2002-12-20

Circular 34/2002 (BA) - Minimum requirements for the credit business of credit institutions

The German Federal Financial Supervisory Authority (BaFin) issued Circular 34/2002 to establish minimum requirements for credit institutions to limit risks arising from credit business. The circular mandates that management define a credit risk strategy, ensure proper organizational guidelines, and maintain clear separation of functions between front and back offices. It further prescribes standards for loan processing, risk classification, early detection of risks, and the handling of problem loans to ensure robust internal control systems.


Germany

Deutsche Bundesbank


Bundesanstalt für Finanzdienstleistungsaufsicht (duplicate)

Translation

Circular 34/2002 (BA)

To all credit institutions in the Federal Republic of Germany

Minimum requirements for the credit business of credit institutions

Official seat: 53117 Bonn, Graurheindorfer Straße 108; 53003 Bonn; Postfach 13 08; 60439 Frankfurt am Main, Lurgiallee 12; 60391 Frankfurt am Main; Postfach 50 01 54
Street address: 53117 Bonn, Graurheindorfer Str. 108
Telephone: 0228 4108-0 (or 4108-0)
Fax: 0228 4108-1550
E-mail: poststelle@bafin.de
Internet: www.bafin.de
IVBB: 01888 436-0
Date: 20 December 2002
Reference: I 4 - 44 - 5/2001 (please quote in replies)
Postal address: BaFin, Graurheindorfer Str. 108, 53117 Bonn

Table of contents

1 Preliminary remarks
2 Scope of application
3 General requirements
  3.1 Responsibility of management
  3.2 Credit risk strategy
  3.3 Organisational guidelines
  3.4 Staff qualifications
  3.5 Credit business in new types of products or on new markets
  3.6 Requirements for documentation
4 Organisation of credit business
  4.1 Separation of functions
  4.2 Voting
  4.3 Requirements for the various credit processes
    4.3.1 Granting loans
    4.3.2 Further processing of loans
    4.3.3 Monitoring of loan processing
    4.3.4 Intensified handling
    4.3.5 Treatment of problem loans
    4.3.6 Risk provisioning
5 Risk classification procedures
6 Identifying, managing and monitoring risks in credit business
  6.1 General requirements for the risk procedures
  6.2 Procedure for the early detection of risks
  6.3 Risk limitation in credit business
  6.4 Reporting procedure
  6.5 Legal and operational risks
7 Outsourcing
8 Audits
  8.1 Internal audits
  8.2 External auditors

1 Preliminary remarks

1 This circular introduces minimum requirements which all credit institutions are required to observe in order to limit the risk arising from credit business, taking due account of the specific nature and scope of business. Particular demands are placed on the lending decision because of its outstanding importance. This circular also defines standards for banking practice in the following areas: loan processing, the monitoring of loan processing, intensified handling, the processing of problem loans and risk provisioning. It also prescribes a framework for devising the procedures for identifying, managing and monitoring risks arising from credit business. To that extent, it imposes standards on the internal control system, which encompasses all types of monitoring measures which are directly or indirectly integrated into the operations to be monitored.

2 This circular takes due account of the heterogeneous structure of institutions and the diversity which characterises credit business. It contains various escape clauses which enable simplified and risk-adjusted implementation depending on the size of the credit institution, the core business and the riskiness of credit business. It can therefore be implemented flexibly by, above all, smaller credit institutions. This circular is open to the ongoing development of processes, systems and procedures applied in credit business provided such development is consistent with the objectives of the circular.

3 As the new capital rules are looming on the horizon, the requirements in this circular have been formulated neutrally so that they can be implemented whatever method of calculating capital is used.

4 This circular is based, in particular, on section 25a (1) of the Banking Act (BA), which states that every credit institution needs to have in place a proper business organisation, an appropriate internal control system and suitable arrangements for managing, controlling and monitoring risks.

2 Scope of application

5 The rules in this circular are to be observed by all credit institutions within the meaning of section 1 (1) BA and section 53 (1) BA; they also apply to branches of German credit institutions located abroad. They do not apply to branches of enterprises domiciled in another country of the European Economic Area pursuant to section 53b BA. If a credit institution is the superordinated institution of a group pursuant to section 10a (2) BA, it has to establish a credit risk management and credit risk monitoring system which covers the group as a whole.

6 The scope of application of this circular essentially covers all exposures within the meaning of section 19 (1) BA (asset items and off-balance-sheet transactions entailing a counterparty risk) and transactions with country risk. The requirements of this circular apply only by analogy to trading activities, in accordance with my announcement on the “Minimum requirements for the trading activities of credit institutions” issued on 23 October 1995, as well as to participating interests. For trading activities and participating interests, therefore, the implementation of individual requirements set forth in this circular may be waived provided that their implementation is not appropriate in view of the specific features of these types of business (eg the requirement in item 50 to monitor the purpose of the loan).

7 Credit decisions within the meaning of this circular comprise all decisions, irrespective of whether they are issued only by the institution itself or together with other institutions (syndicated lending), on new loans, overdrafts, loan increases, extensions and changes in risk-relevant circumstances on which the lending decision was based (eg collateral, loan purpose), on setting borrower-related limits and also on participating interests. This also includes the definition of counterparty limits which are to be set, in accordance with subsection 3.2.1 of my announcement on the “Minimum requirements for the trading activities of credit institutions”, by a unit independent of the trading desk, as well as the setting of issuer limits.

3 General requirements

3.1 Responsibility of management

8 All managers (section 1 (2) BA) – irrespective of the internal allocation of responsibility – are responsible for ensuring the proper organisation of credit business (and for the ongoing development of such organisation) as well as for the proper management and monitoring of the risks arising from credit business. They are only capable of meeting this responsibility if they can assess risks and take the necessary measures to limit them.

3.2 Credit risk strategy

9 Management has to define a credit business strategy (credit risk strategy) based on an analysis of the initial business situation and an assessment of the risks associated with the credit business, taking into account the amount of risk the credit institution can bear. This strategy must define the planned credit business activities for a suitable planning period. This responsibility cannot be delegated. The management is required to ensure the implementation of the credit risk strategy.

10 Management has to review and, as appropriate, adapt the credit risk strategy annually; the strategy has to be notified to the credit institution's supervisory board annually.

11 The strategy has to include the planned trend in overall credit business, taking into account the nature and scope of business. This includes planning according to sectors, geographical dispersion (regions, countries et al), types of lending and the distribution of exposures within the risk classification procedure and the distribution according to size category. Adequate attention must be paid to limiting the cumulative concentration of exposures.

12 When defining the strategy, account must also be taken of the staffing level necessary to implement it and the technical and organisational facilities. The remuneration and incentive structure must not contradict the aims set out in the credit risk strategy.

13 The definition of the strategy and changes to it must be documented logically and communicated within the credit institution. The strategy should be integrated into a comprehensive bank management strategy.

3.3 Organisational guidelines

14 Management is required to ensure that credit business is only conducted under framework conditions that are to be specifically defined in organisational guidelines (eg in lending manuals).

15 The organisational guidelines must be set down in writing and communicated to the staff members concerned in a suitable manner. It is to be ensured that the latest version of these guidelines is available to these staff members. As a general rule the guidelines are to be reviewed annually and updated as appropriate.

16 Taking into account the scope, complexity and riskiness of the credit business, the organisational guidelines must contain the following, in particular:

(a) clear rules governing the assigning of tasks, the assignment of competencies and monitoring,
(b) general guidelines governing the granting of the loan, the further processing of the loan, the monitoring of loan processing, intensified handling and the processing of problem loans,
(c) the procedure for the timely valuation of the exposures, also in respect of any risk provisioning measures that might be necessary (value adjustments, write-downs, provisions),
(d) the risk classification procedure for assessing counterparty risk and object/project risk (rating method, scoring method, etc) as well as the method of assessing sector risk and, where appropriate, country risk,
(e) the procedures for the early identification, management and monitoring of risks arising from credit business,
(f) the reporting system,
(g) the procedure to ensure the timely submission of documentation necessary to assess counterparty risk,
(h) the procedure to handle overdrafts and the dunning procedure,
(i) the procedure for valuing, monitoring, administering and realising credit collateral,
(j) IT processes,
(k) clear rules determining which types of credit business, taking the escape clauses mentioned in this circular into account, might be eligible for the application of simplified rules.

3.4 Staff qualifications

17 Staff members entrusted with the various processes of credit business, and their deputies, have to have the requisite knowledge for assessing the risks of such business. Suitable training is necessary to ensure that the staff members’ qualifications are state of the art.

3.5 Credit business in new types of products or on new markets

18 Prior to taking up business in new products, types of business or on new markets (including new distribution channels) a strategy needs to be developed and set down in writing. The strategy must be based on the outcome of the analysis of the riskiness of this new business and the resultant impact on the management and monitoring of these risks. Depending on the complexity, a test stage may also serve as the basis of this strategy. The strategy has to include all key consequences relating to staffing, organisation, IT, accounting and tax law, as well as other legal consequences of major importance. All units which will be involved in the operations at a later stage have to be involved in the drafting of this strategy; the internal audit function also has to be involved in line with its duties.

19 Prior to the taking-up of business activities in new types of products or on new markets, the strategy and, as appropriate, the test stage, need to be approved by the managers responsible for the front office and back office and for the credit risk controlling tasks (see item 25 f). Approval of the strategy can be delegated provided that clear guidelines have been set by management and that management is informed of the decisions. The requirements of this section are not to be implemented in the case of products composed of standard components, the modification of products or the extension of existing products to cover new markets, providing that a relevant increase in risk can be ruled out. They do not apply to trading activities subject to the requirements set forth in section 2.3 of my announcement on the “Minimum requirements for the trading activities of credit institutions”.

3.6 Requirements for documentation

20 All credit institutions are required to use standardised credit documents where this is possible and appropriate with respect to each type of credit business; the design of the credit forms depends on the nature, scope, complexity and riskiness of the business.

21 All documentation necessary for the initial and ongoing assessment of transactions has to be written and stored systematically and in a way that is easily verifiable by expert third parties pursuant to section 25a (1) number 3 BA. It must be ensured that files are up to date and complete.

22 Collateral, evidence of collateral and certificates are to be maintained such that they are protected against misuse and destruction.

23 All key actions and decisions necessary for the implementation of the requirements in section 4 have to be documented systematically and verifiably.

4 Organisation of credit business

24 The following chapters set forth certain requirements regarding the structure and organisation of operations which should be observed when taking a decision on extending and further processing a loan. The simplified implementation of the requirements in section 4 is possible where the risk arising from the transactions is low.

4.1 Separation of functions

25 The key principle for organising the processes in credit business is the clear separation of the following functions:

  • the units which initiate transactions and have a vote in the lending decisions (front office), and

  • those units having an additional vote on lending decisions which is independent of the front office (back office).

26 Portfolio risks are to be monitored, and reports filed, independently by a unit not affiliated with the front office (credit risk controlling tasks).

27 The front office and the back office are to be segregated in the structural organisation up to and including management level. The separation of both functions is to be observed at deputy level, too.

28 The review of certain collateral – to be determined by management under risk aspects – is to be conducted separately from the front office. This also applies to the decision regarding risk provisioning for significant exposures. The classification of all other processes or sub-processes listed in section 4.3 is at the credit institutions' discretion (such as loan processing or elements of loan processing), unless this circular contains any stipulations to the contrary.

29 In the case of computer-assisted loan processing, the separation of functions is to be ensured through corresponding procedures and precautions.

30 In the case of trading activities within the meaning of my announcement on "Minimum requirements for the trading activities of credit institutions" the vote of the front office may be exercised by the traders within the context of setting counterparty limits. However, it must be ensured in this case, too, that counterparty risk is properly reviewed. That is also the case for setting issuer limits for trading activities (item 81).

4.2 Voting

31 Depending on the nature, scale, complexity and riskiness of the exposures, a lending decision requires two votes of assent by the front office and back office. This is without prejudice to any further-reaching decision-making rules (contained in, eg, the Banking Act, by-laws). Where these decisions have been taken by a committee, the majority structure within that committee must be defined in such a way that the back office cannot be outvoted.

32 Notwithstanding this, each manager may, within the limits of his individual credit decision-making authority, take lending decisions independently and also maintain customer contact; this does not affect the organisational separation between the front office and the back office. In addition, two votes of assent are necessary where risk aspects render this necessary. Should these decisions be different from the votes or if they are taken by a manager not responsible for the front office, they need to be shown separately in the risk report (item 85 (i)).

33 For lending decisions relating to certain types of business or for lending transactions below certain thresholds which are to be defined under risk aspects, management may decide that only one vote is necessary. The simplified application is also possible in cases where lending transactions have been initiated by third parties (eg sales staff at building and loan corporations, house banks in promotional business or – with respect to the members of the syndicate – by the lead manager in syndicated loans). These thresholds need to be specified in the organisational guidelines. To that extent the organisational separation between front office and back office is only relevant to credit transactions where the risk involved makes two votes necessary. Where a second vote is not necessary, the proper implementation of the requirements of section 4.3 must be ensured.

34 If the votes are split, clear decision-making rules must be defined in the decision-making hierarchy. In such cases the loan is to be rejected or sent up to the next higher level for decision (escalation procedure).

35 The organisational guidelines must contain defined criteria (eg risk classification, amount and terms of the exposure to be approved) for assigning the decision on an exposure to a certain decision-making level.

4.3 Requirements for the various credit processes

36 The loan processing processes (the granting and further processing of the loan), the monitoring of loan processing, intensified handling, the processing of problem loans, risk provisioning and the related tasks, competencies and responsibilities need to be clearly defined and coordinated. Responsibility for their development and quality must lie outside the front office. That applies also to the definition and the regular review of the criteria which govern the reclassification of exposures as requiring intensified handling or problem loan processing.

37 The organisational guidelines need to include (loan) processing principles which are differentiated by type of loan (eg consumer loans, investment financing, property development financing, object/project finance, participating interests) and also for the setting of limits.

38 All aspects which play a significant role in the default risk of a credit exposure need to be studied and evaluated, the intensity of these activities being dependent on the riskiness of the exposures. Recourse may also be taken to external sources when assessing counterparty risk. Critical issues concerning an exposure are to be highlighted and, where applicable, considered under various scenarios. The documentation on which the assessment is based needs to be reviewed by the staff responsible for the assessment. These staff members have to comment on the individual circumstances in the credit documentation independently of one another.

39 Country risks need to be assessed particularly, but not exclusively, on the basis of suitable quantitative and qualitative analyses. Here, too, external sources may be cited.

40 In the case of object/project finance, the credit processing procedure should ensure that not only the economic aspects (eg project analysis, financing structure/capital ratio, collateral strategy, ex ante and ex post calculations) but also, and in particular, the technical feasibility and development (eg via inspections and monitoring stages of construction) and the legal risks associated with the object/project are assessed. Recourse may also be taken to the expertise of experts not affiliated with the borrower. Wherever external sources are consulted for these purposes, their suitability must be assessed (eg qualifications, references, reputation, experience, locational knowledge).

41 Depending on the riskiness of the loans, the risks of an exposure are to be evaluated with the help of a risk classification procedure, either as part of the lending decision or in the case of regular or ad hoc assessments. The risk classification is to be reviewed annually.

42 There should be a verifiable and comprehensible link between the classification in the risk classification procedure and the terms and conditions of the loan.

43 Where acceptable in terms of the risk, the requirements in section 4 may be implemented in simplified fashion for overdrafts and extensions on the basis of clear rules issued by management.

44 A procedure is to be established which monitors the timely submission of the necessary lending documentation and ensures timely evaluation. A relevant dunning procedure is to be instituted whenever documents have not yet been submitted.

4.3.1 Granting loans

45 The process of granting loans encompasses all steps of required operations up to the provision of the loan, the fulfilment of the contract or the establishment of a line of credit. All major factors for assessing the risk are to be analysed and assessed, taking particular account of the debt-servicing ability of the borrower or the object/project, with the intensity of the assessment depending on the riskiness of the exposure (eg creditworthiness assessment, risk classification or an assessment based on a simplified procedure).

46 Rejected applications for loans should be documented in a suitable manner (eg by including a warning flag in the computer system).

47 The value of collateral is generally to be assessed prior to granting any loan. Pre-existing collateral values may be used if there are no indications of changes in value.

48 If the value of the collateral is dependent to a high degree on the financial situation of a third party (eg guarantee), the counterparty risk of the third party is to be adequately reviewed.

49 The types of collateral accepted by the bank and the method of calculating the value of each type of collateral are to be clearly set out in the organisational directives.

4.3.2 Further processing of loans

50 The further processing of loans is intended to monitor whether the borrower is meeting the terms of the contract. In the case of special-purpose loans, the institution must monitor whether the funds made available are being used as agreed (monitoring the loan purpose).

51 Counterparty risk is to be assessed annually, with the intensity of ongoing assessments depending on the riskiness of the exposure (eg creditworthiness assessment, risk classification or assessment based on a simplified procedure).

52 From a certain threshold limit to be set by the credit institution in accordance with the risk involved, the value of collateral is to be checked at suitable intervals during the further processing of loans depending on the type of collateral. The schedule for reviewing each of the individual types of collateral is to be defined in the organisational guidelines.

53 Ad hoc reviews of credit exposures, including collateral, must be conducted immediately at the very least whenever the credit institution obtains knowledge from internal or external sources which would indicate a negative change in the risk assessment of the exposures or the collateral. Such information is to be forwarded to all responsible parties immediately.

4.3.3 Monitoring of loan processing

54 For loan processing, process-dependent controls are to be established to ensure compliance with the organisational guidelines. Controls may also be conducted via the usual “four-eyes” principle.

55 What particularly needs to be monitored is whether the loan agreement was drawn up in accordance with the defined assignment of competencies and whether the preconditions or requirements of the loan agreement were met prior to the granting of the loan.

4.3.4 Intensified handling

56 The organisational guidelines must define criteria to determine when an exposure requires special observation (intensified handling).

57 Exposures under intensified handling must be reviewed according to a schedule to be defined in the organisational guidelines to determine what further treatment they require (further intensified handling, return to normal handling, transfer to winding up or restructuring).

4.3.5 Treatment of problem loans

58 Criteria governing the transfer of an exposure to the staff or sections specialising in restructuring and winding up, and the involvement of these people or sections, need to be included in the organisational guidelines. Responsibility for the restructuring or winding-up process and the monitoring thereof must not be exercised by the front office.

59 Once the criteria have been met, the capability or wisdom of a restructuring on the part of the borrower is to be examined.

60 If the credit institution decides to conduct or accompany a restructuring, the parties involved in the restructuring have to develop and implement a restructuring strategy. The implementation of the restructuring strategy and the effects of the measures are to be monitored by the credit institution.

61 The responsible managers have to be informed regularly on the status of the restructuring at least in the case of significant exposures. If necessary, recourse can be taken in a restructuring process to external specialists with requisite knowledge.

62 If an exposure is to be wound up, a winding-up strategy needs to be developed. In the process of realising the collateral, staff (or, as appropriate, external specialists) with the relevant expert knowledge are to be involved.

63 If there are signs that the restructuring and winding up of significant exposures, or noticeable accumulations of problem loans in relatively low-risk transactions (eg in standard retail banking business) is attributable to deficiencies in the organisation or the handling of credit business, among other things, the respective causes need to be analysed. Conclusions should then be drawn regarding the organisation of credit business.

4.3.6 Risk provisioning

64 The organisational guidelines should include criteria on the basis of which, taking due account of the accounting standards in use, value adjustments, write-downs and loan loss provisions (including country risk provisioning) are to be formed (eg an internal valuation procedure for loans and advances).

65 The necessary risk provisioning is to be calculated in a timely and ongoing manner.

66 A considerable need for risk provisioning must be notified to management immediately; internal criteria for this need to be defined.

5 Risk classification procedures

67 At every credit institution, meaningful risk classification procedures for the initial, regular or ad hoc assessment of counterparty risk and, as appropriate, object/project risk must be established. The establishment of the procedures, as well as major changes to them, are to be decided by management. The organisational guidelines need to contain criteria which ensure that risks are logically assigned to a risk class for the purpose of their assessment.

68 It must also be ensured that sectoral risk and, as appropriate, country risk, can be assessed adequately.

69 Responsibility for the development, quality and monitoring of the use of risk classification procedures must not lie with the front office.

70 Key indicators for determining counterparty risk in the risk classification procedure must include not only quantitative criteria but, wherever possible, qualitative criteria. In particular, account must be taken of the borrower’s ability to generate future profits in order to repay the loan.

71 The classification procedures are to be incorporated into credit processing, the assignment of competencies, risk provisioning and the intensity of customer care. The organisational guidelines shall define how this is to be done.

6 Identifying, managing and monitoring risks in credit business

72 In accordance with the nature, scope, complexity and riskiness of business, procedures

  • for the early identification of potential risk in credit business (procedure for early risk detection)

  • for managing this risk (credit risk management) and

  • for monitoring risks from credit business (credit risk controlling)

are to be developed.

73 The procedures should be embedded in a comprehensive bank management strategy. Interdependencies between different types of risk (market risk, liquidity risk, operational risk etc) should be addressed by the procedures.

6.1 General requirements for the risk procedures

74 The procedures must guarantee that all key risks in credit business (including those at group level) are detected at an early stage, captured completely and presented and monitored adequately. They also have to ensure the ongoing monitoring of risks at portfolio level; in particular, they have to ensure that risk is balanced and compatible with the credit risk strategy. Risk-relevant information is to be forwarded immediately to the decision-makers defined in the assignment of competencies so that suitable countermeasures can be initiated at an early stage. The collection of relevant information should be a routine and standardised process. The procedures are, moreover, to be adapted to changing conditions at short notice. Also, damage caused by insufficient processing of exposures should be made suitably transparent.

75 The procedures are to be documented adequately and logically.

6.2 Procedure for the early detection of risks

76 The procedure for the early detection of risks is intended mainly to identify, in a timely manner, borrowers whose loans are beginning to show signs of increased risk. The idea is to enable the credit institution to initiate countermeasures at the earliest possible stage (eg the intensified handling of exposures). For these purposes the credit institution has to develop indicators for the early identification of risks based on quantitative and qualitative risk features. The function of early detection of risks may also be performed by a risk classification procedure that contains suitable early warning indicators. Management is permitted to exempt certain types of credit business to be defined under risk aspects or lending transactions below certain amounts from the application of the procedure for the early detection of risks.

6.3 Risk limitation in credit business

77 Management must take suitable measures to ensure that risks in credit business can be limited.

78 No lending transaction may be performed without a borrower-related limit (borrower limits, borrower unit limits), ie without a lending decision.

79 All transactions must be counted towards the borrower-related limits immediately. The compliance with borrower-related limits must be monitored at adequate intervals depending on the riskiness of the credit business.

80 The credit institution must establish a procedure for dealing with overdrafts which conforms to the assignment of competencies. Overdrafts and measures taken because of them must be documented.

81 If no limits exist for issuers in the trading unit, issuer limits may be defined at short notice for trading purposes based on clear rules issued by management, so as to avoid the need to perform the full loan processing procedure defined in the relevant organisational guidelines according to risk aspects. The relevant loan processing procedure must be performed after three months at the latest.

82 In addition, suitable measures are necessary to ensure that overall business risks (sectoral risk, distribution of exposures by size category and risk category, and, where appropriate, country risk and the accumulation of other concentrated exposures) can be managed and monitored.

83 The measures to reduce borrower-related and overall business risk need to be structured in accordance with the credit institution’s ability to bear risk. The link between the measures and the ability to bear risk must be examined at suitable intervals (at least once a year) by management against the background of the chosen credit risk strategy.

6.4 Reporting procedure

84 A unit which is independent of the front office must – depending on the risk situation in credit business – write a report at regular intervals, at least quarterly, containing the important structural features of credit business, and submit it to management. Management must then forward a report to the supervisory board. The risk report is to be written clearly, concisely and logically and must contain both a description and an assessment of the risk situation. Management must clearly certify that it has read the contents of the report. Appropriate measures introduced on the basis of this report must be documented clearly and logically.

85 Taking due account of the scale, complexity and riskiness of the credit business, as well as the size of the credit institution and its focal points of business, the risk report must comprise the following overall business and borrower-related information:
(a) the development of the credit portfolio according to key structural features, particularly sectors, countries, risk categories and size categories, and collateral categories (where appropriate),
(b) the level of limits issued and external lines, including their utilisation; moreover, large exposures and other noteworthy exposures must be listed and commented on,
(c) where appropriate, a separate analysis of the country risk,
(d) the maturity structure of the credit institution’s credit portfolio,
(e) significant overdrafts (including a justification) since the last report,

(f) the scale and development of new business and credit business in new products or on new markets since the last report,
(g) the development of risk provisioning, taking into account the credit institution’s ability to bear risk,
(h) important lending decisions taken since the last report which are at odds with the credit risk strategy, and
(i) credit decisions taken by managers acting within their individual lending decision-making powers which are at odds with the votes or were taken by a manager not responsible for the front office.

Suggested action, eg to reduce risk, must also be included in the risk report. Where there are no relevant changes to information already disseminated in previous reports, the current report may refer to the earlier information.

86 Major events (eg regarding developments in problem loans or significant overdrafts of loans classified as risky) are to be reported to management and the decision-makers in question immediately (ad hoc reporting). The report is to be documented.

6.5 Legal and operational risks

87 Contractual agreements in credit business must be calculated on the basis of legally validated and correctly documented paperwork. The legal risks must be disclosed to those responsible for overseeing the transactions.

88 Legally validated standard texts are to be used for each loan agreement and have to be updated constantly. Where a deviation from the standard texts is necessary for a given exposure – such as in the case of customised agreements – an examination must be conducted prior to signing the agreement by an independent, expert body.

89 The efficacy of the technical and organisational equipment – particularly the IT systems – must be adequate for the nature and scope of the credit business activities. Suitable measures are to be taken to ensure the functional ability of the databases and to maintain the quality of the data contained in these databases.
90 A written contingency plan is needed to ensure that if the technical facilities necessary for credit business fail, backup solutions are available and can be installed in a timely manner. Moreover, provisions must be made for potential errors in the software being used and for unforeseen staffing shortages.

91 The IT systems used in credit business, IT technical procedures and contingency plans must be reviewed regularly and adapted where required.

7 Outsourcing

92 The partial or complete outsourcing of activities or functions concerning credit business is permitted only in accordance with the principles set forth in section 25a (2) of the Banking Act and provided the requirements in my circular 11/2001 (Outsourcing of areas to another enterprise pursuant to section 25 (2) of the Banking Act) are complied with. In addition, it must be ensured that the requirements of this circular are complied with. In particular, compliance with the requirements concerning the separation of functions and voting as well as the limitation and monitoring of risks must be ensured.

8 Audits

8.1 Internal audits

93 Credit business must be audited at suitable intervals by the internal audit unit. This includes the auditing of compliance with the “Minimum requirements for the credit business of credit institutions”. With due regard for the principles of risk-oriented auditing, system audits (organisation of operations, risk management and risk controlling, internal control system) are also to be conducted.

94 For all other cases, the rules set forth in my circular 1/2000 (Minimum requirements for the design of credit institutions’ internal audit function) must be met.

8.2 External auditors

95 The external auditor needs to obtain a comprehensive insight into credit business and its organisation, the risks they entail and the internal control systems and procedures and to assess the adequacy and efficacy of the processes and procedures. In this connection the external auditor, without prejudice to sections 27 to 43 of the Auditor’s Report Regulation (Prüfberichtsverordnung) or to subsection 2 of part 3 of the Auditor’s Report Regulation, must also indicate in the audit report whether the credit business of the credit institution being audited complies with the minimum requirements formulated here. The report must also indicate the areas where the credit institution has claimed an exemption and whether this exemption is justified in the light of these minimum requirements.

pp Dohr

This circular has been transmitted electronically and is therefore not signed.