The Internal Control System at VPBank is designed for senior management to monitor the Bank’s operations. It also aims to help carry out internal control, risk management, internal audit of capital adequacy and internal audit. In terms of functions and roles, internal control activities are at the core of the System.
As presented in Chapter 1 - Overview of Internal Control System at VPBank, internal control involves all of VPBank’s operations, business processes and departments with a view to ensuring compliance with laws, managing conflicts of interest, detecting and dealing with violations, and contributing to enhanced awareness of individuals and departments throughout the Bank.
Internal Control at VPBank is carried out to achieve the following: (i) VPBank's operations comply with laws and regulations; (ii) conflicts of interest are managed and violations are detected and dealt with; (iii) awareness of internal controls is enhanced to build and maintain a control culture at VPBank.
Internal Control at VPBank is implemented through Control Activities, Information Exchange Mechanisms and Management Information System.
VPBank's control activities are implemented through the following:
- Decentralization of the authority to make decisions must be based on levels of credibility of competent bodies/authorities involved and capability of individuals and departments. The authority to make decisions must be based on transaction sizes, risk limits and other restrictions;
- Functions and duties assigned to individuals and departments from the lowest to the highest levels in all transactions and operational procedures at VPBank must be determined based on the following principles: (i) Members of the Board of Directors (“BOD”) shall not consider and make decisions on matters that fall within the functions and duties of the CEO unless such member is the very CEO; (ii) Functions and tasks in respect of transactions and business processes shall be separated such that conflicts of interest can be avoided or controlled; no single individual shall be assigned to take exclusive control over a transaction/transaction process; no single individual shall be assigned to carry out conflicting works; independent individuals in the same unit or independent units shall be made available to conduct ordinary or extraordinary inspections; (iii) If conflict of interest is likely or violations occur, monitoring must be put in place and measures must be taken to minimize the risks.
- The responsibility for managing assets must be assigned based on the assets’ value or other specific restrictions in accordance with internal regulations;
- Accounting must comply with accounting standards and regimes; Accounting procedures must be checked and verified to detect and promptly handle errors;
- Violations of law and internal regulations must be prevented or handled in a timely manner;
- Human resources must be allocated according to each business activity and control.
Control activities of VPBank’s Head Office over branches and dependent units must ensure that:
- Head Office is able to supervise and control transactions and activities of branches and dependent units;
- There are regulations on functions, tasks, reporting mechanism, salary, reward, disciplines, staff rotation and other mechanisms to ensure independence and no conflict of interest;
- Mechanisms are available to allow customers to check and verify transactions performed at branches/dependent units with Head Office.
Control over credit extension, in addition to complying with the above control principles, must control conflicts of interest on the basis that individuals or units tasked with credit appraisal are independent of those in charge of (i) Customer relationship, (ii) Re-appraisal (if any), (iii) Approval of credit extension, (iv) Control over credit risk limits, management of doubtful debts, making and using provisions to deal with credit risks.
Control over proprietary trading, in addition to complying with the above control principles, must ensure that: (i) There exists a unit specified for proprietary trading on a decentralized and independent basis, (ii) Proprietary trading is carried out within appropriate limits and accounting, (iii) Information, documents and dossiers on proprietary trading are adequately and promptly provided to individuals and units having the authority to control, (iv) Internal procedures are available for execution and settlement of proprietary trading.
MECHANISMS FOR INFORMATION EXCHANGE:
- The information exchange mechanisms at VPBank are organized in a systematic, open and transparent manner and in a way that ensures that all individuals and units are well aware of and agree with internal policies;
- Information exchange mechanisms are implemented through management information systems and other information mechanisms;
- The following principles must be ensured: (i) Information is exchanged from the upper level to the subordinate level and to the relevant individuals and units; (ii) Information on the internal control system is exchanged from lower to higher level, from branches and dependent units to Head Office;
- Information on new products, new market activities, losses, frauds, and risk of loss and fraud is exchanged in a timely manner with specialized units (Risk Management Division, Internal Audit Division and related units);
- The higher the risk, the more frequent the exchange of information.
MANAGEMENT INFORMATION SYSTEM:
- VPBank's management information system is organized to provide information and internal reports to the BOD, SB, CEO and relevant individuals and units to ensure compliance.
- The management information system includes: internal reports and other management information; the organizational structure for managing and operating the management information system; collecting, processing, archiving and providing information, and building, sending, receiving and processing reports; appropriate IT infrastructure.
- The management information system must ensure that: it supports the implementation of the information exchange mechanism; information and data are provided fully, accurately and in a timely manner; sources of information and data are tested for reliability; the compliance situation is updated; confidentiality and security of information, data and backup systems are maintained; it is reviewed and evaluated annually and on an ad hoc basis, and is upgraded and updated regularly.
IMPLEMENTATION OF INTERNAL CONTROL AND THE ROLE OF LEGAL & COMPLIANCE DIVISION (“L&C”)
Internal controls are implemented by all units and individuals throughout the VPBank system, specifically:
- At the First Protection Line ("Layer 1"): Business Units and Operational - Support Units perform their initial control functions by fulfilling the corresponding compliance obligations when performing their main functions and obligations, on the principle that no prohibited acts are allowed, all requirements are completed, and laws and internal procedures are always complied with; they report to leaders and units of Layer 2 so that issues are settled in a timely manner.
- At the Second Protection Line ("Layer 2"): L&C and Risk Management Division assist Layer 1’s units in developing internal regulations and procedures to ensure compliance with the law, and assess compliance.
- At the Third Protection Line ("Layer 3"): The Internal Audit Division assists the SB in evaluating internal control, independently inspects and evaluates the internal control of Layer 1 and Layer 2, and makes recommendations.
LEGAL AND COMPLIANCE DIVISION
As the Unit playing a joint role in internal control and the implementation of compliance duties, L&C performs the following functions:
- Assisting the CEO in assessing the suitability and legal compliance of internal regulations; assisting the CEO in reporting to the BOD and the SB on serious violations of laws and internal regulations;
- Reporting periodically and on an ad hoc basis to the CEO about compliance with the law; reporting and notifying relevant legal changes;
- Supporting units in developing and reviewing internal regulations and handling compliance problems.