2024-01-01

Financial Institutions (Corporate Governance) Regulations 2024

The Central Bank of Uganda issued the 2024 Financial Institutions (Corporate Governance) Regulations to mandate robust governance frameworks for all licensed financial institutions. The regulations require boards to maintain formal charters, ensure independent majority composition, establish specialized committees (audit, risk, credit), and implement comprehensive risk management and compliance functions. Directors must adhere to strict fiduciary duties and undergo annual performance evaluations, with the Central Bank empowered to impose administrative sanctions or remedial measures for non-compliance.

Uganda

Bank of Uganda

STATUTORY INSTRUMENTS SUPPLEMENT No. 14, 9th May, 2024. STATUTORY INSTRUMENTS SUPPLEMENT to The Uganda Gazette No. 32, Volume CXVII, dated 9th May, 2024. Printed by UPPC, Entebbe, by Order of the Government.

STATUTORY INSTRUMENTS 2024 No. 25.

THE FINANCIAL INSTITUTIONS (CORPORATE GOVERNANCE) REGULATIONS, 2024

ARRANGEMENT OF REGULATIONS

Part I—Preliminary

  1. Title
  2. Interpretation
  3. Objects
  4. Rationale

Part II—Regulatory Requirements

  5. Board charter
  6. Board composition
  7. Board chairperson
  8. Functions of the board chairperson
  9. Managing director
  10. Executive director
  11. Company secretary
  12. Selection of directors
  13. Succession plan for directors
  14. Functions of board
  15. Duties of the directors
  16. Directors’ code of conduct
  17. Board meeting
  18. Evaluation of the board of directors
  19. Selection, performance, evaluation and succession planning
  20. Managing conflict of interest
  21. Disclosure and transparency
  22. Risk management
  23. Risk appetite statement
  24. Board committees
  25. Audit committee
  26. Asset liability management committee
  27. Risk committee
  28. Credit committee
  29. Compensation committee
  30. Regulation of information technology
  31. Control functions
  32. Internal audit function
  33. External auditors
  34. Management risk committee
  35. Head of risk
  36. Risk identification, monitoring and control
  37. Compliance function
  38. Money laundering compliance officer

Part III—Remedial Measures and Administrative Sanctions

  39. Remedial measures
  40. Administrative sanctions
  41. Revocation of S.I 59 of 2005.

415 STATUTORY INSTRUMENTS 2024 No. 25 The Financial Institutions (Corporate Governance) Regulations, 2024. (Under section 131(1) (k) of the Financial Institutions Act, 2004, Act No. 2 of 2004. IN EXERCISE of the powers conferred on the Central Bank under section 131(1) (k) of the Financial Institutions Act, 2004, these Regulations are made this 29th day of April, 2024. Part I—Preliminary

  1. Title These Regulations may be cited as the Financial Institutions (Corporate Governance) Regulations, 2024.
  2. Interpretation In these Regulations, unless the context otherwise requires— “Act” means the Financial Institutions Act, 2004; “board” means the board of directors of a financial institution; “control function” means a function that is directly related to the internal control processes of a financial institution and includes compliance, risk management and internal audit that is independent of operational functions in the financial institution. “corporate governance” means the process and structure used to direct and manage the business and affairs of a financial institution with the objective of enhancing the safety and soundness of a financial institution and shareholder value including the overall environment in which the financial institution operates comprising a system of checks and

416 balances which promotes a healthy balancing of risks and returns; “executive director” means a director who is an officer or employee of the financial institution; “executive manager” means a person who is either— (a) empowered to control, direct, and influence decision making of the financial institution; (b) principally accountable or responsible for implementing and enforcing policies and strategies approved by the board in their respective area of responsibility; or (c) principally accountable or responsible for developing and implementing systems, internal controls or processes that identify, measure, increase or decrease, monitor or control, a supervised financial institution’s risk; “independent director” means a director who has no relationship or interest in the financial institution or any of its subsidiaries or affiliates or their related interests; “non-executive director” means a director not involved in the day-to-day management of the financial institution; “managing director” means a person employed by a financial institution in a high-level decision-making position responsible for the overall management of a financial institution and reference to managing director includes chief executive officer; 3. Objects The objects of these Regulations are to— (a) provide for corporate governance principles that are in line with international standards;

417 (b) require a financial institution to comply with corporate governance principles; and (c) promote a degree of uniformity in the application of corporate governance practices by financial institutions. 4. Rationale The rationale of these Regulations is that— (a) financial institutions play the important role of providing finance to commercial enterprises, basic financial services to a broad segment of the population and access to the payment systems. Accordingly, the importance of robust corporate governance practices in these institutions cannot be overemphasized; (b) given the special position of trust held by institutions in the Ugandan economy and their access to government safety nets, it becomes all the more important that institutions have strong corporate governance systems in place; (c) increasingglobalizationoffinancialmarkets,technological advances and innovations in financial products require new approaches to corporate governance practices; (d) weak corporate governance is one of the major causes of corporate entities’ failures in Uganda, therefore robust governance practices are paramount for the safety and soundness of the institutions and the industry as a whole. Part II— Regulatory Requirements 5. Board charter (1) A financial institution shall with the approval of the board develop a board charter. (2) The board charter referred to in sub-regulation (1) shall include—

418 (a) general duties and responsibilities of the board and its committees; (b) board composition including minimum number of independent non-executive directors; (c) the role of the board chairperson and the role of the managing director and other executive directors; (d) directors’ nomination process; (e) the tenure and retirement age of directors; (f) remuneration of non-executive directors; (g) succession planning for board members; (h) areas that may constitute conflict of interest in relation to board operation and its activities; (i) matters reserved for the board; (j) terms of reference of board committees; (k) composition of the board committees, quorum, purpose and any other matter related to board committees; (l) the role of the company secretary; and (m) general operations of the board including, board evaluations, remuneration. 6. Board composition (1) A financial institution shall have at least five directors who are fit and proper persons, vetted by the Central Bank and who satisfy the qualifications of directors under the Companies Act and section 53 (1) of the Act. (2) Subject to subregulation (1), a financial institution shall constitute and appoint the board members of an odd number and the majority of whom shall be independent non-executive directors.

419 (3) A person shall not be permitted to attend a board meeting as a board member unless, the person has been approved by the Central Bank to be appointed as board member by the financial institution. (4) A financial institution shall, as part of the board of directors, appoint at least two executive directors who are residents in Uganda and are knowledgeable in the financial institution’s long-term strategy, have the ability to influence the institution’s policy and able to appropriately direct the business of the institution. (5) While appointing the board of directors, the financial institution shall appoint at least five directors who possess expertise and experience relevant to the functions of the financial institution including financial controls, capital management, banking risks and corporate planning. (6) Where there is vacancy or change in the composition of the board, a financial institution shall within five working days notify the Central Bank of any change in the composition of board of directors. (7) The executive director of a financial institution shall report to the managing director. (8) The board of directors of a financial institution shall establish the necessary procedures to enable every director to discharge his or her duties in the best interest of the financial institution. 7. Board chairperson (1) A person shall not be appointed a chairperson of the board of directors of a financial institution unless, the person is qualified to be appointed an independent director of a financial institution and is resident in Uganda. (2) The board chairperson shall possess experience and competence to perform the functions of chairperson of a financial institution.

420 (3) In exercise of the functions of the chairperson, the chairperson shal— (a) promote high standards of integrity and governance across the financial institution; and (b) promote effective communication between the board, management, shareholders and other stakeholders. (4) A managing director of a financial institution shall not serve as the chairperson of the board of directors. (5) The chairperson of the board shall not serve as a chairperson or member of a sub-committee of the board. (6) An independent non-executive director that has served on the board for more than nine years, shall be deemed to have lost their independence on the ground of length of service on the board and shall be ineligible to serve as a board chairperson or board committee chairperson. (7) A financial institution that wishes to appoint or designate a deputy chairperson of the board shall follow the same procedure and requirements for the appointment of the chairperson of the board and define the functions of the deputy chairperson in the board charter. 8. Functions of board chairperson The board chairperson shall exercise the following functions— (a) provide overall leadership and direction to the board and the financial institution; (b) convene and chair meetings of the board of directors; (c) ensure that board meetings are properly conducted; (d) ensure that the board functions in a cohesive manner; (e) take lead role in the assessment, improvement and development of the board;

421 (f) facilitate effective communication between the board, management shareholders and other stakeholders; and (g) represent the financial institution, together with the managing director to customers, the public, the media and staff. 9. Managing director (1) A financial institution shall appoint a managing director that shall be responsible for the overall day-to-day management of a financial institution as may be assigned to him or her by the board. (2) The managing director shall report to the board of directors. 10. Executive director (1) A financial institution shall, in addition to a managing director appoint at least one executive director who understands the strategy, products and risks of the financial institution. (2) The executive director appointed under subregulation (1), shall be— (a) responsible for providing effective checks and balances on incidents of improper or imprudent day-to-day management actions; (b) involved in approving of management decisions and transactions committing the financial institution; and (c) responsible for providing leadership and direct strategy and policy, in consultation with the managing director. (3) The executive director shall report to the managing director in the execution of his or her day-to-day responsibilities of the financial institution. 11. Company secretary (1) Afinancial institution shall appoint a company secretary that shall be responsible for facilitating effective management of board affairs

422 (2) The company secretary shall be an executive manager of the financial institution and shall be vetted by central bank before his or her appointment. (3) The company secretary shall report to the board, through the managing director. (4) The duties of the company secretary shall be defined in the board charter and shall include— (a) draw up the annual calendar for board meetings; (b) circulate to the board members the meeting agenda and board packs at least seven days before the scheduled meeting; (c) organise and send out notifications of board meetings and meetings of shareholders; (d) record and produce minutes of the board, board committees, annual general meeting and extraordinary meeting; (e) advise directors and shareholders on the legal and governance implications of proposed resolutions; (f) extract and file resolutionsfor registration with the relevant registries; (g) communicate board resolutions to the relevant persons; (h) coordinate the review of the board charter and committee terms of reference periodically for alignment with changes in the operating environment; and (i) monitor changes in the shareholding of the financial institution and maintain a shareholders’ register. 12. Selection of director (1) A financial institution shall establish a nomination committee or a similar body to identify and recommend to the

423 shareholders, candidates to be appointed to the board in line with a selection criteria prescribed by the board with the approval of the shareholders. (2) A person shall not be recommended to be appointed to the board unless, the person is qualified to be appointed to the board, has a clear understanding of his or her role on the board and is not subject to undue influence from management or other parties. (3) The selection criteria referred to in subregulation (1), shall include— (a) knowledge, skills, and experience; (b) integrity and reputation; (c) ability to fully carry out directorship duties; (d) possible conflicts of interest involving management and shareholders, past or present positions held and personal, professional, or economic relationships that may impede a director’s ability to perform their duties objectively and independently; and (e) ability to have frank and open discussion among the Board members. (4) The appointment of the non-executive director shall be formalised through letters of appointment which shall, provide for the duration of the appointment, remuneration terms, duties, and responsibilities of the director. (5) A director shall not simultaneously serve as a board member, member of a governing body or in any executive capacity of any other institution licensed and supervised by the Central Bank. (6) A financial institution shall establish an orientation program for new directors as well as refresher programs for the existing directors that shall include a discussion of the responsibilities and

424 legal obligations of a director and the board as a whole, the nature of business of the institution, conditions in the industry, corporate strategy and expectations from directors. 13. Succession plan for directors (1) In the interest of board continuity, financial institutions shall have a succession policy to prepare for vacancies on the board. (2) The board charter shall include a policy statement outlining the process the board shall follow to plan for the replacement of directors. (3) The policy statement referred to in sub regulation (2) shall clearly state the authority responsible for directors’ succession planning. (4) A financial institution shall require that each director has a personal development plan and have in place a succession roadmap taking into account the board of directors skills matrix and tenure of service. (5) The board shall develop a staggered retirement plan to facilitate orderly succession of board members. 14. Functions of the board (1) The board shall exercise the following main functions— (a) providing strategic direction; (b) policy formulation; (c) decision making; (d) providing oversight on executive management; and (e) risk management and compliance obligations. (2) Notwithstanding the generality of subregulation (1), the board shall be responsible for—

425 (a) defining the financial institution’s strategic goals and approving the financial institution’s long and short-term business strategies including the annual operating plan and capital expenditure budget; (b) reviewing the performance of the financial institution against the approved strategy and holding executive management accountable for the financial institution’s performance; (c) approving the overall risk appetite of the financial institution and ensuring that management strikes an appropriate balance between promoting long-term growth and delivering short-term objectives; (d) approving policies which spell out all elements of risk management as well as internal control processes; (e) setting limits of authority that specify the threshold for large transactions which the Board must approve, including approving delegated authorities for expenditure, lending and other risk exposures; (f) appointing and monitoring management and putting in place appropriate structure and procedures to achieve the corporate strategy; (g) ensuring clear demarcation of responsibilities of the board and management in the interest of an effective accountability regime; (h) steering the capital adequacy assessment process, capital and liquidity plans as well as the financial institution’s compliance with regulatory requirements and internal controls; (i) ensuring that a robust finance function responsible for accounting and financial data is in place; (j) promoting high standards of “risk culture” and reinforcing responsible corporate behavior across the business lines;

426 (k) limiting risk taking within the boundaries set and in line with the approved risk appetite; (l) promoting appropriate legal and ethical behavior; (m) ensuring that staff are aware of the ramifications and disciplinary actions that may ensue for any conduct that is not in compliance with corporate goals set forth by the Board or management; (n) ensuring that the control functions of the financial institution are adequately staffed, and are able to perform their functions independently, effectively and efficiently; (o) seeking expert opinion in fields where the Board may lack the necessary expertise. 15. Duties of the director (1) In accordance with section 56 (1) of the Act, a director shall stand in a fiduciary relationship and shall owe the financial institution and its shareholders the following duties— (a) a duty to act honestly and in good faith; (b) a duty to act in the best interest and for the benefit of the financial institution; (c) a duty to act independently, free from undue influence of any other person; (d) a duty to access necessary information to enable him or her to discharge his or her responsibilities; (e) a duty to understand his or her oversight role and provide a “checks and balances” function vis-à-vis the day-to-day management of the financial institution; (f) to be aware of self-dealing prohibitions and unduly favorable treatment of related parties and always act in the best interest of the financial institution; and (g) dedicate sufficient time to meet his or her responsibilities;

427 (2) The board of directors as an organ and each director individually shall immediately report in writing to the Central Bank if they have reason to believe that— (a) the financial institution may not be able to properly conduct its business as a going concern; (b) the financial institution appears to be or is likely in the near future to be unable to meet all, or any of its obligations; (c) the financial institution has suspended or is about to suspend any payment of any kind, through no fault of the counterparty; (d) the financial institution does not or may not be able to meet its regulatory capital requirements. 16. Directors code of conduct (1) The board shall develop a code of conduct for its members. (2) A person shall not assume duty as director unless he or she has signed the code of conduct as proof of having read, familiarised and is willing to be bound by the code of conduct. (3) The code of conduct referred to in subregulation (1), shall apply to all board members including a board member who is an employee of the financial institution’s subsidiary or the wider group of related companies. (4) The code of conduct referred to in subregulation (1), shall provide for rules relating to— (a) compliance with Laws of Uganda, rules and regulations by directors; (b) fair and honest dealing of directors with shareholders, employees and all stakeholders of the financial institution; (c) conflicts of interest;

428 (d) material non-public information and insider information; (e) confidential information; (f) anti-discrimination; and (g) gifts and relationships with customers. 17. Board meeting (1) A board meeting shall not be convened without at least seven days’ notice to the board members. (2) The notice referred to in subregulation (1), shall be accompanied by information relating to the agenda of the board meeting. (3) The information referred to in sub regulation (2), shall include— (a) changes in business strategy, risk profile or risk appetite; (b) the financial institution’s performance and financial condition; (c) breaches of risk limits or compliance rules; (d) internal control failures; (e) quantitative and qualitative performance of the institution or management, prudential norms, customer satisfaction, service quality, market share and market perception; (f) any legal or regulatory concerns; and (g) issues raised as a result of the financial institution’s whistleblowing procedures. (4) The board and board committee meetings shall be held at￾least once every after three months.

429 (5) The company secretary shall ensure that minutes of board meetings are clearly recorded, complete and signed. 18. Evaluation of the board of directors (1) The board shall perform evaluations of the board, board committees, and the individual directors including the board chairperson at least once a year. (2) The evaluation process shall cover all aspects of the board’s structure, composition, responsibilities, and processes including individual directors’ competencies and respective performance on the board. (3) The board shall perform a review of the effectiveness of its own governance practices, as a part of the evaluation process under sub regulation (1) or as a separate review. (4) An action plan arising from evaluations under this regulation shall be discussed and agreed upon by the board. (5) The board evaluation process shall be a requisite to reappointment of a director. (6) A financial institution shall have a continuous professional development plan in place for directors to enable them keep up-to-date of emerging issues pertinent to the business conducted by the financial institution. 19. Selection, performance evaluation and succession planning of the managing director and executive managers (1) The board shall establish a management team of a financial institution that consists of a core group of officers responsible for the financial institution. (2) Each member of the executive management team referred to in sub regulation (1) shall have the requisite skills to manage the business under their supervision.

430 (3) The board shall be responsible for the selection of the managing director and members of executive management. (4) Except for appointments through a succession plan, the board shall interview at least three candidates for all executive management positions. (5) An appointment letter for an executive manager shall include a requirement to undergo through the Central Bank vetting and shall explicitly state that the confirmation of the executive manager is subject to prior approval of the Central Bank. (6) The board shall develop the succession plan for all executive management positions. (7) The board shall review the succession plan referred to in sub regulation (6) at least annually, to ensure it is dynamic and reflects ongoing changes arising from the new hires, exits and restructuring of some functions. (8) The performance evaluation of the managing director and his or her appraisal instrument shall be completed by all the non￾executive directors, including the board chairperson and the results thereof consolidated into a report providing an overall rating and appropriate recommendations. (9) The board shall approve the financial institution’s objectives which are entrusted to the managing director and set out the basis for measuring the managing director’s effectiveness in achieving institutions objectives. (10) The managing director’s performance shall be assessed at least once a year, against both subjective and objective performance criteria as developed by the board and agreed at the beginning of the appraisal period.

431 (11) The report referred to in sub regulation (8) shall be presented to the board by the chairperson of the committee responsible for Compensation and Human Resources for discussion and approval. (12) The managing director’s performance evaluation shall not be deemed complete unless the board has reviewed and approved the committee report. (13) A financial institution may elect to evaluate the managing director’s performance by the full board directly. (14) The managing director shall be responsible for reviewing the performance of the executive director against agreed performance measures. (15) The board of directors shall review the evaluation of the executive director, completed by the managing director for final approval. (16) The effectiveness of the managing director and executive director as members of the board shall be evaluated during the annual board evaluation of individual directors. (17) An executive manager shall be evaluated by the managing director or executive director according to their approved reporting lines. (18) The report on the evaluation of executive manager shall be presented to the board for final approval. (19) The performance management cycle for an executive manager shall be deemed to be complete, only after final sign off by the board of directors. 20. Managing conflict of interest (1) The board shall develop a policy on conflict of interest providing for the process to identify and avoid possible conflicts of interest that may be detrimental to the board’s ability to perform its functions.

432 (2) The conflict of interest policy referred to in subregulation (1), shall include— (a) specific situations where conflict of interest can occur; (b) obligations for a director to disclose known interests that may conflict with the interests of the institution at the commencement of every financial year and at any time thereafter that such an interest arises; (c) a requirement for a director to declare his or her interest and recuse himself or herself from the board or board committee deliberations and decision making process; (d) procedures covering related party transactions and arm’s length provisions; and (e) procedures for the board to follow where a board member has conflict of interest. (3) The board shall be responsible for making the appropriate public disclosures and transmitting information on conflict of interest to the relevant regulators. 21. Disclosure and transparency (1) A financial institution shall operate with full disclosure and transparency in its operations towards its stakeholders including shareholders, depositors, and market participants. (2) A financial institution shall disseminate information to their stakeholders on a timely basis to assess the effectiveness of the board and executive management regarding the governance of the financial institution. (3) The level and depth of disclosures referred to in subregulation (2) shall be commensurate with the size and complexity of the operations, as well as the risk profile of the financial institution.

433 (4) The information referred to in sub regulation (2) shall be disclosed on an annual basis and shall include— (a) information covering the financial institution’s objectives, organisational and governance structures and policies; (b) a list of specialised committees, their scope of responsibilities and meeting frequencies; (c) the remuneration approach, ownership structure and voting rights; (d) related party transactions; (e) incentive and compensation policy, including the performance measurement criteria and aggregate information on remuneration; and (f) the financial reporting framework applicable to the financial institution and explanation of any material differences between applicable analysis periods. (5) Afinancial institution shall disclose itsrisk profile,specific exposures, and risk mitigation measures in an aggregate fashion and without breaching any confidentiality duty. (6) The board shall satisfy itself that procedures are in place to ensure that the financial institution is satisfying its disclosure obligations and that the information being disseminated is true and accurate. (7) The board shall reinforce sound corporate governance principles which shall cover the following— (a) board structure, including size, membership, qualification, and relevant committees; (b) executive management structure, including responsibilities, reporting lines, qualifications, and experience of relevant individuals;

    (c) basic organizational structure, including line of businesses and legal entity structures;
    (d) information about the incentive structure of the financial institution, including remuneration policies, executive compensation, bonuses, and stock options;
    (e) nature and extent of transactions with affiliates and related parties;
    (f) mandate of the Board, its duties and objectives, and composition while specifically providing guidance on “inside” and “independent” Directors;
    (g) board’s expectations of management and its performance in meeting them; and
    (h) institutional sustainability, including social and environmental considerations.

(8) A financial institution shall document the feedback received from stakeholders and the procedures established to deal with the concerns raised by the stakeholders.

22. Risk management

(1) The Board has primary responsibility for understanding the risks run by a financial institution and ensuring that the risks are managed appropriately.

(2) Notwithstanding the generality of subregulation (1), the board shall—
    (a) formulate a clear philosophy for each risk area;
    (b) design and approve structures that include clear delegation of authority and responsibility at each level of administration;
    (c) review and approve policies that clearly quantify acceptable risk, and specify the quantity and quality of capital required for the safe operation of the financial institution;
    (d) periodically review controls to ensure that they remain appropriate and make periodic assessment of the long-term capital maintenance program;
    (e) obtain explanations where positions exceed limits, including reviews and approvals or authorisation of credit granted to substantial shareholders, directors and other related parties and executive management, significant credit exposures, and adequacy of provisions made, and institute a process that ensures adequate reporting of limit exceptions, compliance failures and any matters relevant to the overall control framework of the financial institution;
    (f) certify that the internal audit function includes a review of adherence to policies and procedures;
    (g) formally delegate to management the authority to formulate and implement strategies; and
    (h) specify the content and frequency of reports.

23. Risk appetite statement

(1) The board shall develop a financial institution’s risk appetite statement based on the financial institution’s business environment, competitive environment, regulatory developments and the long-term strategy of the financial institution.

(2) The board shall, through the executive management, monitor the financial institution’s operations in accordance with the risk appetite statement developed in subregulation (1).

(3) The risk appetite statement developed under subregulation (1) shall—
    (a) communicate the financial institution’s risk appetite effectively throughout the financial institution, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the financial institution;
    (b) include both quantitative and qualitative considerations in the risk appetite statement; and
    (c) clearly establish the individual and aggregate levels and types of risk that the financial institution is willing to assume prior to engaging in its business activities, in order to conduct its operations within its risk capacity.

24. Board committees

(1) The board shall establish board committees for better utilisation of its resources and for attaining a more in-depth review of issues or areas relating to the operations of the financial institution.

(2) The board committees shall include the—
    (a) audit committee;
    (b) asset liability management committee;
    (c) risk management committee;
    (d) compensation committee; and
    (e) credit committee.

(3) A financial institution may constitute additional board committees, depending on the complexity of its operations.

(4) A board committee shall be chaired by an independent non-executive director.

(5) A board committee shall have approved terms of reference that outline the committee’s functions, mandates and working procedures, including its membership, tenure for its members and a viable rotation schedule.

(6) The chairperson of the board committee shall maintain appropriate records, minutes and supporting documentation evidencing reviews and resolutions passed during the execution of the functions specified in the terms of reference.

25. Audit committee

(1) The board of directors shall constitute from among its members a committee on audit comprising at least three independent non-executive directors.

(2) A person shall not be appointed chairperson of the audit committee of the board unless the person is qualified and has experience in accounting or audit.

(3) The chairperson of the audit committee of the board shall not be appointed chairperson of any other committee of the board.

(4) The audit committee of the board shall meet at least once annually with the internal and external auditors, in the absence of management of the financial institution.

(5) The audit committee of the board shall, in exercise of its functions under section 59 (7) of the Act—
    (a) recommend for the appointment and removal of the head of internal audit and any other staff of the financial institution that performs the audit function;
    (b) disclose the removal of the head of internal audit to the Central Bank as soon as practicable, but in any case no later than two weeks after the date of removal, giving reasons for the removal;
    (c) conduct the performance evaluation of the head of internal audit;
    (d) take measures to enhance the independence and stature of internal auditors;
    (e) recommend for the approval of the internal audit charter, annual audit plan and budget;
    (f) receive and review periodic reports from the internal auditor on the results of the internal audit activities or other matters that the internal auditor deems necessary;
    (g) review the internal controls, operating procedures and systems, and management information systems of the financial institution;
    (h) bring matters surrounding the operational efficiency, independence, and effectiveness of the audit function to the attention of the board of directors on a regular basis;
    (i) review the financial statements of the financial institution and make recommendations on them;
    (j) provide oversight on the financial institution’s internal and external auditors;
    (k) ensure that management takes appropriate corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations and other problems identified by internal and external auditors;
    (l) utilize, in a timely and effective manner, the findings of internal and external auditors as an independent check on the information received from management on the operations and performance of the financial institution;
    (m) require timely correction by management of problems identified by the internal and external auditors;
    (n) oversee the establishment of accounting policies and practices; and
    (o) ensure the periodic review of the internal audit function by an independent party to establish the independence of the function in line with International Internal Audit Standards.

26. Asset liability management committee

(1) The board of directors shall constitute an asset liability management committee in accordance with section 60 of the Act, consisting of not less than two non-executive directors.

(2) The asset liability management committee shall perform such functions as the board of directors shall specify in relation to establishing guidelines on the financial institution’s tolerance for risk and expectations from investment, to include—
    (a) limits on loan to deposit ratio;
    (b) limits on loan to capital ratio;
    (c) limits on exposure to single or related customers;
    (d) flexible limits on the percentage reliance on a particular deposit category;
    (e) maximum dependence on inter-bank and other volatile funding instruments;
    (f) limits on maximum and minimum maturities for newly acquired categories of assets and liabilities;
    (g) limits on maximum and minimum maturities for existing categories of assets and liabilities;
    (h) limits on the sensitivity of the net interest margin to changes in market interest rates;
    (i) maximum percentage imbalance between interest rate sensitive assets and liabilities;
    (j) limits on the minimum spread acceptable between costs and yields of liabilities and assets;
    (k) limits on the minimum liquidity provision to be maintained to sustain operations while longer term adjustments are made;
    (l) quantification of primary sources of funds;
    (m) monitoring of the financial institution’s policies, procedures and holding portfolio to ensure that goals for diversification, credit quality, profitability, liquidity, community investment, pledging requirements and regulatory compliance are met; and
    (n) generally implementing the asset or liability management policy of the financial institution.

27. Risk committee

(1) A financial institution shall have a risk committee of the board to provide oversight of the institution’s overall risk strategy.

(2) The risk committee of the board shall have the majority of its membership comprised of independent directors and shall be chaired by an independent non-executive director.

(3) The members of the risk committee of the board shall have experience in risk management practices relevant to the complexity of operations conducted by the financial institution.

(4) The functions of the risk committee of the board shall include—
    (a) oversee executive management’s implementation of the duly approved risk management framework, limits and procedures relating to all key risks inherent in the financial institution’s business activities;
    (b) ensure the financial institution has in place appropriate policies and procedures governing its operations;
    (c) review the financial institution’s risk policies at least annually and submit them to the board for approval;
    (d) advise the board on the development and implementation of the financial institution’s risk appetite and report on the state of key risk events, risk culture and the performance and interaction of the Head of Risk;
    (e) provide oversight over the financial institution’s capital management as well as all risks inherent in the financial institution’s operations including: strategic, operational, credit, liquidity, foreign exchange, interest rate, compliance and other emerging risks;
    (f) interact with the head of risk on an ongoing basis and receive regular reporting and communication from the head of risk about the financial institution’s risk profile, risk culture and its overall risk-taking activities, including limits, breaches and risk mitigation measures.

28. Credit committee

(1) The credit committee of the board shall provide oversight on credit operations in line with the financial institution’s credit strategy.

(2) The functions of the credit committee of the board shall include—
    (a) recommend for the approval of, and oversee compliance with, the financial institution’s lending policy;
    (b) delegate lending limits to approved sanctioning authorities of the financial institution;
    (c) recommend for the approval of credit facilities that are above the sanctioning authority of management;
    (d) recommend for the approval of credit facilities granted to shareholders, directors, executive management and other related parties;
    (e) recommend for the approval of policies and procedures governing the implementation of the International Financial Reporting Standards;
    (f) ensure the financial institution has robust information technology systems, internal control processes and sufficient human resources for successful implementation of the International Financial Reporting Standards;

    (g) recommend for the approval of a governance framework to oversee the implementation of International Financial Reporting Standards, highlighting the role of the board and executive management in the implementation of the standard;
    (h) recommend for the approval of sound methodologies for measuring expected credit losses to enable appropriate and timely recognition of expected credit losses;
    (i) review the quality of the loan portfolio;
    (j) ensure the financial institution holds adequate provisions for bad debts in compliance with the Central Bank’s guidelines on risk classification and provisioning;
    (k) recommend for the approval of the write-off of non-performing credit facilities;
    (l) ensure that the credit policy and risk lending limits are reviewed at least annually.

29. Compensation committee

(1) A financial institution shall establish a compensation committee responsible for overseeing the remuneration system’s design and operation and for ensuring that remuneration is appropriate and consistent with the financial institution’s culture, long-term business strategy and risk appetite.

(2) The compensation committee shall be chaired by an independent non-executive director.

(3) The managing director and executive director shall not be members of the compensation committee of the board.

(4) The functions of the compensation committee of the board shall include—
    (a) provide oversight on the remuneration of executive management and other key personnel and ensure that compensation is consistent with the financial institution’s culture, objectives, strategy and control environment;
    (b) ensure that human resource policies and structures are sound, effective and consistent with the financial institution’s risk management practices;
    (c) recommend for the approval of the organisational structure of the financial institution as well as any changes to the structure;
    (d) recommend for the approval of the compensation of executive management and other key personnel as may be delegated by the board;
    (e) recommend for the approval of salary scales, with a view to ensuring that staff do not overly depend on short-term performance or encourage excessive risk-taking.

30. Regulation of information technology

(1) A financial institution shall develop an information technology framework which supports effective and efficient management of information technology resources.

(2) The board may establish a board committee for information technology or assign the oversight of information technology to any other committee of the board.

(3) The functions of the board committee referred to in subregulation (2) shall include—
    (a) recommend for the approval of the financial institution’s information technology strategy and provide direction on information technology activities;
    (b) ensure that information technology staff are adequately skilled to manage information technology resources;
    (c) monitor the progress of information technology projects, services and investments as well as the disposal of information technology property;
    (d) provide oversight over information technology governance controls supporting outsourced information technology services; and
    (e) measure and understand the company’s overall exposure to information technology risks and ensure proper policies are in place to manage these.

(4) A financial institution shall employ a head of information technology who shall be responsible for information technology operations.

(5) The board shall ensure that the information and intellectual property contained in the information systems of a financial institution are protected.

(6) The board shall ensure that information technology risk is considered as part of the financial institution’s enterprise-wide risk assessment.

(7) The board shall assume full oversight of the financial institution’s information technology and cyber security infrastructure and shall have access to all key reports on information technology operations, including reports on assessments conducted by the group, for financial institutions that are part of group structures.

31. Control functions

(1) A financial institution shall put in place control functions to include—
    (a) internal audit function;
    (b) risk management; and
    (c) compliance function.

(2) The control functions referred to in subregulation (1) shall be headed by different individuals, except under exceptional circumstances and upon obtaining prior approval from the Central Bank.

(3) The Central Bank may, in granting approval under subregulation (2), consider—
    (a) a financial institution with limited operations, where the scope and depth of operations of the financial institution allows such consolidation;
    (b) resource constraints of a financial institution;
    (c) compatibility of the roles proposed to be merged into one individual; and
    (d) lack of overlap between control and operational functions.

(4) The exceptions under subregulations (2) and (3) shall not apply to Tier 1 institutions.

(5) An application for a waiver under this regulation shall indicate which factors under subregulation (3) apply.

32. Internal audit function

(1) The internal audit function shall have a direct reporting line to the board through the audit committee of the board.

(2) The audit function shall be independent of the operational aspects of the financial institution.

(3) A financial institution shall appoint an internal auditor in accordance with section 61 of the Act to perform the functions stipulated in the Act.

(4) An internal auditor appointed under subregulation (3) shall have adequate seniority to be able to carry out the internal audit mandate with sufficient standing and skills.

(5) Subject to section 61 (2) of the Act, the head of internal audit shall have the following powers—
    (a) have full and unfettered access to any records of the financial institution;
    (b) conduct his or her functions in line with the national and international audit standards;
    (c) follow up on internal audit issues identified in a timely manner; and
    (d) perform an audit of the financial institution’s risk management framework, commensurate with the level and depth of operations conducted by the financial institution, at least annually.

(6) A financial institution shall provide resources and adequate staff with adequate skills and knowledge to effectively audit the business lines and functions of the institution.

(7) The head of internal audit shall, while exercising the audit function, report to the audit committee of the board.

(8) The performance of the head of internal audit shall be evaluated at least annually by the audit committee of the board.

(9) The audit committee of the board may use its discretion to seek the views of the managing director with regard to the performance of the administrative tasks assigned to the internal auditor.

33. External auditor

A financial institution shall appoint an external auditor in accordance with sections 62 and 67 of the Act, to perform the functions stipulated in the Act for a continuous period of not more than four years.

34. Management risk committee

(1) A financial institution shall constitute a management risk committee composed of heads of business units and chaired by the managing director or executive director.

(2) The main function of the management risk committee is to formulate risk strategies and develop sound risk management policies and procedural guidelines with the approval of the board.

(3) The committee shall review the identified institution-wide risks, measure and monitor the risk exposures and determine whether the risk decisions are in accordance with approved risk strategies and policies, as well as risk tolerance and appetite levels.

(4) The management risk committee shall have clear and well-defined terms of reference and meet on a regular basis to effectively execute its mandate.

35. Head of risk

(1) A financial institution shall employ a person to serve as head of risk with sufficient authority, stature, independence and resources.

(2) The head of risk shall be an executive manager and a member of the management risk committee.

(3) The appointment and dismissal of the head of risk, including any changes to the head of risk position, shall be approved by the board or by the risk management committee, as the board may determine.

(4) The head of risk shall report to the managing director and submit reports to the risk committee.

(5) The head of risk shall not be assigned any other role relating to management or financial responsibility in respect of any operational business of the financial institution or revenue generating functions.

(6) The role of the head of risk shall be distinct from other executive functions and business line responsibilities.

(7) The head of risk shall have unfettered access to the risk committee of the board for purposes of enhancing the independence of his or her role.

(8) The head of risk and the risk committee of the board shall meet regularly, and the record of the meeting shall be documented and submitted to the board.

(9) The head of risk shall be responsible for the risk management function and the financial institution’s comprehensive risk management program across the entire organisation.

(10) The head of risk shall coordinate the activities of the management risk committee, consolidate risk reports from heads of business units and report to the management risk committee.

(11) The head of risk shall have access to all business lines to enable him or her to gain an in-depth understanding of the underlying risks in the financial institution.

36. Risk identification, monitoring and control

(1) A financial institution shall develop an adequate risk management framework to enable the timely identification and management of inherent risks in its operations.

(2) A financial institution shall have accurate data in order to adequately identify and mitigate risks and allow sound decisions to control its primary risks.

(3) The risk management function shall have adequate systems in place to consolidate and assess relevant data, and be able to model and apply stress testing based on relevant scenarios.

(4) The findings of the risk assessments conducted by the risk management function shall be disseminated to management and the board at the next management or board meeting following conclusion of the risk assessment.

(5) The risk management function shall be involved in the assessment of new products or services that the financial institution is planning to engage in and provide relevant risk assessment and impact analysis to management and the Board.

(6) The risk management process shall include risk mitigation techniques and approaches to mitigate inherent or emerging risks in the financial institution, commensurate with the risk appetite statement of the bank.

(7) The risk management function should be actively involved in the identification and mitigation of risks arising from mergers and acquisitions.

37. Compliance function

(1) A financial institution shall have an independent compliance function mandated to assess, monitor and report on the compliance of the financial institution with existing rules and regulations, including these Regulations.

(2) The compliance function shall report to the managing director and submit reports to the risk committee of the board, and shall have sufficient authority, independence, resources, and access to the board.

(3) The compliance function shall provide advice to the board and management regarding the financial institution’s compliance with applicable laws, guidelines and standards, while providing operational support to comply with the same.

(4) The financial institution’s executive management shall develop the compliance policy with the approval of the board.

(5) The board is responsible for the oversight of the compliance function, which includes approval of its policies and procedures governing the identification, assessment, continuous monitoring and reporting of the compliance risks inherent in its operations.

38. Money laundering control officer

(1) A financial institution shall employ a person to serve as a money laundering control officer, whose position shall be at the level of executive management.

(2) The money laundering control officer shall have a direct reporting line to executive management or the board of the financial institution.

(3) The money laundering control officer shall be the contact point for internal and external authorities, including the Central Bank or the Financial Intelligence Authority, concerning anti-money laundering issues.

(4) The money laundering control officer role may be held by an independent executive manager or by the head of compliance.

Part III—Remedial Measures and Administrative Sanctions

39. Remedial measures

(1) Where the Central Bank determines, through an inspection, that a financial institution is not in compliance with these Regulations, it may impose any or all of the corrective actions under Part IX of the Act.

(2) The Central Bank may, in accordance with section 77 of the Act, by order in writing, remove from office a chairperson, director, the managing director or executive manager of a financial institution if it deems it necessary, in the public or the institution’s interests, to do so.

40. Administrative sanctions

In addition to the remedial measures under regulation 39, the Central Bank may impose any or all of the following administrative sanctions with regard to a financial institution that is not in compliance with these Regulations or whose compliance with these Regulations—
    (a) prohibition from declaring or paying dividends;
    (b) suspension of the establishment of new branches or expansion into new banking or financial activities;
    (c) suspension of access to credit facilities of the Central Bank;
    (d) suspension of the opening of letters of credit;
    (e) suspension of the acceptance of new deposits; and
    (f) suspension of the acquisition of fixed assets.

41. Revocation of S.I 59 of 2005

The Financial Institutions (Corporate Governance) Regulations, 2005 are revoked.

MICHAEL ATINGI-EGO
Deputy Governor, Bank of Uganda
