Guideline on Supervisory Review Process

BOM/BSD 27/ April 2010 BANK OF MAURITIUS Guideline on Supervisory Review Process April 2010

2

3 TABLE OF CONTENTS INTRODUCTION.................................................................................................4 PURPOSE ........................................................................................................... 4 AUTHORITY ........................................................................................................ 4 SCOPE OF APPLICATION ........................................................................................... 4 EFFECTIVE DATE ................................................................................................... 4 STRUCTURE OF THE GUIDELINE ................................................................................... 4 SECTION I – BACKGROUND AND SCOPE OF THE SUPERVISORY REVIEW PROCESS6 FOUR PRINCIPLES OF THE SRP ................................................................................... 6 ELEMENTS OF THE SRP ........................................................................................... 6 PROPORTIONALITY................................................................................................. 6 SUPERVISORY ARRANGEMENTS ................................................................................... 6 Frequency of SRP.......................................................................................... 6 Application to local banking group.................................................................... 7 Application to foreign bank subsidiaries............................................................. 7 Application to branches of foreign banks ........................................................... 7 SECTION II - THE ICAAP.................................................................................... 8 DESIGN OF ICAAP................................................................................................ 8 BOARD AND SENIOR MANAGEMENT OVERSIGHT .................................................................. 8 SOUND CAPITAL ASSESSMENT .................................................................................... 9 COMPREHENSIVE RISK MANAGEMENT POLICIES AND PROCEDURES............................................ 10 MONITORING AND REPORTING .................................................................................. 11 INTERNAL CONTROL REVIEW .................................................................................... 11 SECTION III – THE SUPERVISORY REVIEW AND EVALUATION PROCESS............ 12 MAIN FEATURES OF THE SREP ................................................................................. 12 KEY FACTORS TO BE CONSIDERED IN THE SREP .............................................................. 12 Regulatory capital ....................................................................................... 13 Credit risk including concentration risk............................................................ 13 Market risk................................................................................................. 13 Operational risk .......................................................................................... 14 Interest rate risk in the banking book ............................................................. 14 Liquidity risk .............................................................................................. 14 Country risk ............................................................................................... 15 Earnings and profitability.............................................................................. 15 Corporate governance and internal control ...................................................... 15 Other material risks..................................................................................... 15 Review of the ICAAP .................................................................................... 16 DIALOGUE WITH BANKS ......................................................................................... 17 SECTION IV – SUPERVISORY RESPONSE .......................................................... 18

4 INTRODUCTION The supervisory review process (SRP) of the Basel II framework is intended to ensure that banks have adequate capital to support all the risks in their business, and to encourage banks to develop and use better risk management techniques in monitoring and managing their risks. The supervisory review process recognises the responsibility of bank management in developing an internal capital adequacy assessment process (ICAAP) and setting capital targets that are commensurate with the bank’s risk profile and control environment. In the new capital adequacy framework, bank management continues to bear responsibility for ensuring that the bank has adequate capital to support its risks beyond the core minimum requirements. Purpose The purpose of this guideline1 is to provide a transparent and informative description of the methodology and the supervisory procedures that the Bank of Mauritius (hereinafter referred to as ‘the Bank’) will adopt for capital assessment of banks, and that will be integrated into a risk-based supervision framework. The guideline also describes the specific elements that the Bank expects a bank’s ICAAP to encompass. It sets the stage for the implementation of Pillar 2 of the Basel II framework. Authority This guideline is issued under the authority of Section 100 of the Banking Act 2004 and Section 50 of the Bank of Mauritius Act 2004. Scope of application This guideline applies to all banks licensed under the Banking Act 2004. Effective date This guideline takes effect as from 1 July 2010. Structure of the guideline There are four sections in this guideline: Section I sets out the background and scope of application of the SRP; Section II describes the elements that should be included in the ICAAP; Section III defines the methodology of the Supervisory Review and Evaluation Process (SREP); and

1 The guideline should be read in conjunction with other guidelines and guidance notes issued by the Bank that are relevant to the assessment of a bank’s capital adequacy.

5 Section IV sets out the supervisory response with regard to the findings of the SREP and the results of the ICAAP.

6 SECTION I – BACKGROUND AND SCOPE OF THE SUPERVISORY REVIEW PROCESS Four principles of the SRP

1. The SRP rests on four fundamental principles, which enunciate the broad responsibilities of both banks and supervisors with respect to Pillar 1 minimum capital requirements. Principle 1 – Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels. Principle 2 – Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process. Principle 3 – Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum. Principle 4 – Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored. Elements of the SRP
2. The SRP encompasses four elements which emanate from the four principles stated above: the ICAAP, the SREP, the dialogue between the Bank and the banks and the supervisory response. Proportionality
3. The scope and depth of the SRP will be proportionate to the nature, scale, complexity and systemic importance of a bank, so will be the level of sophistication and complexity that the Bank expects from a bank’s ICAAP. The current SRP and ICAAP expectations reflect the use by banks of the standardized approaches in Pillar 1. Any subsequent move to the advanced approaches would be accompanied by changes to the SRP and greater expectations in respect of the ICAAP. However, where banks have the IRB capability for credit risk, the Bank has no objection to the use of the IRB approach for the limited purpose of drawing up the ICAAP document. Supervisory arrangements Frequency of SRP
4. The SRP will be conducted on each bank regularly (normally on an annual basis) as part of its risk-based supervision and in line with the proportionality concept described in paragraph 3. The scope of the SRP will

7 cover the significant business activities of the bank on a solo and/or consolidated basis. Application to local banking group 5. With respect to a local banking group, the Bank will apply the SRP to the group as a whole and the Bank will monitor the group’s capital adequacy at the consolidated level. In cases where the local banking group has overseas branches and/or subsidiaries, the Bank as home supervisor of the local banking group may seek information from the host supervisors when conducting the SRP on a consolidated banking group. Application to foreign bank subsidiaries 6. With respect to foreign bank subsidiaries, the Bank will consider the strength and availability of parental support and other relevant information from the home supervisor of the foreign banking group when conducting the SRP. Application to branches of foreign banks 7. Branches of foreign banks will not be required to have an ICAAP. The SRP will thus apply to branches of foreign banks in respect of elements other than the ICAAP.

8 SECTION II - THE ICAAP 8. Good banking practice requires banks to identify the risks to which they are exposed and to manage and mitigate those risks. Consistent with that, a bank is expected to have an ICAAP for assessing its overall capital adequacy in relation to its risk profile and a strategy for maintaining its capital levels. Its chosen internal capital targets should be well founded and consistent with its overall risk profile and current operating environment. Design of ICAAP 9. As the ICAAP document is a bank’s own document, the Bank will not prescribe its format; a bank may design its own ICAAP to cater for its individual circumstances and needs. It is not necessary to rewrite other policy/procedures documents, which could be included in full or in part. However, the ICAAP must incorporate the features and essential elements detailed in paragraphs 12 to 21; and the bank must demonstrate that its ICAAP is fit for purpose and therefore meets the supervisory requirements. 10. A foreign bank subsidiary may employ the ICAAP methodology of its parent bank. In case it elects to do so, it will have to demonstrate to the Bank how the methodology has been adjusted to reflect the specificities of the local jurisdiction and risks to which it is exposed. 11. A bank should ensure that its capital assessment process is rigorous and includes the following five main features: (a) board and senior management oversight; (b) sound capital assessment; (c) comprehensive assessment of risks; (d) monitoring and reporting; and (e) internal control review. Board and senior management oversight 12. A bank’s board of directors is responsible for setting the bank’s risk tolerance and senior management is responsible for understanding the nature and level of risk being undertaken by the bank and how this relates to adequate capital levels. 13. The board and senior management of a bank should view capital planning and capital management as crucial elements in achieving the bank’s desired strategic objectives. The board and senior management should (a) establish a capital management policy which, at a minimum, includes: (i) the bank’s current and future capital requirements in relation to its strategic objectives; (ii) the approved capital targets, consistent with the bank’s tolerance for risks;

9 (iii) measures that would be taken in the event capital falls below targeted levels; (iv) an outline of the bank’s capital needs, anticipated capital expenditures, desirable capital level, and external capital sources; (b) maintain other policies that supplement the capital management policy, e.g. policy regarding stress testing and dividend policy; (c) develop internal controls systems and written policies and procedures for capital planning and assessment and ensure that management effectively communicates these throughout the organisation; and (d) establish methods for monitoring compliance with regulatory capital standards and internal policies. Sound capital assessment 14. The ICAAP of banks should at least possess the following characteristics: (a) While the ICAAP must address the matters required by this guideline, its essence is how the bank sets its risk appetite, how risk is identified and managed and mitigated and how capital targets are set and monitored. It is acknowledged that because of their size, complexity and business strategy many banks do not require sophisticated risk measurement and capital calculation processes. Such banks are free to propose their own capital calculation processes; they are not precluded from setting their own internal capital targets based on regulatory capital methodologies (rather than economic capital concepts); (b) The ICAAP must address all significant risks to which the bank is exposed. Those risks must include the Pillar 1 risks of credit and operational risk. More generally, banks are expected to seek to improve the ICAAP over time; (c) the ICAAP should be forward-looking. It should take into account the bank’s strategic plans and how they relate to macroeconomic factors; (d) the ICAAP should be integrated into the management process and decision-making culture of the bank and duly communicated to all relevant staff; (e) the ICAAP should be formally documented and the conceptual design (at a minimum, the scope, general methodology and objectives) of the ICAAP, should be reviewed and approved by the board of directors and senior management of the bank. The Bank expects the ICAAP document to be signed off by the board; and (f) the ICAAP should be reviewed at least annually to ensure that risks are adequately covered and that capital reflects the risk profile of the bank.

10 15. The essential elements of a sound ICAAP include: (a) policies and procedures designed to ensure that the bank identifies, measures, and reports all material risks including new risks; (b) a process reflecting the size, complexity and business strategy of the bank that relates capital to the level of risk; (c) a process that states the bank’s capital adequacy goals with respect to risks, taking account of the bank’s strategic focus, business plan and operating environment; and (d) a process of internal controls, reviews and audit to ensure the integrity of the overall management process. 16. The ICAAP should include the bank’s own assessment of its capital requirements. Comprehensive risk management policies and procedures 17. The policies and procedures to identify, measure and report the risks faced by a bank in the conduct of its activities should meet the following standards: (a) risk measurement systems should be sufficiently comprehensive and rigorous to capture the nature and magnitude of the risks faced by the bank; (b) adequate controls should be in place to ensure the objectivity and consistency of risk identification and measurement and that all material risks are addressed; (c) risk measurement techniques should be robust and based on inputs of good quality; (d) qualitative assessment and management judgment should be used for risks that are not easily quantifiable; (e) changes in the risk profile of the bank should be promptly incorporated into the risk measures; and Stress tests represent an important tool for exploring potential vulnerabilities to exceptional but plausible events. Stress testing must therefore represent a component of any ICAAP. In the first instance, banks should design their own stress tests consistent with their own capabilities, product offerings and risk profiles. The ICAAP should justify why the bank believes its stress testing (both scope and methodology) is appropriate. The ICAAP may, of course, draw on the results of any stress tests separately required by the Bank. 18. A bank should be able to satisfy the Bank that its approach to relate capital to risk is conceptually sound and that the results are reasonable.

11 Monitoring and reporting 19. The bank should establish an adequate system for monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. The bank should have adequate systems to ensure that reports on the bank’s risk profile and capital needs are submitted to senior management or board of directors on a regular basis. These reports should allow senior management to: (a) evaluate the level and trend of material risks and their effect on capital levels; (b) evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system; (c) determine whether the bank holds sufficient capital against the various risks and is in compliance with established capital adequacy goals; and (d) assess its future capital requirements based on the bank’s reported risk profile and make necessary adjustments to the bank’s strategic plan accordingly. Internal control review 20. The bank’s internal control structure is essential to the capital assessment process. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal or external audits. Reviews required under this guideline are not meant to duplicate any existing reviews, although the ICAAP should reference all relevant reviews. 21. The bank should conduct periodic reviews of its risk management process to ensure its integrity, accuracy, and reasonableness. The frequency of the review may vary depending on the size and complexity of individual banks but should not be less than once every year. Areas that should be reviewed include as a minimum: (a) appropriateness of the bank’s capital assessment process given the nature, scope and complexity of its activities; (b) identification of large exposures and risk concentrations; (c) accuracy and completeness of data inputs into the bank’s assessment process; (d) reasonableness and validity of scenarios used in the assessment process; and (e) stress testing and analysis of assumptions and inputs. 22. Any deficiency in the ICAAP and non-compliance with internal policies and/or minimum capital requirements must be reported to the board of directors for timely rectification.

12 SECTION III – THE SUPERVISORY REVIEW AND EVALUATION PROCESS 23. The basic components of the SREP are already embedded in the Bank’s existing supervisory framework which rests on two elements - off-site monitoring and on-site examination. The implementation of the SREP in the context of this guideline will be more of an elaboration and refinement process, rather than a radical change in existing practices. Main features of the SREP 24. The SREP will broadly involve the review of adequacy of risk assessment, assessment of capital adequacy, assessment of the control environment and review of compliance with minimum standards and will involve some combination of: (a) on-site examinations; (b) off-site review; (c) discussions with bank management; (d) review of work done by external auditors (provided it is adequately focused on the necessary capital issues); (e) periodic reporting; and (f) risk assessment system. Key factors to be considered in the SREP 25. The Bank will consider as a minimum the following key factors, which will enable it to apply a risk-based supervision framework to banks: (a) regulatory capital, (b) credit risk, including concentration risk, (c) market risk, (d) operational risk, (e) interest rate risk in the banking book, (f) liquidity risk, (g) country risk, (h) earnings and profitability, (i) corporate governance and internal control, (j) other material risks; and (k) review of the ICAAP.

13 Regulatory capital 26. With respect to regulatory capital, the Bank will assess and analyse: (a) the structure of regulatory capital, the proportion and quality of Tier 1 capital, including the proportion of minority interests; (b) the manner in which the bank monitors and manages its regulatory capital with particular attention to any event/circumstance that may impact on the capital adequacy ratio, e.g. a large risk of provisioning, pursuit of a policy of expansion and peer group comparison; and (c) the capacity of the bank to secure additional capital including parent or group support and accessibility to markets. Credit risk including concentration risk 27. The Bank’s assessment of credit risk will consist of the following: (a) a review of the broad composition of the bank’s credit portfolio, including its business lines and credit assessment procedures; (b) a review of the bank’s level of doubtful loans, its policy for classifying doubtful loans as well as the appropriateness of the level of provisioning; (c) the verification of the bank’s calculation of credit risk-weighted assets under the standardised approach; and (d) a review of the bank’s credit risk mitigation policies and the credit risk mitigation instruments used by the bank, and their compliance on an ongoing basis with the minimum requirements to be recognised for regulatory capital purposes. This will ensure that other risks that the use of credit risk mitigation techniques give rise to e.g. legal risk, documentation risk and liquidity risk, are adequately controlled. With respect to credit concentration risk, the Bank will assess: (a) the bank’s policies and limits with respect to exposure sizes and concentrations, including sectoral and geographical concentration, (b) the actual structure of its credit portfolio; and (c) whether the Pillar 1 standardised credit risk capital figure is adequate. Market risk 28. The trading activities of banks are currently considered to be insignificant and as such no capital charge is presently being imposed on banks with respect to market risk other than foreign exchange risk. However, the Bank will: (a) review the nature of the trading activities of a bank to ascertain whether there is no variation in market parameters that would warrant a change in the Bank’s policy;

14 (b) review the bank’s policy with respect to interest rate risk, equity risk, foreign exchange risk and commodity risk; (c) evaluate how the bank combines its risk measurement approaches to arrive at the overall internal capital for interest rate risk, equity risk, foreign exchange risk and commodity risk; and (d) where appropriate, assess the adequacy of the capital. Operational risk 29. The analysis of operational risk will cover: (a) the review of the structure and complexity of the bank’s business model and operations; (b) the systems for identifying and cataloguing material incidents along with any losses recorded; (c) the operational risk monitoring system and its scope of application; and (d) the assessment of the bank’s calculation of operational risk capital under the standardised approach and the adequacy of capital. Interest rate risk in the banking book 30. Banks should conduct simple stress tests to provide standardised measures of interest rate risk in the banking book (IRRBB), involving an across-the￾board interest rate shock of 200 basis points up or down. Banks for which this standard test results in a reduction in economic value of more than 20 per cent of the capital base are identified as ‘outliers’, and will be given extra supervisory attention. They may be required to maintain additional capital. The analysis of the IRRBB will involve: (a) an assessment of the bank’s tools and methodologies which include both quantitative and qualitative factors, used for the measurement of the overall interest rate risk; and (b) an assessment of whether the standardised measure accurately reflects the true IRRBB of the bank and if not, what alternative (Basel II) measures the bank believes would be more appropriate and what results they would produce. Liquidity risk 31. In the analysis of the bank’s liquidity and transformation structure, the Bank will review the bank’s liquidity risk management policies, procedures and limits, and its actual liquidity risk profile. Factors to be considered will include the level, trend and volatility of the bank’s liquidity ratio, its maturity profile, the stability and concentration of its funding sources and other qualitative factors such as the bank’s borrowing capability and access to money markets, and results of stress tests.

15 Country risk 32. With respect to country risk, the Bank will: (a) review the bank’s policies and processes relating to the identification, measurement, monitoring and control of country risk and transfer risk; (b) assess whether the bank monitors and evaluates developments in country risk and in transfer risk and applies appropriate countermeasures; (c) assess whether the bank has information systems, risk management systems and internal control systems that accurately monitor and control exposures on an individual country basis and whether country exposure limits, if any, are adhered to. Earnings and profitability 33. The quality of the profits earned by a bank is critical to ensuring the maintenance of its financial strength. For this reason, the Bank will analyse: (a) the composition of income and profits; and (b) the level, structure and trends in a number of ratios and indicators e.g. the return on assets, net banking income and cost-to-income ratio. The Bank will complement the analysis with an accounting review of the composition of earnings and will assess all the above elements in relation to the overall strategy of the bank. Corporate governance and internal control 34. The review of the bank’s general organisation will include: (a) the control systems put in place by the bank including the bank’s management information systems, and the methods used to monitor each of the risks borne by the bank; (b) an evaluation of the board’s responsibility in ensuring that management establishes a system for assessing the various risks that relates them to the bank’s capital level; and (c) a review of the work of internal audit and external audit reports. Other material risks AML/CFT measures 35. Money laundering and terrorist financing may represent significant risks for a bank. In this respect, the Bank issued Guidance Notes on AML/CFT in which it has recommended a panoply of anti-money laundering and anti-terrorist financing measures. The Bank will verify: (a) whether the bank has implemented internal procedures to detect money laundering and terrorist financing;

16 (b) whether the bank has procedures that allow the application of legal and regulatory provisions; (c) whether the collection of relevant information on large, unusual and complex transactions is effected; and (d) the effectiveness of the tools, computerised or other, that are used to detect suspicious transactions. 36. The analysis of risks detailed above is not exhaustive. The Bank will enquire from the bank whether it believes there are any other risks to which it is materially exposed and the impact they may have on overall capital adequacy. The Bank will consider the extent to which the bank has provided for unexpected events in setting its capital levels. Review of the ICAAP 37. A bank shall submit its ICAAP document and the results of its stress tests to the Bank not later than 5 months after the end of its financial year. The Bank will verify whether the ICAAP incorporates the general principles described in paragraphs 12 to 21. The objective of the Bank’s review of the ICAAP is to determine whether the level and composition of capital are appropriate for the nature and scale of the bank’s business. The Bank will evaluate whether the target levels of capital established by the bank are: (a) based on a rigorous process that is comprehensive and encompasses all material risks to which the bank is exposed; (b) relevant to the current operating environment; (c) based on testing for unexpected events (scenario analysis); (d) commensurate with the bank’s risk profile, the adequacy of its risk management and internal control environment; and (e) properly monitored by senior management and reviewed by the Board. 38. A bank must be able to explain and demonstrate to the satisfaction of the Bank: (a) how its ICAAP meets supervisory requirements; (b) how it defines, categorises and measures its material risks; (c) how the internal capital targets are chosen and how they relate to the overall risk profile and current operating environment of the bank; and (d) how these targets are consistent with the present and future business needs of the bank. 39. The bank must be able to explain the similarities and differences between the level of capital calculated under its ICAAP and its regulatory capital requirements.

17 Dialogue with banks 40. The SREP will generate an active dialogue with the bank, the purpose of which is: (a) to obtain a deeper understanding of the bank’s overall risk profile and its risk control system; (b) to understand the approach of the bank towards the risks not captured by Pillar 1 and the amount of capital allocated to them; (c) to evaluate the extent of reliance on the ICAAP in the Bank’s assessment of the capital adequacy of the bank; (d) to exchange information on the key findings of the SREP; and (e) to ensure follow-up on the implementation of any prudential measures that may be decided by the Bank. 41. This dialogue will take place with management, the compliance officer and the officers in charge of risk measuring and monitoring or any person at an appropriate level designated by the bank.

18 SECTION IV – SUPERVISORY RESPONSE 42. After completion of the SREP, the Bank will consider whether the minimum capital requirements remains appropriate for the bank or whether they need to be changed in the light of the results and findings of the SREP. 43. The Bank will discuss with the bank the results of its assessment, including any areas of concern, which may lead to an increase in its minimum capital adequacy ratio (CAR). The Bank will explain the factors that have led to this assessment and recommend actions which the bank should take to address the concerns. 44. If there is a proposed increase in the minimum CAR, the bank will be consulted (with the opportunity to make representations) before a final decision is taken. 45. Other supervisory actions include but are not limited to intensifying the monitoring of the bank, restricting the payment of dividends, restricting risky activities, requiring the bank to prepare and implement a satisfactory capital adequacy restoration plan, and requiring the bank to raise additional capital immediately. 46. The Bank will monitor the progress made by the bank in implementing the corrective actions.