Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

The corporation is one of the most fundamental units of the social economy, as well as a crucial civil and commercial subject. Therefore, the various laws and regulations on corporate risk and compliance management and controlling play an irreplaceable key role in the Chinese jurisdiction.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Corporate risk and compliance management and controlling is a relatively broad concept, involving all aspects of corporate operation and governance. The most common topics include: strategy risk, finance risk, market risk and operational risk. At present, China does not have a specialised law or regulation integrating all corporate risk and compliance management and controlling. These provisions are spread across laws and regulations governing various fields. For example, the Company Law and Administrative Regulations on Company Registration outline the general requirements for companies; the Law on Enterprise Income Tax, Basic Rules for Enterprise Internal Control and Financial Rules for Financial Enterprises deal with finance risk management; and the Anti-Unfair Competition Law, Labor Contract Law and Interim Regulations on Prohibition of Commercial Bribery govern operation risk management, etc.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Because undertakings such as limited companies, listed companies and financial institutions are of great importance to China’s economy, all of them are heavily regulated by laws and regulations. In comparison, because listed companies directly affect a wider public interest, they are the most strictly regulated. The major governing laws and regulations in this field include the Securities Law, Guidance for the Articles of Association for a Listed Company and Regulation of Shareholders’ Meeting of Listed Company. Furthermore, in recent years, China has strengthened the risk management and controlling of internet financial institutions, such as the management and controlling of shadow and peer-to-peer (P2P) banking for which the main regulations include the Measures for the Liquidity Risk Management of Commercial Banks (Trial) (amended in 2015) and the Implementation Plan of Specific Rectification Work of P2P Internet Credit Risk.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The main supervisory authorities in charge of corporate compliance management include:

  • the Administration for Market Supervision (and previously the Administration for Industry and Commerce (AIC)): market supervision and management, law enforcement administration;
  • the Tax Bureau: classifying the taxpayer, administration of tax collection;
  • Customs: port management, bonded supervision and management, customs inspection;
  • the Foreign Exchange Authority: supervising the foreign exchange market, managing foreign exchange settlement and sale;
  • the China Securities Regulatory Commission (mainly concerning listed companies): centralised and unified supervision and management of the securities and futures market, supervising listed companies and securities market activities performed by the shareholders of listed companies under their obligations stipulated by the laws and regulations;
  • the China Banking and Insurance Regulatory Commission (mainly concerning financial institutions and insurance companies): examining and approving the establishment, change, termination and business scope of financial institutions and insurance companies, executing the qualification management of the directors and senior executives of banking financial institutions and insurance companies, inspecting the business activities and the related risks of banking financial institutions and insurance companies;
  • the Public Security Bureau: maintaining the social security order, protecting public and private properties, preventing and punishing delinquency activities;
  • the Procuratorate: works on behalf of the State in accordance with law, to exercise the procuratorial authority of a State organ. The main duties are investigating criminal responsibility, raising public prosecution and implementing legal supervision; and
  • the Supervisory Committee: a newly established institution, this is the political organ used to realise the self-supervision of the Party and the State. On behalf of the Party and the State, it supervises all civil servants who exercise public power. It investigates not only illegal behaviours concerning duty, but also criminal behaviours concerning duty.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

Generally, there are some definitions of ‘risk management and controlling’ and ‘compliance management and controlling’ in the laws and regulations regarding financial institutions and listed undertakings. Examples include the Guidelines on Comprehensive Risk Management for Banking Financial Institutions, Measures for the Compliance Management of Securities Companies and Securities Investment Fund Management Companies, Specification for Compliance Management of Securities Investment Funding Management Companies, Measures on Risk Control Standard Management of Securities Companies, Regulation on the Risk Disposal of Securities Companies, Measures on Risk Control Standard Management of Futures Companies and Guidelines on Reputation Risk Management of Insurance Companies.

Processes

Are risk and compliance management processes set out in laws and regulations?

Generally, for financial institutions and listed undertakings, the specific processes of risk management and controlling and compliance management and controlling are stipulated in rules and regulations (such as the rules and regulations mentioned in question 5). However, in China it is rare for rules to set out the specific processes of risk management and controlling and compliance management and controlling for general companies or enterprises, unless the State is strengthening the supervision of a specific industry. If so, there may be some specific risk and compliance requirements for the companies in that industry. In addition, owing to the special status of the State-owned enterprise, the State will announce some principal regulations or guidelines in order to push the State-owned enterprise to conduct risk management and controlling and compliance management and controlling. One example is the Opinion on the Overall Advancement of the Rule of Law Construction of Central Enterprises announced by the State-owned Assets Supervision and Administration Commission of the State Council.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Generally, the standards and guidelines concerning the risk management and controlling and compliance management and controlling of financial institutions and listed companies are based on the laws and regulations. For example, the Guidelines on Comprehensive Risk Management for Banking Financial Institutions stipulate the standards and guidelines for the risk system of banking financial institutions from several perspectives, including risk management structure; risk management strategy; risk preference and risk limitation; risk management policy and procedure; management information systems and data qualification controlling mechanisms; as well as internal controlling and audit systems. However, for general companies, there are no standards and guidelines for specific risk control and compliance control stipulated by law. Generally, companies will establish respective risk and compliance controlling systems based on their own business conditions in order to prevent non-compliance activities from occurring. However, not all companies have their own risk and compliance controlling system. In most cases, only comparatively large-scale enterprises will have a risk and compliance controlling system.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

In China, companies have corresponding risk and compliance obligations (see question 2). There are no laws and regulations that request a company to establish an internal reporting mechanism but, in practice, most large-scale enterprises will actively establish such a mechanism. Generally, the internal reporting mechanism will list the reporting scope, reporting procedure (commonly reporting to an independent department or individual, which means no need for N+1 approval from the informer), award for reporting, punishment for non-reporting and protection for the informer (for example, the informer shall not be demoted or fired, face a reduced salary, etc, because of the reporting).

What are the key risk and compliance management obligations of undertakings?

Internal governance

This mainly includes company governance compliance and financial and tax compliance. Company governance compliance includes the compliance of the board of directors and board of shareholders, the rule of procedure of the board of directors, compliance with equity structure, compliance with various policies of the company, etc. Financial and tax compliance includes compliance with revenue accounting, compliance with tax payment, etc.

External operation

This mainly includes business compliance and third-party compliance. Business compliance refers to compliance with business model, compliance with contract signing procedure, etc. Third-party compliance includes the risk audit for transaction, internal audit and third-party audit, regular assessment and rewards, punishments, etc.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

The risk and compliance management of a company cannot be separated from the establishment and execution of, and adherence to, compliance policy by the management. The main obligations for the management include:

  • establishing the compliance controlling strategy;
  • establishing the risk compliance system;
  • cultivating the risk consciousness of employees and the compliance culture of the company;
  • supervising the compliance operation of the company;
  • being forbidden to embezzle the property of the company via the advantage of convenience of position;
  • being forbidden to take bribes or commit bribery for the benefit of the company or individual;
  • being forbidden to violate the obligation prohibiting business competition; and
  • confidentiality.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. If the non-compliance activity infringes a third party, the third party may be able to sue the company. For example, if the company violates the Cyber Security Law to collect sensitive personal information without the consumer’s authorisation, the consumer may be able to bring civil litigation against the company in order to make the company compensate for the infringement regarding right to reputation, right to privacy, etc. Another example is, if a company fires an employee who conducted non-compliance activity while such activity has not been stated as a reason for dismissal in the compliance governance documents of the company, the company may be sued by the employee.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes. If the company’s non-compliance activity violates the related laws and regulations, the company may face corresponding administrative punishment. For example, if the company violates the Anti-Unfair Competition Law to bribe a trading party, the administrative organisation can impose a penalty, confiscate illegal gains, revoke the business licence and record in the credit record among other punishments.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes. If the company’s non-compliance activity violates the related laws and regulations and meets the standard for filing a criminal case, the company may face corresponding criminal punishment. For example, if the company violates the Criminal Law to smuggle goods or evade the payable tax, the company will have a penalty imposed on it several times the size of the original payment amount.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Yes. If the company’s non-compliance activity violates the related laws and regulations, the legal representative of the company and the senior management involved in the non-compliance activity may face corresponding civil liability. For example, if a company is enrolled on the blacklist of dishonesty because of outstanding debt, according to Interpretations of the Supreme People’s Court on Certain Issues Concerning Application of Enforcement Procedure of the Civil Procedure Law of the People’s Republic of China, the person directly responsible or the person subject to direct liability for affecting the performance of debts may be restricted from leaving the country, staying in a hotel, taking a flight, opening a banking account, etc.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. If the company’s non-compliance activity violates the related laws and regulations, the legal representative of the company and the senior management involved in the non-compliance activity may face corresponding administrative punishment. For example, a senior executive of a company who also holds a post within the Party or acts as a national civil servant may be dismissed from office or expelled from the Party if the company infringes State-owned property.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Yes. If the company’s non-compliance activity violates the related laws and regulations and meets the standard for filing a criminal case, the senior management involved in the non-compliance activity may face corresponding criminal punishment. For example, according to the Criminal Law, if the company unlawfully raises funds and the amount involved is huge, then, in addition to the penalty imposed on the company, the person who is directly in charge will be sentenced to fixed-term imprisonment or criminal detention.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

According to the current laws and regulations in China, there is no generalised compliance defence. However, in judicial practice and law revision, there are some narrow compliance defences. For example, if a company has an express policy that prohibits its employees from bribing medical workers to illegally collect the personal information of consumers, the court can find that the non-compliance activity was individual behaviour conducted by the employee and the company may not face any liability. Another example is that, according to the Anti-Unfair Competition Law, if an employer has evidence to prove there is no relation between the transaction opportunities or competition advantage and an employee’s non-compliance bribery, including that the employer has not gained any benefit owing to the employee’s non-compliance activity, the employer may not be punished.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

In November 2017, Shanghai YangPu AIC decided that employees of Squibb, in the hope of procuring drug sales, sponsored the business class tickets for flights for a hospital medical director to participate in the European Society of Cardiology Congress in London in 2015. The AIC further discovered that, during that period, the hospital that the medical director worked for did purchase related drugs from Squibb in larger amounts than previously purchased. Such behaviour violates the related provisions of the Pharmaceutical Administration Law of the People’s Republic of China. The AIC imposed an administrative punishment on Squibb and the involved individuals, including the confiscation of illegal gains and the imposing of a fine.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Yes. For example, the Several Opinions on Promoting Fair Competition and Maintaining Regular Order in the Market, issued by the State Council on 4 June 2014, put forward recommendations to reform the system of market access. These include setting a clear negative list, vigorously reducing administrative examination and approval of items, banning a disguised form for examination and approval, etc.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

In China, the risk and compliance management obligations for the public sector and private sector are basically the same. However, owing to the different social status, the obligations for the public sector are greater than for the private sector and the punishment for the public sector can be more severe than for the private sector as well. Furthermore, from a criminal perspective, the same behaviour conducted by the public sector or private sector may cause different accusations and criminal punishment. For example, if a public sector employee takes a bribe, the employee may be accused of the crime of taking bribery, which is a specific crime for an employee of the public sector. However, if a private sector employee takes a bribe, the employee may be accused of the crime of non-official servant taking bribery. The standards of criminal punishment for those two crimes are different.

Update and trends

Before the election of the new government of the People’s Republic of China in March 2018, there was some expectation that the new government may to some extent reduce its emphasis on anti-corruption because the anti-corruption struggle since 2014 has already achieved great effects. However, with the new government taking power, they have shown they will continue to strengthen their efforts to combat corruption through public propaganda and practical action.

Among the government’s recent anti-corruption efforts, the most notable are the establishment of the Supervisory Committee and the promulgation of the Supervision Law. Pursuant to the Supervision Law, the Supervisory Committee oversees all functionaries who exercise public power; investigates duty-related violations and crimes; conducts the construction of clean governance and anti-corruption work; and upholds the dignity of the Constitution and laws.

It is worth noting that the Supervisory Committee has absorbed the functions of the Anti-Corruption Bureau within the People’s Procuratorate and greatly expanded the regulatory target. Under the current legal structure, government workers, ranging from top-tier ministers to frontline clerks, all now fall within the scope of the regulatory target of the Supervisory Committee, which also triggers the change of the criminal justice system of the People’s Republic of China.

Against the backdrop of economic globalisation, when Chinese enterprises go abroad to expand their businesses, they face more and more compliance risks that need to be resolved. For example, due to the current Sino-US trade relationship, how Chinese enterprises comply with US regulations and avoid commercial losses is a really pressing issue. Furthermore, with the One Belt and One Road strategy raised by the government, Chinese enterprises may expand their businesses into some countries or regions where they will face serious compliance and corruption risks. How Chinese enterprises conduct their commercial activities within such an environment is a worthy question to explore as well.

Of course, there is no doubt that the Chinese government will keep up the good momentum to perfect its legal system and law enforcement to ensure that businesses from all walks of life can benefit from a fair yet efficient compliance environment.