2019-04-24

Ordinance No 10 of the BNB on the Organisation, Governance and Internal Control of Banks

The Bulgarian National Bank issued this Ordinance to establish comprehensive requirements for the organisation, governance, and internal control of banks and their branches. It mandates that banks maintain transparent structures, robust risk cultures, and independent compliance functions, including specific roles for preventing money laundering and terrorist financing. The regulation further details strict protocols for internal reporting, conflict of interest management, and the segregation of duties to ensure prudent business conduct and regulatory compliance.


Bulgaria

Bulgarian National Bank


Ordinance No 10* of the BNB of 24 April 2019 on the Organisation, Governance and Internal Control of Banks

(Published in the Darjaven Vestnik, issue 40 of 17 May 2019; amended, Darjaven Vestnik, issue 12 of 2024; amended, Darjaven Vestnik, issue 97 of 15 November 2024, effective as of 15 November 2024)

* Unofficial translation provided for information purposes only. The Bulgarian National Bank bears no responsibility whatsoever as to the accuracy of the translation and is not bound by its contents.

Chapter One
SUBJECT

Article 1. (1) This Ordinance shall determine the requirements to organisation, governance and internal control of banks.

(2) The provisions of this Ordinance shall also apply to:

  1. third-country bank branches;
  2. companies included within the scope of supervision on a consolidated basis.

Chapter Two
ORGANISATION AND GOVERNANCE

Section I
General Requirements

Article 2. (1) The organisation, governance and internal rules of banks shall be consistent with the size, nature, scale and complexity of the activities performed by them and the risks to which they are exposed.

(2) (amended; Darjaven Vestnik, issue 12 of 2024) For the purposes of paragraph 1, the banks shall take into account the criteria set out in point 19 of the Guidelines on Internal Governance (EBA/GL/2021/05) issued by the European Banking Authority.

Article 3. (1) Management and control bodies of the bank, in line with their competence, shall create a suitable and transparent organisational and operational structure, which shall ensure effective and prudent management of the bank.

(2) The structure of the bank shall be consistent with its risk strategy and risk appetite and shall not impede the ability of the management and control bodies to manage and oversee the risks it faces and the ability of the Bulgarian National Bank to effectively supervise its activity.

(3) Banks shall not set up unduly complex and non-transparent structures, that have no clear economic justification and may be used for illegal purposes.

Section II
Internal Rules

Article 4. (1) The management body of the bank shall adopt and implement rules on bank’s organisation and governance, which shall include at least:

  1. a detailed description of bank’s management and organisational structure, including clear allocation of functions and responsibilities among structural units, relationships between them and a decision-making procedure;
  2. an exhaustive definition of powers and responsibilities of administrators and key function holders in the bank, as well as a description of requirements for holding such positions in order to ensure knowledge, skills and professional experience necessary for the performance of their duties;
  3. the bank’s strategy and plan of activities that take into account its long-term financial interests and solvency;
  4. the policy and structure of risk management and control, including determination of bank’s risk appetite;
  5. the procedure for preparing and the scope of management information;
  6. appropriate and reliable accounting and financial reporting systems, including efficient organisation of financial and operational controls;
  7. an effective internal control framework that includes independent risk management service, compliance function and internal audit service;
  8. the policy to establish, manage and prevent conflicts of interest;
  9. the procedure for reporting by employees breaches committed within the bank;
  10. the code of ethics of administrators and employees, that includes high ethical and professional standards consistent with bank’s specific needs and characteristics;
  11. the system for providing training, evaluation and incentives to senior management and employees with supervisory functions.

(2) The management body of the bank shall periodically review and assess the rules under paragraph 1 and in case of identified deficiencies, weaknesses and/or need of improvements it shall amend them. The conclusions of the assessment and the measures undertaken shall be included in the meeting minutes.

(3) Upon assuming office, the members of management and control bodies, and the employees to whom the rules under paragraph 1 apply shall acquaint themselves with these rules, which shall be certified in writing or in other appropriate manner. The requirement under the previous sentence shall apply to any subsequent amendment to the rules.

(4) The supervisory board of the bank, respectively the non-executive members of the board of directors shall oversee the implementation of policies, rules and procedures for the organisation and management of the bank in relation to:

  1. bank’s risk culture;
  2. accounting and financial reporting;
  3. the internal control framework;
  4. the policy for identifying, managing and preventing conflicts of interest;
  5. the annual internal audit service plan;
  6. the code of ethics;
  7. other issues provided for in the bank’s Statute and internal acts.

Article 5. (1) The management body of the bank shall develop a sound and consistent risk culture, taking into account the risks to which the bank is exposed, and its risk appetite.

(2) The risk culture shall include at least:

  1. management and control bodies’ core principles, values and expectations concerning risk-taking and risk management;
  2. the responsibility of employees at all levels to be aware of and understand the main risks to which the bank is exposed, its risk appetite and risk capacity;
  3. open and effective communication between the employees;
  4. appropriate incentives in making decisions concerning risk-taking aligned with bank’s risk profile and its long-term objectives.

(3) The supervisory board of the bank, respectively the non-executive members of the board of directors shall monitor that the risk culture is implemented consistently.

Section III
Conflict of Interest

Article 6. (1) Each bank shall segregate duties and establish appropriate information barriers in all cases where a conflict of interest may occur, and shall prevent the combination of functions related to authorisation, performance and reporting of operations.

(2) The management body of the bank shall adopt and implement an effective policy to identify, manage and prevent actual and potential conflicts of interest between the interests of the bank and the private interests of employees, including members of the management and control bodies, which could adversely influence the performance of their duties and responsibilities. The policy shall include:

  1. identification of cases or relationships where conflicts of interest may arise, such as financial interests (holding shares or interests in companies, which are customers of the bank), relationships with the owners of qualifying holdings in the bank, employees of the bank or entities included within the scope of prudential consolidation, consultancy, audit and other companies with which the bank has contractual relationships, and the cases of potential political influence;
  2. the procedure for reporting any case that may result or has already resulted in conflict of interest, including the unit to which it should be reported and bank employees’ specific duties to promptly disclose it;
  3. procedures, measures, documentation requirements and responsibilities for the identification and prevention of conflicts of interest, for the assessment of their materiality and for taking actions to address them.

Section IV
Reporting Procedure

Article 7. (1) Each bank shall adopt and implement appropriate and effective written procedures for reporting by its employees of actual or potential breaches within the bank.

(2) The procedures shall ensure:

  1. an independent and autonomous reporting channel accessible to all bank’s employees;
  2. protection of the personal data of both the person who reports the breach and the person who is allegedly responsible for the breach;
  3. providing information on reports received from employees to the bank’s management and/or control body and other persons entrusted with such functions;
  4. that the reports are taken into account by the bank and, where necessary, are sent to the Bulgarian National Bank or other competent authorities or persons;
  5. protection of persons reporting breaches from unfair treatment;
  6. confidentiality of reported information unless disclosure is required by law in the cases of criminal or administrative proceedings;
  7. record keeping of reports and tracking of the outcome of investigations into each report.

(3) The bank shall provide for a whistle blowing procedure under paragraph 2, item 3, where requested by the employee who has reported the breach.

Chapter Three
INTERNAL CONTROL FRAMEWORK

Section I
General Provisions

Article 8. (1) The internal control framework shall include:

  1. the organisation of operational control;
  2. a risk management service;
  3. a compliance function;
  3a. (new; Darjaven Vestnik, issue 12 of 2024) a compliance function in relation to the prevention of money laundering and terrorist financing (prevention of ML/TF);
  4. an internal audit system.

(2) The internal control framework shall cover the entire internal organisation, as well as the responsibilities of bank’s management and control bodies, the activities of all business lines and structural units, including the internal control functions and outsourcing.

(3) Each bank shall ensure a clear, transparent and documented decision-making process and a clear allocation of responsibilities and powers within its internal control framework.

(4) The internal control framework shall ensure:

  1. effective and efficient operations;
  2. prudent conduct of business;
  3. adequate identification, measurement and mitigation of risks;
  4. reliability of financial and non-financial information and reporting;
  5. sound administrative and accounting procedures;
  6. compliance with laws and regulations, supervisory requirements and bank’s internal policies, processes, rules and decisions.

Section II
Reporting and Information

Article 9. Each bank shall maintain a reliable reporting and information system, which shall at least allow timely access to information according to officials’ powers, and its movement:

  1. upward, to inform the management of the operations, business risks and current bank status;
  2. downward, to inform the staff of bank’s objectives and tasks, as well as of the policy, rules and decisions approved by the management; and
  3. horizontally across the organisation, to provide and exchange the relevant information between the structural and functional units of the bank.

Article 10. (1) All bank transactions and operations shall be registered in due time and comprehensively in a chronological order.

(2) Banks shall maintain electronic and/or paper files of all transactions by type of operation, customer and other criteria selected by them.

Article 11. Bank files shall contain:

  1. an inventory of the documents in the file;
  2. internal bank documents, minutes, agreements, contracts, etc.;
  3. financial and other information about the customers and the market;
  4. other documents and information essential for the bank.

Article 12. (1) To protect the information when using information and communication technologies (ICT), the management body shall ensure the segregation of:

  1. duties associated with ICT development, implementation and modification, including ICT administration and maintenance;
  2. rights of access to information.

(2) The management body of the bank shall put in place and implement appropriate control mechanisms for operational risk evaluation and management related to ICT reliability and security.

Article 13. (1) The management body shall adopt internal rules for using ICT which shall limit:

  1. errors in software development and modification, database administration and use;
  2. interruption of operation due to internal and/or external factors;
  3. fraud and unauthorised access to information.

(2) Banks shall update their internal rules and procedures for using ICT in line with the technologies they apply and associated risks.

Section III
Risk Management Service

Article 14. (1) Each bank shall maintain an adequate risk management service which shall include:

  1. identifying, assessing and measuring all risks to which the bank is exposed, as well as external and internal sources of risk;
  2. risk measurement and monitoring and risk assessment models;
  3. monitoring and periodical assessment for compliance with risk management internal rules taking into account market conditions and best banking practices;
  4. policies and procedures for risk assessment, determination and compliance with risk limits, as well as for allowing exceptions in case of emergencies;
  5. the scope, structure and frequency of risk reporting;
  6. the risk culture.

(2) Requirements to the risk management service shall be governed by Ordinance No 7 of the BNB on Organisation and Risk Management of Banks (Darjaven Vestnik, issue 40 of 2014).

Section IV
Compliance

Article 15. (1) Each bank shall establish a compliance function to ensure an adequate identification, measurement and management of the compliance risk.

(2) The compliance function shall be independent of the business lines and internal units falling within the scope of the activities it oversees.

(3) (amended; Darjaven Vestnik, issue 12 of 2024) The compliance function shall be headed by a person of good repute, who holds a university degree in law or economics and has at least five years of professional experience in the entities referred to in § 1, items 2–5 of the Additional Provisions of Ordinance No 20 of 2019 on the Requirements to the Members of the Management and Control Bodies of a Credit Institution and on the Assessment of the Suitability of Their Members and Key Function Holders (Darjaven Vestnik, issue 40 of 2019).

(4) The compliance function shall have an adequate stature and sufficient authority and resources to perform its duties, including access to any information that is necessary to carry out its activities.

(5) The compliance function shall:

  1. identify and measure the compliance risk to which the bank is exposed or might be exposed;
  2. regularly assess the changes in the laws and regulations applicable to the bank and their impact on its activities;
  3. advise bank’s management and control body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards and shall assess the impact of any changes in the legal and regulatory requirements on bank’s activities;
  4. verify that all new products and new procedures comply with the law and the applicable regulations;
  5. report to the management and control bodies on the compliance risk;
  6. cooperate and exchange information with the risk management service on risk compliance and its management.

(6) The management body of the bank shall adopt internal rules and an annual plan of the compliance function’s activities.

Section IVa
Compliance in Relation to the Prevention of ML/TF
(new; Darjaven Vestnik, issue 12 of 2024)

Article 15a. (1) Any bank shall establish a compliance function in relation to the prevention of ML/TF, which shall ensure the adequate identification, measurement and management of risk related to the compliance in this area.

(2) The function under paragraph 1 shall be independent of the business lines and structural units falling within the scope of the activities it oversees and controls.

(3) The function under paragraph 1 shall be headed by a person who has:

  1. a good reputation, a university degree in law or economics and at least five years of professional experience in the entities referred to in § 1, items 2–5 of the Additional Provisions of Ordinance No 20 of 2019 on the Requirements to the Members of the Management and Control Bodies of a Credit Institution and on the Assessment of the Suitability of Their Members and Key Function Holders, including knowledge of the legal and regulatory framework applicable in the area of the prevention of ML/TF, identification, assessment and management of ML/TF risks and application of policies, controls and procedures for the prevention of ML/TF;
  2. sufficient knowledge and understanding of the ML/TF risks associated with the bank's business model necessary to perform his duties effectively;
  3. sufficient time to carry out his duties effectively, independently and autonomously.

(4) The person referred to in paragraph 3 shall be appointed to a management position and shall have sufficient authority to propose, on his own initiative, to the attention of the bank’s management and control bodies, all necessary and appropriate measures to ensure compliance and effectiveness of the internal procedures for the prevention of ML/TF.

(5) The bank shall ensure the continuity of the operations of the compliance function referred to in paragraph 1 and shall appoint a deputy for the person referred to in paragraph 3 who, in its opinion, has the necessary knowledge, skills and expertise to perform the functions of that person.

(6) The function referred to in paragraph 1 shall be of appropriate stature and have sufficient powers and resources to perform its duties, including access to all information necessary to carry out its activities.

(7) The function referred to in paragraph 1 shall perform at least the following functions:

  1. identify and measure compliance risks related to the prevention of ML/TF to which the bank is or may be exposed;
  2. regularly assess the changes in the laws and regulations applicable to the bank and the impact thereof on its activities;
  3. advise the bank’s management and control body on the measures to be taken to ensure compliance with applicable laws, rules, regulations and standards in the area of the prevention of ML/TF, and shall assess the impact of any changes in the legal and regulatory requirements on the bank’s activities;
  4. verify that all new products and new procedures comply with the applicable regulations;
  5. report to the bank’s management and control bodies on the results of the assessment of the business wide risks and individual ML/TF risk assessments related to the compliance in the area of the prevention of ML/TF, and propose measures to mitigate these risks;
  6. cooperate and exchange information with the risk management service and the compliance function on compliance risks related to the prevention of ML/TF and the management thereof.

(8) The management body of the bank shall adopt internal rules and an annual plan for the activities of the compliance function under paragraph 1.

(9) The person referred to in paragraph 3 shall, at least once a year, draw up a report on the activities of the function under paragraph 1. The content of the report should be appropriate to the scope and nature of the Bank's activities, taking into account its branches and subsidiaries.

(10) (new; Darjaven Vestnik, issue 97 of 2024, effective as of 15 November 2024) The function under paragraph 1 shall also perform the functions of the specialised office under Article 106, paragraph 1 of the Law on Measures Against Money Laundering, respectively, the person under paragraph 3 shall perform the functions of a person under Article 106, paragraph 2 of this Law.

(11) (new; Darjaven Vestnik, issue 97 of 2024, effective as of 15 November 2024) The person under paragraph 3 may not hold a position in the management body of the bank.

Article 15b. (1) Appropriate to the size, nature, scope and complexity of the bank’s activities and the risks to which the bank is exposed, the management body of the bank could combine the functions under Articles 15 and 15a in a single structure. In such a case, the head of the combined function shall meet the requirements of Articles 15, paragraph 3 and 15a, paragraph 3 and shall be able to devote the time necessary for the proper performance of his duties.

(2) Where the bank’s management body considers that the functions under Articles 15 and 15a should be separated, the bank’s internal rules shall clearly allocate their responsibilities and powers.

Article 15c. (1) The bank’s management body shall designate one of its members as the person responsible for the compliance with the relevant requirements for the prevention of ML/TF and should identify and take into account potential conflicts of interest and take steps to avoid or mitigate them.

(2) The person under paragraph 1 shall meet the following conditions:

  1. have sufficient knowledge, skills and experience in relation to ML/TF risks and the implementation of policies, controls and procedures for the prevention of ML/TF, with a good understanding of the bank's business model and the sector in which it operates;
  2. devote sufficient time and have sufficient resources to effectively perform his duties in relation to the prevention of ML/TF.

Article 15d. The responsibilities of the person referred to in Article 15c shall include at least the following:

  1. ensuring that internal control policies, procedures and measures in relation to the prevention of ML/TF are adequate and proportionate, taking into account the characteristics of the bank and the ML/TF risks to which it is exposed;
  2. assessing, together with the bank’s management body, whether it would be appropriate to appoint a separate head of the compliance function in relation to the prevention of ML/TF or whether it would be acceptable to combine this position with another;
  3. ensuring that the management body of the bank receives regular reports on the activities of the person referred to in Article 15a, paragraph 3, and that that body is provided with sufficient, comprehensive and timely information and data on ML/TF risks and the compliance related to the prevention of ML/TF as is necessary for it to carry out the role and functions assigned thereto; this information shall include also the bank’s commitments to the BNB and communication with the Financial Intelligence Unit, without prejudice to the confidentiality of suspicious deal and transaction reports, and any ML/TF findings made by the competent authority against the bank, including any supervisory measures or administrative penalties imposed;
  4. informing the bank's management body of any serious or significant problems or violations with regard to the prevention of ML/TF and recommending actions to address them;
  5. ensuring that the person under Article 15a, paragraph 3:
    a) has direct access to all information necessary for the performance of his tasks;
    b) has sufficient human and technical resources and tools for the proper performance of the assigned tasks; and
    c) is well informed of incidents and deficiencies related to the prevention of ML/TF identified by internal control systems and by national and, in the case of groups, foreign supervisory authorities;
  6. ensuring that any concerns expressed by the person under Article 15a, paragraph 3 are duly addressed, and, where this is not possible, the same are considered by the bank's management body;
  7. for banks with a two-tier system of governance: detailed reporting on the tasks in the area of the prevention of ML/TF, and regular, but where necessary, immediate, reporting to the supervisory board of the bank;
  8. preparing proposals to the management body for making changes in the organisational structure of the compliance function under Article 15a, while taking into account the volume of activities carried out by it.

Article 15e. The management body of the bank shall:

  1. approve the bank's overall strategy for the prevention of ML/TF and oversee its implementation;
  2. ensure compliance with the strategy under item 1 and the human and technical resources necessary for its implementation;
  3. review, at least once a year, the activity report of the person under Article 15a, paragraph 3 and receive more frequent interim updates on activities that expose the bank to higher ML/TF risks;
  4. adopt policies, rules and procedures to control and prevent ML/TF for the bank, which shall be applied by its branches and subsidiaries.

Article 15f. The bank’s control body shall be responsible for exercising control and monitoring over the implementation of the internal governance and internal control framework to ensure compliance with applicable requirements with respect to activities related to the prevention of ML/TF, and in this regard it shall at least:

  1. be informed of the results of the ML/TF risk assessment on the bank’s overall activities and risk profile;
  2. exercise control and monitor the extent to which the policies and procedures for the prevention of ML/TF are adequate and effective with a view to the ML/TF risks to which the bank is exposed, and take appropriate action to ensure that corrective measures are taken, where necessary;
  3. review, at least once a year, the activity report of the person under Article 15a, paragraph 3 and receive more frequent interim updates on activities that expose the bank to higher ML/TF risks;
  4. assess, at least once a year, the effective functioning of the function responsible for the compliance in relation to the prevention of ML/TF, including taking into account the conclusions of any internal and/or external audits related to the prevention of ML/TF, including with regard to the adequacy of the human and technical resources allocated to the person under Article 15a, paragraph 3.

Article 15h. The bank’s control body shall ensure that the person under Article 15c:

  1. has the knowledge, skills and experience necessary to identify, assess and manage the ML/TF risks to which the bank is exposed and to implement the policies, controls and procedures for the prevention of ML/TF;
  2. has a good understanding of the bank's business model and the sector in which it operates, and the extent to which that business model exposes the bank to ML/TF risks;
  3. is promptly informed of decisions that may affect the risks to which the bank is exposed.

Article 15i. The bank’s control body shall have access to and take into account data and information of sufficient detail and quality to enable it to effectively perform its duties related to the prevention of ML/TF. It shall at least have timely and direct access to the report on the activities of the person under Article 15a, paragraph 3, to the report of the internal audit service, the findings and observations of external auditors, where applicable, as well as to the findings of the competent authorities, relevant communications with the financial intelligence unit and any supervisory measures or sanctions imposed.

Section V
Internal Audit. Internal Audit Service

Sub-section I
General Requirements

Article 16. (1) Internal audit is an independent and objective appraisal service to review bank transactions and operations, and control systems to provide assurance and consultations, intended to improve bank’s operations.

(2) Internal audit helps the bank to achieve its objectives by applying a systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

(3) All activities, including outsourcing, each structural unit and each process in the bank shall be subject to internal audit.

(4) The internal audit of the bank shall be exercised by an internal audit service, which shall assist the management bodies in taking decisions and conduct follow-up reviews on their execution.

Article 17. (1) In performing its function, the internal audit service shall examine and evaluate:

  1. the reporting and information system, usefulness of the analyses prepared, ICT and data quality;
  2. compliance of operations with law, observance of internal rules and procedures, and whether objectives set by the management have been met;
  3. compliance of internal control policies and procedures with statutory and regulatory requirements, as well as with decisions of management and control bodies;
  4. the accuracy and effectiveness of applied internal policies and procedures;
  5. the risk management systems, risk and capital adequacy assessment methodologies;
  6. the adequacy, quality and effectiveness of the controls performed by the units responsible for operational controls exercised over business units conducting transactions and operations, the risk management service and the compliance function;
  7. reliability and timely submission of reports to the Bulgarian National Bank;
  8. whether the bank’s assets are properly safeguarded from mismanagement and fraud;
  9. adherence to contracts and commitments;
  10. staff recruitment and training, as well as consistency of job descriptions with duties.

(2) In carrying out their activities, internal audit officers (internal auditors) shall be empowered to:

  1. unlimited access to:
    a) the bank’s premises and assets;
    b) the decisions of management bodies, committees and other officials and structures;
    c) accountancy and ICT;
  2. require and collect information, statements and other documents in relation to the assigned tasks;
  3. recruit experts in carrying out specific control actions.

(3) Internal auditors may not be authorised or held liable for the activities and subjects of examination, and their position may not combine with other positions in the bank.

(4) Administrators and employees of the bank shall assist the internal auditors in performing their activity.

(5) Reviews and control actions initiated by administrators and other persons of the management staff within their powers may not substitute the internal audit functions.

Article 18. (1) Internal auditors shall have:

  1. professional skills in applying international standards for the professional practice of internal auditing, procedures and techniques of auditing;
  2. knowledge and experience in applying accounting standards;
  3. knowledge of management principles and prudential banking.

(2) Internal auditors shall follow the prescribed principles and best practices of ethical conduct, they shall be honest, impartial, diligent, loyal and outgoing in their contacts with people.

Article 19. (1) (amended; Darjaven Vestnik, issue 12 of 2024) The head of the specialised internal audit service shall be a person of high moral and professional standing, with a university degree in law, economics or information technology and at least five years’ experience in internal or external audit, accounting, compliance or risk management in the entities under § 1, items 2–5 of the Additional Provisions of Ordinance No 20 of 2019 on the Requirements to the Members of the Management and
Ordinance No 10 of the BNB 13 Control Bodies of a Credit Institution and on the Assessment of the Suitability of Their Members and Key Function Holders. (2) The head of the internal audit service may not hold more than one office in the bank. (3) The head of the internal audit service shall ensure and oversee the application of international standards for the professional practice of internal auditing and the ef￾ficiency of internal audit activities. Article 20. (1) The management body of the bank shall approve internal rules and an annual plan of the internal audit’s activities. (2) The annual plan under paragraph 1 shall be adopted on a motion by the head of the internal audit service following the risk-based approach. Article 21. (1) The internal rules shall regulate the powers of internal auditors, the procedure for taking control actions, their documentation and reporting results. (2) Internal rules shall ensure:

  1. independence and discretion to the head of the internal audit service in planning and assigning examinations;
  2. unlimited access to the assets and information;
  3. direct contacts of the head of the internal audit service with management bodies;
  4. the right of the head of the internal audit service to recruit internal auditors in compliance with the professional qualification required;
  5. avoidance of any conflict of interests in executing the tasks by the internal auditors;
  6. conditions for recruitment of experts in taking specific control actions.

Article 22. (1) The head of the internal audit service shall estimate resources and approve programmes on execution of detailed control tasks with a view to implementing the annual plan.

(2) All processes, objects and internal audit systems shall be covered within an audit period of up to three years. The frequency of internal audits concerning individual processes, objects and control systems shall be determined according to their significance and potential risk for the bank.

Sub-section II Documentation of Control Actions and Reporting Results

Article 23. Any examination or other control actions of internal auditors shall finish with preparing a report containing findings and recommendations for measures to be taken against violations of law and internal rules, and for removing malpractices in the bank’s operations.

Article 24. (1) The head of the internal audit service, in compliance with international standards for the professional practice of internal auditing, shall approve requirements for the reports and documents prepared and collected by internal auditors.

(2) Information collected in the process of auditing shall form the basis of the findings, evaluations and recommendations made.

Article 25. (1) The report under Article 23 shall be submitted to the head in charge of the examined unit, to the head of the structural unit involved in the audit processes and to the head of the internal audit service.

(2) Within the terms set by the internal rules, the head of the examined unit shall submit explanations and/or lay claims concerning the findings and recommendations addressed.

(3) Internal auditors shall draw a conclusion on the written explanations or claims submitted by the head of the examined unit.

(4) Upon implementing procedures under the previous paragraphs, the head of the internal audit service shall submit the report and the documents under paragraphs 2 and 3 to the executive directors.

(5) The management body and the administrators shall impose remedial measures and notify the head of the internal audit thereof.

Article 26. (1) In case of significant violations and malpractices or where insufficient remedial measures have been taken, as well as if violations and breaches on the part of executive directors or procurators have been identified, the report shall be submitted to the competent management body.

(2) In case of identified violations and breaches on the part of the management bodies or if in cases under paragraph 1 insufficient measures have been taken by these bodies, the report shall be submitted to the superior body in compliance with the bank’s Articles of Association, as well as to the Bulgarian National Bank.

Sub-section III Annual Performance Report

Article 27. (1) The head of the internal audit service shall present an annual report of the internal audit service to the shareholders’ general meeting and the board of directors, the supervisory board and the management board respectively.

(2) The annual report shall inform about main results of internal auditors’ actions, measures taken and their execution. It shall include organisational issues and underlying tasks to be fulfilled in the following year and in the future.

Chapter Four ORGANISATION, GOVERNANCE AND INTERNAL CONTROL ON A CONSOLIDATED BASIS

Article 28. Management bodies of banks, financial holding companies, mixed financial holding companies and mixed-activity holding companies which are subject to supervision on a consolidated basis by the Bulgarian National Bank shall ensure:

  1. adoption and implementation of effective and reliable policies, rules and procedures for organisation and governance;
  2. maintenance of control systems and application of procedures in compliance with the requirements of this Ordinance relating to directly and/or jointly controlled companies, including those which are not covered by the Law on Credit Institutions;
  3. compatibility and coordination of systems for risk management on a consolidated basis, and
  4. the required scope of management information.

Article 29. Management bodies of banks, financial holding companies, mixed financial holding companies and mixed-activity holding companies shall maintain internal rules and risk management systems adequate to the organisation of the group and the specificity of enterprises controlled.

Chapter Five RELATIONSHIP WITH THE BANKING SUPERVISION

Article 30. (1) The Bulgarian National Bank shall assess the organisation, governance, internal rules and effectiveness of internal control in banks on an individual and consolidated basis.

(2) The Deputy Governor heading the Banking Supervision Department or persons authorised by him and the head of the internal audit service shall periodically hold discussions and consultations on the banking risks inherent, the measures to be taken and the relations with audit companies conducting an independent financial audit of the bank under Article 76, paragraph 1 of the Law on Credit Institutions.

Article 31. (1) The head of the internal audit service shall immediately notify the Bulgarian National Bank of established violations or malpractices in the bank’s management that have led or may lead to material damages.

(2) Management bodies of banks, financial holding companies, mixed financial holding companies and mixed-activity holding companies shall submit to the banking supervision bodies the annual reports of the internal audit, and by request, reports on conducted examinations and other control actions.

ADDITIONAL PROVISION

§ 1. Within the meaning of this Ordinance:

  1. International Standards for the Professional Practice of Internal Auditing shall be the International Standards for the Professional Practice of Internal Auditing issued by the Global Institute of Internal Auditors, USA and their translation in Bulgarian published by the Institute of Internal Auditors in Bulgaria.
  2. Risk appetite shall be the aggregate level and types of risk an institution is willing to assume or maintain within its risk capacity, in line with its business model, to achieve its strategic objectives.
  3. Risk culture shall be norms, attitudes and behaviours of the bank’s management bodies and employees related to risk awareness, risk-taking and risk management, and the controls that shape decisions on risks.

  4. Compliance risk shall be the risk of legal measures and sanctions, the risk of material financial loss, or loss to reputation the bank may suffer as a result of its failure to comply with laws, standards, codes of conduct, and internal rules applicable to the bank’s activities.
  5. (new; Darjaven Vestnik, issue 12 of 2024) ‘Compliance risk related to the prevention of ML/TF’ means the risk of the imposition of measures and sanctions in this area, as well as the risk of the materialisation of significant financial losses or damage to the bank's reputation due to non-compliance with the law, guidelines, recommendations and other measures of the European supervisory authorities adopted by the BNB and to be complied with under Article 79a, paragraph 1, item 2 of the Law on Credit Institutions, standards, ethical codes of conduct and internal rules applicable to the bank's activities.

TRANSITIONAL AND FINAL PROVISIONS

§ 2. Banks shall bring their activity in line with the requirements of this Ordinance within three months after its enforcement.

§ 3. This Ordinance is issued on the grounds of Article 11a, paragraph 1, Article 73, paragraph 6 and Article 74, paragraphs 3 and 4 in relation to § 13 of the Transitional and Final Provisions of the Law on Credit Institutions and is adopted by Resolution No 149 of 24 April 2019 of the Governing Council of the Bulgarian National Bank.

§ 4. This Ordinance repeals Ordinance No 10 of 2003 on the Internal Control in Banks (published in the Darjaven Vestnik, issue 108 in 2003; amended, issue 102 of 2006).

Ordinance on Amendment to Ordinance No 10 of 2019 on the Organisation, Governance and Internal Control of Banks (published; Darjaven Vestnik, issue 12 of 2024)

……………………………………………………………………………………..

TRANSITIONAL AND FINAL PROVISIONS

§ 7. Banks shall bring their activities in line with the requirements of this Ordinance by 31 December 2024.

§ 8. Within the term under § 7, banks shall submit to the BNB the relevant internal rules and procedures required to ensure compliance with the requirements of Section IVa of Chapter Three.

§ 9. This Ordinance is issued on the grounds of Article 11a, paragraph 1, Article 73, paragraph 6 and Article 74, paragraphs 3 and 4 in relation to § 13 of the Transitional and Final Provisions of the Law on Credit Institutions, and is adopted by Resolution No 22 of 22 January 2024 of the Governing Council of the Bulgarian National Bank.

Ordinance on Amendment to Ordinance No 10 of 2019 on the Organisation, Governance and Internal Control of Banks (published; Darjaven Vestnik, issue 97 of 15 November 2024, effective as of 15 November 2024)

……………………………………………………………………………………..

TRANSITIONAL AND FINAL PROVISIONS

§ 2. This Ordinance shall enter into force on the day of its publication in the Darjaven Vestnik.

§ 3. This Ordinance is issued on the grounds of Article 11a, paragraph 1, Article 73, paragraph 6 and Article 74, paragraphs 3 and 4 in connection with § 13 of the Transitional and Final Provisions of the Law on Credit Institutions and adopted by Decision No 507 of 31 October 2024 of the Governing Council of the Bulgarian National Bank.