Supervision of Branches Abroad and Compliance at Banking Corporations

Bank of Israel Banking Supervision Department Policy and Regulation Division December 23, 2019 Circular no. C-06-2598 Attn: Banking corporations and credit card companies Re: Supervision of Branches Abroad and Compliance and the Compliance Function at a Banking Corporation (Proper Conduct of Banking Business Directives no. 306 and 308) Introduction

1. The Banking Supervision Department works to strengthen the banking corporations’ supervision over their branches abroad and activity related to abroad. Within this framework, the updates noted below are being integrated into Proper Conduct of Banking Business Directives no. 306 and no. 308.

2. After consultation with the Advisory Committee on Banking Business Affairs, and with the consent of the Governor, we have found it proper to update the abovementioned directives. Main Points of the Update to Directive 306

3. Supervision (Section 6(b)) The existing wording of Section 6(b) shall be replaced with: “The Board of Directors shall verify that for each overseas branch, external audits of focal points of risk at the overseas branch, including the audit and control environment of the focal point of risk and the quality of the audit and control functions’ work, are performed, which shall cover the following:

4. The audits are carried out at a frequency commensurate with the activity and risk level of the branch, and are based on the updated and supported delineation and assessment of the focal points of risk at the branch. However, the focal points of high risk at the branch shall be covered least once every 3 years.

5. Said audits shall be undertaken by external examiners who are experts (in local legislation and regulation) and are independent, at an appropriate professional standard and on an appropriate scale, as the management of the banking corporation shall determine.

6. Said audits shall examine if the activity and risk management and the work of the audit and control functions comply with the standards required by the legislation and regulation in the relevant country and with the best standards that the parent company has established for the banking group.

7. The audits shall also include a sample check of individual files.

8. The audit reports shall be presented for discussion by the Board of Directors of the overseas branch and for discussion at the banking corporation in accordance with the guidelines in Section 36(a) of Directive no. 301 regarding an “external audit report”.

9. It is hereby explained for clarity that, except in reference to the provisions of Section 12(d) below, a banking corporation may undertake the external audits in conjunction with the internal audit function. In addition, the frequency of the internal audit examination shall be in accordance with the provisions of Directive 307, and see 12(d) below as well.” Explanation After the publication of Proper Conduct of Banking Business Directive no. 306, questions arose regarding the essence of the external audit required by the Directive. According to the revised Section 6(b), the external audits are to cover the focal points of risk at the branch, including the audit and control environments of the focal points of risk, at an appropriate frequency as noted in the section. The audits are to include sampling checks of particular portfolios and not just examine policy and procedures.

10. Compliance and management of AML/CFT (Section 11(d)) The end clause of section 11(d) shall be deleted and replaced by a reference to Section 23(a) in Proper Conduct of Banking Business Directive no. 308. Explanation The requirement for there to be a mechanism to examine changes in the compliance directives and in the enforcement policy outside of Israel was added in Section 23(a) of Proper Conduct of Banking Business Directive no. 308. Therefore, the requirement in Proper Conduct of Banking Business Directive no. 306 refers to that directive, with an emphasis on the activity at branches. Main Points of the Update to Directive 308

11. Definitions (Section 9) The definition of “Branches” shall be added, referring to the definition of branches in Proper Conduct of Banking Business Directive no. 301.

12. The function’s roles (Section 23(a)) In the end clause of Section 23(a), the following paragraph is to be added: “Within this framework, to examine significant changes abroad in the compliance directives and enforcement policy that apply to the banking corporation and its branches, including on customers’ activity. The identification and assessment processes that are at the basis of the update are also to include lessons from significant compliance events that are to be anchored in the banking corporation’s procedures or through another way of documentation that will ensure their integration into the process.” Explanation There was a clarification of the requirement that as part of the update regarding development in the compliance area, significant changes abroad should also be examined. In parallel, it was clarified in the FAQ file for this directive that an entity that does not belong to the business line

may be appointed as the function responsible for the update on developments in the compliance directives. 7. Work plan of the compliance function (Section 26(e)) In the end clause of Section 26(e) the following sentence is to be added: “Including information as noted in Section 23(a) above and its possible ramifications.” Explanation It was clarified that the compliance function’s work plan shall be based as well on revisions in the compliance directives and enforcement policy outside of Israel and their possible ramifications. Effective date 8. A banking corporation is to complete its preparation in accordance with this Circular by November 1, 2020. Update of file 9. Update pages for the Proper Conduct of Banking Business Directive file are attached. Following are the provisions of the update: Remove page Insert page (4/18) [1] 306-1-10 (12/19) [2] 306-1-10 (6/15) [2] 308-1-14 (12/19) [3] 308-1-14 Respectfully, Dr. Hedva Ber Supervisor of Banks