2000-11-10

Instruction No. 006/2000-CSBF on the Internal Control of Credit Institutions

The Banking and Financial Supervision Commission (CSBF) of Madagascar issued Instruction No. 006/2000-CSBF to mandate credit institutions operating in the country to establish a comprehensive internal control system comprising first- and second-level controls, permanent monitoring, and independent internal audit. The regulation requires these institutions to implement risk prevention mechanisms, clear functional separation, documented procedures, and robust counterparty, liquidity, price, operational, technical, and legal risk management frameworks tailored to their size and activities. Furthermore, it mandates the establishment of dedicated organizational structures, delegated decision-making powers, quarterly risk quality assessments, and an independent audit function with unlimited examination rights to ensure regulatory compliance, financial stability, and operational continuity.

Madagascar

Banky Foiben'i Madagasikara

INSTRUCTION NO. 006/2000-CSBF on the Internal Control of Credit Institutions


The Banking and Financial Supervision Commission (CSBF) of the Republic of Madagascar,

Having regard to Law No. 95-030 of February 22, 1996 on the activity and supervision of credit institutions,

Having regard to Law No. 96-020 of September 4, 1996 regulating the activities and organization of mutual financial institutions,

Pursuant to Articles 35 and 41 of the aforementioned Law No. 95-030, which empower the CSBF to establish management standards and prudential rules that credit institutions must comply with, notably to ensure their liquidity, solvency, and financial structure balance,

Having regard to the opinion issued by the Professional Association of Credit Institutions pursuant to the last paragraph of Article 36 of the aforementioned Law No. 95-030,

DECIDES

TITLE I - DEFINITIONS AND PRINCIPLES

Article 1. For the purposes of this Instruction, the internal control system consists of the combination of internal control proper, internal audit, and supervision of internal audit.

  1. Internal control is a monitoring and security mechanism integrated into operational processes, established for the prevention, monitoring, and management of an institution's risks. It also comprises all means and procedures put in place to ensure good control over activities, thereby guaranteeing the institution's sustainability. Internal control comprises two levels:
  • First-level control, ensured through organizational and operational measures, notably the existence of a regularly updated organizational chart, clear allocation of responsibilities, separation of functions, and compliance with procedure manuals;
  • Second-level control, or management control, assumed by any hierarchical head responsible for a given sector, and covering, among other things, the monitoring of various risks and results generated by operations.
  2. Internal audit is a function whose mission is to verify the effectiveness and consistency of internal control. This function, also called inspection or audit, aims to detect weaknesses in internal control and propose corrective measures.
  3. Supervision of internal audit is a function responsible for examining the activities and results of internal audit. This mission falls under the competence of the deliberative body.

Article 2. The internal control system has as its main objectives:

  • To safeguard the institution's assets, namely to preserve the security of operations, values, goods, and personnel against all types of losses such as waste, fraud, abuse, deterioration due to weather conditions, fire;
  • To ensure the compliance of operations, organization, and procedures with legal rules, professional regulations, as well as guidelines and limits set by the executive body;
  • To ensure the regularity, sincerity, completeness, and reliability of accounting and financial information, as well as the conditions for their evaluation, recording, retention, availability, and reporting;
  • To guarantee compliance with objectives and strategy, notably the commercial policy adopted by the deliberative body;
  • To ensure the reliability and effectiveness of organization and procedures.

Article 3. Credit institutions authorized to conduct banking operations in Madagascar must establish an internal control system meeting the definitions and objectives above. The main devices to be put in place for this purpose are:

  1. Risk prevention, in the form of operational rules and due diligence ensuring that the institution operates under required security conditions and complies with applicable legal and regulatory provisions, professional standards, practices, and ethical rules, as well as guidelines and limits defined by the deliberative and executive bodies;
  2. Permanent control, responsible for ensuring the regularity of carried-out operations, their faithful recording in the institution's accounts, and compliance with the rules and due diligence defined under point 1 of this Article;
  3. Internal audit, tasked with verifying the effectiveness and consistency of devices implemented under points 1 and 2 of this Article, notably their adequacy to the nature and magnitude of incurred risks and the compliance of activities with the terms of the authorization decision, and proposing necessary corrective measures.

Article 4. Credit institutions may adapt all internal control devices provided by this Instruction according to their characteristics. The following elements are particularly decisive in the organization of internal control.

  1. Size and number of employees: The ability to effectively separate functions is more limited when staff size is small. In such cases, emphasis must be placed on supervisory control.
  2. Nature of risks in each activity domain: The control system must be more elaborate when the risk related to an activity sector is deemed significant.
  3. Commercial policy: Internal control is not static; it must evolve according to the products and services provided by the institution.

Article 5. For the purposes of this Instruction,

  1. The expression "executive body" refers to the persons covered by Article 23 of Law No. 95-030, tasked with effectively determining the direction of the institution's activities. This body is responsible for the day-to-day management of the institution as a business head and represents it vis-à-vis third parties;
  2. The expression "deliberative body" refers to the board of directors, or the body acting in its place; the deliberative body, under its responsibility and under conditions it defines, may establish a committee tasked with exercising all or part of the powers conferred upon it by this Instruction, or to assist in exercising these functions;
  3. Counterparty risk is the loss risk incurred in case of default by a counterparty engaged with the institution, under its three main aspects:
  • Credit risk, namely risks inherent to credit operations as defined by Article 5 of Law No. 95-030 - cash credits, credit-leasing operations, signature commitments - in case of default by a client or group of clients considered as the same beneficiary according to the Instruction on risk division;
  • Interbank risk, namely risks incurred in case of default by other credit institutions regarding deposits, placements, and loans made by the institution or guarantees issued to it;
  • Settlement/delivery risk, namely risks incurred on market operations giving rise to reciprocal delivery obligations that are not yet settled, such as foreign exchange operations, treasury bill market operations, in case of non-performance by a counterparty of its commitments;
  4. Illiquidity risk is the risk for the institution not to have at the due date the necessary cash flow to meet its commitments;
  5. Price risk is the risk incurred in case of unfavorable evolution of interest rates, exchange rates, and equity positions, having the effect of an asymmetric variation in the cost of resources and yield of assets;
  6. Operational risks are risks resulting from errors in defining or implementing the rules and due diligence provided under point 1 of Article 3, shortcomings in applying these rules, fraud, or misappropriation of assets;
  7. Technical risks are risks resulting from partial or total failure of the information system, loss or alteration of data, due to breakdowns, errors, imprudence, or malice;
  8. Legal risks are litigation risks with third parties - clients, members, staff, administration, other credit institutions - due to gaps, deficiencies, inapplicability of contracts, or imprecisions of any kind in the conduct of operations or transgression of applicable legal and regulatory provisions by the institution.

TITLE II - RISK PREVENTION

Article 6. Credit institutions must implement a risk prevention device meeting the following principles:

  • principle of separation of functions,
  • clear definition of positions, attributions, and identification of responsibilities,
  • inventory of risks linked to different functions and risk measurement,
  • definition and regular updating of procedure manuals,
  • existence of a grid of powers and decision-making.

Article 7. The principle of separation of functions implies an allocation of tasks among several entities such that decision-making, execution, accounting recording, and control are each assumed by different functions or persons. Depending on the size and resources of the institution, some tasks may be grouped. However, it is imperative that operational services, responsible for carrying out operations, are separated from functional services, responsible for the accounting and administrative processing of these operations. Control must remain an independent function.

Article 8. Credit institutions must maintain an effective register of existing functions. This register entails the preparation of a detailed organizational chart defining each position, its attributions, and responsibilities. The organizational chart must be regularly updated.

Article 9. Credit institutions implement a procedure for collecting and centralizing information necessary to determine and measure their exposure to the risks listed in Article 5, provided these risks exist.

Article 10. Provisions and procedures adapted to the organization and management mode are defined and implemented to circumscribe operational, technical, and legal risks resulting from activities. These devices must establish adequate prevention of the aforementioned risks through measures aimed at:

  • ensuring data and value integrity - authorization system, securing access notably by rules for holding keys and confidential codes, physical protections, backup procedures,
  • validating the legal basis of operations,
  • limiting the financial consequences of potential losses, either a priori or a posteriori through guarantee or insurance mechanisms.

Article 11. In the case of processing performed by an information management system, the institution implements security devices capable of preventing material incidents or alteration of programs or data. Backup and contingency procedures are organized and periodically tested to ensure operational continuity in case of system failure, conditions for retaining and reporting information and processing results, and security rules.

Article 12. Operations involving credit risk must be governed by clearly formalized procedures. These procedures must ensure a contextual assessment of the risk based on quantitative and qualitative analysis of the beneficiary's situation, and, where applicable, the group to which it belongs according to the Instruction on risk division, notably based on recent and future evolution:

  • of the activity sector in which it operates;
  • of its financial structure, particularly its net global working capital and cash flow, profitability, repayment capacity, and the substance of collateral provided, both real and personal;
  • of its strategy, particularly its commercial and/or production policy;
  • of the nature and reality of its financing needs.

When the institution's size justifies it, a specialized unit independent of operational services must be tasked with ensuring the regularity of decision-making, issuing opinions on commitments based on risk magnitude, and verifying compliance with fixed conditions.

Article 13. A file consolidating risk assessment elements and analysis and decision documents is created for each credit risk and regularly updated. Credit institutions must, at least quarterly, analyze the evolution of their engagement quality. This review allows for possible reclassification of compromised claims into healthy claims, downgrading of healthy claims into doubtful, litigious, and contentious claims, and establishment of corresponding provisions according to the Instruction on provisioning for compromised claims.

Article 14. Credit institutions develop procedure manuals related to their various activities. These documents describe in particular the rules and procedures for commitment, recording, accounting of operations, processing, and reporting of information. Procedure manuals must be regularly updated. The exercise of new activities must be subject to the definition of general rules and conditions applicable to them, risk analysis they generate, and implementation of adequate measurement, limitation, and control procedures.

Article 15. Decision-making powers must be clearly formalized and adapted to the institution's characteristics, particularly its size, organization, and nature of activity. Major risks, namely those exceeding a threshold previously set by the deliberative body, fall under its competence based on the executive body's proposal. Delegations of powers and signatures must be modulated so that delegates possess the necessary qualifications and abilities to objectively evaluate resulting risks. Except in exceptional cases, commitment decisions are taken by at least two responsible persons. Formalized procedures must be established to:

  • regularly monitor compliance with limits set in the preceding paragraphs and any conditions imposed on the institution upon authorization to exercise its activities,
  • report to the executive and deliberative bodies,
  • and promptly inform the competent level of any exceedances so that it can take adequate measures.

The executive body must submit to the decision of the deliberative body, at least once a year and whenever necessary, limits granted by risk type.

Article 16. Documentation is created and regularly updated on all provisions and means implemented to prevent and control risks, including notably:

  • a detailed organizational chart of the institution,
  • decisions regarding delegation of powers,
  • documentation on the information system provided in Article 11,
  • procedure manuals prescribed in Article 14,
  • typology of risks and enterprises,
  • a description of the conditions for implementing provisions of this Instruction,
  • analysis and synthesis reports regarding evaluation of various risks and functioning of the device.

This documentation is organized to be accessible, upon simple request, to any person entitled to know it, notably the executive body, deliberative body, statutory auditors, and the Banking and Financial Supervision Commission.

TITLE III - PERMANENT CONTROL

Article 17. Credit institutions implement a set of control devices integrated into the operational process. These devices must enable:

  • ensuring compliance with the institution's strategic orientations,
  • verifying regulatory compliance, notably risk limitation and prudential standards,
  • controlling the quality of accounting and financial information,
  • controlling the quality of information and communication systems.

Article 18. Credit institutions implement budget control procedures to ensure regular monitoring of forecasted budget execution and to explain significant variances. These procedures must include a system for analyzing the profitability of different activities. When the internal audit function, defined in Title IV of this Instruction, simultaneously performs management control, the aforementioned evaluation must be reported to the deliberative body.

Article 19. Credit institutions ensure the implementation of a counterparty risk management system defined in Article 5 of this Instruction. This system translates into:

  • centralized identification of all on-balance sheet and off-balance sheet risks for a single counterparty and groups forming the same beneficiary according to the Instruction on risk division;
  • qualitative classification and regularly updated rating of credit operation beneficiaries, where justified by client type, in the form of a graduated rating according to potential risk level, taking into account provisions on risk provisioning rules;
  • production of alert statements in case of: (i) exceedance of prudential rules or internal management rules, notably signature or delegation powers, (ii) occurrence of incidents of any nature, and their communication to the executive body as well as internal audit defined in Title IV of this Instruction,
  • production at the central body of necessary information so that it is constantly informed about the situation of major risks and incidents affecting them.

Article 20. Credit institutions must ensure the completeness, quality, and reliability of accounting and financial information. In this regard, operations must be recorded in accounting upon realization according to provisions of the Instruction on the chart of accounts for credit institutions. Assets and securities representing rights or claims held by the institution on behalf of third parties but which by nature do not appear in accounts, are recorded and tracked in the form of inventory accounting tracking existences and movements. Accounting monitoring is ensured by a function or persons other than those who initiated and entered the operations. Balance reconciliation must occur at close intervals, at least once a month, and may lead to adjustments by the function responsible for accounting, which informs the functions that initiated the operations.

TITLE IV - INTERNAL AUDIT

Article 21. Credit institutions must establish an internal audit function responsible for supervising risk prevention and control devices. This function must meet the following characteristics:

  • be independent,
  • have exhaustive competence,
  • be equipped with necessary resources,
  • have clear objectives,
  • be permanent.

Article 22. The internal audit function is independent. It must be appointed by the deliberative body upon proposal of the executive body. It reports to the highest executive hierarchy present locally, executes verification missions entrusted by it, and reports to the deliberative body. For institutions whose size and activity volume do not justify a full-time internal audit, internal audit tasks may be entrusted to:

  • the parent company's internal audit or that of another group company,
  • external auditors for periodic missions decided by the deliberative body, subject to prior approval of the Banking and Financial Supervision Commission.

The internal auditor cannot suffer any career or other prejudice due to opinions or views expressed in the course of their functions. For mutual financial institutions organized in a network, a common system may be established with the agreement of the deliberative bodies of affiliated institutions.

Article 23. The deliberative body may create an audit committee to assist in exercising its mission. The composition of this committee, its mission, and operational modalities are fixed by the deliberative body. Generally, the audit committee is formed by members of the deliberative body not involved in management. It may be assisted by persons chosen for their particular expertise. The main attributions of this committee are as follows:

  • supervise major strategic transactions of the institution,
  • control all accounting and financial information,
  • ensure compliance with risk policy,
  • supervise compliance with banking regulation,
  • supervise internal control and internal audit,
  • ensure the link between the executive body and external auditors.

Article 24. The internal audit function has exhaustive competence. To this end, it benefits from unlimited examination rights within the institution. To carry out its mission effectively, it has free access to all books, documents, and database systems. All information necessary for performing its verification tasks must be provided to it.

Article 25. Credit institutions ensure that the internal audit function is equipped with necessary resources, notably human and technical means adapted to activities, size, and locations of the institution. The use of external expertise may be considered when the audit function examines a highly specialized sector. Regardless of the organization chosen, the audit function must be equipped with necessary attributions and means to conduct a comprehensive periodic control of operations and different units,

  • over as limited a number of years as possible, while ensuring an annual review of major risks;
  • according to a program...