Region

Jurisdiction

Regulator

2019-05-20

Instructions Concerning Internal Control Systems and Risk Management

The Central Bank of Kuwait mandates all registered Islamic banks to establish and maintain adequate internal control systems commensurate with their size, operations, and risk profiles. The directive outlines comprehensive requirements for accounting records, management information systems, organizational structure, and risk mitigation across credit, liquidity, foreign exchange, and operational exposures. Banks must annually submit external auditor evaluation reports, known as Management Letters, to verify system adequacy and address inspection-identified gaps while aligning with Basel Committee guidelines.

Kuwait

Central Bank of Kuwait

A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. B) Basel Committee's Operating Guide concerning the risks associated with settlement of FX transactions. C) Circular concerning Basel Committee’s guidelines on the principles of managing E-Banking risks. D) Circular concerning guidelines on sound practices in managing and monitoring operational risks. E) Circular concerning (Corporate Governance) in financial institutions. F) Providing the Central Bank with the external auditors report prepared under the name “Management Letter”. G) Circular concerning Guidelines on the Establishment of the Compliance Function and its Role in Banks, as issued by Basel Committee on Banking Supervision in April 2005. H) Circular requiring banks to take the necessary actions for enhancing internal control systems, so as to bridge the gaps in some aspects of the internal control systems of some banks, as revealed by The Central Bank of Kuwait inspection on those banks. 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT

Introduction
General requirements
Information for Management SECTION THREE INTERNAL CONTROL SYSTEMS
Introduction
General requirements
Control in Information Technology systems
Internal Audit SECTION FOUR SCOPE OF EXAMINATION & EXTERNAL AUDITORS REPORTS
Introduction
Scope of Examination
The required report SECTION FIVE * Format of External auditors report on the accounting records, other records and internal control systems

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 2 INSTRUCTIONS NO. (2/IBS/96/2003) SECTION ONE THE GENERAL GUIDELINES DIRECTORY FOR ISLAMIC BANKS INTERNAL CONTROL SYSTEMS AND FOR EXTERNAL AUDITORS EVALUATION REPORTS ON SUCH SYSTEM* Introduction: 1- Based on the rule of the Article (84) and (97) of the Law No.(32) of the year 1968, Concerning the Currency, Central Bank of Kuwait and Organization of the Banking Business, the Central Bank of Kuwait stresses the necessity that the Islamic banks registered with the Central Bank of Kuwait should set adequate Internal Control systems, commensurate with the size, nature and scope of the banks various activities. Banks should be committed to implement such systems so as to provide a basis for managing the risks encountered by the banks in their day-to-day business. 2- Members of the bank’s board of directors and top management shall be responsible for ensuring the sufficiency of the bank’s accounting records, other records and the Internal Control systems. 3- All Islamic banks registered with the Central Bank of Kuwait are obliged to submit reports on the extent of adequacy of their current Internal Control systems on an annual basis, or any other time basis defined by the Central Bank. Such reports shall be prepared by local audit firms approved by the Central Bank, but other than the auditing firms entrusted with auditing the accounts of those banks. Such local auditing firms must be associated with one of the international auditing firms as a conditions for being approved by the Central Bank for carrying out the evaluation of those banks internal control systems. The external auditors assigned for this mission are considered to be responsible for expressing their opinions and comments on the extent of adequacy of the bank’s internal control systems in terms of quality and quantity, in such a manner that allows to manage business risks in the course of the bank’s day-to-day operations. Therefore, the external auditor’s duty basically lies in pinpointing areas of inadequacy of the Internal Control systems which they detect while carrying out their examination tasks, in addition to submitting their recommendations in this connection.

issued by the Board of Directors of the Central Bank of Kuwait on 15/6/2003.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 3 4- This directory aims at indicating the Central Bank of Kuwait’s requirements relating to Internal Controls records and systems, which shall be observed by the local banks, so as to assist those banks to establish and implement sound Internal Control systems, apart from helping the external auditors - who are assigned by the banks to evaluate extent of adequacy of the Internal Control systems- to prepare the reports requested in this regard. These guidelines define the scope and nature of the information and financial data that should be stated in the accounting and other records submitted to the bank’s management. They also confirm the areas and nature of the Internal Control systems and the purposes for which such systems have been set by the management. The guidelines have been prepared to be sufficiently comprehensive to cover all areas of the activities exercised by the Islamic banks, whether those related to the balance sheet items or off-balance sheet items, and whether exercised by the banks for their own account or for a third party’s account. 5- The conditions pertaining to adequacy of the accounting and other records and Internal Control systems, shall be applied to the banks registered with the Central Bank of Kuwait, inclusive of the external branches and subsidiaries exercising banking business, taking into account the circumstances and requirements established in compliance with the Laws and regulations currently in effect in the countries where such branches and subsidiaries operate. It is significant in this regard to establish clear and adequate arrangements to organize the relationship between the bank and its subsidiaries, particularly in relation to regulating the flow of information and the decision-making powers in various areas of business.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 5 B) Submission of details related to each transaction or undertaking - whenever appropriate - to indicate the following: 1- Other totally or partially participating parties. 2- Type of the currency and the amount. 3- Type of the agreement (new or renewal), value and settlement or repayment dates. 4- The exchange rate agreed upon for the foreign exchange transactions. 5- The payable and receivable commissions and fees agreed upon in addition to any other related payments and collections. 6- The nature and current estimated value of any collaterals or guarantees provided to cover the facilities and any other liabilities of the customers, alongwith detailing the physical location and the evidencing documents for each of such collaterals. 7- Statement of the assets provided by the bank as a collateral in the event of obtaining finance from a third party. C) Book-keeping of the financial data and other information related to the bank’s activities in various areas, in a manner rendering them easily accessible to enable the management to achieve the following: 1- Monitor the quality of the bank’s assets and protect and safeguard them, inclusive of those fiduciary assets retained by the bank by way of trust. 2- Identify, determine the size, monitor and manage the overdrawn positions of other parties related to all products of the bank. 3- Identify and determine the type and size of business risks in various areas, most importantly: credit risks, liquidity, foreign exchange and market risks. 4- Rationalization and direction of various areas of activities, one by one. 5- Taking the necessary decisions at the right time, based on sound facts and information.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 6 D) Records should include details of exposure limits duly approved by the management, and which should be in line with the type, nature and size of the transactions exercised (Refer to Item 10/F). Such limits should include - whenever necessary- the trading limits for each customer, sector or country, the trading limits to accommodate the settlement risks, securities trading limits, overnight and intraday open position in foreign exchange operations, limits of trading other shareea’a – compliant instruments, and limits of the maturity mismatches to encounter the liquidity risks, in a manner which ensures availability of necessary information on any excesses to the said limits, accurately, systematically and promptly. E) Records should include details of the factors taken into account, the analysis performed and the management’s approval or declination with respect to finance and investment transactions or other types of exposure. F) Submission of necessary information on the details of each deal concluded in the name or on behalf of a third party, whether the bank is acting as an agent or trustee. [While observing Central Bank’s instructions concerning “the rules regulating the management of third parties portfolios” in relation to accounting books and other required records, as well as the instructions concerning “capital adequacy ratio for Islamic banks” in relation to preparing the systems and records necessary for classifying assets by finance sources, whether assets are self-financed or financed from unlimited or limited investment accounts]. Management Information: 8- Each Islamic bank should adopt a suitable information system which would provide the bank’s board of directors and top management with all the data and information necessary for evaluating and monitoring the bank’s performance, its financial position and business risks. Such information should be prepared at the bank’s level as an independent unit, and at a consolidated level which shall cover all the subsidiaries in the cases where so required. Periodicity of the information, level of details and quantity of analysis and notes are dependent upon level of management they are submitted to. There are certain types of information which are required to be submitted more frequently than others. It may be required to submit information when detecting deviations or breaching of the approved limits, through exceptional reports explaining such special cases.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 8 SECTION THREE INTERNAL CONTROL SYSTEMS Introduction: 11- The scope and nature of the effective Internal Control systems which proper and systematic progress of the work, should be consistent with the bank’s needs and special conditions, and should take into account in this respect: nature and size of the bank’s operations, diversification of the activities, size of the transactions and degree of their complexity, degree of risks associated with each area of the bank’s activities, level of control exercised by the top management on the daily operations, degree of centralization in work management and extent of reliance upon the information automated systems. Attention should be paid in this regard that the financial or non-financial benefits attained or expected to be attained as a result of implementing the control systems, are commensurate with the effort of applying or maintaining such systems. The internal control system must be designed in a manner that properly ensures the attainment of the underlying objectives, as there should be the necessary assurance that all income of the bank devolves to its favour, all the expenses are duly approved as per the necessary authorization and that they are dispensed properly, the assets are sufficiently protected, the liabilities are recorded, all the legal requirements pertaining to the records and accounts are adhered to, and all conditions and procedures of the reports necessary for providing management information, are strictly observed. General Requirements: 12- The bank’s board of directors and top management are responsible for laying down Internal Control systems and for revising and testing such systems on regular basis, so as to ensure on a daily basis their effectiveness and continued feasibility for achieving their objectives. In many banks, the audit activities help the top management in this regard through independent review of such systems [Refer to Items (26) to (30) mentioned hereinunder].

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 9 13- This directory does not aim at providing a comprehensive list of the Internal Control procedures applicable to all the banks, or a detailed list of some of the procedures relating to an activity or another and which are to be adoptedwhenever appropriate- by all the banks. But it aims at determining the general requirements required to be met in the effective internal control systems to ensure proper and systematic progress of the work. 14- The internal control systems adopted in the Islamic banks, must provide the necessary assurances as to the following: A) The business is carried out in an organized and prudent manner, in adherence to the established policies and limits. B) The transactions are concluded in accordance with the established powers. C) The operations executed and the procedures of their execution do not violate the rules of the Islamic Shareea’a. D) Existence of the necessary supervisory and control systems, to enable the management to protect the bank’s assets and control the business liabilities. Assurance should also be there as to the availability of procedures which curb the losses risks that may arise from breaching common practices or from misrepresentation or errors, and which ensure that the adopted systems secure the identification of such losses promptly as and when they occur. E) The bank’s accounting records and other records provide complete and accurate data at the right time (in the manner referred to under the second section of this directory). F) The management is capable of managing and controlling the financial position’s elements (capital adequacy, liquidity, profitability, quality of assets and the risks associated therewith) on a regular basis and at the right time [Refer to Item (10)]. G) Availability of the systems and regulations which enable management of the bank to measure and manage risks encountered by the bank in various areas of its activities, through establishing a specialized unit for this purpose with necessary efficiency and capabilities to properly discharge its duties, so that those systems and controls shall allow: 1- Regular and timely management and monitoring of risks.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 10 2- Determination of appropriate provisions for problem loans or for any other risks, whether related to the balance sheet items or to off-balance sheet items. [Central Bank’s instructions concerning “the rules and regulations for Islamic banks direct investments” must be observed in relation to organizing and managing direct investments risks]. H) Management is enabled to prepare and submit on time all the statements and reports required by Central Bank of Kuwait, accurately and according to the Central Bank of Kuwait’s instructions. [Central Bank’s instructions concerning “the rules regulating the management of third parties portfolios, must be observed in relation to the bases and rules for internal control system]. 15- The following are the most important areas and elements which the bank should give sufficient attention to while laying down an effective internal control system: A) The Organization Structure. B) Performance supervision and control. C) Segregation of duties and responsibilities. D) Authorization and approval. E) Completion and accuracy. F) Protection of assets. G) Manpower. The following items [from (16) to (22)] will address these elements. The Organization Structure: 16- The Islamic banks should formulate and authenticate the Organization Structure which should be proportionate to the size and nature of various banking activities. The structure should clearly demonstrate the level of organizational units and the needed administrative committees and their relation with the board of directors, alongwith defining the powers, responsibilities and method of reporting on all aspects of the activities. Proper job descriptions should also be set for positions in general, with special emphasis on the supervisory positions in this connection.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 11 Supervision & Control of Performance: 17- The Islamic bank is required to set the procedures which would secure submission of sufficient and accurate information on the bank’s performance, its financial position and liabilities, to the appropriate management levels on a regular and timely basis [Please refer to the items (8) to (10)]. The bank is also required to set the procedures necessary for ensuring adherence to the established policies and limits, inclusive of limits of authorities referred to under the item No. (16) above, as well as to the legal and supervisory requirements. Segregation of Duties and Responsibilities: 18- Segregation of duties and responsibilities is one of the most important internal control elements, which should be applied in such a manner that prohibits a single employee from solely recording and completing a transaction. This segregation reduces the risks of manipulation and errors and enhances effectiveness of the review and control process. The jobs and works which need to be segregated so that each of them would be carried out by a different section or different people, are listed hereunder: A) Approval of transactions. B) Execution. C) Follow up- Execution. D) Settlement of payments. E) Evaluation. F) Settlement of suspense transactions. G) Possession of assets. H) Keeping the legal documents of transactions. I) Entry into registers. In some areas (such as finance or treasury operations), the above-mentioned jobs or functions must be segregated financially and organizationally. It is necessary to determine the staff members who shall be allowed to have access to the computer programmes related to the accounts or control (for instance: The marketing officer may not have access to the established limits for dealing with the customers, nor be allowed to enter the deals). In the case of computerized systems, there should be a segregation between the systems development activities and the daily operations (entry and completion of operations or payments).

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 12 Authorization and Approval: 19- All the transactions require approval from an appropriate officer, based on pre-determined authorities and responsibilities. It should be observed in this connection that the authorities entrusted are proportionate with the responsibilities of various staff levels, taking into account the nature, size and degree of complexity of the bank’s operations. Completion and Accuracy: 20- The Islamic banks are required to set the regulations which ensure that all the transactions prepared for registration and completion, have been executed under authorizations, and that they are registered properly and executed accurately in conformity with the established procedures. These regulations should basically include checking the accounting accuracy of amounts of entries against documents; evaluation processes; settlement of suspense transactions (whether internally between the various registers and accounts, or externally with other parties), and verification of accounts, control and trial balances. Protection of the Assets: 21- The bank must have the controls that shall ensure prevention of accessibility to bank’s assets or information (whether directly or indirectly) except for staff members authorized by the management. The special importance of these controls is obvious in relation to the valuable and moveable assets, which can be replaced or disbursed, as well as fiduciary assets held in the custody of the bank. Manpower: 22- The bank is required to adopt the policies and procedures which would ensure that the staff abilities are proportionate with the responsibilities assigned to them, as smooth progress of any system depends upon competence and honesty of the staff operating it. Emphasis on the qualifications and recruitment and training policies, as well as the special qualities of the staff, is one of the most important aspects of building the control systems. In this respect, sufficient attention should be focused on the requirements of Article (68) of the Law No. (32) of the year 1968 and its amendments under Law Decree No. (36) of the year 1992 as concerns members of the board of directors, the chief executive officer, his deputies and assistants.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 13 Control in an Information Systems Technology: 23- The computerized information within the bank’s information systems, is considered amongst the valuable assets which need to be safeguarded properly against the possibility of being freely accessed to by unauthorized persons for the purpose of reviewing the records and disclosing the information. Such a protection is needed to avoid risks of the irresponsible usage of such information. The aforesaid Internal Control elements are equally applicable to the transactions manually or automatically recorded, although there are additional risks associated with a business environment using automated systems, which shall be addressed in the following paragraph. The management is responsible for understanding and interpreting the extent to which the bank is reliant upon such automated information, in order to determine the value of such information and establish a proper control system. The Central Bank of Kuwait is aware that proper control may be achieved through combination of manual and automated regulations, depending on the conditions that differ from one bank to another. This reflects the need for each bank to study the proper regulations and their costs, in order to achieve the control objective effectively. 24- The risks associated with utilization of Information Technology Systems in the banking and financial institutions, are basically exemplified in the following: A) MISPRESENTATION & THEFT: Access to information and systems allows the opportunities to manipulate the data and bring about or conceal heavy financial losses. Besides, the information could be stolen without being physically transferred or detected, a situation which may lead to the loss of the competitive benefits. Such kinds of unauthorized acts could be committed by persons who have or who do not have legal right of access to the registers and information. B) ERRORS: Although errors usually occur during manual entry of information or development or amendment of the computer programs, yet they can be detected at any stage of information system cycle. Therefore, attention should be paid to the review and checking procedures.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 14 C) DISRUPTION & FAILURE: The components of the automated systems are exposed to disruption and failure, and if sufficient arrangements are not made to encounter such emergency cases, this would lead to serious operational difficulties and/or severe financial losses. D) GIVING INCORRECT INFORMATION Such problems usually occur in the systems which have not been properly designed or developed. These problems may become immediately evident. However, they may pass without being detected for some period during which they may destroy the information which are supposed to be accurate and intact. This issue is considered to be one of the most risky areas wherever the checking and review procedures are modest to the extent that it becomes difficult to trace any transaction. Information Security: 25- The bank’s management is required to realize its responsibilities as to developing and enhancing the security awareness and alertness as to the importance of security measures at the bank. In particular, the bank’s management should focus its attention on the following: A) Adopt a policy for the information security comprising the criteria, procedures and responsibilities which guarantee adequacy and integrity of the utilized arrangements. B) Provide education and training on the security of the automated information, in such a manner which makes all the employees concerned aware of the need for, and of their role in supporting, the security of such information and the importance of such security in safeguarding the bank’s assets. Internal Audit: 26- The Internal Audit forms an integral part of the control systems which rules are established and maintained by the bank’s management, and is assumed to provide independent assurances on the extent of integrity and effectiveness of such systems.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 15 27- The Existence of independent Internal Audit functions at the banks is considered to be an important requirement, which the Islamic banks registered with the Central Bank of Kuwait should meet in order to provide an independent evaluation of the efficiency and adequacy of the adopted controls and systems. The scope and objectives of the Internal Audit depends on the bank’s management assessment of its needs in light of the size and structure of the bank and the risks inherent in its operations. The effectiveness of the Internal Audit relies upon several factors, most importantly: Extent of independence from the executive management, extent of adequacy, scope and periodicity of the audit, the extent of adequacy of the audit procedures, the reporting systems and quality of the audit staff. [Refer to the items (29) and (30) below]. 28- The most important Internal Audit functions within the internal control area, are as follows: A) Audit of accounting and other records. B) Audit of the extent of adequacy and efficiency of the adopted Internal Control Systems. C) Detailed testing of the operations and balances to secure the achievement of the control objectives. D) Checking adherence to the policies and limits established at the bank, the laws in force and the instructions and resolutions of the Central Bank of Kuwait. E) Carry out special investigation tasks for the bank’s management. 29- The bank’s management should ensure that the Internal Audit functions are organized and that the information necessary for performing such functions are available, so as to enable the internal audit to carry out the independent evaluation for the Internal Control regulations. Internal Audit operating system should be clearly defined (Audit check-list, Audit Guide etc......). Internal Audit’s independence should be asserted through determining the audit reporting line and thereafter the parties to which the audit reports should be submitted, namely, the bank’s board of directors or the audit committee (of the board of directors). The Internal Audit may also report directly to the Chairman of the Board, taking into account that in the cases where the Internal Audit reports to the audit committee,

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 17 SECTION FOUR SCOPE OF EXAMINATION & EXTERNAL AUDITORS REPORTS Introduction: 31- The records, systems and controls examinations cover normally a period of 12 months. The first step starts by the Central Bank of Kuwait sending a notification to the respective bank - every year - requiring it to provide the Central Bank of Kuwait with the subject report, and defining therein the scope of examination and any other relevant instructions. In accordance with this notification, the respective bank sends an assignment letter to the external auditor to carry out the task and prepare the subject report. A copy of this letter is sent to the Central Bank of Kuwait. 32- The external auditors, appointed by the bank under the Central Bank of Kuwait’s approval, are required to form their own opinion as to the extent to which the bank - during the examination period - has adhered to the Central Bank of Kuwait’s requirements, provided for in this Directory, in respect of adequacy of the accounting records, other records and Internal Control Systems, taking into account, while forming this opinion, the nature, areas and size of the activities exercised by the bank. 33- In the cases where the external auditor finds out during the course of carrying out the examination that the bank does not adhere to any of the requirements provided for in this Directory, and believes that this matter is significant, particularly in relation to the Central Bank of Kuwait’s supervisory role, or if the external auditor detects a serious matter which needs an urgent action, he should request the respective bank to immediately notify the Central Bank of Kuwait to this effect. 34- The cases of reservation in the external auditors reports shall include the following: A) Unavailability of certain records and systems, which are in the auditors opinion necessary to assist the management in exercising the bank’s dayto-day business in a prudent way. B) Existence of serious and influential weakness or deficiency in a number of records or systems during the examination period, or

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 18 C) The bank’s external auditors inability to form a specific opinion as to one of the areas related to the records and systems, a situation in which the external auditors deem it necessary to discuss this issue with the bank in a joint meeting with the Central Bank of Kuwait and the respective bank. 35- The Central Bank of Kuwait does not require the external auditors to include in their reports all the deficiency and weakness points which are simple in nature, scope and effects on the efficiency of the bank’s records and systems. They are required to report the cases which they believe did not enable them to give acceptable assurances on the bank’s adherence to the conditions and requirements provided for in this Directory. The Central Bank of Kuwait expects the external auditors to indicate in their reports any form of repeated deficiencies detected in their previous examinations. Scope of Examination: 36- When the Central Bank of Kuwait requests one of the banks to submit an overall examination report, the Central Bank expects the external auditors to pay attention to studying the adequacy of the accounting records, other records and Internal Control systems in various areas of banking activities, inclusive of the functions of the internal audit of the bank’s operations . In addition, the external auditor is required to check whether the bank’s procedures are sufficient to prevent and detect any money-laundering cases and to submit reports on the suspicions related to them. [Please refer to the Central Bank’s instructions regarding the " combat of money laundering and terror financing transactions "]. 37- The banks, in consultation with the external auditors, and subject to the Central Bank of Kuwait’s approval, may assign the external auditors in anyone year to carry out a specific task of examining the records and Internal Control Systems in one or more of the bank’s areas of activities, and to confine their reports to such area(s), within an audit programme extending over a number of years, as an alternative for the overall examination which covers all the areas and activities of the bank every year. 38- The Central Bank of Kuwait does not expect the external auditor to examine or evaluate the bank management’s resolutions and projections related to the banking matters.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 19 The Required Report 39- The external auditors should submit their reports to board of directors of the respective bank - in the event of the Kuwaiti Islamic banks- and to the general manager in the event of a branch operating in Kuwait for an Islamic foreign bank, who in turn must send a copy thereof to the Chairman of the board. The report must be submitted in the format shown in the Section Five of this Directory. The external auditors should include in their reports their general opinion on the state of affairs of the controls in each area of activity they have examined. They should also submit concise information, unless exempted under the assignment letter, on the area of activity which has been examined, including: the Organization Structure, nature and size of the operations, whenever appropriate, in addition to the major risks the bank might have encountered and the most important control regulations in place. When further information is requested, the required information shall be specified in the Central Bank of Kuwait’s advice addressed to the respective bank. 40- In the event of a qualified report of the external auditors, the report should demonstrate explicitly the risks encountered by the bank owing to the existing areas of deficiency, and should indicate the seriousness of the deficiency and its adverse impacts if not rectified. The time limit for the bank’s response to any of the recommendations, is considered an issue to be agreed upon between the respective bank and Central Bank of Kuwait, noting that the matter may need to be discussed in a meeting attended by the three parties. 41- The report must be completed and submitted by the respective bank to the Central Bank of Kuwait, alongwith the notes and comments which the bank’s management deem necessary to present, within the time limit specified by the Central Bank of Kuwait, but not exceeding four months from end of the examined period. The bank management’s notes and comments shall be sent to the external auditors at the time such notes and comments are submitted to the Central Bank of Kuwait.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT A) General guidelines directory on Islamic banks internal control systems, and external auditors reports on the evaluation of those systems. 21 SECTION FIVE FORMAT OF THE EXTERNAL AUDITORS REPORT SUBMITTED TO MEMBERS OF THE BOARD OF DIRECTORS OF THE ISLAMIC BANK ON THE ACCOUNTING RECORDS, OTHER RECORDS AND INTERNAL CONTROL SYSTEMS To: The Board of Directors of ……. Bank As per your assignment to us on --/--/--, we have examined the accounting records and other records of your bank. We have also examined and evaluated the Internal Control systems of your bank which were applied during (the year/period) ending on --/--/-- , as related to .........(mention the activities and locations which were examined). We have carried out the examination, taking into account the requirements provided for under the general guidelines directory issued by Central Bank of Kuwait on --/--/--. We would like to indicate that your responsibilities as members of the Board of the ------- Bank, include the establishment of accounting systems and records and adequate Internal Control Systems for your bank, taking into account that the cost of such systems should be commensurate with the benefits expected from their implementation. Noting that the purpose of this report is to give you reasonable assurances, on the extent to which the adopted procedures and systems are adequate to safeguard the bank’s assets against the losses which may result from irresponsible acts and uses, as well as confirmations that : the risks are being monitored and accurately evaluated; the operations are processed according to the authorization procedures in place and are properly recorded; the procedures and systems enable you to exercise all types of business with care and caution. However, it should be taken into account that the deficiency aspects in any of the accounting systems or Internal Control systems, may result in errors which can not be detected or traced, and that it is difficult to evaluate the adequacy of the systems for future periods, because the management information and the control procedures may become insufficient due to changes in circumstances or as a result of poor adherence to such procedures. In our opinion, taking into account the nature and size of the business, during the year/ period ending on --/--/--

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT B) Basel Committee's Operating Guide concerning the risks associated with settlement of FX transactions. 23 GOVERNOR Ramadhan 15, 1424 H November 10,2003 THE CHAIRMAN, Instructions No.(2/IBS/123/2003) FX Transactions Settlement Risks The Settlement & Payments Systems Sub-committee of Basel Committee passed an Operating Guide in January, 2000, on “FX Transactions Settlement Risks Control”, which addressed the risks associated with the arrangements adopted in the banks in respect of settlement of the FX transactions, and the proposed work mechanisms for the both public and private sectors in order to contain such risks, through various guidance papers specially prepared for this purpose. Within this context, it is worth noting that the Central Bank of Kuwait supports the attention given to this issue by the Basel Committee and all other central banks within the (G10) Group. Central Bank of Kuwait also urges your bank to ascertain the adequacy and efficiency of its FX transactions settlement arrangements, in a manner that achieves integrity and strength of your bank’s financial position, the adequacy of its liquidity ratios and financial solvency in general. We would also like to confirm the need for Islamic banks to develop advanced systems to measure and manage the risks which they would be exposed to in the areas of their various activities, through establishing specialized units having the necessary expertise and personnel to perform the function in the desired manner. In addition to the aforesaid, your bank’s efforts must focus on containing the risks associated with the said transactions through adopting work mechanisms which would help your bank ascertain adequacy of the systems adopted to manage risks of the FX transactions settlements, properly measure the risks of the FX operations settlements, and check the adequacy of the control and follow-up systems of the obligations resulting from the FX trading transactions. In order to advise your bank of the practical applications currently available for management and measurement of the FX transactions settlement risks, you may seek guidance in the following informative papers:

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT C) Circular concerning Basel Committee’s guidelines on the principles of managing E-Banking risks. 25 GOVERNOR Ramadhan 15, 1424 H November 10,2003 THE CHAIRMAN, Instructions No. (2/IBS/130/2003) To All Islamic Banks In the light of the advancement Internet-based (E-Banking) has achieved, and despite the advantages the Internet provides for both banks and customers, yet ebanking involves multiple risks that do not considerably differ from those of other typical traditional banking services, which the respective bank should be fully aware of and should develop appropriate means to manage them and to take relevant precautionary actions. Within this context, the Basle Committee passed in May 2001 a paper entitled “Principles of e-Banking Risks Management”. This paper comprised 14 principles which constitute a directory model to be used for ascertaining the integrity of e-banking at the respective bank, and which Islamic banks can seek guidance with respect to their e-banking activity. The principles of managing e-banking risks are classified into three general and interrelated categories: A) Supervision and control by the board of directors and top management. B) Monitoring controls. C) Management of legal risks and reputation risks. We would like to note that those principles do not represent the minimum nor the best available application. Accordingly, your bank has to initiate all procedures and systems that ensure proper management of those operations risks. Additionally, your internal control systems should cover and cope with the types of such operations.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT D) Circular concerning guidelines on sound practices in managing and monitoring operational risks. 27 GOVERNOR Thu Alqi'da 14, 1424 H January 6,2004 Instructions No.(2/IBS/152/2004) To All Islamic Banks THE CHAIRMAN, Guidelines on the Principles of Sound Practices in Managing and Monitoring Banks Operational Risks The Basel Committee on Banking Supervision issued a set of principles on the sound practices for managing and monitoring banks operational risks, which main pillars are as follows : 1- Stressing the significance of defining operational risks as a distinct risk category, beside other categories of credit risks and market risks. This step is viewed by Basel Committee as the most important development in the issue of operational risks. 2- Determining the principles of sound practices for managing and monitoring banks operational risks, and the role assigned to boards of directors and top managements in relation to setting up, approving and ensuring the implementation of appropriate mechanisms comprising the relevant policies and procedure. 3- Each bank, regardless of the size of its business, shall have to develop policies and procedures (working mechanism) for the identification, assessment and monitoring of operational risks, as part of a comprehensive system for risks management, consistently with the directives of Basel Committee. 4- Banks must make a sufficient level of public disclosure, allowing the parties of the market to evaluate the bank’s method in managing operational risks. This is in line with the policy adopted by Central Bank of Kuwait aiming at making the Kuwaiti banking business compliant with the best international practices in this respect.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT D) Circular concerning guidelines on sound practices in managing and monitoring operational risks. 29 Guidelines on Principles of Sound practices in Managing and Monitoring Banks Operational Risks General Principles and Definitions : 1- Banking business during recent years has been witnessing rapid quantitative and qualitative developments in the area of products and services, coupled with the use of highly advanced and sophisticated technology for electronic processing of data and information. These developments have been accompanied by an increasing degree of banks operational risks, to the extent that such operational risks have come to be treated as a distinct risk category beside other categories of credit risks and market risks. Within the context of subjecting such developments to the regulations and standards of international business, the Basel Committee issued guidelines to banks containing a set of principles regarding the sound practices for managing and monitoring banks operational risks, on which basis these guidelines have been prepared. 2- Operational risks can be defined as being “the risks of loss resulting from deficiency or weakness in the internal processes of the bank, or from weakness of staff or systems performance, or as a result of external events”. Examples of such risks include the risks of electronic data processing, the risks of increasing growth of the use of e-banking, the risk of systems security and violation of confidentiality, the risks of fraudulent transactions from within or outside the institutions, the risks of abusing customers information, the risks accompanying banking mergers and the shift in the systems used , the risks of money laundering transactions and illegal activities, the risks of damaging financial assets or properties due to deliberate acts of violence or natural disasters, the risks of disputes with suppliers, the risks of wages and compensations claims, in addition to the legal risks. 3- Although the term “Operational Risks” may involve wide interpretations in the banking industry, and although the policies necessary for managing these risks may differ from one bank to another depending on the variance in the size of banks business and their nature and degree of their interrelation, yet there is a set of joint elements that constitute the structure or mechanism for the management of the operational risks, regardless of the variance in the size of banks business.

Principles of Sound Practices for Managing & Monitoring Operational Risks: Taking into account the general principles and definitions, banks are required to take the following actions: First: Setting up policies and procedures for operational risks management, comprising the definition, assessment and monitoring of these risks. Such policies must be approved and regularly reviewed by the board of directors. Second: Subjecting the policies and procedures for the management of operational risks to periodic comprehensive audit by qualified staff members. The board of directors must ensure that the scope of the audit and its frequency is consistent with the degree of the bank’s exposure to operational risks, and that the audit reports show the extent of the efficiency in implementing these policies. Third: Implementing the policies and procedures for the management of operational risks in coordination amongst the units of the bank, while familiarizing all employees with their responsibilities in relation to the management of such risks. The top management of the bank shall be responsible for setting up, implementing and enhancing those policies, consistently with the requirements for managing the operational risks for all products and activities of the bank.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT D) Circular concerning guidelines on sound practices in managing and monitoring operational risks. 31 The top management of the bank must ensure that the staff members managing the operational risks are in continuous communication with the officers in charge of managing credit risks and market risks, within a concerted framework that meets the objectives of managing the overall risks of the bank. Fourth: Identifying and assessing the operational risks inherent in the bank’s products, activities, procedures and systems. Such assessment must be carried out before launching any products or implementing any new systems. Within this context, the bank must identify the internal factors influencing operational risks, such as the structure of the bank, the nature of its activities and its human resources. The bank must also identify and assess the external factors such as the changes in the banking business and the advancement of the information technology. When assessing operational risk, the bank must identify the points of weakness and the points of strength in its procedures and operational systems. In order to enhance the efficiency of risk measurement, each bank can develop its own techniques for transforming the qualitative operational risks into quantitative measurement risks. Fifth: Application of appropriate techniques for monitoring the various aspects of the operational risks that may entail huge losses. The top management and the board of directors must be provided with regular reports containing the information relevant to those risks. Within this framework, banks may use early warning systems for monitory increasing risks in order to face and contain them. The level of monitoring must be consistent with such risks and their frequency, as well as with the nature of change in the operational environment. The results of risks monitoring must be documented in the form of reports to be submitted to the board of directors by the risk management unit and the internal audit. These reports must fully indicate the areas of risks and the prompt actions to be taken for rectification. Sixth: Conducting periodic review for the limits of the operational risks and the strategies of monitoring them. Such strategies must be adjusted in the light of the developments of the bank’s overall risks.

Identifying the risks which must be subjected to monitoring, together with setting up documented policies for these risks management system.
Identifying the activities which risks can be met by insurance against them.
Reinforcing the concepts of an integrated internal control system for the bank’s operations, and stressing the importance of the internal control in cases where the operational risks are more obvious, such as the case of initiating new activities, upgrading and launching of products beyond the core business of the bank, or directing such products to unconventional markets. Seventh: Setting up contingency and business continuity plans, ensuring the continuity of the bank’s business with minimal losses in case of any disruption of the bank’s business. Within this context, the bank must develop a contingency plan to face the cases of failure of machines, equipment or communication networks. Such plans must include the possible risks scenarios, and must be subject to periodic review so as to make the necessary adjustments in the light of the developments in the business of the bank and in the environment of the banking industry. Eighth: Banks must continue their efforts for setting up and implementing better applications for operational risks management, ensuring the necessary monitoring in order to preserve their safety and security at all times. Ninth: Banks must make a sufficient level of public disclosure, allowing the parties in the market to evaluate banks method in managing their operational risks. The level of disclosure must be proportionate to the size and nature of the bank’s operations and the areas of risks in those operations. Tenth: Banks must submit reports on the evaluation of their policies and procedures applied in managing operational risks. Such reports shall be prepared by the External Auditors in charge of evaluating the internal control systems, as per the mentioned Central Bank’s instructions issued on 15/6/2003.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 33 GOVERNOR Rabi Al-Awal 14, 1425 H May 3,2004 THE CHAIRMAN, Circular to All Local Banks & Investment Companies Subject to The Central Bank of Kuwait Supervision (Corporate Governance in Financial Institutions) The issue of Corporate Governance has come to be at the forefront of priorities for economic administrations in various countries, owing to the financial crises that shocked huge shareholding companies and shook the confidence in the sound management of such companies, as well as in the integrity of their published financial results, leading to negative consequences. The attention to this subject also increased with the growing trend of segregating between ownership and management in new shareholding companies, with the consequent likelihood of conflict of interests between management and shareholders. While taking into account that banks and investment companies in the State of Kuwait operate within a supervisory and regulatory environment that provides appropriate legislative frameworks for Corporate Governance, particularly with the existence of regulatory rules and instructions issued by Central Bank of Kuwait covering various aspects of banking and financial business in the domestic market, yet with the increasing international attention to the issue of Corporate Governance due to the gross risks every now and then identified in international markets as resulting from unsound corporate practices, the Central Bank of Kuwait resolved to issue to local banks and investment companies certain instructions directly related to the principles of Corporate Governance in financial institutions, aiming at stressing the relevant rules included in the Central Bank’s previous instructions, as well as at supplementing such previous instructions by another set of principles directly addressing Corporate Governance in banks and investment companies.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 34 Attached is a copy of those directives which should be observed and implemented in such a manner that favorably reflects on banks and investment companies administrative structures as well as policies and practices. We hope that these directive will encourage financial institutions in Kuwait to adopt best practices in the area of Corporate Governance. With my best wishes, SALEM ABDUL AZIZ AL-SABAH

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 35 Directives to Banks and Investment Companies Concerning the Principles of Corporate Governance in Financial Institutions General Guidelines and Principles: 1- During the last three decades, the world witnessed significant changes in the role of the private sector in economic development and in providing job opportunities. The number of the countries adopting the market system as a guide for its economic policy has also increased. These developments were accompanied by an increasing level of awareness as to the significance of the role companies play in the economic life and in the welfare of individuals. The attention to this subject also increased with the growing trend of segregating between ownership and management in new shareholding companies, with the consequent likelihood of conflict of interests between management and shareholders. The issue of Corporate Governance has come to the top of priorities for economic administrations in various countries owing to the financial crises that shocked huge shareholding companies and shook the confidence in the sound management of such companies, and accordingly the authenticity of their share prices in stock exchanges, as well as the integrity of their published financial results, leading to different negative consequences. Based on this, the current trends of Corporate Governance in listed companies have come to stress the fact that such companies are part of an integrated economic system that influences and is influenced by the local, regional and international environment, hence the need for control and audit. This has created more focus on the functions of the internal and external audit, the responsibilities of the board of directors in forming audit committees for efficient monitory of the company’s operations, and the need for enhancing the efficiency of the role of the board of directors in supervising the operations. 2- According to the definition included in the principles approved by the Ministerial Council of the OECD regarding the " Corporate Governance " a definition which was approved by Bazel Committee on Banking Supervision, corporate governance represents “a set of interrelated relations between the executive management, board of director and shareholders of an institution, as well as the other related parties”. In the course of this definition, these principles explained that corporate governance should embrace the structure through which the institution “can define its objectives,

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 36 the means of achieving these objectives, the supervision of performance, and the appropriate stimulation of the board of directors and executive management to pursue the targeted objectives to the benefit of the company and its shareholders, all within the context of certain procedures that facilitate efficient supervision and encourage institutions to more effectively use their resources”. Hence, corporate governance is based on the manner of balancing between the powers enjoyed by management and the protection of shareholders and other related parties interests. Corporate governance and transparency are viewed as part of the basic pillars for the management of companies. 3- Based on the set of principles included OECD’s paper on corporate governance, the principles and guidelines issued by International Institute for Finance on corporate governance and transparency in emerging markets, and the principles and directives of the Basel Committee on promoting corporate governance in banking institutions, corporate governance for companies is underlied by a set of basic pillars that harmonize with the above mentioned definition. These pillars are: protection of shareholders rights and equitable treatment of shareholders; respect and protection of the interests of stakeholders / related parties ; definition of the responsibility of boards of directors and executive managements ; disclosure , transparency and sound practices ; emphasis of internal and external audit and audit committees functions. 4- Within the context of these pillars for corporate governance, the legislative and regulatory frameworks applied in the State of Kuwait – particularly law No. (32) of the year 1968 and the set of regulations and instructions issued by The Central Bank of Kuwait - include many significant aspects pertinent to corporate governance in financial institutions. Furthermore, the Commercial Companies Act No. (15) of the year 1960, as well as the laws issued in respect of organizing Kuwait Stock Exchange (KSE) and the resolutions issued by KSE management, all in turn include a set of rules and regulations related to the main pillars on which corporate governance principles in Kuwait are based. 5- With the increasing international attention to corporate governance owing to the gross risks identified from time to time in international markets due to unsound practices, the Central Bank of Kuwait deemed it necessary to issue directives to banks and investment companies, directly related to

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 37 " corporate governance " in financial institutions. These directives are intended to re-affirm the principles included in our previous instructions, and to complement those instructions with other principles deemed appropriate in the area of sound practices. Here below are the basic pillars for the principles of corporate governance in financial institutions, to be implemented by banks and investment companies. It is to be noted that the general guidelines and principles mentioned above are intended to encourage financial institutions in Kuwait to promote best business practices.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 38 First Pillar Protection of Shareholders Rights and Equitable Treatment of Shareholders The corporate governance framework of a financial institution as well as its policies and practices should comply with the rules of Laws, regulations and instructions issued by various regulatory bodies in relation to protecting shareholders rights and equitable treatment of shareholders in terms of : 1- Protecting basic shareholders rights in relation to securing methods of ownership registration and transfer, participating and voting in general shareholder meetings, sharing in the profits of the corporation and obtaining regular information on the corporation. 2- Ensuring the shareholders rights to be sufficiently informed of or to participate in making decisions concerning amendments to the memorandum, or articles of incorporation, including the authorization of capital increase through new shares issue, or the launch of shares under staff share option scheme, or the repurchase of shares, as well as the decisions related to extraordinary transactions influencing the destiny of the institution or the course of its business, such as merger or sale of a significant portion of the company’s assets or divestiture of subsidiaries. 3- Ensuring that shareholders have the opportunity to participate effectively in general shareholders meetings. Shareholders should be informed of the rules, and procedures for voting, including notifying them of the date of the general meeting and its agenda at a reasonable time before the meeting so that they can prepare for representation by proxy. The venue and date of the meeting should be publicly announced in accordance with the relevant laws , rules and regulations. 4- Emphasizing the importance of disclosure of capital structure or any arrangements that enable certain shareholders to obtain a degree of control. 5- Ensuring that all shareholders should be equitably treated, including small investors and foreign investors. All shareholders should have the right to question the acts of the board of directors and to rectify any prejudice to their rights.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 39 Second Pillar The Role of Stakeholders (Related Parties in Corporate Governance Stakeholders or related parties are meant to be all individuals, institutions and bodies having business relation with financial institutions (such as depositors, borrowers, creditors, investors, employees, and society at large). Corporate governance in this area requires the following : 1- The corporate governance framework should recognize the rights of stakeholders established under relevant laws, regulations and instructions, and should encourage active cooperation between corporations and stakeholders in enhancing development, creating jobs and strengthening the integrity of the financial positons of those corporations. Financial Institutions should observe that one of the important aspects of corporate governance is to ensure the flow of funds within those institutions. Therefore, the ultimate success of the institution is the outcome of the joint efforts of several parties including depositors, borrowers, employees, investors and other parties having business relation with the institution. Banks and financial institutions should realize that their interest on the long term lies in enhancing wealth creation through the cooperation and participation of all stakeholders. It is noteworthy that law No.(32) of the year 1968 and the set of regulations and instructions issued by the Central Bank of Kuwait to banks and financial institutions in relation to business practices, include the controls and bases that provide the necessary protection for the rights of stakeholders, particularly depositors, borrowers, and shareholders, in a manner that ensures the protection of the financial positions of those institutions and the energizing of their role in servicing the community and in contributing to the economic development. Therefore, the compliance with such controls and bases represents the general framework for one of the most important pillars on which corporate governance in financial institutions is based. 2- The corporate governance, policies and practices of the institution should emphasize the rights of stakeholders in rectifying any prejudice to their rights, in accordance with the provisions of the relevant laws. 3- Where stakeholders are permitted to participate in managing the financial institutions, they should have access to relevant and sufficient information in line with the nature of their participation in management.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 40 Third Pillar Disclosure and Transparency A strong disclosure system that promotes real transparency is a pivotal feature of market-based monitoring of companies performance, and is central to shareholder’ ability to exercise their voting rights on an informed basis. Disclosure can also be a powerful tool for influencing the behavior of companies and for protecting investors. The stronger the disclosure system is, the more it enhances confidence in the capital markets. Shareholders and investors also need correct, adequate and sufficiently detailed material information, enabling investors to evaluate the management of those companies and make informed investment decisions. Material information can be defined as information influencing the company’s share price, or which omission or misstatement could influence the economic decisions taken by users of information. Within this context, the promotion of corporate governance in financial institutions requires the presence of an appropriate mechanism for accurate and timely disclosure of all material affairs of institutions, including the financial position, the operating results, any changes in ownership or management and any other information required to be disclosed under the relevant laws and instructions, particularly disclosure requirements as included in Central Bank of Kuwait and Kuwait Stock Exchange relevant instructions. The principles of disclosure support timely disclosure of all material developments that arise between regular reports. They also support simultaneous reporting of information to all shareholders in order to ensure their equitable treatment. As a minimum, disclosure should include all information and data specified under applicable laws and regulations, including but not limited to the following: 1- The operating results and financial statements showing the balance sheet, profit and loss account, cash flow statement and notes to the financial statements. The objective behind this disclosure is to provide the basic data and information needed for evaluating the share of the institution and for properly monitoring the performance of this institution.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 41 2- Major share owners or those controlling the management of the institution. This disclosure provides the basic information that should be known by the investors as one of their major rights. 3- Board members and senior executives in the institution, as well as the packages of their remunerations including any benefits under a share option scheme. Such information is necessary for the investor in order to evaluate the experience and qualifications of the board members and senior staff, as well as to assess any likely conflict of interests. 4- Important issues pertaining to the employees and other related parties, which may materially affect the performance of the institution. 5- The nature and size of transactions with any related parties who have influence or control over the institution, including senior management members. 6- The corporate governance code or policy and the process by which it is implemented, and prevention of overlapping of powers between the shareholders, the management and the board members. The disclosure of such information is one of the requirements for evaluating the management of the institution. 7- The objectives and policies of the institution in relation to business ethics, and the obligations of the institution towards the environment and the public. The disclosure of such objectives and policies may be useful for the purpose of a better evaluation of the relationship between the financial institution and the community it operates in. 8- The systems and mechanisms applied by the institution for managing and monitoring various risks inherent in banking and financial business. The disclosure of such systems and mechanisms is one of the requirements for evaluating management performance in relation to controlling these risks, as well as assessing the level and size of the risks that the institution may encounter in relation to the size and nature of its business. 9- Financial data should be prepared and disclosed in accordance with the International Accounting Standards or any other standards approved under the laws and resolutions issued by various regulatory bodies, particularly Central Bank of Kuwait’s instructions with regard to the reports of the external auditors. 10- The institution should publish the information in such a manner that users can access in a timely manner at fair cost.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 42 Fourth Pillar Responsibilities of the Board of Director and Executive Management Responsibilities of the Board The corporate governance framework should stress the strategic guidance of the company, the effective monitoring of executive management by the board, and the board’s accountability to the company and the shareholders. The primary pillar for corporate governance lies in the presence of a board of directors that exercises its responsibilities guided by the purposes and objectives of the institution and the significance of its activities and achievements. Within this context, the implementation of the principles of corporate governance in financial institutions requires the board of directors to discharge its functions within the following scope of responsibilities Basic Responsibilities 1- The board members should perform their functions collectively and individually, in good faith, with due diligence and care, and in the best interest of the company and the shareholders. 2- Any board decisions should treat all shareholders equitably. 3- The board should ensure that the institution’s activities and practices take into account the interests of stakeholders. 4- Board members should pass their resolutions based on adequate, accurate and timely information. Strategy and Planning 5- The board of directors should select the members of the senior management in the institution, taking into account the educational qualifications and professional experience in banking and finance as required for the incumbents of these positions, while observing the requirements stipulated under the relevant laws and instructions passed by various regulatory bodies. 6- The board of directors should set a strategy for the institution, annual business plans, performance targets and policies for managing and monitoring various risks, seeking the assistance of the executive management or the external experts and consultants, if so needed.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 43 7- The board should review and guide corporate strategy and annual business plans, and should monitor the implementation of plans and actual performance compared to targeted performance. Organization Structure and Internal Control 8- The board of directors should adopt an organization structure suitable for the nature of the institution’s business and activity, and ensuring the presence of required organizational controls for the implementation of the strategy approved by the board. This can be achieved through explaining the targeted objectives for each organizational unit and defining its functions and responsibilities, establishing limits of authorities and communications between managers across the board, ensuring dual control and the principle of segregation of duties in order to avoid conflict of responsibilities and operational risks. Guidelines, policies and operating manuals should be available for executing and monitoring operations, in addition to job description for various positions and definition of qualifications and experience required therefore. 9- The board of directors should periodically check the adequacy and efficiency of the internal control system required to protect the institution’s properties and assets, the correctness of its financial data and the efficiency of its operations in terms of administrative, financial and accounting aspects, while ensuring compliance with such internal controls and ascertaining that such controls provide the necessary protection for the institution against any illegitimate interference from within or outside the institution. 10- The board of directors should ensure that the internal audit department enjoys both independence and competence, and that the scope, procedures and periodicity of audit meet the level of risks encountered in the different activities of the institution. The head and team members of internal audit should be appointed and their benefits determined by the board of directors to emphasize the principle of this department’s independence and competence. To enhance the efficiency of the board of directors, the board should benefit from the audit comments, and should request the external auditor to evaluate the effectiveness of the internal controls. Furthermore, the board of directors should view the internal audit and external audit functions as important control instruments, availing of the audit reports which are essentially an independent review of the information reported from the executive management to the board of directors.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 44 Supervision of Executive Management 11- The board of directors should evaluate the performance of the executive management and identify its ability to implement internal control policies and procedures, evaluate the targeted results and make the necessary amendments in the light of such results. 12- The board of directors should monitor basic capital expenditure, review the financial remunerations for the senior executive positions and for the board members, and ensure transparency in determining such benefits. 13- The board of directors should rely on the executive management’s experience in implementing the board resolutions without any intervention in management responsibilities. In the event any of the board members participates in executing resolutions passed by the board, such participation should be in accordance with an authorization issued by the board , under notification to the board of the outcome of such participation. 14- The board of directors should ensure that the executive management complies with the laws and instructions issued by various regulatory authorities and the board resolutions in relation to the institution’s lines of business, thus protecting the institution against the risks of non-compliance with such laws and instructions. Business Practices and Management of Conflict of Interests 15- The board of directors should manage and monitor the potential conflict between the interests of the institution, the board members and the shareholders, including the abuse of the institution’s resources and any misuse of powers in the transactions between the institution and the board members. 16- The board members shall be committed to preserve the confidentiality of the information and data on the institution’s customers, as per the rules of the laws and instructions issued by the regulatory bodies in the respect. 17- No board member may use the information available for him on the state of affairs of the institution for the sake of achieving self-interests or interests for other related parties.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 45 The Board of Directors Accountability Before the Shareholders and the Regulatory Bodies 18- The board of directors shall be accountable towards the shareholders and other parties and bodies concerned as to the soundness of the institution’s financial statements and operating results . Such financial data should be transparent and objective, and should disclose all transactions with related parties in accordance with the rules of the relevant laws, resolutions and instructions. 19- The board of directors shall bear primary accountability before the regulatory authority as to the integrity of the institution’s financial position and the protection of the shareholders and depositors rights, as well as for the soundness and transparency of financial data and information supplied to the Central Bank of Kuwait. The board of directors should ensure the institution’s compliance with the laws, resolutions and instructions passed by the Central Bank of Kuwait. Board Members Remunerations 20- The financial packages for the board members (including remunerations, allowances or other benefits) should be commensurate with the significance and burdens of their responsibilities, ensuring incentives for better discharge of their duties to the best interest of both the institution and its shareholders, and their firm commitment to their responsibilities, without any exaggeration in such benefits. The Role and the Responsibility of the Executive Management The Executive Management of the institution comprises the CEO and his assistants for various areas of business, as well as the administrative and technical committees set up pursuant to written and authorized resolutions. Within the context of corporate governance in financial institutions, the responsibilities of the executive management are as follows : 1- Propose business strategies, plans and policies in various lines of banking and financial business, for approval by the board, using its professional expertise in this regards. 2- Implement the policies approved by the board for all areas of business and operations, and develop appropriate mechanisms to ensure the implementation of such policies.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 46 3- Any important decisions made by the management should be passed with the participation of more than one member of the executive management. 4- Provide the board of directors with regular financial and administrative reports on the implementation of the policies approved by the board, as well as on the progress of work and the operating results, with comparison between actual performance and targeted performance, while defining deviations from targeted performance and the reasons therefore, together with any proposals needed to adjust and energize such policies. The executive management has also to comply with the principles of transparency and objectivity in the reports raised to the board on the operations of the institution. 5- The executive management shall be responsible for compliance with the rules of the laws, regulations and circulars passed by the Central Bank of Kuwait and other regulatory bodies in relation to the institution’s lines of business and operation, so as to avoid the risks of non-compliance and the consequent penalties, financial losses and reputation risks. The executive management has to develop appropriate policies for ensuring such compliance . 6- The executive management should exercise its activities in accordance with business ethics. The executive management should also pass appropriate instructions for implementation by all institution staff members. Its policies should also include necessary controls for ensuring compliance with business ethics. 7- The executive management has to prepare the institution’s financial statements in accordance with the International Accounting Standards or any other approved standards or instructions passed in this regard.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 47 Fifth Pillar Audit Committee and Board Committees The effective monitoring of the institution’s operations makes it a must for the board of directors to set-up the necessary board committees for enhancing the quality and efficiency of participation in the monitoring process. The setting up of audit committee in banks and financial institutions is viewed as one of the requirements of corporate governance , which is one of the top priorities in their policies. According to relevant international corporate governance practices and trends, the formation and the definition of the functions of such committees is organized in accordance with the following framework : 1- The committee shall be formed by a resolution of the institution board of directors, and shall consist of 3 members (chairman of the committee and 2 members) to be elected by the board from among its non-executive members that have adequate financial experience in terms of ability to analyze financial data. The term of the committee shall be the same as the term of its board members. The board of directors shall fix the remunerations it deems fit for the committee members. 2- The audit committee shall work under the supervision of the board of directors, and shall refer to the board its report and recommendations on the outcome of exercising its functions. 3- The primary functions of the audit committee shall comprise the following : • Supervise the external audit of the business of the company; review the comprehensiveness of the audit, and ensure coordination between the activities of external auditors if more than one auditor is performing this function. • Supervise the activities of the internal audit; review and approve the scope and periodicity of internal audit works. • Receive audit reports and ensure that proper actions are taken to rectify any observation or any areas of weakness in internal control. • Ensure the institution’s compliance with relevant policies, laws and instructions.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT E) Circular concerning (Corporate Governance) in financial institutions. 48 • Review and check the adequacy and efficiency of internal control systems, including policies and procedures addressing sound practices for managing and monitoring various types of risks. • Review and check the financial data of the bank before presentation to the board of directors, ensuring compliance with the Central Bank’s relevant instructions. • Provide the board of directors with periodic reports on the affairs of internal and external audit. 4- The audit committee shall convene its meeting at least once every three months, or whenever needed, or upon request of its two members. A quorum will be met with the attendance of at least 2 members. The head of internal audit shall participate in the periodic meeting of the audit committee. The committee may also invite any other staff member to hear his opinion when discussing a certain issue. 5- The board secretary shall be the audit committee secretary, and shall take minutes of its meetings. Such minutes of meetings shall be viewed, together with the minutes of board meetings, as part of the institution’s records. Setting Up Other Committees In the light of the size and nature of its business, it is appropriate for each institution to consider the need for setting-up other board committees that would contribute to enhancing the effectiveness of the board’s monitoring of the important operations. Such committees may include the “Recruitment Committee” that performs the function of selecting management members who enjoy talents and capabilities that meet the requirements of the institutions’ business, and the “Compensations Committee” that determines renumerations and compensations consistently with the interests of the institution and the shareholders.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT F) Providing the Central Bank with the external auditors report prepared under the name “Management Letter”. 49 Executive Director Jumada Al-Aula 26, 1426 H July 3, 2005 THE GENERAL MANAGER, Providing the Central Bank with the external auditors report prepared under the name “Management Letter” Within the framework of the Central Bank’s attention to studying the external auditors report prepared under the name (Management Letter), we have already requested local banks to provide the Central Bank with the said report within a maximum period of three months from the end of the financial year. Therefore, your bank is kindly requested to provide the Central bank with the said report commencing from the current year (2005), while observing the deadline for submitting it. Best Regards, Ibrahim A. Al-Qadhi Executive Director of the Supervision Sector

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT G) Circular concerning Guidelines on the Establishment of the Compliance Function and its Role in Banks, as issued by Basel Committee on Banking Supervision in April 2005. 50 DEPUTY GOVERNOR Jumada Al-Akhir 4, 1426 H July 10, 2005 THE CHAIRMAN, “Circular to All Local Banks” Guidelines on the Establishment of the Compliance Function and its Role in Banks The Basel Committee on Banking Supervision issued in April 2005 a paper comprising a set of principles entitled “Compliance and the Compliance Function in Banks”. In order for the Central Bank of Kuwait to ensure further organization of the banking business and its direction in the manner conducive to the soundness and integrity of the financial position of banking system’s units, and in order to ensure that such units shall not be exposed to any crises that may arise from noncompliance with the banking rules and regulations in conducting their business, and since the mentioned guidelines on the establishment of a compliance unit, as presented by the Basel Committee, are complementary to the Central Bank of Kuwait’s methodology of ensuring the compliance of the banking business in Kuwait with the best international practices in this regard, we recommend that you visit the website of the Bank for International Settlements - Basel Committee on Banking Supervision: www.bis.org/publ/bcbs113.htm to review the mentioned paper and to seek the guidance of those principles. With my best wishes, DR. NABEEL AHMED AL MANNAIE

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT H) Circular requiring banks to take the necessary actions for enhancing internal control systems, so as to bridge the gaps in some aspects of the internal control systems of some banks, as revealed by The Central Bank of Kuwait inspection on those banks. 51 GOVERNOR Ramadam 4, 1427 H September 26, 2006 THE CHAIRMAN, Circular to All Local Banks Despite the tangible progress local banks have achieved in technological applications and the positive reflections of these applications on the level of customer service, yet the inspection carried out on local banks has revealed a number of gaps in some aspects of the internal control systems in some local banks. These gaps relate to the applications of some IT systems or the general control systems. This requires the respective banks to take the necessary actions for bridging such gaps, while taking the following regulatory controls into consideration, given the risks involved: 1- Some banks have not got the ratification of their boards of directors for the (Disaster Recovery and Business Continuity Plans). These plans are also not updated to reflect the latest activities and products of the bank that should be incorporated into such plans. Furthermore, it was also observed that some banks have not tested the subject plans to ensure their efficiency. 2- It was noticed in some cases that the powers delegated to the users of a banking system of some banks give the employees a set of delegation levels to enter, execute and amend the data - a case which is in conflict with the principle of segregation of duties. This is the result of giving such employees new delegated powers without canceling the previous delegations that are in conflict with the new ones and with the principle of dual control. Moreover, it was also noticed that there are active delegated authorities for some systems users whose service with some bank branches has ended. This situation requires banks to review the powers delegated to the systems users, so as to take the necessary corrective actions. 3- The inspection revealed, in some cases, that there are control gaps in the credit cards issuance system. It was noticed that these cards are delivered to customers in an “Active” status. The cards are also kept for certain period in non-sealed envelopes pending delivery to customers. This situation requires the local banks to observe various relevant regulatory controls, such as activating such cards by customers only after the date of receipt, as well as in relation to providing dual control and cards delivery procedures.

CHAPTER TWO: The law, supervisory & Regulatory Instructions & Control on Islamic Banks 14- INSTRUCTIONS CONCERNING INTERNAL CONTROL SYSTEMS AND RISK MANAGEMENT H) Circular requiring banks to take the necessary actions for enhancing internal control systems, so as to bridge the gaps in some aspects of the internal control systems of some banks, as revealed by The Central Bank of Kuwait inspection on those banks. 52 4- It was also noticed that the funds recovered to the favor of customers after the settlement of disputes on some customers card transactions, are transferred to the respective customers accounts only after a long period from the date of posting such amounts into the bank accounts. Such a period may extend to more than six months. Therefore, banks must refund these amounts to customers without any delay and during a period not exceeding one month from the date of recovering the amounts. 5- In the area of checking the data of the report on suspicious transactions, it was noticed that the statement of financial transactions report electronically transmitted to The Central Bank of Kuwait on a daily basis (and which include the (FCT) file and the (LCT) file for amounts equivalent to or exceeding KD 3,000/-, or the equivalent in foreign currency), does not include in some cases all the transactions carried out in the bank. This situation requires the local banks to ensure regular consistency of the report. 6- The Central Bank of Kuwait noticed that the internal audit plans of some banks do not include sufficient coverage of certain important areas of the IT systems. This situation requires banks to give due attention to internal audit of IT systems. Although most of the above mentioned observations relate to the Internal Control Systems in regard of which The Central Bank of Kuwait issued its instructions to local banks, particularly the guidelines on internal control systems, and the circulars issued with respect to corporate governance and management and control of operational risks, yet given the special nature and significance of the subject observations, the respective banks must enhance the controls applied in this respect. With my best wishes, SALEM ABDUL AZIZ AL-SABAH