Guidelines for Compliance Management by Insurance Companies
保险公司合规管理指引
These Guidelines aim to help insurance companies cope with compliance risks through specialized corporate governance stipulations.
(Issued by the China Insurance Regulatory Commission on September 7 2007 and effective as of January 1 2008.)
Bao Jian Fa [2007] No.91
PART ONE: GENERAL PROVISIONS
Article 1: These Guidelines have been formulated pursuant to such laws and regulations as the PRC Company Law, the Provisions for the Administration of Insurance Companies, and the Guiding Opinions on Regulating the Governance Structure of Insurance Companies (Trial Implementation) in order to regulate the governance structure of insurance companies and strengthen compliance management by insurance companies.
Article 2: For the purposes of these Guidelines, the term "compliance" means that the insurance business and management acts of an insurance company, its employees and its marketing personnel shall comply with laws and regulations, the provisions of the regulatory authority, the self-regulation rules of the industry, the company's internal management rules and the ethical standard of good faith.
For the purposes of these Guidelines, the term "compliance risk" means the risk of legal liability, regulatory penalties, financial losses or loss of reputation triggered by non-compliant insurance business and management acts by an insurance company, its employees or its marketing personnel.
Article 3: Compliance management is the act whereby an insurance company prevents, identifies, assesses, reports and counters compliance risks through measures such as the establishment of a compliance management department or compliance positions, formulating and implementing compliance policies, implementing compliance monitoring and providing compliance training. Compliance management is one of the core aspects of the comprehensive risk management of insurance companies and is one of the fundamental tasks in implementing effective internal controls.
An insurance company shall, in accordance with the requirements hereof, formulate and improve compliance management rules, improve its compliance management organizational structure, clarify responsibilities for compliance management, establish a compliance management system and effectively identify and actively guard against and eliminate compliance risks so as to ensure the stable operations of the company.
Article 4: Everyone has a responsibility for compliance. An insurance company shall promote and foster a good compliance culture, endeavour to foster an awareness of compliance among all of its employees and marketing personnel and treat the creation of a compliance culture as an important integral part of the creation of the company culture.
Compliance shall commence from the top. The board of directors and the senior management personnel of an insurance company shall promote compliance concepts such as voluntary compliance and compliance creating value in the company's promotion of the ethical standard and values in respect of good faith so as to foster the effective interaction of the insurance company's internal compliance management and external regulation.
Article 5: The China Insurance Regulatory Commission (the CIRC) and its agencies shall conduct monitoring inspections of the compliance management of insurance companies in accordance with the law.
PART TWO: COMPLIANCE DUTIES OF THE BOARD OF DIRECTORS, SUPERVISORY BOARD AND GENERAL MANAGER
Article 6: The board of directors of an insurance company bears the ultimate responsibility for the company's compliance management and shall perform the following compliance duties:
(1) considering and approving compliance policies, monitoring the implementation of such policies and carrying out annual assessments of the implementation of such policies;
(2) considering, approving and submitting to the CIRC the company's annual compliance reports and taking measures to solve the issues reflected in such reports;
(3) deciding on the engagement, dismissal and remuneration of the compliance officer based on the recommendation of the general manager;
(4) deciding on the establishment of the company's compliance management department and its functions;
(5) ensuring that the compliance officer can communicate independently with the board of directors, the audit committee of the board of directors or other special committee; and
(6) other compliance duties as specified in the company's articles of association.
Article 7: The audit committee of the board of directors of an insurance company shall perform the following compliance duties:
(1) reviewing and submitting to the board of directors the company's annual compliance reports;
(2) regularly examining the company's semi-annual compliance reports;
(3) listening to reports on compliance matters by the compliance officer and compliance management department, and submitting comments and proposals to the board of directors; and
(4) other compliance duties as specified in the company's articles of association or determined by the board of directors.
An insurance company may, based on its own particular circumstances, designate another special committee established by the board of directors to perform the compliance duties specified in the preceding paragraph.
Article 8: If an insurance company has a supervisor or supervisory board, the supervisor or supervisory board shall perform the following compliance duties:
(1) monitoring the performance by the board of directors and senior management personnel of their compliance duties;
(2) monitoring whether the decisions and decision-making process of the board of directors are compliant;
(3) submitting recommendations to dismiss directors or senior management personnel who trigger major compliance risks;
(4) submitting recommendations to the board of directors to replace the company's compliance officer;
(5) investigating, in accordance with the law, irregularities in the company's operations and requiring the company's compliance officer and compliance management department to give their assistance; and
(6) other compliance duties as specified in the company's articles of association.
Article 9: The general manager of an insurance company shall perform the following compliance duties:
(1) establishing and enhancing the company's compliance management organizational structure based on the decisions of the board of directors, recommending a compliance officer to the board of directors, establishing the compliance management department and providing it with sufficient resources to perform its duties;
(2) reviewing the company's compliance policies submitted by the compliance officer and implementing the same after consideration by the board of directors;
(3) organizing an identification and assessment of the company's compliance risks at least once each year and reviewing the company's compliance risk management plan for the following year;
(4) reviewing and submitting to the audit committee of the board of directors the company's annual and semi-annual compliance reports;
(5) taking appropriate remedial measures in a timely manner if he/she discovers that the company has committed non-compliant business or management acts, pursuing the attendant liability of the persons responsible for compliance violations and making reports thereon in accordance with provisions; and
(6) other compliance duties as specified in the company's articles of association or determined by the board of directors.
The general managers of the branches and core sub-branches of an insurance company shall perform the compliance duties specified in Items (3) and (5) of the preceding paragraph.
PART THREE: COMPLIANCE OFFICER AND COMPLIANCE MANAGEMENT DEPARTMENT
Article 10: An insurance company shall have a compliance officer. The compliance officer shall be a member of the senior management personnel of the head office of the insurance company. The compliance officer may not concurrently manage a business department or the finance department of the company.
When an insurance company is to appoint a compliance officer, it shall submit his/her name for approval in accordance with the Provisions for the Administration of the Qualifications of the Directors and Senior Management Personnel of Insurance Companies and the relevant provisions of the CIRC.
When an insurance company dismisses its compliance officer, it shall report the same and give a reason therefor to the CIRC within 10 days after the dismissal.
Article 11: The compliance officer of an insurance company shall be accountable to the general manager and board of directors and perform the following duties:
(1) formulating and revising the company's compliance policies and submitting them to the general manager for review;
(2) transmitting compliance policies considered and approved by the board of directors to all of the company's employees and marketing personnel and arranging for their implementation;
(3) formulating under the guidance of the board of directors and the general manager the company's annual compliance risk management plans, having full responsibility for the company's compliance management work and leading the compliance management department or compliance positions;
(4) submitting proposals to the general manager and the audit committee of the board of directors on a regular basis for improving compliance, and reporting, in a timely manner, to the general manager and audit committee of the board of directors major compliance violations committed by the company or its senior management personnel;
(5) reviewing and signing off on various compliance documents, such as compliance reports issued by the compliance management department; and
(6) other compliance duties as specified in the company's articles of association or determined by the board of directors.
Article 12: The head office of an insurance company shall establish a compliance management department. An insurance company shall, depending on the scale of its business, its organizational structure and the requirements of its risk management work, establish compliance management departments or compliance positions in its (sub-)branches.
The compliance management departments, compliance positions and compliance personnel of the (sub-)branches of insurance companies shall be accountable to the person in charge of the relevant (sub-)branch and the compliance management department or compliance positions at the next higher level.
An insurance company shall determine the organizational structure, duties and rights of its compliance management department or compliance positions in the form of compliance policies or other formal document and specify measures to ensure the independence thereof.
Article 13: An insurance company must ensure the independence of its compliance management department or compliance positions and implement independent budgets and assessments therefor. The compliance management department or compliance positions shall be independent from the business departments, finance department and internal audit department.
Article 14: The compliance management department shall perform the following duties:
(1) assisting the compliance officer in formulating and revising the company's compliance policies and annual compliance risk management plans and promoting their thorough implementation, and assisting the senior management personnel in fostering the company's compliance culture;
(2) organizing and coordinating the company's departments and (sub-)branches in formulating and revising position compliance handbooks and other compliance management rules and regulations;
(3) implementing compliance risk monitoring, identification and assessment, and reporting compliance risks;
(4) preparing annual, semi-annual and other compliance reports;
(5) participating in the development of new products and new business, identifying and assessing compliance risks and providing compliance support;
(6) being responsible for formulating and implementing the company's anti-money laundering rules;
(7) organizing compliance training, implementing codes of conduct for employees and marketing personnel and providing compliance advice to employees and marketing personnel;
(8) reviewing the company's important internal rules and regulations and business procedures, and proposing the formulation or revision of the company's internal rules and regulations and business procedures based on changes in, and the development of, laws, regulations, regulatory provisions, and the self-regulation rules of the industry;
(9) maintaining routine work contact with the regulatory authority, assessing on an ongoing basis regulatory measures and requirements and providing relevant opinions and suggestions thereon; and
(10) other compliance management duties as determined by the board of directors.
The specific duties of compliance positions shall be determined by the company with reference to the provisions of the preceding paragraph.
Article 15: An insurance company shall secure the enjoyment of the following rights by its compliance officer, compliance management department and compliance positions through rules and regulations:
(1) obtaining the information necessary to perform their compliance management duties through means such as attending meetings, reviewing documents, interviewing relevant personnel, receiving reports on compliance matters, etc.;
(2) conducting independent investigations of persons who committed or may have committed compliance violations and of the events and, when necessary, engaging professionals or professional organizations to assist them in their work;
(3) enjoying an unobstructed reporting channel and submitting reports to the general manager, the audit committee of the board of directors or the board of directors through the chain of reporting determined by the board of directors; and
(4) other rights as determined by the board of directors.
Article 16: An insurance company shall employ a sufficient number of compliance personnel for the compliance management department or compliance positions. Compliance personnel shall have the appropriate qualifications and experience to perform their duties, have professional knowledge in law, insurance, accounting, finance, etc., and, in particular, have the ability to comprehend laws, regulations, regulatory provisions, the self-regulation rules of the industry and the company's internal management rules. An insurance company shall enhance the professional skills of its compliance personnel through regular and systematic education and training.
The board of directors and senior management personnel shall support the compliance management department, compliance positions and compliance personnel in the performance of their work duties and take measures to genuinely ensure that the compliance management department, compliance positions and compliance personnel do not suffer unfair treatment as a result of performing their duties.
Article 17: An insurance company shall employ full-time compliance personnel for the compliance management department of its head office. Qualified insurance companies shall employ full-time compliance personnel for the compliance management departments or compliance positions of their (sub-)branches.
Article 18: Compliance is not the responsibility solely of the compliance management department, compliance positions and professional compliance personnel, but the responsibility of each employee and each member of the marketing personnel of an insurance company. The departments and (sub-)branches of an insurance company shall bear direct and primary responsibility for the compliance management that falls within the scope of their duties.
The departments and (sub-)branches of an insurance company shall take the initiative to carry out routine compliance self-examinations, submit compliance risk information or risk points to the compliance management department or compliance positions on a regular basis and support and cooperate in the risk monitoring and assessment of the compliance management department or compliance positions.
The compliance management department and compliance positions shall provide compliance support for the business activities of the company's departments and (sub-)branches and their employees and marketing personnel, and assist and guide the company's departments and (sub-)branches in formulating position compliance handbooks and carrying out compliance management.
Article 19: An insurance company shall establish a mechanism for coordination among the compliance management department and other risk management departments.
The other risk management departments of an insurance company shall be responsible for identifying and assessing various types of risks, including their own compliance risks, reporting relevant compliance risk information to the compliance management department and supporting the compliance risk monitoring and assessments of the compliance management department.
Article 20: The compliance management department of an insurance company shall be separate from the internal audit department and be subject to regular internal audits by the internal audit department.
An insurance company shall establish a clear cooperation and information exchange mechanism between its compliance management department and internal audit department. Once an audit is completed, the internal audit department shall communicate the results and conclusions of its audit to the compliance management department. The compliance management department may also, at its own initiative, propose an audit to the internal audit department based on the results of its monitoring of compliance risks.
PART FOUR: COMPLIANCE MANAGEMENT
Article 21: An insurance company shall formulate compliance policies and submit the same to the CIRC for the record after the consideration and approval thereof by the board of directors.
Compliance policies are programmatic documents for compliance management by an insurance company, and shall include at least the following:
(1) the company's compliance management objectives and basic principles;
(2) the compliance culture promoted by the company;
(3) the compliance responsibilities of the board of directors and senior management personnel;
(4) the company's compliance management framework and chain of reporting;
(5) the status and duties of the compliance management department; and
(6) the company's main procedures for identifying and managing compliance risks.
An insurance company shall assess its compliance policies each year and, depending on compliance work requirements, revise the same.
Article 22: An insurance company shall formulate documents such as codes of conduct for employees and marketing personnel, and position compliance handbooks, implement the company's compliance policies and provide guidance to its employees and marketing personnel in implementing the compliance policies.
The codes of conduct for employees and marketing personnel shall specify the basic codes of conduct that all of the company's employees and marketing personnel are required to jointly observe and may specify particular requirements for directors, supervisors and senior management personnel. The position compliance handbook shall specify the business procedures and standards for each position.
Article 23: An insurance company shall make explicit the chain of reporting of compliance risks, including the chain for reports to the compliance management department or compliance positions by the insurance company's marketing personnel, other company departments and their staff, the chain of reporting for compliance management departments or compliance positions at each level and the chain for reports by the company's compliance management department or compliance positions and the compliance officer to the general manager, the audit committee of the board of directors and the board of directors.
An insurance company shall specify the duties of each person and unit along the chain of reporting, specify the contents, method and frequency of the reports of the reporting persons and requirements as to whether the persons who receive the reports directly handle the matter or forward the same to a higher level.
Article 24: An insurance company shall identify, assess and monitor the compliance risks attaching to the following matters:
(1) insurance business acts, including advertising, publicity, product development, sales, underwriting, claims handling, after-sale service, anti-money laundering, customer service, customer complaint handling, etc.;
(2) insurance capital application, including the provision of security, financing, investment, etc.;
(3) establishment, change, merger and closing down of, and strategic cooperation between, insurance organizations;
(4) company internal management decision making and implementation of rules and regulations; and
(5) other acts that could trigger compliance risks.
Article 25: An insurance company's important internal management rules and business rules shall be submitted to the compliance management department for examination and be signed in approval by the compliance officer before their issuance and implementation.
The compliance officer and compliance management department of an insurance company shall ensure the compliance of the company's important internal management rules and business rules.
Article 26: The compliance management department of an insurance company shall conduct various types of compliance surveys in the company upon the request of the senior management personnel, the audit committee of the board of directors or the board of directors.
Once a compliance survey is completed, the compliance management department shall prepare a report on the results and conclusions of the survey and submit the same to the unit that requested it.
Article 27: The compliance management department of an insurance company shall establish a coordination mechanism with the company's human resources department, formulate compliance training plans, develop effective compliance training and education programmes and regularly organize compliance training.
The directors, supervisors and senior management personnel of an insurance company shall obtain compliance training appropriate to their duties. An employee shall receive compliance training when he/she enters the company, is promoted or is transferred to a different position.
Article 28: An insurance company shall establish a mechanism for the reporting of compliance violations and ensure that each employee and member of the marketing personnel has the right and the means to report compliance violations.
Article 29: An insurance company shall establish an effective compliance assessment and accountability system, treat compliance management as an important item of the company's annual performance assessments, assess and evaluate the performance by management personnel at every level of their compliance duties and pursue the liability of management personnel who commit compliance violations.
PART FIVE: EXTERNAL REGULATION OF COMPLIANCE MANAGEMENT
Article 30: The compliance management department of an insurance company shall be responsible for organizing the study of the important regulatory documents issued by the CIRC, issuing risk reminders and putting forth compliance proposals.
The compliance management department of an insurance company shall make inquiries to the CIRC in a timely manner, accurately understand and comprehend regulatory requirements and give feedback on the company's opinions and suggestions.
Article 31: An insurance company shall submit to the CIRC by April 30 each year its annual compliance report for the preceding year. The board of directors of the insurance company shall be liable for the truthfulness of the compliance report.
The company's compliance reports shall contain the following:
(1) an overview of the status of compliance management;
(2) the formulation, assessment and revision of compliance policies;
(3) information on the compliance officer and compliance management department;
(4) details of the company's internal management rules and business procedures;
(5) information on the compliance of material business activities;
(6) the operation of the compliance assessment and monitoring mechanism;
(7) the major compliance risks to which the company is exposed and countermeasures thereto;
(8) major compliance violations and the handling thereof;
(9) details of compliance training;
(10) issues in compliance management and improvement measures; and
(11) other information.
The CIRC may, based on compliance requirements, require on an irregular basis an insurance company to submit various comprehensive compliance reports or compliance reports on specific matters.
Article 32: The CIRC shall regularly monitor and evaluate the compliance management of insurance companies through means such as compliance reports and onsite inspections, and the results of such evaluations shall serve as an important basis for the implementation of stratified regulation.
PART SIX: SUPPLEMENTARY PROVISIONS
Article 33: These Guidelines shall apply to share system insurance companies, share system insurance holding (group) companies, wholly foreign-owned insurance companies and Sino-foreign equity joint venture insurance companies, and apply mutatis mutandis to wholly state-owned insurance companies, foreign insurance company branches and insurance asset management companies.
Insurance holding (group) companies may formulate group-wide compliance policies and codes of conduct for employees and marketing personnel with reference to these Guidelines.
Article 34: The CIRC shall strengthen its guidance and promote the establishment and enhancement of compliance management systems by insurance companies based on the actual development of insurance companies and in line with the principles of differentiated treatment and stratified guidance.
Insurance companies shall take into consideration their own particular circumstances and implement the requirements hereof by the deadline specified by the CIRC.
Article 35: For the purposes of these Guidelines, the term "(sub-)branches of an insurance company" means an insurance company's branches and core sub-branches.
Article 36: The CIRC shall be in charge of interpreting these Guidelines.
Article 37: These Guidelines shall be effective as of January 1 2008.