. Cooperation and collaboration arrangements are in place and seem to be functioning as envisioned by the authorities. 4. Permissible activities C The permissible activities for banks operating in China are clearly defined and the use of the word “bank” in names is controlled, with stringent punishment for the use of the word bank or deposit taking by unauthorized entities. Powers are in place for CBRC to set criteria and 5. Licensing criteria C reject licensing applications. CBRC licensing processes encompass the assessment of the ownership structure, including the fitness and propriety of Board members and senior management, as well as feasibility study, financial projections, internal controls, risk management etc. Prior consent or non-objection from the home supervisor is required in the case of foreign banks. CBRC licensing framework has been mostly used in the conversion of rural cooperatives into rural banks, as well as in the establishment of operations of foreign banks in China. Since 2014, fully private Chinese banks have been allowed into the system, which can significantly increase the complexity of the analysis necessary to ensure that the assessment of the ownership structure and governance of the wider group do not impose undesired risks to the bank and the banking system. 263 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments CBRC has the power to review and reject any 6. Transfer of significant ownership MNC proposal to transfer significant ownership above 5 percent held directly in existing banks to other parties. The legal framework, nevertheless does not require authorization for changes of de facto control, i.e. controlling interests held indirectly or circumstances where although holdings are below five percent, can entail significant influence. CBRC collect through various means information on significant holdings in banks. Nonetheless, there is no systematic process for regularly receiving/collecting information on names and holdings of all significant shareholders or those that exert controlling influence. In addition, the legal framework, regulations and procedures do not require Chinese or Rural (i.e. domestic) banks to notify CBRC as soon as they become aware of any material information which may negatively affect the suitability of a major shareholder. 7. Major acquisitions C Investments and acquisitions by banks are tightly controlled in China. CBRC requires approval of all acquisitions and investments. Banks are not allowed to invest in or acquire broker dealers, trusts, non-bank financial institutions or commercial enterprises unless prescribed by the State Council. So far pilots for investments asset management, insurance, leasing and finance companies have been established and are subject to specific approval. With the increasing sophistication of the Chinese banking system and expansion abroad, CBRC should ensure that is prepared to properly assess joint ventures and other strategic investments that banks may consider. 264 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments 8. Supervisory approach LC The CBRC plans and executes a high quality supervisory approach. Effective use is made of broad sources of information and the CBRC’s supervisory approach seeks to be forward looking and responsive to systemic issues, focusing on key emerging risks and trends such as the provision of wealth management products and interbank activity. Assessing the resolvability of banks is one field which is still work in progress. 9. Supervisory techniques and tools C The CBRC’s supervisory practices are of high quality and continue to develop. While the supervisory approach is more balanced towards the off-site (OSS) techniques, there is good use made of the on-site examinations and there is good coordination between the on and off-site departments and bureaus. Since the last assessment there has been intensive investment in the quality of the supervisory data and analytical systems and a refreshing of the analytical methodologies. Supervisory expectations are clearly communicated to banks and are followed up. There is scope for further development in the use of supervisory judgment and proactive supervisory actions. 10. Supervisory reporting C The CBRC has put extensive efforts into its supervisory reporting regime and enhancing the analytical systems that depend on it. There has been an almost wholescale overhaul of the reporting data and considerable care is taken, using on and off-site methods, not only to ensure that the data received is reliable, that banks are accountable for the information they provide, but also to ensure that the CBRC continues to obtain the data that is most relevant for its evolving supervisory tasks. 265 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments 11. Corrective and sanctioning powers of C CBRC has a range of powers than enables early supervisors action to address unsafe and unsound practices and has exercised them extensively over the last few years, having at its disposal several tools to enforce corrective actions. The deposit insurance fund has been established in 2014 but has not been accessed thus far. 12. Consolidated supervision LC The CBRC has refreshed its practice in consolidated supervision, and is starting to reap the benefits. Priority is placed on the knowledge of intra-group and related party connections, exercise of influence over a group, the structure, risk profile, and risk management of banking group. The CBRC is increasingly probing groups in terms of group activities, risk management and strategy. With the advent of less straightforward banking group structures, however, it is essential for the supervisor to consider not only the internal group structure and activities but activities and entities in the wider group that could have an impact on the banking entity and its group. Continuous monitoring of the wider group structure and activities is needed, including stronger notification and approval powers for the CBRC. More attention is needed on cross-sectoral developments, such as the growth of WMPs. 13. Home-host relationships C CBRC has made significant effort to improve its home-host relationships during the last few years including increasing the number of MoUs in place. In particular, the recent establishment of regular colleges for the G-SIBs has enabled CBRC to reach out more effectively to a wider range of host supervisors. Recovery plans have been put in place. 266 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments CBRC has progressively updated its corporate 14. Corporate governance LC governance guidelines, keeping pace with international developments. Given the diversity in scale and complexity of banks, the policy intention is to adopt a proportionate approach with the large/listed banks being subject to the highest requirements while some flexibility is accorded to the smaller ones such as the rural banks. On supervisory practices, there is a clear and consistent emphasis on assessing corporate governance of banks across CBRC’s onsite examinations and offsite surveillance, and the assessment constitutes one of the key components of the supervisory ratings of banks. The current regime for corporate governance is based on a combination of various guidelines issued by CBRC and CG Rules for Listed Companies issued by CSRC. While they are rather comprehensive taken together, there are areas that can be enhanced. For instance, there should be clearer requirements on independence of the nominating committee and remuneration committee in respect of non-listed banks. There should also be explicit requirements for risk management committee to be chaired by, and bear a majority of, independent directors. Internationally, there are ongoing developments as regulators continue to enhance their CG regime and supervisory processes in this respect. For such a large and growing banking system in China, there are benefits in having consolidated, clear and concise guidelines in line with international standards to ensure that CBRC’s supervisory expectations are well understood, and to establish a clear minimum standard for the smaller and less complex banks in line with the proportionate approach taken. 267 PEOPLE’S REPUBLIC OF CHINA While much of banking in China is lending and 15. Risk management process LC deposit taking, the market is complex by virtue of its scope and diversity, and banks are getting into new areas of lending and other activities, in response to competition and changes in macro- economic environment. There is also an increasing contribution from the small-and- medium sized banks to the banking system over the past years. Since the previous assessment, there has been significant progress in the banks’ risk management capabilities. The five large banks have moved on to adopting advanced approaches for capital measurement, and internal capital assessment program (ICAAP) and stress tests have become an important part of their risk management. For the other large and medium sized banks, while their risk management capabilities may vary depending on the scale and complexity of activities and risk profile, their management of individual credit risks, market risk, liquidity risks and operational risk have also evolved over time. CBRC issued the Comprehensive Risk Management Guidelines in September 2016, and have been in discussions with banks for months prior to that. Full enterprise-wide risk approaches that integrate strategy setting, monitoring, management and stress testing in ways that consider interactions among risks are challenging, particularly for banks with business activities across geographical regions, with diverse products or non-standard credit posing different types of risks. Some banks are still working on fully complying with the comprehensive risk management guidelines, addressing challenges in IT systems, aggregating non-standard credit, overseas exposures, etc. Assessing whether the banks are fully effective in adopting enterprise-wise risk approaches and fully identify, monitor and manage the risk interactions should continue to be a focus area of supervision for CBRC. CBRC has thus far required only the four globally systemically important banks to prepare and 268 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments submit recovery plans annually for review. There is a need to extend this requirement to the other large banks, in particular those that CBRC assess to be systemically important in the domestic market. In line with the progress towards adopting enterprise-wide risk management approach, CBRC and the banks should further develop their stress testing capabilities, and enhance the robustness of stress testing programs, including stress scenarios design, stress parameters and assumptions, stress testing techniques and interaction of risks under stress 16. Capital adequacy C China has implemented Basel III, setting higher requirements for CET1 and leverage ratio. Capital is calculated on a solo and consolidated basis and CBRC has the authority to impose additional capital requirements on individual banks, as deemed necessary. The CBRC is to be commended for requiring, in principle, the ICAAP to be implemented for all banks, in a proportionate basis. D-SIBs methodology and regulation are under development. 269 PEOPLE’S REPUBLIC OF CHINA Credit risk is the most significant risk factor in 17. Credit risk LC the Chinese banking sector. CBRC’s offsite surveillance has benefitted from enhanced data gathering and information systems, and it identifies and monitors credit risk trends and vulnerabilities of banks for further action. Numerous onsite examinations have been conducted on credit risk. On the other hand, there has been an increase in the scale and complexity of the banks’ credit risk origination activities since the previous assessment, including a shift towards non- standard credit activities such as investments in structured products, off-balance sheet activities, interbank investments, etc. Various guidelines and consultation papers were issued by CBRC in late 2016, setting out important requirements and proposed policies to address these issues that have emerged in recent years. CBRC has made commendable efforts aimed at addressing these challenges and containing specific risks. Given the large number and the diversity of banks and the increasing complexity of activities, it is challenging to ensure that these supervisory expectations have been effectively communicated to all banks across all regions and implemented effectively by them on a timely basis. The fact that banks needed reminders and scrutiny from CBRC to subject these activities to consistent credit risk measurement/management and regulatory requirement also suggests that there is room for banks to have a better appreciation of risk principles and to be more robust and comprehensive in identifying, monitoring and managing bank-wide credit risks. Banks’ compliance with these recently issued guidelines and proposed policy positions, and more importantly, their ability to evaluate, monitor and manage overall credit risks comprehensively should continue to be the focus of CBRC’s supervisory activities. Most regulators have issued broad supervisory 270 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments guidance on credit risk management. Given the size and complexity of the banking sector, CBRC should consider developing a comprehensive guidance on credit risk management in line with international standards to ensure that its supervisory expectations and minimum standards are well understood. CBRC has taken a lot of efforts, through offsite 18. Problem assets, provisions, and reserves LC surveillance and onsite examinations, to ensure that banks classify loans correctly and maintain provisions in line with accounting and regulatory requirements. Industry representatives that assessors met supported the view that loan classification and provisioning have been the focus of CBRC’s supervision and external audit in recent years. There is a need for CBRC to continue its supervisory focus in this area, given the strains that have emerged in several highly indebted corporate sectors coping with overcapacity. It is particularly important to review the current loan classification requirements permitting the use of collateral in influencing NPL classification. While the impact of collateral in NPL classification currently affects only a small proportion of total loans, based on CBRC’s estimate, permitting such practice makes it difficult to properly assess the increase in credit risk at individual bank level and at a system-wide level. Also, in those cases where collateralized loans past due are not in fact classified as NPLs, it could also potentially result in lower provisions being held under CBRC’s minimum requirements (requirements as mentioned in EC 7). Likewise, CBRC should review the requirement permitting loans granted to small enterprises to be classified as NPL only when they are more than 180 days past due. The review should assess whether this practice results in slow downgrading of problem loans and delays the detection of increase in credit risks in this segment. 271 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments CBRC has enhanced its supervision of 19. Concentration risk and large exposure LC concentration risks and monitors concentration limits risks of banks by industries, geographies, corporate groups, etc. Banks are required to include significant risk concentrations in their stress testing programs for risk management purposes. On large exposures, it remains that (under the Company Law) entities with common local government ownership are not considered connected parties by virtue of local government ownership alone. In order for two parties to be deemed as connected, at least one additional relationship has to exist and in September 2016 the CBRC clarified that there should be a consideration of “economic interdependence” between the two parties in making a determination. Since 2014, exposures to banks are subject to a regulatory limit of 50 percent of a bank’s tier 1 capital. This appears excessive, in view of the lower inter-bank limits and inter-G-SIB limits as set out in the BCBS large exposures framework which will take effect from 1 January 2019. As in the previous FSAP assessment, while the 20. Transactions with related parties LC definition of related party is comprehensive, it does not include related banks, and ownership by the state government is not treated as a trigger for related party reporting, limits or approvals. Thus in theory, a commercial bank owned by the local government can lend to local government-owned entities without being covered by the extra due diligence required for related parties. The Related Party Transactions Rule also sets a limit on the aggregate exposures to all related parties of 50% of the bank’s capital, and hence are not as strict as the allowable large exposure limit for a single counterparty or groups of connected counterparties (EC6). 272 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments Country and transfer risk exposures at banking 21. Country and transfer risks C system level have increased slightly over the past few years, and are expected to increase further as Chinese banks expand their presence overseas or finance more overseas projects. Since the issuance of Country Risk Guidelines in 2010, banks now have better appreciation of country risk and many have included country risk in their risk management policies and procedures, including risk limits and stress testing. 22. Market risk C Sound regulations are backed up by good quality supervisory work in terms of on and off-site analysis. The CBRC should be well placed to implement the revised Basel market risk standard that has followed the fundamental review of the trading book. Looking forward, however, the CBRC should continue its path in building its market risk capacity. While there is, at present, only a relatively weak case for banks to develop their trading and market risk activities further, conditions are likely to change over time. 23. Interest rate risk in the banking book C The CBRC has worked to meet the challenges of interest rate liberalization and is currently enhancing its scenario and shock analysis on a pilot basis. Responding to recommendations from the last assessment, the CBRC has enhanced its resource specialization in respect of interest rate risk—there is a specialist team— and routinely analyses data to identify outliers. 273 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments 24. Liquidity risk C The CBRC approach to liquidity risk supervision is more sophisticated and intense than at its last assessment. As with other related risks— market risk and interest rate risk—the CBRC has developed a pool of specialist resources. All banks with assets of no less than RMB200bn are subject to the LCR and this represents approximately 90 percent of the assets of the banking system. The strengthening of liquidity supervision is particularly welcome given market developments, as lower tier banks are becoming increasingly dependent on wholesale funding and such potential vulnerabilities need to be monitored closely and acted upon at an early moment as necessary. 25. Operational risk C There is a considerable variation in the sophistication of banks’ approach to operational risk. As the less complex banks expand their businesses, the challenge for them, as the CBRC is fully aware, is to develop their approach to operational risk in a commensurate manner with their growth. 26. Internal control and audit C CBRC has a strong supervisory focus for banks to maintain a control environment that is commensurate with the risk profile and scale of their business activities. It has put in place requirements for banks to ensure the independence and authority of the head of internal audit and head of compliance, and it pays close attention to the internal control systems and the effectiveness of the three lines of defense. 274 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments Various rules and guidelines have been issued to 27. Financial reporting and external audit LC prescribe the required qualification and independence of external auditors, mandate rotation of external audit firm, and to strengthen the communication between supervisors and the external auditors. Accounting and auditing standards are now substantially in line with international standards. According to CBRC’s estimates, listed banks, which account for about 76% of total banking system assets, have appointed international accounting firms as their external auditors. The Chinese Institute of Certified Public Accountants (CICPA) conducts audit quality review of the accounting firms, with greater focus on the audit of listed corporates, including listed banks. There continues to be a need to increase oversight of the audit of small-to-medium sized banks. As indicated in EC6, CBRC does not have the direct power to reject or rescind the appointment of an external auditor who is deemed unfit to perform a reliable and independent audit. While CBRC has demonstrated that in practice it was able to indirectly remove the external auditors by recommending the banks to do so, the lack of direct legal power is, nevertheless, not in compliance with Essential Criteria 6. 275 PEOPLE’S REPUBLIC OF CHINA Core Principle Grade Comments The accounting disclosures of banks are in line 28. Disclosure and transparency LC with international standards. Disclosures by listed banks, which constitute about 76% of total banking system, is comprehensive. In addition, CBRC has issued additional information disclosure requirements on banks, and the scope and content of information and the level of details required is commensurate with the risk profile and systemic importance of the banks. Given the size and complexity of the banking sector, there is room for more disclosures on the aggregate statistics and risk indicators for overall banking industry to facilitate a better understanding among market participants, analysts and the public of issues affecting the financial system. For instance, this could entail providing more detailed breakdown of balance sheet structure of banks and their risk profiles including liquidity profile, deposit composition, breakdown of loans, concentrations, etc. This can possibly be done with collaboration between PBC and CBRC. 29. Abuse of financial services LC Both regulatory framework and supervisory practices have continued to develop since the last assessment but some gaps still remain. Regulatory standards have been enhanced and policy coordination across institutions has been supported by the AML JMC. The working relationship between the PBC and CBRC is a particular strength. Regulations, though, retain some weaknesses, notably in relation to the treatment of domestic PEPs and the standards and record keeping in relation to identifying ultimate beneficiaries of transactions. Coordination, cooperation and information exchange between the PBC and the CBRC has been lacking in relation to supervisory approaches to individual institutions. The recent decision to conduct joint on-site inspections is very welcome and can be expected to yield many benefits. 276 PEOPLE’S REPUBLIC OF CHINA RECOMMENDED ACTIONS AND AUTHORITIES' COMMENTS A. Recommended Action Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks Reference Principle Recommended Action Principle 1 Review the legal framework eliminating from the Commercial Banks Law the reference to developmental objectives. Ensure that all CBRC communication does not mislead banks as to the CBRC’s commitment, first and foremost, to safety and soundness. Amend the Banking Supervision Law to explicitly grant CBRC powers to have access to de facto parents and their affiliates. Principle 2 Ensure that reasons for dismissal of the Chair of the CBRC must be disclosed publicly. Remove the potential ability for the State Council to over-rule the CBRC’s decision. Widen the CBRC’s autonomy over the management of its resources to ensure greater flexibility in numbers and appropriate skillset of staff, salary scales and internal organization arrangements, so that staff are available as necessary to meet changing risk profiles within the sector. Principle 3 Include into procedures, the need to notify the foreign supervisor in case CBRC is legally compelled to disclose confidential information received from a foreign supervisor. Expand the breadth and depth of data collected from securities and insurance supervisors as needed. Principle 5 Review procedures and training as necessary to ensure that CBRC is well equipped to adequately review the ownership structure and governance of the wider group in complex cases in order not to impose undesired risks to the bank and the banking system. Principle 6 Amend the legal framework requiring that all de facto changes of control, directly or indirectly up to the ultimate beneficial owner are subject to approval by CBRC thus ensuring that cases of significant influence are subject to CBRC scrutiny and approval; Amend the legal framework to have more explicit and clear powers to have access to information of ultimate beneficial owners and controlling interests; Establish procedures in order to receive periodic information on the names and holdings of all significant shareholders or those that exert controlling influence over a bank; 277 PEOPLE’S REPUBLIC OF CHINA Expressly require all commercial banks to notify CBRC as soon as they become aware of any material information which may negatively affect their suitability as a major shareholder. Principle 7 Exercise caution, when authorizing non-banking activities, ensuring that a robust regulatory framework is in place to properly govern such activities, the risks they entail and their implications for the banks, banking groups and the banking system. Review procedures and training as necessary to ensure that CBRC is well equipped to adequately review and assess joint ventures and strategic investments. Principle 8 Adopt a more continuous review and updating approach to banks’ ratings, ensuring links between ratings and data systems that can facilitate automatic changes to ratings where appropriate. Widen the discretion for use of supervisory judgement in the ratings methodology. Complete the resolvability assessment of D-SIBs when D-SIB framework has been established. Principle 9 In the course of the continued development of analytical techniques focus on the interaction of individual risks, as well as business strategy and business model analysis. Principle 11 Establish a coordination framework with the Deposit Insurance Fund. Principle 12 Require annual reporting of group ownership structure up to and including natural persons. Conduct a review and mapping of supervisory information to identify what aspects will be of most value to the CBRC from other financial sector regulators and what information the CBRC can provide in relation to groups under CBRC supervision. Coordination and collaboration on cross sectoral regulation of financial activities should be a priority. Principle 13 Hold periodic colleges for banks, beyond G-SIBs, for which from a home or host perspective are considered appropriate. Take a more proactive approach in communicating to home and host supervisory authorities’ significant findings or supervisory concerns. Principle 14 To establish a consolidated set of guidelines, bringing in elements of requirements that currently exist in other guidelines and listing rules on corporate governance, confirm consistency with international standards and establish clear minimum standards in implementing a proportionate approach for the smaller and less complex banks. The consolidated CG guidelines should also include establishing: - clearer requirements on independence of nominating committee and remuneration committee in respect of non-listed banks. 278 PEOPLE’S REPUBLIC OF CHINA - requirements for risk management committee to be chaired by, and include a majority of, independent directors. Principle 15 Assess whether the banks are effective in adopting enterprise-wide risk approaches and fully identifying, monitoring and managing the risk interactions. Extend the requirement for recovery plan and resolvability assessment to other large banks, in particular those that CBRC assessed to be systemically important in the domestic market. To further develop stress testing capabilities within CBRC and the banks and enhance the robustness of stress testing. Principle 16 While continuing focusing efforts on the proper and effective implementation in the five largest banks, a next step should include commensurate efforts toward mid-sized banks, irrespectively if joint stock, city or rural banks. Establish a D-SIBs framework. Principle 17 Focus on ensuring that all banks have implemented and complied with the recently issued Comprehensive Risk Management Guidelines, Guidelines on Further Enhancing Credit Risk Management, and the proposed tightening measures on off-balance sheet business activities, and also that comprehensive credit risk management is fully embedded across all banks. Consolidate and develop a comprehensive guidance on credit risk management in line with international standards to ensure that CBRC’s supervisory expectations and minimum standards are well understood. Principle 18 Review the current loan classification requirement which permits banks to use good quality collaterals to support categorizing loans more than90 days past due as Special Mention, taking reference from BCBS’ Guidelines on Prudential Treatment of Problem Assets which provides that collateralisation plays no direct role in the categorisation of nonperforming exposures. Review the requirement permitting loans granted to small enterprises to be classified as NPL only when they are more than 180 dpd, to assess whether this practice results in slow downgrading of problem loans and delays the detection of increase in credit risks in this segment. Principle 19 In line with moving towards adopting Basel large exposures framework, - review and clarify the application of the criterion for identifying relationships between entities with common local government ownership. - reduce the regulatory limit on a bank’s interbank exposures (excluding intraday interbank exposures) to 25 percent of its Tier 1 capital and 279 PEOPLE’S REPUBLIC OF CHINA establish a lower limit of 15 percent of Tier 1 capital on a G-SIB’s exposures to another G-SIB Principle 20 Review and bring common ownership of enterprise by local governments into the definition and discipline of related party transactions. Reduce the limit on aggregate related party exposures of 50% of a bank’s capital to a level more consistent with the limits on large exposures. Principle 22 Increase on-site oversight of the foreign banks’ market risk activity. Further cross-sector benchmark reviews of banks’ market risk management should form part of the CBRC’s preparation to implement the revised Basel market risk standards. Principle 23 Use the adoption of the revised Basel standard as a springboard for issuing more extensive guidance to the industry on interest rate risk. Principle 24 Ensure close supervision, and impose limits as necessary, on the scale of wholesale funding in banks not subject to the LCR. Ensure banks conduct stringent and severe stress tests to consider shocks in relation to features of the market that are becoming more pronounced such as wholesale funding and outflows in WMPs. Principle 25 Promote the development of operational risk standards and awareness within the smaller and less complex banks beyond the perspective of internal controls and IT functions. Principle 27 Empower CBRC to reject or rescind the appointment of external auditors who have inadequate expertise or independence, or who do not follow professional standards. Increase audit oversight inspections for audit of small and medium- sized banks. Principle 28 Consider adopting some of the best practices in other countries to enhance disclosures of aggregate statistics and risk indicators for the overall banking industry, to facilitate a better understanding among market participants, analysts and the public of issues affecting the financial system. For instance, this could entail providing more detailed breakdown of balance sheet structure of banks and their risk profiles including liquidity profile, deposit composition, breakdown of loans, concentrations, etc. This can possibly be done with collaboration between PBC and CBRC. Principle 29 Regulations should be strengthened to ensure that the same treatment is applied to both domestic and foreign PEPs. Requirements should be enhanced to ensure that there are explicit obligations for banks to identify the ultimate beneficiaries of transactions and maintain up to date records that are available for inspection at any time. 280 PEOPLE’S REPUBLIC OF CHINA Coordination, cooperation and information exchange between the PBC and the CBRC should be enhanced and systematized. The CBRC should always be informed of decisions to sanction banks, and the reasons for the decision, at the earliest opportunity. An MoU may be useful but is not essential. B. Authorities’ Response to the Assessment 64 36. The CBRC welcomes and supports the BCP Assessment. It has taken the assessment as an opportunity to reflect and evaluate the effectiveness of China’s banking regulation and supervision against international standards. The assessment team demonstrated admirable professionalism and dedication. The CBRC appreciates their hard work, and the opportunity to provide the following comments on the assessment. 37. Since the previous assessment, the CBRC has improved prudential framework, undertaken internal supervisory structural reform, enriched supervisory tools, and enhanced supervisory effectiveness by benchmarking against international standards. These achievements and progress have been largely recognized in the assessment report. The assessment concludes that the banking supervision in China is broadly aligned with the BCP. 38. There are a number of issues in the assessment for which the CBRC would like to provide further clarification. The report identifies that the operational independence of the CBRC may be compromised due to the fact that the CBRC’s decisions could be overturned by the State Council. However, the CBRC does not see this as an independent concern that would compromise its independence or supervisory effectiveness. Pursuant to the legislation regime established by the Legislation Law, only when the regulations or rules issued by an agency violate laws and/or administrative regulations or are in conflict with those issued by other government agencies, may the State Council alter or annul such regulations or rules that are deemed inappropriate. This institutional arrangement has facilitated the establishment of checks and balances which the CBRC and other agencies are subject to and helped maintain the soundness and consistency of the legal system in China. In practice, the State Council has never altered or annulled any regulations or guidelines issued by the CBRC. 39. The assessment report also indicates that the CBRC’s current budgeting and headcount arrangements may stifle the CBRC from performing its role effectively. In recent years, the CBRC has continuously improved the professionalism and efficiency of its supervisors by conducting internal supervisory structural reform, refreshing supervisory techniques, leveraging information technologies and intensifying training efforts. However, the CBRC acknowledges that, like many banking supervisory agencies around the world, it faces challenges in terms of supervisory resources given the growing size and complexity of the banking sector. The CBRC will strengthen the communication and cooperation with relevant agencies to obtain more staffing and budgetary 64 If no such response is provided within a reasonable time frame, the assessors should note this explicitly and provide a brief summary of the authorities’ initial response provided during the discussion between the authorities and the assessors at the end of the assessment mission (“wrap-up meeting”). 281 PEOPLE’S REPUBLIC OF CHINA support, so that it is able to retain high-caliber supervisory staff and better maintain the soundness and safety of the banking sector. 40. The 2012 Core Principles for Effective Banking Supervision fully embodies the post- crisis international consensus on strengthening banking supervision and places more emphasis on risk management. With constant commitment to the prevention of credit risk, the CBRC has required banks to step up the disposal of NPLs, make adequate provisions and increase their resilience against risks. Currently, as banks in China are mainly engaged in deposit-taking and lending business, the risks facing the banking sector are controllable on the whole. In addition, the CBRC pays close attention to cross-sectoral financial risks, requiring banks to apply look-through principle to cross-sectoral financial activities and shorten the chain of transaction. It will also work with relevant agencies to issue harmonized supervisory rules on asset management activities and push the business back to its intended purpose. The assessment report acknowledges that the CBRC has played a major role in the impressive progress that banks have made in improving their risk management, while identifying a number of areas for further improvement. Although the CBRC’s view on the overall risk profile and credit risk level of China’s banking sector is to some extent different from that of the assessors, the CBRC concurs that banks should further improve their group-wide risk management and fully take into consideration the interactions between various types of risks. Meanwhile, the CBRC will continue to enhance its capability in evaluating banks’ risk profiles and risk management processes together with the increase in size and complexity of the Chinese banking sector. 41. It is also identified in the report that transfers of significant ownership and control through indirect holdings remain outside of CBRC purview. The CBRC has been conducting effective supervision on ultimate beneficiary owners according to the relevant supervisory requirements in the Banking Supervision Law, the Company Law and the Implementation Rules on Administrative Licensing of Chinese Commercial Banks, etc. The CBRC is able to monitor the change of ultimate beneficiary owners via formulating institutional overviews, requiring regular submission of relevant information, on-site examinations, interviewing staff, and reviewing documents and takes regulatory measures as deemed necessary. With a view to increasing shareholder transparency, the CBRC is accelerating the effort to optimize the rules governing bank shareholders that will further strengthen the supervision over bank shareholders as well as changes of de facto control from approval to exit. 42. The assessment report has proven to be valuable and rewarding in generating insights and suggestions that will contribute towards the improvement of banking supervision in China. The CBRC appreciates the recommendations made in the assessment, and will take actions on those that are considered appropriate and applicable. The CBRC will continue to draw on international supervisory experience to further optimize China’s banking supervision. In the meantime, the CBRC hopes to deepen and broaden the exchange and cooperation with international financial organizations, so as to contribute towards the enhancement of the resilience of the global banking system. 282