LogoRegulatory Alerts
2013-04-19

Notice No. 02/2013 of March 22 on Internal Control

The Bank of Angola issued Notice No. 02/2013 to mandate that authorized financial institutions implement an internal control system tailored to their nature, size, and complexity. The regulation defines key terms and establishes objectives including business continuity, reliable information, and legal compliance. It further assigns specific responsibilities to the administrative body to ensure ethical standards, risk management, and adequate resources for internal control functions.

Banco Nacional de Angola logo

Angola

Banco Nacional de Angola

Click to view thumbnail

BANCO NACIONAL DE ANGOLA

Governor's Office

NOTICE NO. 02/2013

of March 22

SUBJECT: INTERNAL CONTROL

Considering, on the one hand, the development of the Angolan financial system, reflected notably in the increase in the complexity of financial operations, products, and services offered, and, on the other hand, the most recent guidelines issued by international reference bodies, with translation into internationally accepted supervisory practices, the issuance of a new standard on the internal control system of financial institutions in line with this new framework is justified;

In this context, this Notice establishes that financial institutions authorized by the Bank of Angola implement an internal control system appropriate to their nature, size, and complexity of activity, with the objectives of efficiency in the execution of operations, risk control, reliability of information, and compliance with legal regulations and applicable internal guidelines;

Under the terms of the provisions contained in the Law of the Bank of Angola and the Law of Financial Institutions;

I DETERMINE:

CHAPTER I

GENERAL PROVISIONS

Article 1.

(Scope)

  1. The provisions contained in this Notice apply to financial institutions authorized by the Bank of Angola, under the terms and conditions provided for in the Law of Financial Institutions, hereinafter abbreviated as institutions.

  2. Also covered by the provisions of this Notice are the management companies of shareholdings subject to the supervision of the Bank of Angola, in accordance with the provisions of the Law of Financial Institutions.

Article 2.

(Subject Matter)

This Notice aims to regulate the obligation to establish an internal control system by financial institutions supervised by the Bank of Angola.

Article 3.

(Definitions)

Without prejudice to the definitions established in the Law of Financial Institutions, for the purposes of this Notice, the following are understood as:

  1. "Control Deficiency: error in the design or use of the policies or processes of the internal control system with a negative impact on its objectives and principles;

  2. "Parent Company: the legal entity that exercises a relationship of dominance over another legal entity, designated as a subsidiary, when one of the following situations occurs:

    a) financial institutions authorized by the Bank of Angola;

    b) management companies of shareholdings subject to the supervision of the Bank of Angola under the provisions of the Law of Financial Institutions.

  3. "Risk Factor: aspect or characteristic, notably of financial products and markets, of participants in the business relationship, and of processes in force within institutions, with influence on risk;

  4. "Function: integrated set of processes performed recurrently to achieve certain objectives of the institution and which, if autonomous, corresponds to a structural unit;

  5. "Financial Group: set of resident and non-resident companies possessing the nature of banking and non-banking financial institutions, with the exception of financial institutions linked to insurance and social security activities, in which there is a relationship of dominance by a parent company supervised by the Bank of Angola over the other companies comprising it;

  6. "Administrative Body: person or group of people, elected by partners or shareholders, entrusted with representing the company, deliberating on all matters, and performing all acts to achieve its corporate purpose. It includes, notably, the managers of limited liability companies and the members of the board of directors provided for in the Commercial Companies Law;

  7. "Related Parties: partners or shareholders with qualified participations, entities belonging to the economic group within the meaning of Notice No. 14/07 of September 12 on consolidation for accounting purposes, or persons with a relationship of spouse, descendant, or ascendant, of first and second degree, with members of the administrative and supervisory bodies of financial institutions, considered directly or as ultimate beneficiaries of transactions or assets;

  8. "Relationship of Dominance or Group: "relationship of dominance" as defined in the Law of Financial Institutions;

  9. "Risk: possibility of a future event occurring with a negative impact on the net position of institutions, considering the following categories:

    a) credit risk: arising from the default of financial commitments contractually established by a borrower or a counterparty in operations;

    b) strategic risk: arising from adverse changes in the business environment, the inability to respond to these changes, and inadequate strategic management decisions;

    c) liquidity risk: arising from the institution's inability to meet its responsibilities when they become due;

    d) market risk: arising from movements in the prices of bonds, shares, or commodities and exchange rate and interest rate risks:

    i. exchange rate risk: arising from movements in exchange rates resulting from currency positions originated by the existence of financial instruments denominated in different currencies;

    ii. interest rate risk: arising from movements in interest rates resulting from mismatches in amount, maturities, or interest rate reset periods observed in financial instruments with interest to be received and paid;

    e) operational risk: arising from the inadequacy of internal processes, people, or systems, possibility of occurrence of internal and external fraud, as well as external events. It includes information systems and compliance risk:

    i. compliance risk: arising from violations or non-compliance with laws, rules, regulations, contracts, prescribed practices, or ethical standards;

    ii. information systems risk: arising from the inadequacy of information technologies in terms of processing, integrity, control, availability, and continuity, arising from inadequate strategies or uses, and;

    f) reputational risk: arising from the adverse perception of the image of financial institutions by clients, counterparties, shareholders, investors, supervisors, and the general public, and;

  10. "Internal Control System: integrated set of policies and processes, with a permanent and cross-cutting character throughout the institution, carried out by the administrative body and other employees in order to achieve the objectives of efficiency in the execution of operations, risk control, reliability of accounting and management support information, and compliance with legal regulations and internal guidelines.

Article 4.

(Objectives of the internal control system)

The internal control system aims to ensure:

a) business continuity and the survival of institutions through efficient allocation of resources and execution of operations, risk control, prudent assessment of assets and liabilities, and security and access control in information and communication systems;

b) the existence of complete, reliable, and timely financial and non-financial accounting and management information, which supports decision-making and control processes, and;

c) compliance with legal provisions, internal guidelines, and ethical and conduct rules in relationships with clients, operation counterparties, shareholders, and supervisors.

Article 5.

(General Principles)

  1. The internal control system must be adapted to the size, nature, and complexity of the institutions' activities, their risk profile, and degree of centralization and delegation of competencies.

  2. The internal control system must be formalized in specific documents, sufficiently detailed, which consider the control environment, risk management and information and communication systems, and the monitoring process.

  3. The documents referred to in paragraph 2 of this article must be known by employees required to comply with them and archived in a manner that allows the identification of the dates of changes and enables the reading of previous versions.

  4. In the outsourcing of functions, institutions must ensure the exact compliance with the objectives and principles set out in Article 4 and in this article.

CHAPTER II

CONTROL ENVIRONMENT

Article 6.

(Scope of the control environment)

  1. The control environment respects the attitudes and acts of the administrative body and the other employees of the institutions, possessing levels of knowledge and experience adequate to the functions performed and acting in accordance with high ethical values regarding the internal control system.

  2. The importance of internal control must be recognized by the majority of employees, without prejudice to it being especially highlighted by the administrative body and employees with management responsibilities.

Article 7.

(Responsibilities of the administrative body)

  1. The administrative body is responsible for defining, implementing, and periodically reviewing the internal control system, in order to ensure that, on a permanent basis, the objectives set out in Article 4 of this Notice are achieved.

  2. For the purposes of the preceding paragraph, the administrative body must guarantee, at a minimum:

    a) a strategy, duly formalized, focused on the long-term solvency of institutions;

    b) the existence of high ethical and professional values;

    c) an adequate and transparent organizational structure;

    d) the alignment of remuneration policy with the strategy and risk profile of institutions, to, among other objectives, inhibit excessive risk-taking;

    e) the independence, status, and effectiveness of the key functions of the internal control system for risk management, compliance, and internal audit, which must be endowed with sufficient human and material resources to fulfill their mission;

    f) the identification, assessment, monitoring, control, and reporting of the various categories of risks, with a view to obtaining a sound understanding of their nature and magnitude;

    g) the preparation of financial statements in accordance with policies and processes that ensure their reliability, timeliness, consistency, and understandability;

    h) the existence of processes for identifying and assessing transactions with related parties, in order to guarantee that these take place under conditions identical to those practiced with unrelated parties;

    i) the existence of sufficient human and material resources to achieve the institution's objectives and consistent policies for recruitment, evaluation, promotion, compensation, and training of employees;

    j) the timely execution of its guidelines, notably those aimed at introducing corrections and improvements in the internal control system;

    k) the communication to the Bank of Angola of the existence of operations suspected of criminal activities or situations of fraud material to the security, sound and prudent conduct, and reputation of the institution, and;

Share