
- requirement to maintain adequate accounting systems and adequate systems of control

10 Effective from 1 January 2018, IAS39 was replaced by International Financial Reporting Standard 9 which requires the recognition of expected credit losses on financial assets and commitments to extend credit.

84. Paragraph 10 provides that the MA must be satisfied that the institution presently has, and will if authorized continue to have, adequate accounting systems and adequate systems of control. These are essential for ensuring the prudent and efficient running of the institution’s business, safeguarding its assets, minimising the risk of fraud, monitoring the risks to which the institution is exposed and complying with legislative and regulatory requirements. In assessing whether an institution’s records and systems are adequate, the MA has regard to the nature, scale and complexity of its operations, the volume of transactions undertaken, its structure and organisation, and the geographical distribution of the business. The MA’s expectations of the general objectives and major components of internal control systems in respect of risk management are set out in IC-1 “Risk Management Framework” of the SPM. The sound practices contained in IC-1 are also applicable to a sound remuneration system and are reflected in the SPM module on “Guideline on a Sound Remuneration System” (CG-5). IC-1 is also supplemented by other SPM modules that provide guidance on internal controls for specific types of risk or business activities (e.g. CR-G-12 “Credit Risk Transfer Activities”).

85. The MA expects an authorized institution to put in place and maintain adequate management information systems and adequate systems of control with a view to providing the MA with timely information as required for resolution planning as well as managing an orderly failure of the institution. The MA’s core information requirements for resolution planning for authorized institutions are set out in the Code of Practice chapter on “Resolution Planning – Core Information Requirements” (CI-1) issued pursuant to the FIRO.

86. An internal audit function is essential to the maintenance of adequate internal control systems, providing the board and senior management of an authorized institution with an independent, objective evaluation of the condition of the institution’s systems and controls and identifying weaknesses to be rectified. The MA therefore expects every authorized institution to maintain an internal audit function that is appropriate for the size, nature, scope and complexity of the institution’s operations. The MA’s expectations on the key role, responsibilities and qualities of an institution’s internal audit function, and its approach in assessing the effectiveness of the function, are set out in the SPM module on “Internal Audit Function” (IC-2).

87. Every authorized institution is also subject to examination of the adequacy of its accounting systems and internal control systems by either the MA’s own bank examiners or the institution’s external auditors. “Adequacy” in this context covers both the existence of records and controls and whether they are working effectively.

88. As described in Chapter 3 of the Guide to Authorization, reports by external auditors may be recurrent in nature or ad hoc. Under section 63(3) and 63(3A) of the Ordinance, the MA requires auditors’ reports to be submitted on an annual basis covering the following areas -

(a) the accuracy of prudential returns or other information;

(b) controls relating to the compilation of prudential returns or other information;

(c) controls which enable compliance with statutory provisions in the Ordinance; and

(d) for institutions incorporated in Hong Kong, controls to enable the maintenance of adequate provisions.

89. In addition, the MA has the power under section 59(2) of the Ordinance to require auditors’ reports to be submitted on an ad hoc basis covering matters which are relevant to the exercise of his functions under the Ordinance. This would include aspects of internal control such as the following -

(a) high level controls;

(b) controls relating to the financial accounting and management reporting systems;

(c) specific controls relating to particular areas of institutions’ business operations (such as loans and advances, internet banking etc.);

(d) computer controls;

(e) contingency planning; and

(f) controls to prevent money laundering and terrorist financing.

Guidance in respect of external auditors’ reporting obligations under the Ordinance is laid down in the SPM module on “Reporting Requirements Relating to Authorized Institutions’ External Auditors under the Banking Ordinance” (IC-3).

90. The MA attaches particular importance to the maintenance of effective and risk-based internal controls to combat money laundering and terrorist financing. Such controls are necessary to maintain confidence in both individual banks and the system as a whole and to protect the reputation of Hong Kong as an international financial centre. Prevention of money laundering and terrorist financing is the subject of regular discussion with authorized institutions, and where appropriate, their external auditors. The MA has issued the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Authorized Institutions) to provide practical guidance to assist authorized institutions and their senior management in designing and implementing their policies, procedures and controls to meet the relevant statutory and regulatory requirements, including but not limited to those under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance. In addition, a range of supervisory engagement with authorized institutions is employed to assess the adequacy and effectiveness of their controls in this area. In considering an application for authorization from an institution incorporated overseas, the MA will take into account whether the home jurisdiction of the applicant is identified by the Financial Action Task Force (FATF) in public statements as one of the jurisdictions that are subject to a call by the FATF to apply countermeasures or enhanced due diligence measures.

91. In the light of the involvement of a growing number of institutions in the trading of securities and derivatives and the conduct of insurance and MPF intermediary activities, it is also essential that senior management has a full understanding of the nature of these activities and that there are comprehensive risk management systems to control them. It is particularly important that adequate controls such as segregation of duties and responsibilities between the business units and the risk management and settlement

badly on the directors and senior management of the institution concerned. The MA has set up special teams to conduct focused examinations of authorized institutions in these areas. Moreover, there should be effective systems of control to ensure compliance with the relevant regulations and minimum standards that the MA expects authorized institutions to adopt, including but not limited to margin and other risk mitigation techniques set out in the SPM module on “Non-centrally Cleared OTC Derivatives Transactions – Margin and Other Risk Mitigation Standards” (CR-G-14) and those under the SFO¹¹.

92. Authorized institutions which want to operate their Hong Kong offices as a booking centre for derivative trades conducted in Hong Kong or elsewhere should discuss their plans with the MA in advance. In assessing an authorized institution’s plan, the MA will take into account whether the authorized institution has in place adequate and effective systems and controls to manage the risks arising from the activities. These include, but are not limited to, an appropriate risk governance framework, effective risk limits, proper policies and procedures, and adequate risk management capabilities. Institutions which wish to adopt internal models for calculating regulatory capital charges are required to seek prior approval of the MA under the Banking (Capital) Rules.

93. It is the requirement of the MA that authorized institutions undertaking wealth management or private banking business should record the activities and positions of their customers in Hong Kong, including transactions undertaken by the customers, their holdings of assets and deposits, as well as credit facilities granted to them. This is to ensure that the MA has adequate and timely access to all relevant information to enable him to perform his functions under the Ordinance. There may however be cases where the positions of some customers of an institution are recorded in the books of an office of the institution or of its group company outside Hong Kong because of, say, customer preference. In such cases, the institution should satisfy the MA that he will have adequate and timely access to any such records which are necessary for the performance of his functions.

94. Overseas operations add to the complexities of an institution’s business structure and control. The MA therefore requires to be notified where an authorized institution incorporated in Hong Kong proposes to establish an overseas branch, representative office or banking subsidiary. Under sections 49 and 51A of the Ordinance, the approval of the MA must be obtained for such establishments. CG-4 “Establishment of Overseas Banking Subsidiaries: S51A” of the SPM sets out the MA’s expectations and requirements in this area. The MA will need to be satisfied, inter alia, as to the financial capacity of the parent bank to acquire the overseas subsidiary, the adequacy of control by the parent bank over the management of the overseas operation and the adequacy of the internal control systems to be established within that overseas operation.

95. In assessing the overall adequacy of the accounting records and control systems of an institution which is incorporated outside Hong Kong (other than in respect of its business in Hong Kong), the MA will have regard to the views of the home supervisor as well as taking account of any other information which may be available to him.

11 For instance, in respect of OTC derivative transactions, there should be effective systems of control to ensure compliance with the applicable mandatory reporting, clearing, trading and the related record keeping obligations.
