2025-01-01 | JPRFM-2025-011-M

Resolution JPRFM-2025-011-M: Replacing Section 3 on Integrated Risk Management in the Central Bank of Ecuador Governance Codification

The Financial and Monetary Policy and Regulation Board issued Resolution JPRFM-2025-011-M to replace Section 3 on Integrated Risk Management and add Section 4 on Information Security to the Central Bank of Ecuador's Governance Codification. This resolution establishes the regulatory framework for identifying, evaluating, and monitoring risks affecting the Bank's strategic, operational, and financial objectives. It mandates the implementation of an Information Security Management System to protect assets and ensure compliance with international and national standards.

Ecuador

Banco Central del Ecuador

RESOLUTION NO. JPRFM-2025-011-M

THE FINANCIAL AND MONETARY POLICY AND REGULATION BOARD

CONSIDERING:

That, the Constitution of the Republic, in Article 226, prescribes that public servants and persons acting by virtue of a state power shall exercise only the competencies and faculties attributed to them in the Constitution and the Law;

That, Article 227 ibidem states that Public Administration constitutes a service to the community governed by the principles of effectiveness, efficiency, quality, hierarchy, coordination, planning, among others;

That, the first paragraph of Article 303 ut supra determines that the formulation of monetary, credit, exchange, and financial policies is the exclusive faculty of the Executive Function and will be implemented through the Central Bank of Ecuador;

That, on October 13, 2025, the Organic Reform Law of the Monetary and Financial Code was published in the Sixth Supplement of the Official Register No. 142;

That, the Financial and Monetary Policy and Regulation Board will apply international technical standards related to its area of competence, in accordance with the article added after Article 6 of the Monetary and Financial Code;

That, Article 13 of the Monetary and Financial Code creates the Financial and Monetary Policy and Regulation Board, part of the Executive Function, as an organ with functional, technical, and institutional autonomy, and in its decisions, responsible for the formulation of monetary, credit, financial, securities, insurance, and prepaid comprehensive health care services policy. The Financial and Monetary Policy and Regulation Board will be the highest governance body of the Central Bank of Ecuador;

That, Article 17 of the referred Code, in its pertinent part, determines that: "(...) For the fulfillment of these functions, the Board will issue regulations in matters within its competence, without altering legal provisions. The Financial and Monetary Policy and Regulation Board may issue regulations by segments, economic activities, and other criteria. It may even reform or repeal regulations from the former Monetary and Financial Policy and Regulation Board, Monetary Policy and Regulation Board, or Monetary and Financial Policy and Regulation Board. All norms and policies issued by the Financial and Monetary Policy and Regulation Board in the exercise of its functions, duties, and faculties must be backed by duly substantiated technical and legal reports (...)";

That, Article 19 ibidem determines as a function of the Financial and Monetary Policy and Regulation Board, among others: "(...) 2. Establish the policies of the Central Bank of Ecuador and supervise their execution; (...)";

That, Article 24 of the same Code provides that the acts of the Financial and Monetary Policy and Regulation Board enjoy the presumption of legality and will be expressed through resolutions that will have mandatory force, which will govern from their publication in the Official Register, or from the date of their issuance when so determined by the Board, in accordance with the matter;

That, Article 25.2 ibidem determines that the Technical Secretariat of the Financial and Monetary Policy and Regulation Board is exercised by the Central Bank of Ecuador, and Article 25.3 establishes as its functions the elaboration of technical and legal reports that support regulation proposals, the provision of technical and administrative support to the Financial and Monetary Policy and Regulation Board, and the others assigned to it by said Board;

That, General Provision Twenty-Ninth ibidem states: "In existing legislation where mention is made, indistinctly, of the Monetary and Financial Policy and Regulation Board, the Monetary Policy and Regulation Board; or, the Financial Policy and Regulation Board, replace and understand as 'Financial and Monetary Policy and Regulation Board'";

That, Article 18 of the Organic Law for Digital and Audiovisual Transformation determines: "The Digital Security Framework constitutes the set of principles, models, policies, norms, processes, roles, technology, and minimum standards that allow preserving the confidentiality, integrity, and availability of information in the digital environment administered by entities of the Public Administration";

That, Article 19 ibidem states: "Management of the Digital Security Framework. - The State's Digital Security Framework must observe and comply with the following: (...) d. Institutional: Entities of the Public Administration must establish, maintain, and document an Information Security Management System";

That, Article 20 ibidem states: "The Digital Security Framework is articulated and sustained by the norms, processes, roles, responsibilities, and mechanisms regulated and implemented at the national level in the matter of Information Security. Information Security focuses on information, independently of its format and support. Digital security deals with information security measures processed, transmitted, stored, or contained in the digital environment, seeking to generate trust, managing risks that affect the security of people and economic and social prosperity in said environment";

That, through Agreement No. 004-CG-2023, of February 7, 2023, the Comptroller General of the State issued the "Internal Control Standards for entities, agencies of the public sector, and legal persons of private law that dispose of public resources";

That, Article 1 of Ministerial Agreement No. MINTEL-MINTEL-2024-0003, of February 8, 2024, establishes: "Issue the Government Information Security Scheme - EGSI (...) which is the mechanism to implement the Information Security Management System in the Public Sector";

That, Article 5 ibidem states: "It is the responsibility of the highest authority of each institution, in the implementation of the Government Information Security Scheme, to form the institutional information security structure, with personnel trained and experienced in information security management, as well as to assign the necessary resources";

That, letters a) and b) of numeral 1.1., of Article 1, of Annex C of the "Guide for the Implementation of Information Security Controls", among the recommendations for the implementation of information security policies, states:

"1.1. Information Security Policies (...) a) The highest authority will order the implementation of this Government Information Security Scheme (EGSI) in the institution; Central Public Administration institutions, which generate, use, process, share, and store information in electronic or written media, classified as public, confidential, reserved, and non-reserved, must apply the Government Information Security Scheme to define processes, procedures, and technologies in order to guarantee the confidentiality, integrity, and availability of that information, in the media and time that its legitimacy requires.

b) The highest authority of the institution must approve the Information Security Policy (high level) and any changes, prepared/coordinated by the security officer and reviewed by the information security committee, defining the necessary directive to manage information security (...)";

That, through Resolution No. JPRM-2025-007-G, of July 16, 2025, the former Monetary Policy and Regulation Board approved the "Codification of Governance Resolutions of the Monetary Policy and Regulation Board and the Central Bank of Ecuador";

That, it is necessary to reform Section 3 "Integrated Risk Management", of Chapter I "Governance of the Central Bank of Ecuador", of Title II "Governance Policies of the Central Bank of Ecuador" of the Codification of Governance Resolutions of the Monetary Policy and Regulation Board and the Central Bank of Ecuador, in order to establish the reference framework for the identification, evaluation, control, and monitoring of risks that may affect the achievement of strategic, operational, and financial objectives within the framework of the corporate governance of the Central Bank of Ecuador;

That, it is necessary to incorporate Section 4 "Information Security", of Chapter I "Governance of the Central Bank of Ecuador", of Title II "Governance Policies of the Central Bank of Ecuador" of the Codification of Governance Resolutions of the Monetary Policy and Regulation Board and the Central Bank of Ecuador, in order to establish the reference framework for the functioning of the Information Security Management System, protect the information assets of the Central Bank of Ecuador, and ensure compliance with international and national standards and applicable regulations;

That, the First Transitional Provision of the Organic Reform Law of the Monetary and Financial Code determines that the members of the Financial and Monetary Policy and Regulation Board, sworn in on September 16, 2025, by the National Assembly, will continue to exercise their functions for the periods they were designated and will maintain their labor continuity and acquired rights;

That, through Office No. T.233-SGJ-25-098, of September 5, 2025, signed by the Constitutional President of the Republic, addressed to the President of the National Assembly, the list of candidates for the designation of the Members of the Financial and Monetary Policy and Regulation Board was sent; as well as the temporality of their stay within the initial period;

That, the Plenary of the National Assembly, on September 16, 2025, designated and swore in the members of the Financial and Monetary Policy and Regulation Board, in the persons of: Gustavo Estuardo Camacho Dávila; Silvia Daniela Moya Arteta; Roberto Javier Basantes Romero; María Isabel Camacho Cárdenas; and, Jeniffer Nathaly Rubio Abril;

That, the Financial and Monetary Policy and Regulation Board, through ordinary session No. 006-2025, under mixed modality, on November 27, 2025, reviewed the proposal sent via Memorandum No. BCE-BCE-2025-0274-M, of November 21, 2025, by the General Manager of the Central Bank of Ecuador to the President of the Financial and Monetary Policy and Regulation Board; as well as, Technical Report No. BCE-GR-2025-077, of November 20, 2025, and Legal Report No. BCE-GJ-062-2025, of November 20, 2025; and,

In exercise of its functions and in attention to what is provided in Article 24 of the Monetary and Financial Code, Book I, the Financial and Monetary Policy and Regulation Board,

RESOLVES:

Article 1.- Replace Section 3 "Integrated Risk Management", of Chapter I "Governance of the Central Bank of Ecuador", of Title II "Governance Policies of the Central Bank of Ecuador" of the Codification of Governance Resolutions of the Monetary Policy and Regulation Board and the Central Bank of Ecuador, issued through Resolution No. JPRM-2025-007-M, of July 16, 2025, with the following text:

"SECTION 3 INTEGRATED RISK MANAGEMENT

SUBSECTION 1: GENERALITIES

Article 66.- Object: Establish the general framework for the management of the risks to which the Central Bank of Ecuador is exposed in its performance and in the fulfillment of its objectives to contribute to monetary and financial sustainability.

Article 67.- Scope of application: All administrative units, governing, substantive, and adjunct processes, servants, and workers of the Institution, regardless of the type of risk.

Article 68.- Definitions: For the purposes of the application of this resolution, the following definitions will be considered:

  1. Internal control: Integral process oriented to provide reasonable assurance in the fulfillment of institutional objectives, the efficiency and effectiveness of operations, the reliability of information, and the compliance with the applicable legal and regulatory framework.

  2. Effectiveness: Capacity of the Institution to achieve its objectives through proactive risk management.

  3. Efficiency: Capacity to manage risks with the least possible use of resources (time, money, effort, materials, personnel) in an optimal way, without waste or unnecessary efforts.

  4. Effectiveness: Capacity of the Institution to achieve proposed objectives using available resources optimally, combining effectiveness and efficiency.

  5. Exposure: Risk assumed by the Institution after considering mitigation actions and/or coverage implemented.

  6. Impact: Financial or non-financial effect that the materialization of a risk may have on the performance and fulfillment of the Institution's objectives.

  7. Risk Matrices: Data structures that summarize the position of inherent or residual risk presented in a model that incorporates the dimensions of the different types of risk analyzed. The matrices will contain information on the probability of occurrence of the different risks, as well as their potential impact on the financial health and continuity of operations of the Institution.

  8. Integral Risk Matrix: Constitutes the general consolidation of the matrices of the different types of risk analyzed in the Institution.

  9. International best practices: Correspond to international norms and principles for risk management, including, but not limited to, the following:

a. Basel Committee international principles.

b. ISO (International Organization for Standardization) principles, guidelines, and requirements for risk management, among others related.

c. COSO Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission.

  10. Risk Level: Magnitude or potential severity of a risk for the Institution, determined by the combination between the probability of occurrence of a negative event and the impact of this on the financial health and performance of the Central Bank of Ecuador. Risk levels will be low, medium, high, and very high:

a. Very High Risk: when the risk represents a probability of loss such that it can seriously affect business continuity and even lead to the consumption of the accounting equity value of the Central Bank of Ecuador and, therefore, requires immediate actions by the Integrated Risk Management Committee and the General Management;

b. High Risk: when the risk represents a probability of loss such that it can affect the normal functioning of certain processes of the Institution, and that requires the attention of the Integrated Risk Management Committee and the General Management;

c. Medium Risk: when the risk represents a moderate probability of loss, which affects certain processes of the Institution, and that requires the attention of the management and middle management; and,

d. Low Risk: when the risk represents a low probability of loss, which does not significantly affect the entity's processes, and which are administered with routine controls and procedures.

  11. Risk Profile of the Central Bank of Ecuador: Constitutes an integral presentation model of the different risks to which the Institution is exposed, based on a strategic methodology, considering its systemic role, its macroeconomic functions, and its operational environment. It will include relevant risk types, and risk appetite and tolerance.

  12. Preventive action plan: Is the structured set of planned measures implemented before a risk event occurs, in order to eliminate the root cause, reduce the probability, and/or strengthen existing controls.

  13. Corrective action plan: Is the set of planned actions to respond or remedy a risk that has materialized or an incident occurred, in order to correct the root cause, mitigate effects, restore normal functioning, and avoid recurrence of the event.

  14. Key Projects: Projects that are strategic in character, or whose representativeness regarding the budget or level of impact on the performance of other areas is relevant, characterized by their high incidence in value creation and institutional sustainability.

a. Mission projects: Are fundamental projects directly related to the raison d'être of the Central Bank of Ecuador, that is, with the fulfillment of the mission, vision, and institutional objectives in accordance with the functions provided in the Constitution and the Law.

b. Non-mission projects: Are projects that enable internal functioning, operational efficiency, and support for mission projects.

  15. Risk: Is the possibility that an event or condition occurs that negatively impacts the achievement of the Institution's objectives or its good performance.

a. Inherent or gross risk: Risk level that exists naturally in the activities and processes performed by the Institution, before applying any control or mitigation measure.

b. Residual or net risk: Risk level that remains after applying controls and mitigation measures. It represents the residual risk exposure that the Institution accepts, monitors, and manages continuously.

  16. Types of risks: For the purposes of this norm, the following types of risks will be analyzed:

a. Financial risk: Is the possibility that an event or condition occurs that negatively impacts the balance sheet and results of the Central Bank of Ecuador. It comprises market risk, liquidity risk, counterparty risk, and structural balance risk.

b. Operational risk: Is the possibility that an event or condition occurs derived from failures or deficiencies in processes, people, internal systems, information technology, or by external events. Operational risk includes legal risk. Within operational risk management, business continuity is an essential component, and refers to the Institution's capacity to maintain its critical operations in the face of significant interruptions, ensuring the provision of essential services, asset protection, and financial system confidence.

c. Money laundering and financing of other crimes risk: Is the possibility of loss or damage that the Central Bank of Ecuador may suffer due to its exposure to being used directly or through its operations as an instrument for money laundering and/or channeling resources towards the commission of other crimes, or when the concealment of assets derived from said activities is sought. It includes bribery and corruption risk.

d. Information security risk: Is the possibility that events or conditions occur that may compromise the confidentiality, integrity, and availability of the Central Bank of Ecuador's information, regardless of the format in which it is found (digital, physical, verbal, etc.). These risks can arise from internal or external threats, intentional or unintentional actions, and failures in security processes or controls.

e. Strategic risk: Corresponds to the possibility of negatively affecting the level of credibility, reputation, or even the financial nature of the Institution, caused by inadequate decision-making. The lack of decisions or their slowdown are also causes of strategic risk as they could distance the Institution from the need to adapt or react adequately to changes in the environment.

f. Reputational risk: Is the probable negative effect or possible deterioration of the image, credibility, or trust in the Central Bank of Ecuador caused by the poor management of other risks.

  17. Risk tolerance: Specific level of acceptable variation regarding the fulfillment of the strategic and operational objectives of the Central Bank of Ecuador, which it is willing to assume in the exercise of its functions. Tolerance is established differently for each risk category and is expressed through quantitative and/or qualitative parameters.

SUBSECTION 2: POLICIES FOR INTEGRATED RISK MANAGEMENT

Article 69.- Principles: The servants of the Central Bank of Ecuador in the execution of their functions and for the fulfillment of the objectives and institutional mission will be permanently guided by the following policies:

  1. Leadership, commitment, and development of risk management culture: The Institution's authorities will show their permanent commitment to a risk-based management by ensuring that risk administration is integrated into the strategy, processes, culture, and structure of the Central Bank of Ecuador. Servants will permanently act considering the consequences of their decisions and their actions or omissions on certain tasks or processes. They will adopt preventive thinking by coordinating with Risk Management and consulting authorities at the corresponding hierarchical level with the purpose of warning of possible consequences, weaknesses, or opportunities to evaluate, treat, monitor, and communicate any risk that the Institution might face.

  2. Three lines approach: The risk management of the Central Bank of Ecuador will be carried out considering an integral and coordinated work approach to protect the Institution from different types of risks. This approach will allow prioritizing treatment and mitigation actions, allocating resources efficiently, and supporting strategic decisions throughout the Institution.

The defense approach considers three lines:

a. First line: Operational and administrative management: the units where the Institution's activities and processes are carried out daily, directly responsible for evaluating, treating, monitoring, and communicating risks in their daily activities. They must implement internal controls in their processes.

b. Second line: Administrative units responsible for assisting first-line functions in integrated risk management. These functions are framed in methodological advice, supervision, and risk control. Part of this second line are Risk Management; Monetary and Financial Stability Management; and, Internal Management of Financial Market Analysis of Investment Management.

c. Third line: Internal Audit Function, which provides independent and objective assurance and consulting activity designed to add value and improve the Institution's operations. It helps the Institution accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."