Special Issue | Jincheng Tongda Insurance Regulatory Update, Issue No. 4 of the Year (Chinese-English Bilingual)

1. Measures for Compliance Management of Financial Institutions

2. Measures for Data Security of Banking and Insurance Institutions

3. Notice on Matters Related to Alignment between Corporate Governance Rules and PRC Company Law

4. Administrative Measures for Criminal Cases Involving Financial Institutions

5. Draft Decision on Amending Certain Regulatory Rules

6. Notice on Matters Related to Extending Transitional Period for Implementation of Solvency Regulatory Rules (II) for Insurance Companies

7. Notice on Improving Supervision of Financial Reinsurance

8. Draft Measures for Regulatory Assessment Indicators and Scoring Rules for P&C Insurance Companies

9. Interim Measures for Risk Classification of Insurance Assets

10. Application Guidelines for the Internal Control of Insurance Fund Utilization (No. 4 to No. 6)

11. Notice on Matters Related to Vigorously Developing Commercial Insurance Annuities

12. Notice on Strengthening Management of Mobile Internet Applications in Banking and Insurance Industries

13. Action Plan for Strengthening Regulation, Preventing Risks, Promoting Reform and Promoting High Quality Development of the P&C Insurance Industry

01

Measures for Compliance Management of Financial Institutions

On December 25, 2024, NFRA promulgated the Measures for Compliance Management of Financial Institutions, which will take effect on March 1, 2025. Summarized below are certain significant changes and adjustments in respect of the compliance management of insurance institutions:

Compliance management responsibilities of internal organizations

(1) The Measures delete the compliance responsibilities of supervisors or the board of supervisors, and provide that the board of directors should be ultimately responsible for the effectiveness of compliance management. The board of directors may establish a compliance committee or have another special committee of the board perform compliance management responsibilities.

(2) The Measures impose the compliance management responsibilities not only on the general manager, as provided under the current rules, but also expressly on all senior management members, providing that “senior management members shall be responsible for implementing compliance management objectives, and bear leadership responsibilities for the compliance of the business areas that they are in charge of or assist in overseeing”.

(3) The Measures clarify that the main responsible person of each department and each subordinate institution should be principally responsible for the compliance management of that department or institution, which should also be part of their performance evaluations. All employees should adhere to relevant compliance requirements and should be responsible for the compliance of their conduct in performing their duties.

Qualifications, duties and responsibilities of chief compliance officers and compliance officers

(1) The position of compliance responsible person will be removed, and the new positions of chief compliance officer and compliance officer will be created. According to the Measures, the headquarters of an insurance institution should have a chief compliance officer, and each provincial branch in principle should have a compliance officer, in each case as a senior management member. Each of the chief compliance officer and compliance officer positions may be maintained as a separate position or taken concurrently by another senior management member, based on the circumstances of the insurance institution’s business operations.

(2) Heightened qualification requirements. The Measures require a dual background in finance and law for chief compliance officers and compliance officers, and require a regulatory approval of their qualifications. A chief compliance officer should have at least eight years of work experience in finance and at least three years of work experience in law and compliance; or at least eight years of work experience in law and compliance and at least three years of work experience in finance; or at least eight years of work experience in finance and have obtained a legal professional qualification certificate. A compliance officer should also meet the aforesaid qualification requirements, except that the 8-year requirement is changed to 6 years. If the general manager of an insurance institution concurrently serves as its chief compliance officer or if the general manager of a provincial branch concurrently serves as its compliance officer, he/she will not be subject to the qualification requirements and will not be required to obtain a separate regulatory approval of qualifications.

(3) The existing chief compliance officer, compliance director, compliance responsible person, or general counsel who is a senior management member, if any, of an insurance institution before the implementation of the Measures may perform the duties of chief compliance officer and compliance officer. The aforesaid persons will not be subject to the qualification requirements under the Measures and will not be required to obtain a regulatory approval of qualifications again before they move to another position.

(4) Compared with the current rules, the Measures make certain significant changes in the duties and responsibilities of compliance management personnel. In addition to the general responsibilities of the chief compliance officer provided in Articles 18 and 21 of the Measures, some new duties and responsibilities are provided, for example:

• Promote the compliance with and implementation of new regulations after their promulgation: assess the impact of new regulations and promote their specific implementation within the insurance institution and corresponding amendments to the institution’s rules and policies;

• Report to the regulator if his/her opinions are not adopted: compliance review should be conducted and written compliance review opinions should be issued on the insurance institution’s development strategies, important internal rules, new product and new business plans, and major decisions. If the chief compliance officer’s compliance review opinions are not adopted, the insurance institution should submit the relevant matters to the board of directors for approval, and major matters should be promptly reported to the regulatory authority.

• Report violations and risks, and urge rectification: where a chief compliance officer discovers any major violation of laws and regulations by the insurance institution and its employees or any major potential compliance risk, he/she should promptly report to the board of directors, chairman and general manager, and has the right to propose measures such as salary deductions, position adjustments, or demotions for responsible personnel and to urge rectification.

• The veto power associated with compliance assessment: where a chief compliance officer or compliance officer detects any internal department or subordinate institution concealing or omitting to report any major illegal or irregular act or any major potential compliance risk, he/she should, in the internal compliance assessment of such department or institution, exercise a “one-vote veto” against the responsible department or institution and the relevant responsible persons, who may not receive excellence ratings or awards, and should promptly promote internal accountability.

Compliance management department and compliance positions

(1) According to the Measures, an independent compliance management department, in principle, should be established at an insurance institution’s headquarters, provincial branches, and consolidated financial subsidiaries at all levels. Other branches that do not have the conditions to set up a compliance management department should, in principle, maintain compliance positions that meet the requirements for performing their duties.

(2) Compliance requirements for overseas branches and overseas financial subsidiaries of insurance institutions. According to the Measures, such branches and subsidiaries should comply with the laws, regulations and regulatory requirements of their host countries (regions), and establish an independent compliance management department or maintain necessary compliance positions to perform duties.

(3) Dual reporting lines. According to the Measures, an insurance institution should ensure independent reporting of compliance officers and adopt dual reporting lines, primarily to the chief compliance officer and secondarily to the general managers of their respective entities. The compliance management department of the headquarters of an insurance institution should report to the chief compliance officer, and the compliance management departments of the provincial branches should report to the compliance officers of such branches. The compliance management departments at lower-level entities should receive guidance and supervision from the next higher-level compliance management departments.

Conflict of interest. The compliance management department and compliance positions of insurance institutions should be independent from front office business, finance, fund utilization, internal audit and other departments or positions that may have a conflict of duties with compliance management, and should not assume any other duties that conflict with compliance management.

Salary protection. The Measures provide that insurance institutions should establish a salary management mechanism for the chief compliance officer, compliance officers and compliance management personnel. If competent in their duties, their total annual compensation package should, in principle, not be lower than the average package for the senior management personnel with the same conditions (same ranking and same performance review results) or for the employees with the same conditions (same type of positions, same ranking and same performance review results) within the entities they are working for. The performance review system for such personnel should ensure independence of the compliance function, and should not be based on the operating results of the business departments or the feedback received from other departments.

Financial Supervision

(1) Under the current rules and the draft version of the Measures, insurance companies are required to submit a compliance management report for the previous year by April 30 of each year. The Measures do not require such a report.

(2) The draft version of the Measures required insurance companies to formulate detailed internal standards for identifying major illegal or irregular acts and major potential compliance risks and to file them with the regulator, but the Measures do not include such a requirement.

(3) Leniency provisions. An insurance institution that actively discovers any illegal or irregular act or potential compliance risk through effective compliance management may receive a lesser penalty from the regulator under certain circumstances in accordance with laws; if the circumstances are minor and the illegal or irregular act is rectified in a timely manner, without causing any harmful consequence, or only the internal rules of the insurance institution are violated, no liability will be pursued. For an illegal or irregular act of an insurance institution, if the chief compliance officer or the compliance officer, the compliance management department or the compliance management personnel have performed their duties diligently, they will not be held liable.

The Measures will apply to insurance group (holding) companies, insurance companies (including reinsurance companies), insurance asset management companies and mutual insurance organizations; the branches of foreign reinsurance companies and the other financial institutions supervised by NFRA and its local bureaus should apply the Measures as a reference in accordance with the sectoral characteristics and regulatory requirements.

02

Measures for Data Security of Banking and Insurance Institutions

On December 27, 2024, the NFRA published the Measures for Data Security of Banking and Insurance Institutions.

Clarify data security governance framework. Banking and insurance institutions should establish a data security responsibility system and designate a centralized management department to be responsible for the data security work and undertake a number of tasks, such as formulating the data security management policies and standards, establishing and maintaining the data catalogue, promoting data classification and tiered protection, and organizing risk monitoring, early warning and resolution. The party committee and board of directors of a banking or insurance institution bear primary responsibility for data security, the institution’s main responsible person is the first responsible person for data security, and the officer in charge of data security is the directly responsible person for data security.

Establish data classification and tiering standards. Banking and insurance institutions should establish a data classification and tiered protection system, establish data catalogues and data classification and tiering standards, dynamically manage and maintain data catalogues, and adopt differentiated security protection measures. Data obtained or generated from the institution’s operations and management should be classified into customer data, business data, operation and management data, system operating and security management data, and so on. In terms of their importance and sensitivity, data should be divided into core data, important data and ordinary data, and ordinary data is further divided into sensitive data and other ordinary data.

Strengthen data security management. Banking and insurance institutions should establish data security management systems and data processing control mechanisms based on their own development strategies. A data security assessment should be conducted before conducting business activities involving processing of data at the sensitive or greater level, or before carrying out activities that have a significant impact on data subjects. Banking and insurance institutions should use IT systems as the main channel for data collection, limit or reduce data collection through other channels or on an ad hoc basis, and should establish a dedicated data service team. A closed-loop management mechanism should be established for data access, and data access behaviors should be audited. During the course of sharing data within a company group, a firewall for data security segregation should be established between the parent company and its subsidiaries, and effective protection measures should be adopted for shared data. When transferring data due to merger, division, dissolution, declaration of bankruptcy, etc., the contents of data transfer should be clarified, the parties should agree by contract, commitment or otherwise for data recipients to fully assume the corresponding data security protection obligations, and data subjects should be informed by a public announcement or otherwise. The Measures also set out the corresponding security management requirements for specific data processing scenarios, such as data processing, entrusted processing, joint processing, data transfer and cross-border data flows.

Improve technical protection of data security. Banking and insurance institutions should establish a data security technical framework, clarify data protection strategies and methods, and adopt technical means to safeguard data security. Banking and insurance institutions should include data in the tiered protection of network security, establish baselines for data security protection in different areas, formulate policies for user access to data, and log operations on data at the sensitive or greater level. Banking and insurance institutions should audit data operations on a periodic basis, with an audit interval not exceeding 6 months. Upon expiry of the term for the use or storage of data at the sensitive or greater level, technical measures should be taken to delete or destroy the data in a timely manner to ensure that the data are unrecoverable. Where supply chain services involve processing of data at the sensitive or greater level, banking and insurance institutions should strengthen the admission and security management of suppliers. When developing an IT system, it is necessary to clarify the data to be processed by the system and its security classification, access rules and protection requirements, and to implement effective system security controls.

Strengthen personal information protection. Banking and insurance institutions should process personal information in accordance with the principle of “Clear Notice and Authorized Consent”, and should collect personal information within the minimum scope and not excessively. Necessary notice should be given and necessary consent should be obtained for processing, sharing and providing personal information to others. Banking and insurance institutions should not refuse to provide a product or service to an individual on the grounds that the individual does not consent to the processing of his or her personal information or has withdrawn the consent, unless such processing is necessary for the provision of the product or service. A personal information protection impact assessment should be conducted when a personal information processing activity has a significant impact on personal rights and interests. When entrusting a third party to process personal information, the parties should specify the entrustee’s obligations for the protection of personal information, and also the measures to be taken and the applicable time periods. Where personal information is or may be divulged, tampered with or lost, remedial measures should be taken immediately, and the matter should be reported to the regulatory authorities.

Improve data security risk monitoring and resolution mechanism. Banking and insurance institutions should incorporate data security risks into their comprehensive risk management system; clarify the management processes for risk monitoring and assessment, emergency response reporting and incident handling; formulate data security emergency response plans and conduct emergency response training and drills periodically. Banking and insurance institutions should conduct an annual data security risk assessment, their audit departments should conduct a comprehensive data security audit at least once every three years, and a special audit should be conducted after a major data security incident occurs. Data security events are classified into 4 levels, i.e. very significant, significant, relatively significant and ordinary events, based on the scope and extent of their impact. Among other things, a data security event should be reported to NFRA or its local bureau within 2 hours after its occurrence, with a formal written report due within 24 hours after its occurrence. Within 5 business days after a data security event is handled, an evaluation, summary and improvement report on the event and its handling should be submitted to the relevant local bureau of NFRA.

Clarify supervisory and administrative responsibilities. NFRA should formulate a catalogue of important data for the banking and insurance industry and make suggestions for a catalogue of core data. Banking and insurance institutions should report their catalogues of important data to NFRA as required, and promptly report the updated catalogues upon any major change. For data sharing, entrusted processing, transfer transactions and data transfer involving batch data at the sensitive or greater level, banking and insurance institutions should report to NFRA or its local bureaus 20 working days before the processing or execution of contracts, unless otherwise stipulated. Banking and insurance institutions should submit the data security risk assessment report for the previous year to NFRA or its local bureaus by January 15 of each year.

03

Notice on Matters Related to Alignment between Corporate Governance Rules and PRC Company Law

On December 17, 2024, NFRA issued a Notice on Matters Related to Alignment between Corporate Governance Rules and PRC Company Law, to clarify the relevant requirements for banking and insurance institutions to maintain the board of supervisors and employee directors, in order to achieve alignment with the PRC Company Law.

The Notice permits financial institutions, in light of their own circumstances, either to retain the board of supervisors and supervisors, or alternatively to have the audit committee of the board of directors perform the functions and duties of the board of supervisors, without maintaining the board of supervisors or supervisors. If a financial institution abolishes the board of supervisors, its existing external supervisors who meet the independent director qualification requirements may switch to serve as independent directors in accordance with the independent director selection process, provided that the original external supervisorship and the new independent directorship should not have a cumulative term of more than six years in principle.

Those institutions with 300 or more staff members should have employee director(s) on the board of directors, unless they maintain the board of supervisors and employee supervisor(s) as well in accordance with law. Employee directors are to be elected by the company’s staff members democratically through the employee representative assembly, employee assembly or otherwise. Senior management personnel and supervisors should not concurrently serve as employee directors. The Notice requires financial institutions to strengthen communications with shareholders, employees and other stakeholders, and promote the work related to amending their articles of association and selecting the relevant personnel based on their actual circumstances.

04

Administrative Measures for Criminal Cases Involving Financial Institutions

On September 2, 2024, NFRA issued the Administrative Measures for Criminal Cases Involving Financial Institutions, which superseded the Administrative Measures for Criminal Cases Involving Banking and Insurance Institutions (Trial) and seven other rules. The Measures provide for the scope of criminal cases, the reporting and handling obligations, and the regulatory actions.

Scope of Criminal Cases

(1) The Measures require financial institutions to report criminal cases to financial regulatory authorities. Specifically, a criminal case under the Measures is a criminal case for which the public security, judicial or supervisory authorities have opened a file for investigation and in which the staff members of a financial institution take advantage of their positions during business operations to harm the interests of the financial institution or its clients, or unlawfully obtain credit and engage in illegal financial activities. The staff members of a financial institution include those who have signed labor contracts and are serving with the financial institution when the cases occur, and also the directors, supervisors, senior management personnel, insurance agents and those individuals who are providing auxiliary financial services under service contracts.

(2) The Measures also define (criminal) case risk events to mean those incidents that have not met the criteria for but may evolve into criminal cases, such as those incidents that have been reported but have not been accepted as criminal cases or where the investigation authorities are unable to determine the linkage between the relevant criminal act and the business operations. Case risk events are subject to the same reporting requirements as criminal cases. After reporting a case risk event, a financial institution should verify it promptly.

(3) In addition to ordinary cases, those cases meeting any of the following criteria will be considered major cases: (i) involving an amount of more than RMB100 million; (ii) involving a risk exposure amount (i.e., the amount involved minus the cash or cash-equivalent amount already recovered) of more than RMB50 million and accounting for more than 10% of the net assets of the financial institution; or (iii) having a substantial adverse social impact, such as significant negative public opinions, mass policy cancellations, or potential regional or systemic risks.

Information Reporting and Handling

(1) Reporting of Case Information. Within 5 business days after a case occurs, the financial institution should report it to the relevant local bureaus of NFRA and the headquarters of the institution. If a major case occurs at a branch of a financial institution, the headquarters of the institution should review the case and report it to NFRA or its relevant local bureau within 5 business days after receiving the branch’s report.

(2) Conducting Business Investigations. After reporting a case, the financial institution should investigate the relevant business and submit reports on time. For any major case or any case involving personnel directly managed by the headquarters, the investigation team should be led by the responsible person of the headquarters. The investigation generally should be completed, with a report submitted, within six months, but the financial institution may apply in writing for an extension for up to six months each time.

(3) Requirements for Rectification and Case Closure Reports. Financial institutions should formulate a rectification plan for the case, including the rectification measures, timelines and responsibilities, and submit the plan to the regulatory authorities. Within one year after submitting a case report, a case closure report should be submitted to the relevant regulatory authorities, but the financial institution may apply in writing for an extension for up to six months each time.

Regulatory Actions

NFRA and its local bureaus will guide and supervise financial institutions to ensure effective case handling. For major complex cases, on-site supervision may be conducted. After a financial institution submits a case closure report, the regulatory authorities should complete the regulatory review within six months, subject to extension for up to six months each time. If a case remains pending after two years, the regulatory authorities may take measures such as supervisory interviews and demand a rectification within a specified period of time.

05

Draft Decision on Amending Certain Regulatory Rules

On December 25, 2024, NFRA published the draft Decision on Amending Certain Regulatory Rules for public comment.

The following provision is proposed to be added to the Management Measures for Affiliated Transactions of Banking and Insurance Institutions: The affiliated transactions between banking and insurance institutions on the one hand, and their directors, supervisors, senior management personnel and their close relatives, the enterprises directly or indirectly controlled by such personnel, and the other related parties of the directors, supervisors and senior management personnel, on the other hand, should be reviewed by the affiliated transaction control committee and submitted to the board of directors for approval, and should not be entitled to the exemption from review and approval under Article 57 of the Measures. If the subject matters of such affiliated transactions are daily financial products and services provided by the banking and insurance institutions, involving a single transaction amount of less than RMB500,000 for natural persons or less than RMB5 million for legal persons and a cumulative amount lower than the thresholds for significant affiliated transactions, the board of directors may adopt a unified resolution on such affiliated transactions.

06

关于延长保险公司偿付能力监管规则(Ⅱ)实施过渡期有关事项的通知

Notice on Matters Related to Extending Transitional Period for Implementation of Solvency Regulatory Rules (II) for Insurance Companies

On December 16, 2024, NFRA issued the Notice on Matters Related to Extending Transitional Period for Implementation of Solvency Regulatory Rules (II) for Insurance Companies.

According to the Notice, NFRA has extended the transitional period, which would have expired at the end of 2024, to the end of 2025. Those insurance companies whose solvency adequacy ratios are impacted relatively significantly by the switch from the old rules to the new rules can communicate with NFRA and its local bureaus before January 15, 2025, and NFRA will determine the transitional period policy for each particular company by the end of February 2025.

07

关于改进财务再保险监管的通知

Notice on Improving Supervision of Financial Reinsurance

On November 11, 2021, NFRA issued the Notice on Improving Supervision of Financial Reinsurance. Financial reinsurance contracts are those reinsurance contracts that are intended mainly to transfer the market risks, credit risks, etc. of insurance products and to improve the solvency of ceding companies (cedents).

Restrictions on cedents' entry into financial reinsurance contracts. The Notice requires cedents to have an integrated risk rating of Class C or above in each of the past four quarters before signing a financial reinsurance contract. The improvement in the comprehensive solvency adequacy ratio directly attributable to all the existing effective financial reinsurance contracts should not exceed 30 percentage points, and any excess will not be recognized.

Restrictions on reinsurers’ entry into financial reinsurance contracts. The Notice requires reinsurers to have an integrated risk rating of Class BB or above in each of the past four quarters before signing a financial reinsurance contract. The revenues generated by a reinsurer from the entry into financial reinsurance contracts should not exceed 30% of the total premium revenues in the previous fiscal year. An overseas reinsurer should have a credit rating of A or above in the past year. An overseas retrocessionaire to which a domestic retrocedent retrocedes the risks should have a credit rating of A or above in the past year. If the relevant assets are actually transferred, the overseas retrocessionaire should provide guarantees to the domestic retrocedent for the retrocession business by way of a deposit of funds or stand-by letter of credit, etc. If the relevant assets are not actually transferred and no guarantee such as a deposit of funds or stand-by letter of credit has been provided, then the basic factor should be 0.499 when calculating the minimum capital for the counterparty default risk in respect of reinsurance accounts receivable and reinsurance reserve receivables for the ceding business.

Prohibited behaviors. The Notice provides that a financial reinsurance contract should actually transfer the relevant risks, and prohibits the following: (1) a contract with an actual term of less than 5 years; (2) the cedent reducing or eliminating the reinsurer’s liability for compensation, or granting the reinsurer the option to unilaterally amend the contractual clauses or terminate the contract in advance when, for example, the cedent suffers an increasing loss or a significant decrease in solvency; (3) entering into “shadow contracts” or “drawer contracts”; (4) engaging in regulatory arbitrage or window dressing of financial indicators or operating data by way of financial reinsurance contracts; (5) other illegal and irregular behaviors.

Responsibilities of relevant parties in financial reinsurance. The Notice provides that before its execution, a financial reinsurance contract should be reviewed by the board of directors of the cedent on a case-by-case basis. The financial responsible persons and chief actuaries of the cedents and reinsurers in financial reinsurance should report the relevant matters about the financial reinsurance contracts to their board of directors and senior management, and bear the direct responsibility for the relevant matters, with their chairmen of the board and their general managers bearing the ultimate responsibility. After the execution of a financial reinsurance contract, the cedents should not engage in blind expansion of business scale or aggressive investment, and their board of directors should formulate a solvency improvement plan. After the execution of financial reinsurance contracts with overseas companies, the domestic cedents should strengthen the monitoring of the related party relationships among the overseas reinsurers and the management of the business concentration and credit risks.

Responsibility for information reporting. The Notice requires a cedent to truthfully report certain important information about a financial reinsurance contract, including the counterparty, purpose and anticipated impact, type of ceded business, etc., to NFRA or its local bureau within 10 working days after its execution.

Transitional arrangements. When signing new financial reinsurance contracts, insurance companies should meet the requirements under the Notice. Financial reinsurance contracts signed before the issuance of the Notice can be terminated in accordance with their terms. An insurance company should adopt a rectification plan if it finds it quite difficult to meet the two requirements (the comprehensive solvency adequacy ratio of the cedent directly improved by all the existing effective financial reinsurance contracts should not exceed 30 percentage points, and the revenues generated by the reinsurer from the entry into financial reinsurance contracts should not exceed 30% of the total premium revenues in the previous fiscal year); in principle, the relevant requirements should be met within three years from the issuance of the Notice.

08

财产保险公司监管评级及评分规则(征求意见稿)

Draft Measures for Regulatory Assessment Indicators and Scoring Rules for  P&C  Insurance Companies

In September 2024, the Property Insurance Department of NFRA published the draft Measures for Regulatory Assessment Indicators and Scoring Rules for P&C Insurance Companies.

The draft provides for a regulatory assessment system for P&C insurance companies via a total of 104 indicators across nine different dimensions (corporate governance, solvency and risk management, business operations and underwriting profits, reinsurance, fund utilization and asset liability, liquidity risk, information technology, other risks, and regulatory adjustments). The draft takes into account the different sizes of companies. For example, when evaluating the business operations of a company, the company’s own performance will be compared to the industry average, and the scores will be determined on a weighted basis by reference to the company’s business structure. Compared to the regulatory assessment system for life insurance companies, the draft increases the weights of indicators such as the solvency and risk management capabilities and the business operation and underwriting capabilities, and also includes certain special categories such as IT risks and reinsurance. The draft includes certain specific indicators on the scale of business in areas such as green and technology business, encouraging P&C insurance companies to develop green insurance, technology insurance, liability insurance, domestic trade credit insurance, short-term export credit insurance, etc. The draft includes certain indicators and rules that are intended to guide the companies to compare the offering costs and investment returns related to Tier 2 capital bonds in order for them to reasonably increase their supplementary capital and optimize their capital structures.

09

保险资产风险分类暂行办法

Interim Measures for Risk Classification of Insurance Assets

On August 2, 2024, NFRA promulgated the Interim Measures for Risk Classification of Insurance Assets, which will become effective on July 1, 2025.

With the continuous expansion of the scope of insurance fund investment and the increasing complexity of the investment structures, the Guidelines for Five-Level Risk Classification of Insurance Assets issued by the former CIRC need to be improved in terms of regulatory binding force, scope and standards for asset classification, and third-party supervisory mechanism, etc. The Interim Measures clarify the classification methods, classification standards, use of classification results, supervisory mechanism and subject responsibility for the risk classification of insurance assets, with a view to accurately assessing investment risks and truly reflecting asset quality.

Classification Methods. The Interim Measures adopt differentiated classification methods for fixed-income assets, equity assets and real estate assets, including a five-level risk classification method for fixed-income assets (namely Normal, Special Mention, Substandard, Doubtful and Loss), and a three-level classification method for equity assets and real estate assets (namely Normal, Substandard and Loss). The Interim Measures also refine the look-through approach for asset classification, and clarify that where the classification is uncertain, the lower level should prevail, and where a look-through is difficult, the relevant products can be classified based on their expected loss ratios.

Classification Standards. For fixed-income assets, the Interim Measures adjust the standards related to overdue days of the principal or interest payments on the assets, impairment reserve ratio, etc., in alignment with commercial banks, and also include additional provisions related to stakeholder risk management status, collateral quality, etc. For equity and real estate financial products, the Interim Measures clarify the qualitative and quantitative standards, require a look-through to determine the product quality and risk status of the invested enterprises or real estate projects, and require that the asset classification level be determined based on the risk status of the underlying assets and the expected loss ratios.

Use of Classification Results. The Interim Measures require insurance companies to focus their attention on non-performing assets, frequently downgraded assets, and long-term equity investments with fair value persistently lower than book value, and to dynamically monitor changing risk trends, fully provide for asset impairment, and adopt risk prevention and resolution measures in a timely manner. The classification results should not be used for illegal or improper purposes such as unfair competition and misleading financial consumers. The regulators will incorporate the insurance companies’ asset risk classification management and results into the regulatory assessment system and the solvency supervisory system, prudently evaluate the quality and risks of insurance assets, and implement differentiated supervision.

Division of responsibilities between insurance companies and insurance asset management companies. The Interim Measures require insurance asset management companies to classify the risks of entrusted assets, issue the risk classification results as duly approved, and promptly submit them to the insurance company. The overall asset risk classification results should be approved by the insurance company’s board of directors or its authorized organization.

Organization and management of insurance asset risk classification. The Interim Measures optimize the three-step “preliminary classification, review and approval” working mechanism for risk classification and specify the job responsibilities of the investment functional departments, risk management functional departments, and the board of directors or its authorized organizations. The Interim Measures reiterate that the board of directors should bear the ultimate responsibility for the asset risk classification management, and also strengthen the senior management’s responsibility for the oversight of risk classification. Senior management should be responsible for developing asset risk classification policies, promoting their implementation and reporting to the board of directors periodically.

Supervision and constraints. The Interim Measures require insurance companies to include the asset risk classification policies, procedures and implementation status in the internal control audit of insurance fund utilization. For an insurance company found in violation of the rules on insurance asset risk classification, NFRA or its relevant local bureau has the right to conduct prudential regulatory talks with its board of directors and senior management; issue a regulatory opinion letter; require it to strengthen asset risk classification management, formulate rectification plans and file the plans with the regulator; and order it to adopt effective measures to mitigate the asset risks.

10

保险资金运用内部控制应用指引(第4号-第6号)

Application Guidelines for the Internal Control of Insurance Fund Utilization (No. 4 to No. 6)

On December 20, 2024, NFRA published the Application Guidelines for the Internal Control of Insurance Fund Utilization (No. 4 to No. 6).  Based on the Guidelines for the Internal Control of Insurance Fund Utilization published in 2015, the Application Guidelines clarify the operational procedural requirements for non-standard assets in respect of project screening, project approval, due diligence, business negotiation, investment decision-making, contract signing, transaction execution, and post-investment management, and also strengthen the performance and responsibility requirements for the investment decision-making committee and refine the key points of post-investment management.

The Application Guidelines require insurance companies to establish operational processes or rules covering each business process, specifying the responsibility requirements and operational standards, and to regularly inspect and evaluate the status of implementation of the investment-related systems.

The Application Guidelines require the professionals from the legal, compliance and risk management departments or positions to participate and provide opinions in the project review after the completion of due diligence. The due diligence report and other due diligence information should be shared among investment execution, legal, compliance, risk management, and post-investment management departments or positions. Investment professionals and legal professionals should jointly participate in the negotiation of important commercial terms, and should incorporate the business negotiation results in writing in the investment agreements or other legal documents. For direct equity investment and real estate investment, the Application Guidelines require insurance companies to hire third-party professional institutions to provide due diligence and other professional services in accordance with regulatory requirements.

The Application Guidelines require insurance companies to make prudent decisions on a case-by-case or project-by-project basis and document the decisions in writing. If, after an equity or real estate project is approved, a significant change occurs during investment execution that has a material impact, it should be reported to the investment decision-making body for approval.

In the post-investment management stage, the Application Guidelines require insurance companies to clarify the post-investment management departments or positions, designate a dedicated person to manage each investment project or financial product, and prepare post-investment management reports periodically. The Application Guidelines include lists of key points of the post-investment management for (major) equity investment, real estate investment, and financial product investment.

In addition to the unified requirements discussed above, the Application Guidelines also provide for certain different specific requirements for investments in equity stakes, real estate and financial products respectively, based on their different characteristics.

11

关于大力发展商业保险年金有关事项的通知

Notice on Promoting Development of Commercial Insurance Annuities

On October 18, 2024, NFRA issued the Notice on Promoting Development of Commercial Insurance Annuities.

According to the Notice, commercial insurance annuities refer to those products developed by commercial insurance companies that are capable of managing pension risks and accumulating funds over the long term, including annuity insurance, endowment insurance, commercial pensions, etc. The Notice emphasizes that insurance companies should enhance the design and service level of their pension annuity products to support the management of pension risks in the whole life cycle of customers. Insurance companies are encouraged to develop annuity products with long-term payout and explore diversified pension payout models. Insurance companies should optimize their product design and meet their customers’ liquidity needs in various ways.

According to the Notice, the pilot program for commercial insurance annuities will be further expanded, and insurance companies will be able to participate in the pilot program gradually on a one-by-one basis once a particular company can meet the relevant requirements. Pension insurance companies should improve their business processes and customer experience and strengthen risk management during the pilot period. The Notice emphasizes that the regulatory authorities should establish and improve a regulatory system that is suitable for the characteristics of commercial insurance annuities and implement strict supervision. Insurance companies should strengthen the synergies between insurance funds and pension services from the perspective of long-term and stable investment.

12

关于加强银行业保险业移动互联网应用程序管理的通知

Notice on Strengthening Management of Mobile Internet Applications in Banking and Insurance Industries

On September 14, 2024, NFRA issued the Notice on Strengthening Management of Mobile Internet Applications in Banking and Insurance Industries.

Strengthen coordination and management. The Notice regulates the mobile internet applications that provide financial services to customers, including but not limited to mobile apps, mini-programs and official accounts. The Notice requires financial institutions to designate a leading department for mobile application management, enhance collaboration between business and technology, and clarify management responsibilities. Financial institutions should establish a mobile application ledger, improve the entry and exit mechanism, and coordinate the mobile application development plans across the different departments and branches to reasonably control the number of mobile applications. When collaborating with government departments, enterprises or other third parties to build mobile applications, financial institutions should specify the particular entities responsible for the mobile application management through a contract or agreement.

Strengthen lifecycle management. The Notice emphasizes that financial institutions should ensure that the design, development and management of their mobile applications meet the relevant compliance requirements. Financial institutions should also enhance compatibility management between mobile applications and operating environments, conduct compatibility tests before system upgrades and, when necessary, formulate modification and contingency plans. Mobile applications with low user activity, poor user experience, redundant functions or significant security and compliance risks should be optimized, consolidated or discontinued in a timely manner.

Implement risk management responsibilities. The Notice requires financial institutions to implement regulatory requirements concerning mobile application filing, cybersecurity, data security, outsourcing management, business continuity and personal information protection. Financial institutions should comply with the national cybersecurity classified protection system, employ encryption for data transmission, and promptly monitor and address risks. Financial institutions should, in accordance with the principle of “those who manage the business should also manage the data and the security”, ensure that the business management departments perform their duties. For outsourced services, strict control should be implemented over data access permissions, and outsourcing vendors should enhance data security management and prevent data breaches. Financial institutions should conduct a risk assessment of mobile applications at least once every year and conduct an audit at least once every three years. In the event of a significant mobile application risk incident, a special audit should be conducted immediately.

13

关于强监管防风险促改革推动财险业高质量发展行动方案

Action  Plan for Strengthening Regulation, Preventing Risks, Promoting Reform and Promoting High Quality Development of the P&C Insurance Industry

On December 5, 2024, the General Office of NFRA published the Action Plan for Strengthening Regulation, Preventing Risks, Promoting Reform and Promoting High Quality Development of the P&C Insurance Industry.

The Action Plan requires strengthening the look-through equity supervision, enhancing the substantive review of shareholder qualifications, source of funds and behaviors, strictly controlling the admission of key personnel such as chairman and general manager, and improving the access and exit mechanism for P&C insurance branches. Implement high-intensity supervision of those P&C insurance companies with significant risks and hidden dangers, and research relevant procedures for escalation to higher-level regulators. Explore classified supervision based on scopes of business, and introduce differentiated regulatory measures. Strengthen the supervision of affiliated transactions and fund utilization, focusing on issues such as transfer of benefits to shareholders and their related parties and circumventing regulation and hiding risks by way of multi-layered nested investments. Strengthen the supervision of data authenticity, and enhance the management of non-life insurance reserve funds. Research optimizing the shareholder qualification and shareholding requirements, and support P&C insurance companies in increasing capital and issuing capital supplementation tools. Strengthen the supervision of new businesses and new business models, and strengthen risk warning for companies with governance deficiencies, sustained operating losses, asset liability mismatches, and near-insufficient solvency. Urge problematic institutions to initiate and implement recovery and resolution plans when necessary, encourage the merger and restructuring of P&C insurance companies, and adopt market-oriented and law-based methods to resolve risks. For P&C insurance companies with high risks and lacking sustainable operating capabilities, arrange their exit from the market in accordance with law, and research the relevant supporting policies.

Attorney Advertising

This information is offered only for general informational and educational purposes. It is not offered as and does not constitute legal advice or legal opinion. This material is intended, but not promised or guaranteed to be current, complete or up-to-date. Communication of the information is not intended to create, and the receipt does not constitute, an attorney-client relationship. You should not act or rely on any information contained in this material without first seeking the advice of a qualified attorney.
