Internal Capital Adequacy Assessment Process (ICAAP) Guidelines for Banks and Financial Institutions, 2023

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2023 BANK OF TANZANIA NOVEMBER, 2023

ii TABLE OF CONTENTS PART I ............................................................................................................................ 1 PRELIMINARY PROVISIONS ........................................................................................ 1 Citation............................................................................................................................ 1 Authorization ................................................................................................................... 1 Application....................................................................................................................... 1 Definitions ....................................................................................................................... 1 Introduction ..................................................................................................................... 1 Objectives ....................................................................................................................... 2 PART II ........................................................................................................................... 2 THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) FRAMEWORK ................................................................................................................ 2 Overview ......................................................................................................................... 2 Board and Senior Management Oversight ...................................................................... 3 Monitoring and reporting ................................................................................................. 7 Internal control and review .............................................................................................. 7 PART III .......................................................................................................................... 9 GENERAL PROVISIONS ............................................................................................... 9 Reporting to the Bank...................................................................................................... 9

1 PART I PRELIMINARY PROVISIONS Citation 1. These Guidelines shall be cited as “Internal Capital Adequacy Assessment Process (ICAAP) Guidelines for Banks and Financial Institutions, 2023”. Authorization 2. These Guidelines are issued under section 71 of the Banking and Financial Institutions Act, 2006. Application 3. These Guidelines shall apply to all banks and financial institutions on solo and consolidated basis and shall come into operation on the 1st day of April 2025. Definitions 4. In these Guidelines, unless the context otherwise requires: “Act” means the Banking and Financial Institutions Act; “Bank” means the Bank of Tanzania; “bank” has the same meaning ascribed to it in the Act; “financial institution” has the same meaning ascribed to it in the Act; Introduction 5. The Basel II framework, under Pillar II, requires that banks and financial institutions to have an Internal Capital Adequacy Assessment Process (ICAAP) to assess their overall capital adequacy in relation to their risk profile and strategy for maintaining capital levels. Thus, under the Framework, management of a bank or financial institution has the responsibility to develop an ICAAP, and set capital targets that are commensurate with the bank or financial institution’s individual circumstances and needs, taking into account the bank or financial institution’s risk profile, control environment and level of sophistication of its operations. 6. The ICAAP is an internal process that encompasses set of policies, methodologies, techniques, and procedures that are comprehensive, proportionate to the nature, scale and complexity of the activities concerned to ensure the bank or financial institution has sufficient capital to meet its current and future business plan and related risks.

2 7. The ICAAP should reflect the risk management approach embedded in a bank or financial institution, as clearly and broadly prescribed in the Risk Management Guidelines for Banks and Financial Institutions issued by the Bank, to meet not only minimum prescribed regulatory capital but also to manage and hold adequate capital for material risks not captured or appropriately factored in Pillar 1. For example, concentration risk, interest rate risk in the banking book (IRRBB), exposure to related parties and climate-related financial risks. 8. These Guidelines therefore, provide a framework on how a bank or financial institution shall establish, operate and maintain its ICAAP, and define the expectations of the Bank with regard to implementation of the ICAAP. Objectives 9. The objectives of ICAAP are to: (a) ensure that banks and financial institutions put in place a consistent approach, process, and methods for proactive internal capital planning, capital adequacy assessment, and maintenance of adequate capital; and (b) ensure that banks and financial institutions undertake risk￾based capital allocations in relation to all material risks. PART II THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) FRAMEWORK Overview 10. A bank or financial institution shall have an Internal Capital Adequacy Assessment Process (ICAAP) in place for assessing its overall capital adequacy in relation to its risk profile and a strategy for maintaining appropriate capital levels. In particular, the ICAAP should aim to: (a) identify all material risks and measure those risks that can be reliably quantified to determine how such risks affect the bank or financial institution’s overall capital adequacy; and (b) develop a strategy for maintaining adequate capital levels consistent with the banking institution’s risk profile, and taking into account its strategic focus and business plans as well as its control environment. 11. The degree of formalization and sophistication of a bank or financial institution’s ICAAP shall be proportionate to its size, nature of business, and complexity of its activities. At minimum, the Bank expects that the ICAAP is embedded within a bank or financial institution’s internal risk management framework, and

3 not developed solely for regulatory compliance purposes. Information derived from the ICAAP should therefore, influence decision making of the bank or financial institution, and be used to determine other management processes and business applications (e.g. in limits setting, product design/pricing and performance measurement). 12. Every bank or financial institution shall design its own ICAAP which, at a minimum, shall incorporate the following main features: (a) Board and senior management oversight; (b) Sound capital assessment; (c) Comprehensive risk assessment; (d) Monitoring and reporting; (e) Internal control and review; and (f) Stress testing. Board and Senior Management Oversight 13. The board of directors and senior management shall be responsible for ensuring that a bank or financial institution maintains an appropriate level and quality of capital for the institution’s risk profile and business plan. For this purpose, the board and senior management shall attain an understanding of the nature and materiality of risks inherent in the bank or financial institution’s activities. 14. In exercising its oversight responsibilities, the board shall: (a) approve the institution’s tolerance for risks (risk appetite) and capital management framework which should include, among others, internal capital targets for a bank or financial institution; (b) ensure that a bank or financial institution has in place a strategic plan which clearly outlines its current and future capital needs, anticipated capital expenditure, desirable capital level and external capital sources; (c) review and approve the target level and composition of capital, and the process for setting and monitoring such targets at least annually; (d) ensure that appropriate documentation is maintained for all aspects of the ICAAP described in these Guidelines; (e) review ICAAP of a bank or financial institution at least annually, to: i. Assess the level and trend of material risks and their effects on capital levels;

4 ii. Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system; iii. Determine that the banking institution holds adequate capital against the various risks and is in compliance with established capital adequacy goals; and iv. Assess the banking institution's future capital requirements based on its reported risk profile and make necessary adjustments to the strategic plan, accordingly. (f) approve the annual ICAAP document; and (g) ensure that senior management discharges its responsibilities for development and effective implementation of the ICAAP. 15. Senior management shall be responsible for the development and effective implementation of the ICAAP. Senior management is expected, among other things, to: (a) Ensure the appropriateness of ICAAP on an ongoing basis; (b) Have a good understanding of the design and operation of ICAAP; (c) Develop a risk management framework that is appropriate in light of the risk profile and business strategy of a bank or financial institution and integrating ICAAP with the capital planning and management processes of a bank or financial institution. In this regard, senior management shall, at a minimum: i. Establish robust policies and procedures to be approved by the board to identify measure and report all material risks; ii. Evaluate the level and trend of material risks and their effects on capital levels; iii. Evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment and measurement system; iv. Determine if a bank or financial institution holds adequate capital against the risks faced by the banking institution; v. Assess future capital needs based on the risk profile of a bank or financial institution and propose necessary adjustments to its strategic plan;

5 vi. Conduct formal capital planning and assessment at least annually and report results to the board; vii. Ensure that ICAAP is subject to annual independent internal audit review for robustness and integrity; viii.Establish comprehensive and adequate written policies and procedures, on stress testing to be approved by the board; and ix. Ensure regular reporting of bank or financial institution's ICAAP to the board. Sound capital assessment 16. Internal capital allocation and assessment process shall meet the following requirements. (a) A bank or financial institution shall have an explicit board approved capital plan, which states the objectives and the time period for achieving those objectives, and in broad terms the capital planning process and the responsibilities for that process; (b) The plan shall also lay out how a bank or financial institution will comply with capital requirements in the future considering the expected level of risk, and a general contingency plan for dealing with divergences and unexpected events such as raising additional capital, restricting business activities or using risk mitigation techniques; (c) A bank or financial institution shall set capital targets which are consistent with their risk profile, business environment in which the bank or financial institution is operating, and business plans; (d) An internal strategy for maintaining capital levels which should not only reflect the desired level of risk coverage but also incorporate factors such as loan growth expectations, future sources and uses of funds, and dividend policy; (e) The amount of capital held shall reflect not only the measured amount of risks but also an additional amount to account for potential uncertainties in risk measurement, particularly in the use of models; (f) In assessing capital, a bank or financial institution shall also evaluate the quality and capacity of its capital to absorb losses; (g) The capital planning process must be dynamic and forward-looking in relation to a bank or financial institution’s risk profile. The bank of financial institution shall therefore

6 ensure that capital levels remain above the minimum regulatory capital requirements, as well as the capital required to support its overall risk profile (as implied by the ICAAP) not just at a point in time, but over time, spanning a capital planning horizon of at least three years; and (h) A bank or financial institution shall demonstrate to the Bank that its capital assessment approach is conceptually sound and that outputs and results are reasonable. Comprehensive risk assessment 17. A bank or financial institutions ICAAP shall identify all material risks, which are arising from both on balance sheet and off￾balance sheet exposures, faced by the institution and measure these risks that can be reliably quantified under both normal and stressed conditions. ICAAP shall, therefore, address the following risks. (a) Risks captured under Pillar l: credit, market and operational risks; (b) Risks not fully captured under Pillar 1; concentration risks, and interest rate in the banking book; and (c) Risk types not covered by Pillar 1: risks which are not specifically addressed under Pillar 1, which includes, reputational risk, compliance risk, strategic and business risk, residual risk, and climate-related financial risks. 18. A bank or financial institution shall be able to identify other external risk factors that may arise from the regulatory, economic or business environment. In addition, adequate corporate governance and proper risk management including internal control arrangements constitute the foundation of an effective ICAAP. 19. The risk measurement systems shall be sufficiently comprehensive and rigorous to capture the nature and magnitude of the risks faced by the bank or financial institution. 20. The risks that are not easily quantifiable shall be evaluated using qualitative assessment and management judgment. 21. When measuring risks, comprehensive and rigorous stress tests shall be performed to identify possible events or market changes that could have serious adverse effects or significant impact on the bank or financial institution's capital and operations. 22. In assessing risks, a bank or financial institutions shall also consider the applicable directives issued under the Banking and Financial Institutions Act, Regulations, Circulars and Guidelines

7 including Risk Management Guidelines for Banks and Financial Institutions. Monitoring and reporting 23. A bank or financial institution shall establish an adequate system for monitoring and reporting risk exposures and, assess how the bank or financial institution's changing risk profile affects the capital requirements. 24. A bank or financial institution’s board and senior management shall: (a) receive reports on the banking institution's risk profile and capital needs in a manner appropriate to facilitate the conduct of their responsibilities; (b) evaluate the level and trend of material risks and their effects on capital levels; (c) evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system; (d) determine that the banking institution holds adequate capital against the risks and is in compliance with established capital adequacy goals; and (e) assess its future capital requirements based on the bank or financial institution's reported risk profile and make necessary adjustments to the bank or financial institution's strategic plan, accordingly. Internal control and review 25. A bank or financial institution's internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review, which should include the validation of the models used with the involvement of internal audit and where appropriate the external audits. 26. The person(s) responsible for the development or implementation of ICAAP shall not be involved in the independent review. 27. A bank or financial institution shall conduct periodic independent reviews of its risk management and capital management processes relating to the ICAAP to ensure their integrity, accuracy and reasonableness. The independent review shall be done by internal audit and where appropriate external auditor. This review shall cover at least: (a) whether the banking institution’s ICAAP is proportionate to the size, nature of business, and complexity of its activities;

8 (b) the quality and completeness of data inputs to the ICAAP; (c) the reasonableness and validity of models, methodologies, assumptions and scenarios; (d) the robustness of the banking institution’s ICAAP - related risk monitoring and reporting systems (e.g. the content and timeliness of ICAAP - related management reports as well as reports to the board); and (e) the performance and appropriateness of the use of third - party vendors and products, services and information, to the extent that they are employed within the ICAAP. 28. The assessment of the effect of severe but plausible scenarios on financial position, profitability, bank’s available capital should be systematically assessed. The bank or financial institution should be able to draw conclusions with respect to the adequacy of capital that it maintains and the coverage of risks. The detail of the assessment carried out depends on the complexity of the operations of a bank or financial institution. This assessment forms a particularly important tool for the maintenance of satisfactory level of capital, so that all risks faced by each bank are sufficiently covered. Basically following elements need to be considered: Stress testing (a) Stress testing is a forward looking method that can be used within the ICAAP for evaluating the impact of various factors on the capital needs of a bank or financial institution; (b) A bank or financial institution must implement stress-testing procedures within the ICAAP, in order to evaluate in a predictable way, the impact of negative changes in environmental factors on its risk profile and capital needs; (c) Stress testing aims at evaluating the impact of other factors besides normal or expected risks, which may lead to serious under valuation of risks and capital needs; (d) Stress testing shall cover all material risks at least credit, market, operation, interest rate risk of banking book and other bank specific risks as realized by the board and senior management of the bank or financial institution. The methods and outcome of stress testing must be fully documented. Board and management of bank or financial institution must be informed about the outcome of stress testing; (e) Stress testing scenarios must cover all risks identified by a bank or financial institution as material risks and their

9 potential interaction. It must also reflect severe but plausible scenarios based not only on historical events, but also on forward looking assumptions; (f) The scenarios must take into account the impact of macroeconomic environment including the change of economic cycle stage. The stress testing scenarios must cover the probability and various levels of severity of changes in environmental factors and must evaluate the impact of strategic decisions; and (g) A bank or financial institution must be able to explain to the Bank their reasons for the choice of stress testing scenarios. 29. The results of the stress tests shall be considered when evaluating the appropriateness of a bank or financial institution’s capital plans and internal capital targets, with remedial actions identified to address any potential deficiencies in capital. These may include a review of earnings retention policies in order to gradually build up additional capital buffers, or an infusion of additional capital by shareholders, or any other remedial actions, which can be realistically carried out in a period of stress. This recognizes the fact that accommodating additional capital needs may require significant lead time, and can be costly or difficult, especially at times when market conditions are unfavorable. PART III GENERAL PROVISIONS Reporting to the Bank 30. Every bank or financial institution shall, not later than end of April submit to the Bank a board approved ICAAP report as at 31st December of the previous year. 31. Based on the capital reported at the close of the previous year, the ICAAP document shall provide the bank’s strategies for taking on risk and ensuring that the related capital needs in the next three years are met. 32. At minimum, the ICAAP report shall include the following information: (a) Executive summary; (b) Background of the ICAAP process; (c) Statement of a bank’s appetite to risk; (d) Business strategy  Risk strategy and risk appetite by risk types;  Target risk profile; and

10  Actual risk profile and possible change in this profile. (e) Capital Planning;  Business Plan and Capital Plan  Risk limits and use of these limits in capital allocation;  Summary of capital composition and capital planning; and  Target capital adequacy. (f) Risk Assessment;  Risk definitions;  List of identified risks;  Description of risk assessment methods by risks;  Risk assessment and capital need by risks;  Assessment for aggregated risks; and  Description of risk aggregation methodology. (g) Stress testing;  Description of methods; and  Results of stress testing. (h) Implementation of the ICAAP:  Comparison of ICAAP’s outcome with the regulatory capital requirements and justification of differences;  Internal control mechanisms applied in respect of ICAAP;  Management decisions made on the basis of ICAAP;  Results of an independent review of ICAAP;  Planned changes in the ICAAP; and  Board and senior management discussion on ICAAP. Supervisory Review and Evaluation (SREP) 33. The Bank shall review and evaluate soundness of a bank or financial institutions’ ICAAP against the requirements set out in these Guidelines. This review will also consider the comprehensiveness of the ICAAP and the quality of risk management to form a view on the appropriateness of the bank or financial institution’s internal capital targets and its capacity for meeting the targets. If considered necessary, the SREP could also involve a dialogue between the bank or financial institutions’ top management and the Bank from time to time. 34. Under the SREP, the Bank would also seek to determine whether a bank or financial institution’s overall capital is adequate in relation to its risk profile and strategy and can absorb a severe but plausible stress scenario. Generally, material risks that are not otherwise mitigated should be

11 accompanied by commensurate capital. Where the Bank determines a bank or financial institution’s capital is not commensurate with its risk profile, appropriate supervisory measures shall be initiated including: (a) Directing the bank or financial institution to strengthening the systems, procedures and processes concerning risk management, control mechanisms and internal assessment of capital adequacy; (b) Directing the bank or financial institution to hold an amount of regulatory capital greater than the regulatory minimum requirement; (c) Prohibiting distribution of profits or other elements of capital; (d) Reducing the risk profile of the bank or financial institution through business or operational restrictions; (e) Directing bank or financial institution to raise additional capital; and (f) Limits for exposures that are more conservative than the limits for a single counterparty or group of connected counterparties, deduction from capital, requiring collateralization of such exposures, or higher capital requirements. Emmanuel M. Tutuba GOVERNOR BANK OF TANZANIA