Bank of Albania Regulation 42/2011 on Statutory Auditors for Banks and Foreign Bank Branches

REPUBLIC OF ALBANIA BANK OF ALBANIA SUPERVISORY COUNCIL DECISION No.42, dated 15.06.2011 THE APPROVAL OF REGULATION “ON THE STATUTORY AUDITOR OF BANKS AND BRANCHES OF FOREIGN BANKS” In accordance with Article 43 “c” of the Law No. 8269, dated 23.12.1997 “On the Bank of Albania” as amended, and Article 48, paragraph 1 of the Law No. 9662, dated 18.12.2006 “On banks in the Republic of Albania”, having regard to the proposal from Supervision Department, the Supervisory Council of the Bank of Albania, DECIDED:

1. To adopt the regulation “On statutory auditor of banks and branches of foreign banks” and its Annex, as provided in the texture attached herewith.
2. The Supervision Department of the Bank of Albania is responsible for the implementation of this decision.
3. The Department of Foreign Relations, European Integration and Communication is responsible for the publication of this decision in the Official Bulletin of the Bank of Albania and in the Official Journal of the Republic of Albania.
4. The decision No.6 dated 29.01.2003, of the Supervisory Council “The Approval of Regulation “On statutory auditor of banks”, as amended, shall be abrogated upon the entry into force of this Decision.
5. This decision shall enter into force on the 15 day following that of its publication in the Official Journal of the Republic of Albania. Secretary Chairman YLLI MEMISHA ARDIAN FULLANI 1

REGULATION “ON STATUTORY AUDITOR OF BANKS AND BRANCHES OF FOREIGN BANKS” CHAPTER I General provisions Article 1 Purpose The purpose of this regulation is to set out: a) The criteria, terms and procedures for the approval of statutory auditor of banks and branches of foreign banks from the Bank of Albania; b) The auditing by the statutory auditor of banks and branches of foreign banks for the purposes of the Bank of Albania; c) The relationships between statutory auditor of banks and branches of foreign banks and the Bank of Albania. Article 2 Legal ground This regulation is issued in accordance with: a) Article 12, (a) and Article 43 (c), of the Law No. 8269 dated 23.12.1997 “On the Bank of Albania”, as amended (hereinafter in this regulation referred as the Law “On the Bank of Albania”; b) Article 47, Article 48 (1) and Article 49 (3) of the Law No. 9662, dated 18.12.2006 “On Banks in the Republic of Albania”, (hereinafter in this regulation referred as the Law “On Banks”); c) Law No. 10091, dated 05.03.2009 “On legal auditing, organisation of approved licensed statutory auditor” (hereinafter referred as the Law “On legal auditing”); d) Law No. 9228, dated 29.04.2004 “On accounting and financial statements”, as amended (hereinafter in this regulation referred as the Law “On accounting”). Article 3 The scope of application This regulation shall apply on banks and branches of foreign banks licensed by the Bank of Albania to conduct banking and/or financial activities in the Republic of Albania (hereinafter in this regulation referred as “banks”). 2

Article 4 Definitions

1. The terms used in this regulation shall have the same meaning with the terms defined in the laws “On banks”, “On legal auditing” and in the Law “On accounting”.

2. In addition to paragraph 1 of this Article, for the purpose of this Regulation, the following terms shall have these meanings: a) “statutory auditor”, shall imply the audit company, as stipulated in Article 2 (20) of the Law “On legal auditing”; b) “individual expert of legal person”, shall imply the key audit partner, accordingly to the stipulation of Article 2 (12) of the Law “On legal auditing”. Chapter II Criteria to select the statutory auditor and the approval procedure by the Bank of Albania Article 5 Criteria

3. Bank of Albania shall approve as authorised statutory auditor only the legal person being granted a license or registered in the Public Registry of Statutory Auditors to conduct this activity in the Republic of Albania, who in addition to the criteria set out in Article 48 of the Law “On Banks” shall meet the following criteria: a) To have (three) years of experience in the field of legal auditing of financial statements of banks or other financial subjects, which hold the accounting pursuant with the International Financial Reporting Standards (IFRS); b) At least two of partners or employed persons of this company have obtained the professional title “statutory auditor”; c) During the last two years, Bank of Albania has not requested the re￾auditing carried out by him in compliance with the stipulations of Article 51 (1) of the Law “On Banks); d) To enjoy considerable professional ethic; and e) To not have interests’ conflicts with the bank he audits, accordingly to the stipulations of the Law “On legal auditing”.

4. Individual expert of legal person registered in the Public Registry of statutory auditors, should meet the following criteria: a) To have 3 (three) years of experience in the auditing of financial statements of banks or other financial subjects which hold accounting, 3

in pursuance with the International Financial Reporting Standards (IFRS); b) To enjoy a high professional ethic, and; c) To not have interests conflict with the bank he audits. 3. The bank shall provide the compliance with the criteria stipulated in paragraph 2 of this Article for the individual expert of legal person. Article 6 Documentation

1. On the approval of statutory auditor, the bank shall submit to the Bank of Albania, the following documentation: a) The decision of shareholders’ Assembly or of the relevant authority of parent bank (in case of a branch of a foreign bank) for the appointment of the statutory auditor; b) The program of bank auditing; c) Statutory auditor’s letter of commitment or the contract of supplied service, which shall in addition contain the commitment for the implementation of the requirements of the Law “On banks” of this Regulation; d) A document which certifies that the company of statutory auditors has at least 3 (three) years of experience in the auditing field of financial statements of banks or other financial subjects which hold accounting pursuant to the International Financial Reporting Standards (IFRS); e) A certificate issued from the Institute of Statutory Auditors containing the recent audit’s results of the quality for the statutory auditor; f) A declaration on the meeting of the criteria set forth in Article 5, paragraph 1 (e) of this Regulation.

2. The documentation required in the above paragraphs shall be provided in Albanian language, either in original or a notarised copy. In case of documentation in foreign language, this letter shall be submitted in original or a notarised copy and should be accompanied by the translated and notarised copy in Albanian. Article 7 Procedures for the approval of statutory auditor

3. The bank shall submit to the Bank of Albania, no latter than July of each year, the application and the complete documentation in writing on the approval of statutory auditor, in compliance with all requirements of Chapter II of this Regulation.

4. Bank of Albania shall evaluate the application and the accompanying documentation presented in compliance with the terms and criteria of this Regulation. 4

5. If the documentation presented accordingly to Article 6 of this Regulation is uncompleted, Bank of Albania, within 10 (ten) business days from its submission, shall inform the bank on the identified shortages. The bank shall complete the missing documents within 15 (fifteen) business days from the notification of the Bank of Albania, otherwise the application will be considered as not presented.

6. Date of application acceptance for the approval of the statutory auditor, shall be considered the date when the applicant has met all the requirements of the required documentation in line with article 6 of this Regulation.

7. Bank of Albania, within 1 (one) month from the date of presenting the complete application, shall approve or reject the statutory auditor as proposed from the bank. Article 8 Approval of statutory auditor

8. Bank of Albania shall approve as statutory auditor, only the legal person appointed by the bank, authorized to conduct the legal auditing activity in the Republic of Albania and registered in the “Public Registry of Registered Statutory Auditor”, who meets the criteria and requirements of this Regulation within the terms and procedures set out in its Article 7.

9. In case of a re-appointment of the same statutory auditor for the forthcoming financial year, the bank shall notify the Bank of Albania by providing attached to this notice, the following documentation: a) The decision of the bank for the re-appointment of the statutory auditor; b) The auditing program of the bank; c) Letter of auditors’ commitment or the contract of supplied service, which shall among other contain the engagement for the implementation of the Law “On Banks” and the requirements stipulated in this Regulation.

10. The bank, on the change of statutory auditor within the financial year, who is approved accordingly to paragraph of this Article, shall obtain the prior approval by the Bank of Albania. The bank, for this purpose, shall submit to the Bank of Albania the following documentation: a) Request for the change of statutory auditor; b) Grounds and reasons for the change of statutory auditor; c) The documentation required accordingly to Article 6 of this regulation. 5

11. With regard to the bank application for the change of statutory auditor within the same financial year, Bank of Albania shall observe the same procedures and terms set forth in Article 7 of this Regulation. The Bank of Albania shall either approve or reject the bank application for the change of statutory auditor within the financial year, which is approved in compliance with paragraph 1 of this article.

12. Bank of Albania shall provide the respective reason in case of rejection of the application for the change of statutory auditor.

13. Bank of Albania shall reject the approval of statutory auditor even in case it deems that the statutory auditor, in the previous performed audit, has not acted in line/or has failed to adequately comply with the requirements of the Law “On banks” and of this Regulation. Chapter III Audit form the statutory auditor Article 9 Audit

14. The statutory auditor shall audit on individual and/or consolidated basis the accounts and financial reports of the bank in compliance with the requirements of the Law “On legal audit”, the Law “On banks”, International Accounting standards, and the other implemented by-laws;

15. The statutory auditor shall audit y-o-y the financial statements of the bank. Article 10 Audit performed for the purpose of the Bank of Albania

16. The audit for the purposes of the Bank of Albania shall mean the process of: a) The auditing of financial statements and reports accordingly to the stipulations of reporting and content methodology of financial statements, set out in the by-laws of the Bank of Albania; b) Evaluation of compliance with risk management rules; c) Evaluation of internal audit system; d) Evaluation of the state and management of information systems. Article 11 Check and evaluation of the bank’s reports at the Bank of Albania

17. The statutory auditor shall check the frequency, adequacy and completeness of the banks’ reports presented at the bank of Albania in 6

compliance with the applicable regulatory requirements approved by the Bank of Albania. 2. The statutory auditor, based on the audit performed in line with paragraph 1 of this Article, shall valuate if the reports are conducted or not in line with the stipulations of the Law “On Banks” and/or the by-law acts/regulations of the Bank of Albania and if they reflect in realistic and objective terms the financial position of the bank. Article 12 Valuation of compliance with risk management regulations

1. The statutory auditor shall check and evaluate the adherence of bank’s risk management rules, in line with the stipulations of the Law “On banks’ and the regulatory and supervision framework approved by the Bank of Albania for its implementation.
2. The statutory auditor shall evaluate the level of bank’s risks management systems (credit risk, liquidity risk, market risk, etc) based on the assessment of: a) Compliance with the requirements for the organizational structures with regard to any special risk management; b) Policies and procedures on any special risk management and their implementation; c) Adequacy of identification, measure and monitoring of any special risk; d) Adequacy and efficiency of internal audit system regarding the management of any special risk. Article 13 Valuation of Internal audit system
3. The statutory auditor shall carry out a special evaluation of the bank’s internal audit system. The Statutory auditor shall evaluate if: a) The bank has established a secure and efficient internal audit system, in compliance with the requirements “On banks” and the implemented by-laws; b) The bank has established the internal audit unit, as an independent unit in functional and organisational terms from the other organisational units of the bank, which it audits; c) The bank has established internal audit unit to avoid the conflict of interests; d) Bank has provided a sufficient personnel, having the right qualifications and experience, on the functioning of the internal audit system, proportionally with the size, type, volume and complexity to its activities; 7

e) The internal audit unit shall function in compliance with the stipulations of the Law “On banks” and the implemented bylaws, and the annual job plans of this unit are adequate and/or sufficient. Article 14 Information System Evaluation

1. The statutory auditor carries out a special evaluation of the situation and adequacy of information management system. For this purpose, the statutory auditor should: a) priory set out the purpose and the deepening of the risk-based evaluation; b) implement the methods and procedures of this risk-based evaluation; c) verify the compliance with information management system with the requirements/stipulations of the Law “On banks” and/or the bylaws of the Bank of Albania.
2. Based on the information system evaluation accordingly to paragraph 1 of this Article, the statutory auditor shall set out the main risks against which the bank is exposed. Chapter IV Statutory Auditor’s Annual Report Article 15 Purpose and content of Statutory Auditor’s Annual Report
3. In compliance with the audit of financial reports of the bank for the financial year, the statutory auditor shall prepare the respective audit report conducted in compliance with: a) Article 9, paragraph 1 of this Regulation expressing at the same time his clear opinion if the audited financial statements provide a real and right view of the bank’s position and performance; b) Article 10 of this Regulation, a report which contains: i. A special evaluation of: • Regularity, accuracy and completeness of the bank financial reports which are presented at the Bank of Albania, • Compliance with risk management rules, • Adequacy of risk management systems, of compliance function and of the internal audit system, • The situation of information system and the adequacy of information managements systems in the bank, 8

• Implementation of recommendations provided by the statutory auditor for the previous financial year; ii. Recommendations for the improvement of policies, processes and procedures regarding credit risk management in compliance with paragraph 2, Article 12 of this Regulation. Chapter V Final provisions Article 16 Conduction of meetings Bank of Albania shall keep contacts and hold meetings with statutory auditor of the bank whenever deeming necessary. Article 17 Final provisions

1. The banks shall submit to the Bank of Albania the “Letter to Administrators” that the statutory auditor develops for their executive managers. The submission of “Letter to Administrators” is part of the “letter” of commitment/supplied service contract.
2. The annual report of statutory auditor complied in compliance with requirements of Article 15 of this Regulation, along with the evaluations of the Control Committee and the “Letter to Administrators”, shall be submitted to the Bank of Albania within the first half of the next year. Chairman of Supervisory Council

ARDIAN FULLANI 9

Explanatory Annex On the valuation of risks referring to the report set out in Article 15 of this Regulation To meet the obligations stipulated in Article 15 of the Regulation, the statutory auditor shall refer to the explanations provided in this Annex, but by not being limited on the submission form and deepening of valuation.

1. Bank capital • Evaluation of the bank capital prior and after the adjustments conducted due to the suggestions provided by the auditor. • Preparation of the list of main shareholders of the bank (example: list of shareholders with voting right higher than 5%, etc). • Evaluation of changes in the shareholders structure within 1-year and the estimation of relationships among shareholders.

2. Credit quality • Indicate the assets structure by risk, analysis of assets write-off by assessing the effect on total balance, provisions and off-balance-sheet items. • Analyse credit portfolio, the financial position of main borrowers, loans to related persons pursuant to the stipulation of the Law On banks and their financial situation. • Evidence the interest assets and non-interest assets and analyse the relationship among them. Introduce the structure and level of claims against banks and comment their quality. • Analyse the transactions carried out on behalf and for the account of third persons and evaluate the adequacy of classification of these transactions accordingly to the risk they represent.

3. Indicators of business performance and exposures by risks • Specify the periods when the bank has infringed the regulatory requirements of the Bank of Albania regarding capital adequacy, the indicators of risk exposures, liquidity indicators, and open foreign position. 10

• Evaluate if the bank has adopted rules which provide the consistency control and implementation of procedures for the risk management, and procedures for the regular report concerning issues related with risk management provided to the management structures of the bank and to the Bank of Albania. 4) Capital adequacy • Evaluate if the bank has provided a capital adequacy level in proportion with business’ nature, activities and risks exposure, in compliance with the requirements of the Bank of Albania, in case that due to risks’ complexity, the nature of activities and the practices of risks management, to the bank it is requested a higher capital adequacy rate than the minimum level. • Evaluate if the bank has in place procedures to monitor and valuate capital level considering current or expected exposures by risks. 5) Credit risk • Assess if the bank has adopted policies for credit risk management. • Assess if the bank has in place adequate procedures to identify, measure and assess credit risk. Assess if the bank has a plan for credit risk management and control, and if it has adequate procedures for their implementation. • Assess if the bank has in place adequate procedures for the timely collection of loans, to write-off bad loans and for the recovery of loans write-off.

6. Liquidity • Analyse maturities by claims and obligations, explain the policy implemented by the bank to manage liquidity risk (the way the bank applies to provide the compliance between cash flow and cash outflow, or the way the bank prevents the lack of compliance in this aspect), explain the methodology for the monitoring of cash inflows and outflows, and the restriction on compliancy. • Asses credit indicators against deposits, liquid assets against total assets, and the other indicators set forth in the regulatory framework of the Bank of Albania. Comment concentration risk of deposits and any borrowing from Bank of Albania. • Asses if the bank has adopted a policy of risk management and provide a comment by specifying if the bank has in place internal 11

procedures to calculate and measure liquidity risk, if the bank has a plan for liquidity management for emergency cases and adequate procedures for its implementation which provide timely information and on ongoing basis for liquidity management. 7) Foreign exchange risk • Comment the exposure of bank against foreign exchange risk as at 31 December, date on which the audit is realised. Comment the annual performance of open foreign position as a ratio to capital adequacy. • Evaluate if the bank has adopted a management policy for the risk arising from foreign exchanges, explain the internal restrictions or limits system of the bank related to the exposure size and assess if the bank has internal procedures in place to identify and measure the risk arising from foreign exchange operations. 8) Interest rate risk • Analyse reports regarding interest rate risk measuring for all assets, liabilities and off-balance sheet items, providing a comment for the exposure against risk. • Specify if the bank has adopted policies on interest rate risk management, explain the measures implemented from the bank regarding the impact limit of the decisions on the change of interest rate for the loans and deposits. • Evaluate if the bank has in place internal procedures for the management and control of interest rate risk, comment if the bank has in place a set of instruments to control and manage this risk, and adequate internal procedures to use them. 9) Concentration risk against one counterparty (large exposures) • Evaluate if the bank has adopted a policy on concentration risk management against a counterparty or group of related persons, and against related persons with the bank. Comment the size and performance of this exposure. 10) Investments risk • Asses if the bank has adopted an investment policy regarding investments in other entities and in fixed assets. 12

• Comment investments having a considerable share by non-financial sectors and as a total on bank’s investments in entities out of banking sector, and fixed assets. 11) Operational risk • Evaluate if the bank has adopted an operational risk management policy and provide relevant comments. Assess if the bank has in place internal adequate procedures to identify and measure the operational risk and provide relevant comments. • Comment the internal methodology of the bank to maintain and classify operational losses by categories which evidences the source of risk. 12) Country risk • Evaluate if the bank has adopted a policy for local risk management and provide relevant comments. Assess if the bank has in place internal adequate procedures to identify and measure local risk and provide relevant comments. Comment the exposure limits against this risk. 13) Human resources and organisational skills • Present the personnel structure of the bank, specifying the total number of employees, management, experts, advisors, members of the Steering Council (name, surname, and the number of entity he/she works for) and the executive board of the bank. Specify in gross and net terms the remuneration for the chairman of steering council, the aggregated amount of compensation for the other members of the council. Specify the gross and net remuneration for the Executive Director and the aggregated amount of remuneration for the other members of the executive board. Present the organisational structure containing all the organisational units (branches, business units, local and cross-border representative offices). • Describe and comment on the bank’s technical capacities- specify the size of bank’s business premises, if these premises are in ownership of the bank, if the bank complies with the standards regarding the number of employees, and if technical equipment (computes) are in ownership of the bank. 14) Information systems and technology use 13

14 • Describe the organization and management of information system and use of technologies, evaluating the adequacy, confidentiality and compliance with bank activities. Evaluate the security level of information data and the level of applied technology.