Central Bank of Libya
P.O. Box 1103 | Telex: CBL-Libya - Tripoli, Libya
Circular No. 6/2023
Date: 18 Jumada al-Akhir 1444 AH | Corresponds to: 11 January 2023 AD
To: Board of Directors of Banks / General Managers of Banks
Subject: Evaluation of Internal Control Systems for Banks
With greetings,
Based on the provisions of Law No. 1 of 2005 and its amendments, and in light of the supervisory and regulatory role exercised by the Central Bank of Libya over banks.
With reference to the Corporate Governance Manual issued by the Central Bank of Libya, approved by Board of Directors Resolution No. 20 of 2010.
With reference to the Banking and Currency Supervision Department Circular No. 9 of 2022, issued on 6 October 2022, regarding the Internal Capital Adequacy Assessment Process (ICAAP) assessment manual.
With reference to the Basel Committee on Banking Supervision’s Core Principles for Effective Banking Supervision, specifically Principle No. 15 concerning risk management in commercial banks, which ensures the existence of a written internal control system approved by senior bank management. This system’s procedures and rules must be clear and efficient to shield banks from negative consequences arising from credit, market, or operational risks they cannot bear, and to keep pace with developments in banking sector activities.
Accordingly, we attach herewith a questionnaire prepared to evaluate the internal control systems of your banks. You are required to complete the questions and inquiries regarding the currently applied internal control systems in your banks, and submit the completed questionnaire no later than 15 February 2023.
Peace be upon you,
Naji Mohammed Issa
Director of Banking and Currency Supervision Department
Copies to:
- The Governor
- The Deputy Director of Banking and Currency Supervision Department
- The Deputy Director for Office Supervision and Compliance Monitoring
- The Deputy Director for Inspection Affairs
- The Deputy Director for Islamic Banking Affairs
- Banking Supervision, Benghazi
- Risk Management Department Directors in Banks
- Heads of Compliance Units in Banks
- Audit Department Directors in Banks
Phone: +218 333 3591, Fax: +218 21 444 1488, www.cbl.gov.ly, SWIFT: CBLJLYLX
Banking and Currency Supervision Department
CENTRAL BANK OF LIBYA
Questionnaire on Banks' Internal Control Systems (Internal Capital Adequacy Assessment Process, ICAAP)
The purpose of the attached questionnaire is to evaluate and examine the bank's internal control system, ensuring its soundness and comprehensiveness regarding all potential risks.
The evaluation of the internal control system is based on the following main elements:
- The bank's internal control environment.
- The accounting system.
- Applied internal control procedures.
1. Internal Control Environment:
The internal control environment refers to the extent to which effective policies and factors are in place that enhance this control and monitor bank operations and risks. These factors include:
- The Board's awareness of bank risks, its ability to measure/monitor/follow up on them, the existence of specific policies per risk type, and the identification of acceptable/absorbable risks.
- Defined roles of the Board and its committees.
- An administrative/organizational structure defining all departments, divisions, functions, authority distribution, responsibilities, and senior management duties.
- Job descriptions for each administrative level.
- Continuous communication technology across all bank levels.
- Information flow to senior management via detailed reports from various departments, reviewed by the Board.
- Periodic communication with external auditors and internal audit/compliance units (as per Article 83, Paragraph 3, Clause 4 of Law No. 1/2005), with Board oversight of executive departments.
2. Accounting System:
The accounting system refers to the framework adopted by the bank for identifying, collecting, categorizing, analyzing, and reporting information reflecting true financial status. It must be effective by achieving the following:
- Correct identification, recording, and categorization of banking/financial transactions.
- Sufficient disclosure details for transactions.
- Accurate measurement, recording, and categorization in financial statements aligned with IFRS/International Accounting Standards.
- Appropriate presentation in financial statements with related disclosures.
3. Internal Control Procedures:
Internal control procedures consist of the policies and practices adopted by bank management to achieve set objectives, including:
- Appropriate delegation of authority for operations/activities.
- Functional segregation (approval, recording, asset custody, depositor rights assigned to different staff).
- Numbered documents/records enabling verification of correct recording.
- Adequate asset/record protection with restricted access to authorized staff.
Objectives of Evaluation:
The goal is to ensure the Board and Senior Management can implement the organizational structure, set objectives/policies, develop/execute procedures, and manage bank risks.
General Guidelines:
When filling in the questionnaire, adhere to the following:
- For "No" or "N/A", place a checkmark (✓).
- For "Yes", place a checkmark (✓) and provide the required documents in the designated column.
- Basel Supervision Application Units/Risk Management Departments must complete and submit it within the specified timeframe, and be ready to upload it via the electronic platform in the subsequent phase.
Internal Control System Evaluation Questionnaire
| Board of Directors Duties & Responsibilities | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. Does the bank have an organizational structure clarifying all executive/administrative departments, divisions, and committees, and showing their interrelationships? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of organizational structure. <br> - List of staff names/roles per department/division/committee. |
| 2. Does the bank have a written manual detailing its internal policies and procedures? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of the manual. |
| 3. Does the bank adopt a written manual with job descriptions for staff within its structure, defining authorities and responsibilities? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of this manual. |
| 4. Does the Board periodically review proposed strategies and amend them as needed? | [ ] | [ ] | [ ] | If Yes: <br> - Board decisions must be amended according to CBL regulations and changing business conditions. |
| Senior Management (General Administration) | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. Does Senior Management implement policies set by the Board? | [ ] | [ ] | [ ] | If Yes: <br> - Policies defined by the Board and decisions/procedures taken to implement them. |
| 2. Is Senior Management capable of identifying, measuring, monitoring, and following up credit, market, liquidity, operational, and other risks? Does it adopt a periodic change system showing risks and resulting losses? | [ ] | [ ] | [ ] | If Yes: <br> * Risk identification procedures. <br> * Risk measurement methods. <br> * Reports reaching Senior Management from lower levels. <br> * Entity preparing these reports. |
| 3. Does Senior Management provide channels to deliver information and reports to relevant parties promptly? | [ ] | [ ] | [ ] | If Yes: <br> - Reports issued by each committee/department/division and their issuance frequency. |
| 4. Does Senior Management receive at least the following reports: <br> - Daily general status report? <br> - Monthly results report? <br> - Daily limit breach report? <br> - Periodic legal/policy compliance report? <br> - Daily receivables, loans, and financing report? | [ ] | [ ] | [ ] | If Yes: <br> - Copies of these reports. |
| 5. Does Senior Management review internal audit procedures prepared by the bank's Internal Audit Department? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of the internal audit system. |
| Internal Audit | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. Does the Internal Audit Department have a specified written system and audit manual? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of the internal audit system. <br> - Copy of the audit manual. |
| 2. Is the Internal Audit Department permitted to contact any employee and review any file, document, or committee meeting minutes? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of the latest Internal Audit Department report for the last financial year. |
| 3. Is the number of Internal Audit Department staff sufficient to monitor and review head office and branch activities? | [ ] | [ ] | [ ] | If Yes: <br> - List of staff numbers at head office and branches. |
| 4. Are Internal Audit Department staff sufficiently experienced and competent in their field? | [ ] | [ ] | [ ] | If Yes: <br> - Staff CVs including: <br> - Academic qualifications. <br> - Years of experience. <br> - Training courses completed. |
| Operational Risks | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. Does the bank's internal system identify and define risks? <br> - Have specific policies/procedures for handling operational risks been established? | [ ] | [ ] | [ ] | If Yes: <br> - Operational risk management system and procedures for identification, measurement, and monitoring. |
| 2. Is Senior Management capable of establishing appropriate procedures to evaluate operational risks from new activities or financial instruments? | [ ] | [ ] | [ ] | If Yes: <br> - Systems/procedures for handling new financial instruments or banking activities. |
| 3. Does the bank adopt a reporting system for operational risks reaching all relevant levels? | [ ] | [ ] | [ ] | If Yes: <br> - Copies of these reports. |
| 4. Regarding accepted/absorbable operational risks, have monitoring procedures and techniques been defined? | [ ] | [ ] | [ ] | If Yes: <br> - Copies of directives regarding all bank risks. |
| 5. Does the bank adopt operational risk insurance policies or risk transfer to other parties? | [ ] | [ ] | [ ] | If Yes: <br> - Copies of various insurance contracts against bank risks. |
| 6. When adopting new technologies/mechanisms or increasing reliance on IT systems, are contingency plans in place for potential system failures? | [ ] | [ ] | [ ] | If Yes: <br> - Contingency plans for IT system failures and the backup entity's capacity to handle electronic banking operations/technologies. |
| 7. When outsourcing technical/information services, is a contingency plan in place considering recourse to a second party in case of disputes with the primary outsourcer? | [ ] | [ ] | [ ] | If Yes: <br> - Copies of contracts/agreements with alternative technical/information service providers. <br> - Name of the second party to be contacted in case of disputes with the primary provider. |
| 8. Does the bank establish necessary provisions to face potential losses from operational risks? | [ ] | [ ] | [ ] | If Yes: <br> - Review of financial records/data to verify provision formation using the applied calculation method. |
| 9. Does the bank periodically disclose operational risks and how it manages them? | [ ] | [ ] | [ ] | If Yes: <br> - Reports/data proving this disclosure. |
| Electronic Banking | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 10. When adopting electronic banking, do the Board and Senior Management understand the associated risks, and are specific policies/procedures established? <br> * Does management recognize resulting risks? <br> * Is adequate/experienced staff provided for electronic banking tasks? <br> * Are reports showing electronic banking risks provided by management? <br> * Were risks examined before adoption? | [ ] | [ ] | [ ] | If Yes: <br> - Policies/procedures for managing these risks. <br> - Written system on this matter. <br> - Clarification of potential bank risks. <br> - Procedures/channels to face these risks. <br> - List of electronic banking department manager/staff CVs and experience. <br> - Copies of reports on risk identification/measurement and monitoring methods. |
| 11. Do the Board and Senior Management review/maintain electronic banking security systems periodically and ensure infrastructure protecting against internal/external breaches? <br> * Are departments/persons responsible for technological security policies appointed? <br> * Is adequate monitoring preventing physical access to electronic banking devices (except authorized personnel)? <br> * Is adequate monitoring preventing access to the electronic banking database? <br> * Do card withdrawals/deposits pass through accounts managed by Libyan banks domestically? <br> * Are foreign currency conversions facilitated via the Libyan Dinar as an intermediary? | [ ] | [ ] | [ ] | If Yes: <br> - Measures taken to maintain electronic banking device security. <br> - Appointed personnel for technological security policies. <br> - Job manual for IT and electronic banking devices. |
| 12. Does the bank take appropriate measures to verify customer identities and authorities when dealing via electronic banking? <br> - Card blocking procedures? <br> - Who receives the PIN and how is it protected? | [ ] | [ ] | [ ] | If Yes: <br> - Procedures for card issuance and ensuring the holder does not exceed account balance. |
| 13. Does the bank follow functional segregation/task separation for personnel managing/evaluating electronic banking operations? | [ ] | [ ] | [ ] | If Yes: <br> - Job manual clarifying each employee's tasks. |
| 14. Does the bank adopt appropriate measures to maintain the integrity of electronic banking operations, records, and information through periodic review/verification ensuring no system breaches? | [ ] | [ ] | [ ] | If Yes: <br> - Written procedures adopted for maintaining operational/record integrity. |
| 15. Does the bank adopt a special system for reviewing electronic banking operations, particularly regarding: <br> * Opening/changing/closing customer accounts? <br> * Operations resulting in financial liabilities? <br> * Granted allowances for customers to exceed limits? <br> * Granted allowances for customer access to specific information? | [ ] | [ ] | [ ] | If Yes: <br> - Internal control system and written review procedures. |
| 16. When adopting electronic banking, does the bank provide all information and disclose its status on its website, including at least: <br> - Bank name and head office address? <br> - Name of the supervising monetary authority? <br> - How customers can contact the bank for issues, complaints, or suspicious transactions? <br> - How to inquire about depositor rights regarding deposit limits and compensation? | [ ] | [ ] | [ ] | If Yes: <br> - Clarification of website disclosure completeness. |
| 17. Does the bank take appropriate measures to comply with banking secrecy requirements and avoid legal/reputational notices? <br> - Discloses its information confidentiality policy? <br> - Discloses procedures for exchanging customer information? | [ ] | [ ] | [ ] | If Yes: <br> - Procedures for disclosing all information regarding banking secrecy. <br> - Lawsuits against the bank concerning banking secrecy (if any). |
| 18. Is the bank capable of continuing electronic banking services and: <br> - Developing e-services to keep pace with sector developments? <br> - Continuously processing electronic information under stress conditions? <br> - Adopting contingency plans for uninterrupted e-service delivery in case of internal system failures? | [ ] | [ ] | [ ] | If Yes: <br> - Copy of bank's policies on electronic banking services. <br> - Written report on contingency plans for IT system failures. |
| Outsourcing | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. When outsourcing data processing, customer services, operational activities, or electronic banking to a third party, does the bank: | [ ] | [ ] | [ ] | If Yes: <br> - Copy of CBL approval. <br> - Copy of information provided by the bank for outsourcing services, compared with offers received from various providers. |
| * Verifies the capability/competence of the outsourced entity and its ability to execute assigned tasks? <br> * Reviews proposed contracts with the third party and submits them to the Legal Affairs Department for opinion to safeguard bank rights? <br> * Ensures the external entity maintains information confidentiality for the bank and does not disclose it to unauthorized parties (intentionally or unintentionally)? <br> * Monitors the operations of other entities regarding assigned outsourcing activities? <br> * Adopts contingency plans to ensure continuous service receipt? <br> * Establishes a comprehensive program for managing outsourcing risks and addressing related issues? | [ ] | [ ] | [ ] | - Bank's feasibility study for obtaining external services. <br> - Bank's policy on defining responsibilities toward the regulatory authority and customers. <br> - CV of the service provider and knowledge of previous projects. <br> - Legal Department's opinion on the legality/validity of contracts with external providers. <br> - Written report on contingency plans if the external provider stops fulfilling obligations. <br> - Internal control system for managing outsourcing risk operations. |
| Credit and Financing Risk Management | Yes | No | N/A | Notes |
|---|---|---|---|---|
| 1. Does the bank adopt a credit policy reflecting its ability to bear a certain level of financing/lending risks and the expected return? <br> Does the bank's credit policy consider the distribution of credit facilities/financing across: <br> - Different economic sectors. <br> - Specific geographic regions? <br> Does the bank's credit policy consider: <br> - Types of debts/financing accepted? | [ ] | [ ] | [ ] | If Yes: <br> * Organizational structure for credit risk management. <br> * General credit risk policies. <br> * Internal control system for credit risk. <br> * Granted authorities and amount limits per level granting facilities/financing. <br> * Job manual for the Credit Committee, branch managers, and their authorities regarding granting facilities/financing. |
| - Maximum tenures for each financing type. <br> - Acceptable guarantees. <br> - Guarantee evaluation methods. <br> - Maximum amounts for a single person or related group. <br> - Responsibilities/duties of Credit and Financing Management supervisors. | [ ] | [ ] | [ ] | |
| 2. Does the bank's Board review the credit and financing policy at least annually? | [ ] | [ ] | [ ] | If Yes: <br> - [Document continues...] |