Global menu

Our global pages


Personal accountability, culture, risk management: the HKMA rolls out enhanced Corporate Governance and Risk Management regime

  • Hong Kong
  • Other


 5 things you need to know

  • AIs must comply with new measures aimed at clarifying board and senior management responsibilities, board composition and the role of the chairs and INEDs to promote good corporate governance
  • Particular attention is devoted to group structures, and the need for measures preventing intra-group conflicts and enhancing effective communication with regulators globally
  • The role of the Chief Risk Officer, and effective risk management structures, are under increased scrutiny
  • The need for a sound corporate culture is at the heart of these reforms, which follow the path of the UK’s Senior Managers Regime and SFC’s Manager in Charge Regime
  • AIs have until 1st January 2018 to comply with the new requirements

On 6 October 2017, the Hong Kong Monetary Authority (“HKMA”) issued a revised version of Supervisory Policy Manual modules CG-1 (Corporate Governance of Locally Incorporated Authorized Institutions) and IC-1 (Risk Management Framework) (the “Modules”). The Modules and related circular of the HKMA can be found here:

The Modules should be considered by Authorised Institutions (“AIs”) alongside the HKMA’s existing measures aimed at promoting bank culture reform as detailed in its circular dated 2 March 2017.  Through this circular and the Modules, the HKMA seeks to enhance the corporate governance and risk management standards of AIs, with particular emphasis placed on the roles and responsibilities of the board and senior management in driving and maintaining robust corporate governance and an effective risk management framework.

The increased emphasis placed by the HKMA on the roles of the board and senior management within AIs reflects a wider global regulatory trend.  In recent years, global regulators have sought to emphasise the accountability of senior management in meeting regulatory obligations.  The introduction of the Securities and Futures Commission’s Manager-in-Charge Regime (as set out in its circular here), and in the UK, the Senior Managers Regime to promote good governance practice and enhance accountability among senior management (details of which can be found here) are two recent examples of this trend that the HKMA is embracing.

What has changed?

The newly revised Modules detail the HKMA’s expectations on the role and responsibilities of AIs’ board and senior management in establishing and maintaining effective corporate governance and risk management. In many instances the changes introduced by the Modules are relatively minor amendments to previous requirements. However, a number of more significant changes have also been introduced, including:

  1. The board and senior management have substantially expanded responsibilities with regard to risk governance.These include, setting a risk appetite framework that is consistent with the AI’s strategy, business, capital and financial plans, and overseeing the development and implementation of the AI’s risk management policies and procedures.
  2. The AI’s Chief Risk Officer (“CRO”) should head an independent risk management function to oversee all of the AI’s risk-taking activities.The CRO is expected to have a direct reporting line to the AI’s Chief Executive and to report directly to the board or its risk committee regularly. The CRO should also be provided with unfettered access to any information necessary to perform his duties.
  3. The board is required to provide oversight of the whistleblowing mechanism of the AI and ensure that senior management address legitimate issues that are raised, including the manner in which such issues are to be investigated.
  4. The board must maintain a sufficient level of independence for effective and objective decision-making. To this end, save for exceptional cases, the chair of the board should be an independent non-executive director (“INED”) or a non-executive director and the board should have an adequate number of INEDs.
  5. The board should also either establish a standalone culture committee, which should be chaired by an INED, or charge one of its existing committees with the responsibility for reviewing the effectiveness of the AI’s measures to promote a sound corporate culture and supporting the board on culture-related matters.
  6. The remuneration committee, which should be chaired by an INED, is required to ensure that the AI’s remuneration policy is in line with its risk culture, risk appetite and long-term interests. The remuneration committee should also work closely with the risk committee in evaluating incentives created by the remuneration system.
  7. In relation to group structures, where the AI is a parent or holding company, the board of the AI should, amongst other things, ensure that the group’s corporate governance framework includes appropriate controls to identify and address potential intra-group conflicts of interests. It should also maintain an effective relationship with both the home regulator (i.e. the HKMA) and the regulators of all of its subsidiaries. Where the AI is a regulated subsidiary, and group policy conflicts with any applicable local legal or regulatory requirement, the board of the AI should record its dissent and take necessary steps to protect the AI’s position. This may include seeking independent professional advice and raising the issue with the HKMA.

What should AIs do?

Robust corporate governance and risk management will help AIs reduce the possibility of regulatory failings and associated fines and enforcement action. Consequently, AIs should view the introduction of the Modules as an opportunity to review their corporate governance and risk management framework to ensure that they meet the minimum standards articulated by the HKMA but also wider industry best practice.

The Modules should be read together with the Bank Culture Reform circular of 2 March 2017, which listed a series of measures aimed at enhancing bank culture through the three pillars of governance, incentives, and assessment & feedback. You can access the 2 March 2017 circular here and our article on bank culture reform here. Many AIs are already going through a process of implementing new policies, frameworks and governance structures in compliance with the 2 March 2017 circular, and will welcome the codification of the guidance contained in the circular through the new Modules.

The HKMA expects AIs to implement the requirements set out in the Modules by 1 January 2018. In the event that an AI fails to do so, it may call into question whether the AI satisfies the minimum criteria for authorisation in the Banking Ordinance and cast doubt on the fitness and propriety of its directors.

The HKMA adopts a principles-based approach in assessing the adequacy of the AI’s corporate governance arrangements. In the event that an AI’s approach deviates from that detailed in the Modules, the AI is expected to notify the HKMA and provide justification in support of its alternative approach.

AIs which have not yet embarked on a programme of review and harmonization of their existing policies, frameworks, systems and controls to tackle the Bank Culture Reform circular will need to move quickly in order to comply with the new requirements and meet the 1st January deadline.