2023-11-06

Circular Letter No. 08/2023

Issued by the Department of Financial Conduct of the Central Bank of Angola, Circular Letter No. 08/2023 mandates Financial Institutions to standardize and implement periodic training programs for internal control functions, including compliance, risk management, and internal audit. The directive establishes minimum content, training levels (basic, intermediate, advanced), periodicity schedules, and certification requirements tailored to governance bodies, managers, and staff across business and support functions. Furthermore, it defines rigorous principles for training delivery, evaluation methods, and material dissemination to ensure robust risk governance and alignment with domestic legal frameworks and international best practices.

Angola

Banco Nacional de Angola

CIRCULAR LETTER NO. 08/2023

SUBJECT: FINANCIAL SYSTEM

  • Training Programs within Internal Control Functions

Given the need to standardize training programs with content capable of addressing challenges related to Compliance, Risk Management, and Internal Audit functions, directed at members of management/governance bodies, managers, and employees whose roles are relevant to the internal control system, as well as business and support functions.

Furthermore, given the need to define guiding principles for Financial Institutions regarding compliance with training obligations, as stipulated in Article 23 of Law No. 5/20 of January 27 – the Money Laundering, Terrorist Financing and Proliferation of Weapons of Mass Destruction Prevention and Combating Law, combined with Article 25 of Notice No. 14/20 of June 22, on Money Laundering and Terrorist Financing Prevention and Combating Rules, this Circular Letter serves to guide the following:

  1. In implementing periodic training programs in Internal Control System areas, namely risk management, compliance, and internal audit, Financial Institutions must observe the guiding principles defined in this Circular Letter.

  2. For the purposes of this Circular Letter, it is understood that:
     a) Internal Control System training activities - training initiatives, namely training sessions, conferences, colloquiums, and seminars, conducted by external and internal entities, in person or distance (e-learning), as well as a combination of these (b-learning), which comply with the content and objectives defined in point 8 of this Circular Letter.
     b) Internal Control System training materials - manuals, web content, brochures, pamphlets, notices, and posters suitable for use in the activities referred to in the preceding subpoint, which are in conformity with the content and objectives defined in point 8 of this Circular Letter.

  3. Financial Institutions must tailor training activities to the profile of members of governance and oversight bodies, managers, and employees whose roles are relevant to the Internal Control System, business and support functions, as well as best practices related to the three lines of defence.

  4. Financial Institutions must ensure minimum training content, defining an adequate workload relative to the complexity of subjects, to be carried out periodically, without prejudice to the need for initial training whenever new hires occur.

  5. The minimum content of the training program shall comprise the following:
     a) Internal control framework:
        i. Definition of internal control and its relevance in organizations; and,
        ii. Limitations of internal control.
     b) Relevance of the control environment:
        i. Components of internal control and the three lines of defence model; and,
        ii. Regulation/standards associated with internal control.
     c) Functions and responsibilities of internal control.

  6. Financial Institutions must define training levels and periodicity, according to the table below:

     | Level | Basic | Intermediate | Advanced/Specialty |
     |---|---|---|---|
     | Periodicity | Semi-annual | Annual | Biennial (every 2 years) – 1 (one) Training Only |
     | New Hires or Mobility/Promotions | All Employees and Members of GA/GF | Staff, Specific Functions (business and risk areas) | Staff, Specific Functions (business and risk areas) |
     | New Hires and/or Mobility/Promotions | Staff, Specific Functions (business and risk areas) | Staff, Specific Functions (business and risk areas) | New Hires and/or Mobility/Promotions/Governance Body Members |

  7. Financial Institutions must conduct a minimum framework of training content in Compliance, Risk Management, and Audit areas, according to the Annex which is an integral part of this Circular Letter.

  8. The objectives of training initiatives for the Internal Control System are:
     a) To promote understanding of basic internal control concepts;
     b) To contribute to the target audience's ability to recognize Internal Control functions, as well as responsibilities assigned to various areas;
     c) To strengthen the target audience's competencies, ensuring informed decision-making and choices in the Internal Control area;
     d) To provide a general understanding of the characteristics, products, and services of Financial Institutions, enabling adequate assessment of respective risks and opportunities;
     e) To contribute to increasing the ability to recognize situations where additional advice or information is relevant; and,
     f) To promote self-training habits in the target audience, regarding risks inherent to functions and creating precautionary habits, as well as situations that may indicate fraud or potentially harmful risk situations for their rights and Financial Institutions.

  9. Training must be delivered in Portuguese, without prejudice to the use of another language, provided simultaneous translation is ensured.

  10. Training activities must be identified by the initiative's name, responsible party, date, location, and access conditions.

  11. Training materials must be identified by title, authors, and publication/edition date.

  12. Training manuals must identify objectives, topics covered, availability and accessibility, as well as usage restrictions.

  13. The training program must adhere to the following principles:
      a) Rigor and currency: Information provided in training activities must be accurate, complete, updated, and relevant, considering the characteristics and interests of the target audience;
      b) Impartiality: Training activities and materials must contain impartial and objective information, avoiding value judgments and presenting different viewpoints whenever relevant, and must not constitute a marketing or advertising vehicle or feature explicit references to sector institutions or specific products or services.

  14. Training activities in the Internal Control System and its aspects must be delivered by trainers with adequate knowledge, pedagogical competencies, and a curriculum demonstrating relevant professional experience of at least 5 to 10 years in Internal Control functions and/or specialized training on the subject.

  15. Training activities must provide evaluation methods to assess results based on previously established objectives, through:
      a) Determination of implementation indicators;
      b) Assessment of acquired knowledge, via questionnaires administered before and after the training activity and through continuous evaluation results; and,
      c) Identification of factors likely to lead to changes in behaviors and attitudes in the medium term.

  16. Financial Institutions must promote specialized certification whenever training activities concerning the Internal Control System are conducted, namely in compliance, risk management, and audit.

  17. Heads of Internal Control functions must, for certification purposes, attend courses and pass a written examination administered by competent certified entities with national or international accreditation.

  18. Internal Control training activities and materials must be disseminated on Financial Institutions' Intranet or through any other adequate means, with this task assigned to the Management/Governance Body.

  19. Without prejudice to the provisions of this Circular Letter and aiming at strengthening the Angolan Financial System, Financial Institutions must ensure continuous reinforcement and enrichment of their training programs, considering the evolution of domestic legal frameworks, as well as internationally accepted practices and standards.

This Circular Letter enters into force on the date of its publication.

Luanda, November 6, 2023.

DEPARTMENT OF FINANCIAL CONDUCT


Eli Valentim de Castro -Deputy Director-

CONTINUATION OF CIRCULAR LETTER NO. 08/DCF/2023 page 2 of 8

ANNEX

Minimum Framework of Training Content in Compliance, Risk Management, and Audit

BASIC LEVEL

| COMPLIANCE (ML/TF/PWMD) | RISK MANAGEMENT | AUDIT |
|---|---|---|
| Introduction to ML/TF/PWMD and regulatory framework; Phases of ML; Introduction to KYC and KYP; Suspicion indicators; Reporting of suspicious transactions; Introduction to ML/TF risk matrix and client classification in FI; Simplified and enhanced due diligence. | General Risk Concepts: What is risk; Importance of risk management for strategy in a financial sector transformation concept; Risk management as a function and its alignment with strategy; Different stages of the Risk Management System (Identification, Assessment, Monitoring, Control, and Reporting); Relevant banking risks (credit, market, operational, liquidity, interest rate, exchange rate, reputational, strategic); Importance of ESG factors and their integration into risk management; Cyber risks, technologies, impacts, and main sanctions. | Introduction to Internal Control System and Audit Function; Standards for Professional Ethics and Internal Audit Practices; Internal Audit Professional Practices; Internal Audit and Compliance; Audit and Risk Management; Governance and Internal Control Systems (BNA Notice No. 01/2022); Internationally accepted accounting standards (IAS/IFRS). |
| International Sanctions: Introduction to international sanctions. | Risk Management Governance: Organization of the risk management function; Strengthening governance model, application of basic principles, and implementation of best practices; Three lines of defence model; Risk management culture in organizations; Chief Risk Officer (CRO) function. Risk Management Forums, composition, and functions. | Other topics based on business and Internal Audit Function. |
| Anti-Corruption, Fraud, and Other Financial Crimes: Introduction to bribery, corruption, fraud, and other financial crimes. | Strategic Risk Management: Risk management framework; Risk appetite (RAS) and monitoring through metrics (Risk Indicators); Risk-return trade-off, probability, and economic impact; Risk, return, and robustness (the 3 fundamental RRRs of management). Other topics integrated at the FI level in Risk Management. | |
| Code of Conduct/Ethics: Introduction to ethical principles/conduct of FI. | | |
| Irregularity Reporting: Introduction to irregularity reporting rules; Behavioral introduction and management measures (other associated topics). | | |
| Other pertinent topics, considering identified risk, new methods, and/or market trends related to ML/TF/PWMD. | | |

INTERMEDIATE LEVEL

| COMPLIANCE (ML/TF/PDM) | RISK MANAGEMENT | AUDIT |
|---|---|---|
| Continuous due diligence: KYT, KYC, KYCC and consequences of non-compliance; Assessment of PEP clients, Wealth Source in Continuous Due Diligence, and Additional Controls. | Risk Management – Regulatory Context: Evolution from Basel I to Basel IV; New prudential supervision requirements internationally (CRR/CR IV); The three pillars of Basel; Adoption of Basel rules in the Angolan Financial System; SREP four pillars: business model, internal governance and risk management, capital adequacy, and liquidity adequacy; Characterization of BNA supervision framework aligned with EU supervision framework; BCBS 239 Data Governance and Quality. | Continuous Audit and Internal Audit Processes; Audit Reports – Best practices; Fraud Risk and Internal Audit; Audit and Corporate Risk Management Systems; Annual Audit Plan: Construction of KPIs and KRIs; Audit on Corporate Social Responsibility (CSR); Audit on Corporate Governance; Project Management for Internal Auditors; Internal Audit and ML/TF prevention; Audit Risk Assessment – Evaluation of Risks in Internal Audit; Internationally accepted accounting standards; Angolan taxation. |
| International Sanctions: Special international sanctions regimes and UN (Designated Entities and Fund Freezing); Identification, Prevention, and Management of Conflicts of Interest: Behavioral introduction and management measures (other associated topics) based on specialization. | Strategic Risk Management Processes: Self-assessment of risk management; Prevention of materially relevant risks; Funding and Capital Plan as support for strategic risk management processes; ICAAP; ILAAP; Stress tests; Market discipline. | Other topics based on materiality of associated business themes and the Internal Audit Function itself. |
| | Capital Adequacy: Regulatory Capital and Economic Capital and FPR risk components (reserves, requirements, and guidelines); Quantification of capital requirements for pillar 1 risks; Modernization suggestions; Stress approach in capital quantification; Diversification approach in capital qualification (correlation between risks). Other topics integrated at the FI level. | |

ADVANCED/EXPERTISE LEVEL

| COMPLIANCE (ML/TF/PWMD) | RISK MANAGEMENT | AUDIT |
|---|---|---|
| International Trade, SWIFT Rules, Correspondent Banking, and sanctions; Financial Market and Product Assessment; ML/TF Risk in Credit Management; ML/TF, Sanctions, and Reputational Risk Assessment; Compliance, ML/TF/PWMD, and Sanctions; Governance Model for ML/TF/PWMD Risk, Internal Controls, and Independence of Compliance Function. Other pertinent topics considering identified risk, new methods, and/or market trends related to ML/TF/PWMD. | Statistical Models for Risk Quantification: Liquidity, Credit, Market, Operational, Interest Rate, Exchange Rate, Reputational, Strategic, ESG, and Other risks quantification models. | Standards for Internal Audit Professional Practices; Internationally accepted accounting standards (IAS/IFRS); Quality and performance assessment in Internal Audit; Institute of Internal Audit certification (CIA); Risk Management Assurance certification (CRMA); COSO Enterprise Risk Management (ERM). COSO Internal Control Integrated Framework (ICIF). |
| | Statistical Models – IFRS9: Classification and Measurement of instruments and concept of impairment; PD (Probability of Default) models; LGD (Loss Given Default) models; PD&LGD consolidation; CCF (Conversion Factors) models; BM (Behavioral Maturity) models; PPT (Pre-payments) models. Statistical Models – VaR (Value at Risk): VaR methodology; Delta Normal, historical, Monte Carlo VaR. | Other topics based on materiality of associated business themes and the Internal Audit Function itself. |
| | Backtesting Models: Backtesting PD, LGD, PPT, BM, CCF, PD, LGD (T test, Chi Squared); Backtesting VaR. Other topics integrated at the FI level. | |