2026-05-28

Agreement No. 1-2026 Establishing General Guidelines for Integrated Risk Management

The Superintendence of the Securities Market of Panama issued Agreement No. 1-2026 to establish general guidelines for Integrated Risk Management (GIR) for licensed entities. The regulation mandates the implementation of a robust risk framework, including a three-lines-of-defense model, specific risk appetite definitions, and standardized procedures for identifying, measuring, and mitigating financial, operational, and strategic risks. It aims to harmonize Panamanian market regulations with international best practices to ensure market stability, transparency, and investor protection.

Superintendencia del Mercado de Valores Panama

REPUBLIC OF PANAMA
SUPERINTENDENCE OF THE SECURITIES MARKET

Agreement No. 1-2026
(From May 28, 2026)

"Establishing the General Guidelines for Integrated Risk Management"

THE BOARD OF DIRECTORS

In exercise of its legal powers and

CONSIDERING

That Law 67 of September 1, 2011, reformed Decree-Law 1 of July 8, 1999, and created the Superintendence of the Securities Market (hereinafter, "the Superintendence") as an autonomous state agency with legal personality, its own assets, and administrative, budgetary, and financial independence.

That the Board of Directors, in accordance with Articles 5, 6, 10 (numeral 1), 19, and 20 of the Single Text of the Securities Market Law (hereinafter, the "Single Text"), acts as the Highest Body for consultation, regulation, and setting of the general policies of the Superintendence, and among its attributions is to adopt, reform, and revoke Agreements that develop the provisions of the Securities Market Law.

That the Superintendence, by virtue of Article 3 of the Single Text, has the general objective of regulating, supervising, and auditing the activities of the securities market developed in the Republic of Panama or from it, promoting legal certainty for all market participants and guaranteeing transparency, with special protection of investors' rights.

That, in this order of ideas, Article 323 of the Single Text establishes that when the Superintendence contemplates adopting an agreement, it must consider, in order to determine whether the action is necessary and appropriate: (a) the public interest, (b) the protection of investors, and (c) whether the action promotes market efficiency, competition, and capital formation.

That the constant development and growing complexity of international financial markets require that market participants have robust, dynamic, and efficient control mechanisms to protect the integrity of the system against the realization of various risk factors.

That to consolidate the competitiveness, stability, and maturity of the Panamanian securities market, it is imperative to homologate our regulations to the best international standards and practices in risk administration and management.

That the adoption of general guidelines on Integrated Risk Management (GIR) will provide regulated entities with a unified framework of action, allowing them to identify, measure, monitor, control, mitigate, and report in a timely manner the risks inherent to their operations.

That the implementation of standardized risk management policies strengthens the corporate governance of regulated entities, promotes a culture of compliance, and improves public investor confidence in the solidity of the securities market of the Republic of Panama.

That this agreement has been submitted to the Public Consultation Procedure established in Title XV of the Single Text of the Securities Market Law, specifically in Articles 323 and following, whose term in a first public consultation was from August 22 to October 4, 2019, and in a second public consultation from May 29 to July 14, 2025, as recorded in the public access file held by the Superintendence.

That by virtue of the foregoing, the Board of Directors of the Superintendence, in exercise of its legal powers;

AGREES:

ARTICLE ONE: Adopt the General Guidelines for Integrated Risk Management, for entities with licenses issued by the Superintendence, in accordance with the following provisions:


Chapter I General Aspects

Article 1. Scope of Application. The provisions of this Agreement shall be applicable to the following regulated entities (hereinafter "entity with license" or "entities with license"):

  1. Investment Managers.
  2. Investment Managers of Pension and Retirement Funds.
  3. Securities Houses.
  4. Self-Regulatory Organizations.

The provisions of this Agreement shall apply additionally and complementarily to what is established by the following regulatory agreements: Agreement No. 6-2015 of August 19, 2015, regarding the prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction; Agreement No. 5-2018 of August 21, 2018, on Information Technology Risk Management; Agreement No. 6-2018 of October 10, 2018, which adopts principles of Good Corporate Governance; any regulatory norm related to the matter that is adopted from time to time; and any other that the Superintendence determines in matters of risk management.

Paragraph. The Superintendence recommends as a prudential measure to regulated entities not included in the scope of application of this Agreement, the use of the guidelines contained in this document as a guide for the adequate management of their risks.

Article 2. Objectives. This Agreement aims for entities with licenses to apply the guidelines, criteria, and minimum parameters for the design and implementation of their Integrated Risk Management, based on the volume and frequency of their transactions and the type and complexity of their operations.

Integrated Risk Management is a joint and fundamental responsibility of the Board of Directors, the Administration, and the rest of the collaborators of the entity with license, which must be designed to identify potential events that may affect the organization and manage its risks effectively according to its Risk Appetite.

Integrated Risk Management comprises the policies, procedures, and controls established by the entity with license, to identify, evaluate, monitor, administer, and mitigate its risks.

Article 3. Definitions.

  1. Risk Appetite: Risk Appetite is the level and type of risk, quantitative and qualitative, that an entity with license is willing to assume consciously and strategically to achieve its business objectives, within its capital capacity, liquidity, solvency, operational capabilities, and regulatory tolerances. It is a managerial framework that establishes upper limits and the intensity of exposure that the entity with license accepts under normal and stress conditions, considering its business model, risk profile, strategy, organizational culture, and its capacity to absorb unexpected losses without compromising its viability.

  2. Risk Capacity: The maximum level of risk that an entity with license can assume given its current resources, objectives, and contractual obligations, without incurring regulatory breaches, in order to achieve its objectives and business plan, without compromising its solvency, financial viability, or operational continuity.

  3. Calibration: It is the process by which risk is measured and the premises are adjusted to align with the reality of the identified risk that the entity with license has.

  4. Integrated Risk Management: It is the continuous and proactive process, supervised by the Board of Directors and executed by the Administration, by which the entity with license identifies, measures, monitors, controls, mitigates, and reports to the different areas within the entity with license, the types of risk to which it is exposed, according to the volume and frequency of its transactions, type, and complexity of its operations. Its main objective is to align decision-making with the business strategy and established risk profile.

  5. Risk Management Body: It is the specialized administrative area within an entity with license, responsible for designing and executing policies and procedures for integrated risk management. According to the structure defined by each entity with license, this may be a management, unit, natural person, or third party.

  6. Stress Tests: Tests or exercises used to evaluate the impact of exposure to a certain type of risk in exceptional but possible situations or scenarios.

  7. Back Testing: A set of tests or exercises intended to evaluate the degree of precision and statistical reliability of the results obtained from an internal risk measurement model.

  8. Inherent Risk: It is the intrinsic risk of each activity, without taking into account the controls made on it internally. Inherent Risk is inherent to the work or process, which cannot be eliminated, but can be mitigated.

  9. Residual or Net Risk: Level of risk that remains after applying all controls, mitigations, and management measures designed to reduce Inherent Risk. Residual Risk cannot be completely eliminated, only managed within the parameters of Risk Appetite and Risk Tolerance defined by the entity with license.

  10. Risk Tolerance: It is the acceptable margin of deviation with respect to the established Risk Appetite. Specifically, it delimits the range within which each of the risks can fluctuate without it being considered necessary to adopt corrective measures. While Risk Appetite establishes the desired level, Risk Tolerance marks the upper and lower operational limits.

Chapter II Integrated Risk Management

Article 4. Risk Culture. Entities with licenses must promote a risk culture that includes:

  1. Clear communication on Risk Appetite, Risk Capacity, and Risk Tolerance.
  2. Continuous training.
  3. Incentives aligned with risk.
  4. Individual responsibility.

Article 5. Three Lines of Defense Model. Entities with licenses must structure and maintain their Integrated Risk Management system under a three lines of defense model:

  1. First Line (Business): Responsible for identifying, managing, and reporting risks inherent to their activities.
  2. Second Line (Risk and Compliance): Responsible for establishing methodologies, monitoring risks, and ensuring compliance with Risk Appetite.
  3. Third Line (Internal Audit): Responsible for independently evaluating the effectiveness of the risk management system.

Article 6. Integrated Risk Management Framework. Integrated Risk Management must be implemented through a comprehensive and structured risk management framework that includes, at least, the following components:

  1. Internal Environment: Comprises the environment of the entity with license, including corporate culture and values, technical and moral suitability of its personnel, organizational structure, and conditions for delegation of powers and assignment of responsibilities, among others.
  2. Objective Setting: Process by which the corporate objectives of the entity with license are established, which must be aligned with Risk Appetite and within its Risk Capacity.
  3. Risk Identification: Procedures and methodologies by which internal and external risks are identified, and which considers, as appropriate, possible events and associated scenarios.
  4. Risk Assessment: Process through which the probability of occurrence and the impact of risks to which an entity with license is exposed are evaluated, using qualitative and quantitative techniques. Entities with licenses must guarantee the integrity, quality, and traceability of data, controls over information sources, and periodic validations.
  5. Risk Mitigation Plan: The Risk Mitigation Plan must establish preventive or control measures intended to reduce the probability of risk occurrence or diminish its potential impact before the event materializes. Treatment strategies may include risk transfer, reduction, acceptance, or elimination, depending on its nature, magnitude, and the Risk Appetite defined by the entity with license. Each strategy must be evaluated and applied considering the operational context and the strategic objectives of the entity with license, with the purpose of strengthening its response capacity and ensuring effective risk management. The approach must be proactive, with the objective of strengthening controls to avoid or limit the realization of the risk.
  6. Risk Response Plan: The Risk Response Plan must establish the actions to be executed when a risk materializes or there is a high probability that it will occur. It must include action procedures, responsible parties, and response times. The approach is reactive, oriented to contain the impact of the event, recover operations, and restore the normality of the entity with license.
  7. Risk Control: It is the process by which the entity with license implements controls and actions intended to prevent, reduce, or maintain within acceptable levels the exposure to identified risks. This process includes the identification, evaluation, and treatment of risks, considering their probability of occurrence and potential impact.
  8. Information and Communication: Refers to the capacity of the entity with license to generate, process, and communicate relevant, reliable, and timely information and reports, which allow supporting decision-making and the adequate exercise of supervision and control functions. Information must flow effectively through the different levels of the organization and to stakeholders, starting with the Administration and the Board of Directors, ensuring transparency, clarity, and consistency in communication.
  9. Monitoring: Entities with licenses must periodically evaluate the sufficiency of capital based on their risk profile, considering financial and non-financial risks, stress test results, and residual risk. Monitoring implies the continuous review of risks and the effectiveness of implemented measures. It likewise implies making periodic adjustments to keep Integrated Risk Management aligned with the objectives of the entity with license and the real situation of the market.

Article 7. Types of Risks. For the purposes of this Agreement, without prejudice to any other risk that the entity with license may identify and what is established in other agreements, the following classifications and types of risk are established:

  1. FINANCIAL AND VALUATION RISKS
     1.1 Credit Risk: The possibility of incurring losses due to total or partial default of contractual obligations by counterparties, issuers, debtors, or other obligors, as well as the deterioration of their ability or willingness to pay, in the terms and deadlines agreed.
     1.2 Counterparty Risk: The possibility of incurring losses when a counterparty in a financial or contractual operation cannot or is not willing to fulfill its obligations in the established terms, amounts, or deadlines.
     1.3 Market Risk: The possibility of incurring losses derived from adverse movements in prices or other market variables that affect the value of assets, liabilities, or financial instruments held by the entity with license, particularly those associated with the trading portfolio. This risk mainly comprises:
         1.3.1 Price Risk: The possibility of incurring a loss due to adverse variations in the market price of a financial instrument or due to price indeterminacy at a given moment.
         1.3.2 Interest Rate Risk: The possibility of incurring a loss due to adverse variations in interest rates, which affect the value of financial instruments or future cash flows associated with them.
         1.3.3 Exchange Rate Risk: The possibility of incurring a loss due to adverse variations in the exchange rate between different currencies.
     1.4 Liquidity Risk: The possibility of incurring losses or facing obstacles to timely fulfillment of financial obligations due to the inability to obtain sufficient liquid resources or to convert assets into cash under adequate market conditions. This risk comprises:
         1.4.1 Financial Liquidity Risk (or Funding Risk): The possibility of incurring losses derived from situations in which the entity with license does not have sufficient liquid resources to timely fulfill its financial obligations without incurring significant costs or affecting its financial situation.
         1.4.2 Market Liquidity Risk: The possibility of incurring losses derived from situations in which a financial asset cannot be sold timely or can only be sold with significant discounts with respect to its fair value, due to adverse conditions or lack of market depth.
     1.5 Concentration Risk: The possibility of incurring significant losses derived from concentrated exposures in certain clients, counterparties, economic sectors, financial instruments, markets, or geographic regions, which may affect the solvency or financial stability of the entity with license.
     1.6 Valuation Risk: The possibility of incurring losses due to the use of inadequate methodologies, models, or assumptions for the valuation of assets, liabilities, or financial instruments, which could generate estimates inconsistent with their real economic value or with prevailing market conditions.
     1.7 Country Risk: The possibility of incurring losses derived from adverse political, economic, legal, or social conditions in a specific country that may affect the ability of debtors or counterparties located in that jurisdiction to fulfill financial obligations. This risk comprises:
         1.7.1 Transfer Risk: The possibility of incurring losses derived from conditions where debtors of a country cannot fulfill their obligations in foreign currency due to restrictions on the availability or transfer of foreign exchange, regardless of their individual financial capacity.
         1.7.2 Political Risk: The possibility of incurring losses derived from changes or instability in the political, institutional, or regulatory environment of a country that may negatively affect the investments or activities of the entity with license.
         1.7.3 Sovereign Risk: The possibility that a government or sovereign entity of a specific country cannot or is not willing to fulfill its financial obligations.

  2. OPERATIONAL, TECHNOLOGICAL, AND LEGAL RISKS
     2.1 Operational Risk: The possibility of incurring losses arising from failures or deficiencies in internal processes, people, information systems, or as a consequence of external events. It includes risks associated with information technology, fraud, human errors, and failures in internal controls.
     2.2 Information Technology and Digital Risk: The possibility of incurring losses arising from failures, interruptions, vulnerabilities, or inadequate use of technological infrastructures, computer systems, applications, networks, or digital channels that support the operations of the entity with license.
     2.3 Cybersecurity Risk: The possibility of incurring losses arising from unauthorized access, cyberattacks, security breaches, or compromises of the confidentiality, integrity, or availability of the information systems and data of the entity with license.
     2.4 Business Continuity Risk: The possibility of incurring losses arising from internal or external events that interrupt or significantly affect the continuity of the operations of the entity with license, compromising the provision of services or the fulfillment of its obligations.
     2.5 Fraud and Corruption Risk: The possibility of incurring financial, material, or reputational losses arising from fraudulent, dishonest, or corrupt acts committed by employees, executives, clients, or third parties.
     2.6 Legal Risk: The possibility of incurring losses arising from the incorrect application of or non-compliance with legal or regulatory provisions, adverse litigation or judicial resolutions, as well as deficiencies in the formalization or execution of contracts and legal acts.
     2.7 Regulatory Risk: The possibility of incurring legal or regulatory sanctions, financial losses, or reputational damage derived from non-compliance with laws, regulations, or sector regulations.
     2.8 AML/CFT/FPADM Compliance Risk: The possibility of incurring legal or regulatory sanctions, financial losses, or reputational damage derived from non-compliance with Law 23 of April 27, 2015, and its regulations, as well as sector regulations such as Agreement No. 6-2015 of August 19, 2015, or those established in the future, relative to the prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction.

  3. STRATEGIC AND ENVIRONMENTAL RISKS
     3.1 Strategic Risk: The possibility of incurring losses or affecting business sustainability due to inadequate strategic decisions, deficient implementation of such decisions, or the inability to adapt timely to changes in the competitive, economic, or regulatory environment.
     3.2 Reputational Risk: The possibility of incurring economic losses or experiencing a deterioration in the confidence of clients, investors, authorities, or the general public, as a consequence of events, decisions, or behaviors that negatively affect the image or credibility of the entity with license, including inadequate marketing practices, conflicts of interest, misleading or incomplete information, and the improper use of insider information.
     3.3 Contagion Risk: The possibility of incurring losses due to the realization of risks in related entities, companies of the same economic group, or entities with which there is a significant financial or commercial relationship.
     3.4 Environmental, Social, and Governance (ESG) Risk: The possibility that environmental, social, or corporate governance factors generate negative impacts on the sustainability, financial performance, reputation, or regulatory compliance of the entity with license.

The identification, evaluation, and management of the risks defined in this article will be carried out under a materiality approach, considering their relevance, probability of occurrence, and potential impact on the operation and funds administered by the entity with license. Consequently, the entity with license will determine the relative importance of each type of risk identified based on its business model, the nature of its activita