Regulation on Minimum Requirements for Operational Risk Management in Commercial Banks of the Kyrgyz Republic

Return to previous page

Print version

Date of creation: 2025-11-27

Approved

by the resolution of the Board of Directors

of the National Bank

of the Kyrgyz Republic

of December 15, 2005 No. 37/5

REGULATION

on minimum requirements for operational risk management in commercial banks of the Kyrgyz Republic

(In the edition of the resolutions of the Board of Directors of the National Bank of the KR of November 16, 2012 No. 43/1, December 23, 2015 No. 78/22, June 15, 2017 No. 2017-P-12/25-7, October 17, 2018 No. 2018-P-12/43-2, December 27, 2019 No. 2019-P-12/68-2, January 17, 2024 No. 2024-P-12/1-3, September 26, 2025 No. 2025-P-12/49-3-(NPA), November 12, 2025 No. 2025-P-12/60-4-(NPA))

I. General Provisions

1.1. This Regulation establishes mandatory minimum requirements for the organization of operational risk management to be observed by commercial banks (hereinafter - banks).

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of January 17, 2024 No. 2024-P-12/1-3)

1.2. The Regulation serves as additional guidance for banks regarding minimum requirements for policies, procedures, and internal controls to comply with operational risk management standards established by the Regulation "On Minimum Requirements for Risk Management in Banks of the Kyrgyz Republic".

Commercial banks conducting operations in accordance with Islamic principles of banking and financing shall refer to this Regulation to comply with operational risk management standards established by the Regulation "On Minimum Requirements for Risk Management in Banks Conducting Operations in Accordance with Islamic Principles of Banking and Financing", approved by the resolution of the Board of Directors of the National Bank of the Kyrgyz Republic (hereinafter - National Bank) of July 18, 2018 No. 2018-P-12/30-3-(BS).

(In the edition of the resolutions of the Board of Directors of the National Bank of the KR of November 16, 2012 No. 43/1, December 23, 2015 No. 78/22, December 27, 2019 No. 2019-P-12/68-2, January 17, 2024 No. 2024-P-12/1-3)

1.3. The Regulation uses terms in accordance with the Regulation "On Minimum Requirements for Risk Management in Banks of the Kyrgyz Republic".

II. Basic Requirements for the Organization of Operational Risk Management

2.1. A bank must develop and approve an operational risk management policy by the Bank's Board of Directors, which corresponds to the scale, risk profile, systemic significance, and capital size of the bank.

The operational risk management policy may be presented as a separate document or may be part of a unified risk management policy and must at least include:

• goals and objectives of operational risk management;
• basic principles of operational risk management;
• main types of operational risks taking into account all areas of the bank's activity and the causes of their occurrence;
• distribution of powers and responsibilities at all levels of management and monitoring of operational risk;
• methods for identifying, assessing, monitoring, controlling, and minimizing operational risk;
• procedures for reporting and information exchange on operational risk management.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22)

2.2. The basic principles of operational risk management imply that the following must be reflected in the bank's internal documents:

• procedures, rules, and regulations for conducting banking operations and other transactions;
• functioning of information and other systems;
• procedure regulating the transfer of work to a backup center (if available) and interaction of system personnel in cases of force majeure circumstances (such as natural disasters (floods, earthquakes, storms, fires, and other natural or technological catastrophes), technical catastrophes, epidemics, declaration of a state of emergency, mass riots, looting, military actions, etc.);
• organization of internal processes, separation of powers, and functional responsibilities;
• procedure for interaction between departments and bank employees;
• procedure for reporting and information exchange;
• definition of conflict of interest and the possibility of preventing it in cases where transactions involve those who make decisions.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of June 15, 2017 No. 2017-P-12/25-7)

2.3. For the purpose of limiting operational risk, the bank must have the following documents:

• on the conduct of all types of operations carried out by the bank;
• on physical security, including requirements for premises where branches, vaults, safes, documents, and archives are located, as well as measures for physical protection of technologies;
• on the receipt, storage, and transportation of funds and other valuables;
• on ensuring technologies that must be tested and documented before their introduction and which can be updated if necessary;
• on outsourcing. Outsourcing is understood as the bank's attraction of external service providers to perform certain types of work and services on a continuous or periodic basis, which would normally be carried out by the bank itself. The bank cannot use outsourcing for operations related to lending, deposit attraction, or other banking operations requiring a license;
• business continuity plans, including the availability of backup premises, external storage for backup data, recovery processes, and contingency plans for responding to the destruction or unavailability of key systems.

(In the edition of the resolutions of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22, November 12, 2025 No. 2025-P-12/60-4-(NPA))

2.4. The operational risk management policy must be reviewed periodically, at least once a year, and the bank's procedures and other internal documents on operational risk management must be reviewed as necessary, but at least once every two years, taking into account the achieved level of operational risk management in the bank and international experience, fully integrated into the bank's general risk management process, and also brought to the attention of all bank employees in a timely manner.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22)

2.5. The Board of Directors bears primary responsibility for operational risk management and determines approaches that best correspond to the bank's activities, as well as monitors the effective implementation by the Bank's Board of the policy and procedures for operational risk management.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22)

2.6. The assessment of operational risk management must be carried out both for the bank as a whole and in the context of its activity areas, internal processes, information technology systems, and banking products that make up these activity areas. At a minimum, the assessment of operational risk management must include a systematic analysis of exposure to each type of operational risk for each area of the bank's activity.

2.7. For the purpose of unifying approaches and data comparability, the bank may use the following classification of activity areas:

• account opening, cash and settlement services for individuals and legal entities;
• payment processing;
• lending;
• asset management, including securities;
• agency services;
• brokerage services;
• consulting services;
• other activity areas.

2.8. The Bank's Board of Directors together with the Bank's Board of Directors must ensure the creation of an organizational structure with the establishment of rights and obligations at all levels of management and monitoring of operational risk in accordance with the basic principles of operational risk management.

2.9. For the purpose of managing operational risks, all banks must ensure a comprehensive set of measures for the restoration and resumption of the functioning of their internal information systems in accordance with the requirements of regulatory legal acts of the National Bank.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of June 15, 2017 No. 2017-P-12/25-7)

III. Fundamentals of Operational Risk Management

3.1. Operational losses may arise as a result of events and processes carrying operational risk, which are classified into the following types:

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22)

3.1.1. Internal fraud, that is, abuses or illegal actions by bank employees (for example, abuse of office, theft, intentional concealment of the commission of operations, unauthorized use of information systems and resources, intentional violation of the bank's internal documents, unauthorized use of information obtained by an employee in the course of official duties for personal gain).

The main approach to risk management in the event of such events is the existence of a reliable internal control system, which includes the separation of duties, the organization of dual control, and the clear definition of delegated approval limits. It is necessary that the relevant internal audit service, which checks compliance with established policies and procedures, supports this internal control system.

3.1.2. External fraud, that is, illegal actions by persons unrelated to the bank (for example, robbery, unauthorized intrusion into the bank's information and other systems, forgery and/or counterfeiting of payment and other documents).

In addition to the general internal control system, banks must develop specific measures ensuring physical security and information technology security in accordance with the approved policy. The fundamentals of operational risk management prescribe that these policies clearly define how to reduce the risks of theft and fraud, indicating possible losses due to the robbery of branches or theft of funds in transit, and the inadequacy of information technology security.

3.1.3. Employment practices, violations of banking, labor, and other legislation, working safety conditions, and employee health protection.

These types of events carrying operational risk are determined to a greater extent by the bank's internal regulatory acts on human resources, taking into the possibility of insurance in accordance with legislation.

3.1.4. Violation by the bank of obligations under contracts with bank clients and third parties, abuse of information about bank clients, poor quality of operations or services, non-compliance with business customs, violation of antimonopoly legislation, non-compliance with customer due diligence requirements.

Measures to ensure proper training and supervision of employees, compliance with market conduct provisions, and consumer protection are the main measures to reduce these types of operational risks.

3.1.5. Damage to the bank's material assets (for example, as a result of fire, natural disasters, acts of terrorism, vandalism, etc.).

Ensuring physical security, including the protection of premises and other assets, as well as business continuity planning, including the availability of backup means in case of destruction or loss of access to key premises, are the main approaches to managing these risks. Business interruption insurance may also play a role in reducing financial costs.

3.1.6. Failures in the functioning or breakdown of the bank's information and other systems, equipment, and communications.

Business continuity planning, which includes the process of backup and recovery, backup mechanisms for responding to the unavailability or destruction of the most important information or technology, are the main means of reducing these operational risks. In addition, strict testing of new or improved systems, including the ability to restore information in case of failures or breakdowns, is a necessary component of the technology management policy.

3.1.7. Improper organization of internal processes and information flows, including the order of access to confidential information, such as client accounts, information systems, improper execution of operations and established procedures, violation of obligations by work or service providers to the bank, errors in entering data on operations and transactions, accounting errors, calculation errors, incorrect or incomplete preparation of reports or legal documentation, loss or destruction of documents, deficiencies and violations in collateral management, etc.

Operational risk resulting from the above factors is largely controlled by corresponding internal control systems. If the bank uses the services of contractors for certain types of work and services, it must have corresponding internal regulatory documents providing for the circumstances under which outsourcing can be used, selecting qualified and reliable service providers, establishing quality standards, including compliance, safety, and timeliness standards, monitoring risks, and developing contingency plans for key service providers in case of disruptions.

3.1.7-1. Before using outsourcing, the bank must develop a procedure for making decisions on attracting service providers, as well as prepare outsourcing contracts. The outsourcing contract is an important tool for reducing risks associated with non-performance or disputes between parties. The following must be included in the key provisions of the outsourcing contract:

• clear definition of the types of work and services transferred to a third party for execution;
• the bank's right to access the service provider's financial reports, including in cases where the financial condition of the service provider may affect the performance of its obligations under the outsourcing contract and other information relevant to the object of outsourcing. In this case, at the request of the National Bank and external auditors, the bank is obliged to provide such information relevant to the object of outsourcing;
• continuous monitoring and assessment by the bank of the service provider's activities for the timely adoption of corrective measures;
• conditions and minimum terms for terminating the contract in case of necessity, as well as obligations remaining in force after the termination of the contract;
• procedure for resolving significant issues specific only to the outsourcing contract (for example, if the service provider is located abroad, a provision on the legislation of the countries of the parties to the contract, to avoid collision of regulatory legal acts);
• conditions for transferring all or part of the outsourcing activity to a sub-contract in case of necessity (to ensure the possibility of maintaining a similar risk management regime in case of a change in the service provider);
• issues of ensuring the service provider's confidentiality of information concerning the bank and protection against intentional or accidental disclosure to third parties.

The procedure for making decisions on attracting service providers must include criteria that allow for a preliminary assessment of the possibility and ability of the service provider to effectively, reliably, and at a high level carry out outsourcing activities, as well as to assess the factors of emerging risks associated with attracting a specific service provider.

When developing criteria, the bank should take into account that the service provider must:

• have the necessary resources and employees of appropriate qualification to perform the work and services transferred by the bank for outsourcing;
• understand the goals and objectives of the bank in this area of activity and act in accordance with them;
• be financially sound in order to perform its obligations in a timely and full manner.

(In the edition of the resolutions of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22, October 17, 2018 No. 2018-P-12/43-2)

3.2. To identify the influence of external factors on the level of operational risk, it is necessary to conduct an analysis of the following conditions of the bank's activities:

• analysis of the external financial environment affecting the bank's activities;
• analysis of exposure to operational risk of all areas of the bank's activity, including the development of new areas of activity;
• analysis of individual bank operations;
• analysis of internal policies and procedures, including the procedure for preparing reports and exchanging information.

3.3. To ensure the effective identification of operational risk, the bank must keep a record of all events related to the occurrence of operational risk. Information on the bank's risk events is submitted by the bank to the National Bank monthly as part of the Periodic Regulatory Banking Report.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 27, 2019 No. 2019-P-12/68-2)

3.4. To identify and assess operational risk, banks may independently develop operational risk assessment methods or use methods applied in international banking practice, which must be reflected in the bank's internal documents. At the same time, the operational risk assessment method must correspond to the nature and scale of the bank's activities.

3.5. For the timely detection and elimination of deficiencies in operational risk management, the bank must regularly monitor operational risk. In the process of monitoring, the bank may use a system of indicators signaling the probability of the occurrence of events as a result of which operational losses may arise (for example, rapid growth in the volume of operations conducted, the number of failed and incomplete operations, staff turnover, the number and frequency of errors made, the frequency and duration of failures of the bank's information and other systems, etc.).

IV. Control over the Effectiveness of Operational Risk Management

4.1. The Bank's Board of Directors must ensure that the processes of identification, assessment, control, and monitoring of operational risks correspond to the bank's needs, evaluating their consistent use over a certain period of time.

4.2. The Bank's Board of Directors must systematically assess the effectiveness of operational risk management.

4.3. Based on the analysis of external and internal factors affecting the bank's activities, it is necessary to periodically, but at least once every two years, review internal processes and procedures for the purpose of identifying operational risks. Special attention must be paid to the quality of control means for documentation and the practice of conducting operations.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of December 23, 2015 No. 78/22)

4.4. The bank's internal documents must establish the procedure and periodicity for reviewing facts of operational losses, identifying the causes of their occurrence, and the procedure for applying measures to eliminate them.

4.5. Control over compliance with policies and procedures on operational risk is carried out within the internal control system. Control over operational risk implies, at a minimum, control:

• over compliance with established limits in the conduct of operations and provision of services;
• over compliance with the principle of separation of powers, the procedure for approval and accountability for operations conducted and services provided;
• over compliance with the established procedure for access to information and material assets of the bank;
• over the training and professional development of bank personnel.

4.6. The Bank's Board of Directors must consider the possibility of insuring losses for specific categories of operational risks in accordance with legislation.

4.7. In addition, an assessment must be made of the sufficiency of the available insurance compensation and the bank's ability to self-insure against losses associated with events carrying operational risk.

V. Disclosure of Information on Operational Risk Management

5.1. The bank must disclose information on measures to reduce operational risk to depositors and other clients, creditors, shareholders (participants) of the bank, external auditors, other organizations, institutions, and the public to a sufficient extent as part of the annual report.

VI. Minimum Requirements for the System of Counteraction to Internal and External Fraud (Anti-Fraud)

(Chapter in the edition of the resolution of the Board of Directors of the National Bank of the KR of September 26, 2025 No. 2025-P-09/49-3-(NPA))

6.1. The bank is obliged to ensure the presence and effective functioning of a system for counteraction to internal and external fraud (anti-fraud) in accordance with the requirements of this chapter.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of September 26, 2025 No. 2025-P-09/49-3-(NPA))

6.2. The requirements of this chapter apply as the main mechanism for counteraction to internal and external fraud in banking information systems, including in the event of non-compliance of the existing algorithms for counteraction to internal and external fraud in banking information systems with the requirements of this chapter.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of September 26, 2025 No. 2025-P-09/49-3-(NPA))

6.3. The bank is obliged to develop, approve by the Board of Directors, and implement a Policy on Counteraction to Fraud in Remote/Distant Banking Service Systems (hereinafter - Policy). The Policy may be оформлен as a separate document or be a constituent part of the bank's risk management policy.

The Policy must at least contain:

• the management's commitment confirming the commitment to protecting clients from internal and external fraud in remote/distant banking service systems;
• principles of early detection, prevention, and prevention of fraud in remote/distant banking service systems;
• the procedure for applying adequate and timely automated or semi-automated response measures to identified cases or attempts of fraud, commensurate with the assessed level of risk;
• measures of responsibility in accordance with the legislation of the Kyrgyz Republic applied to bank employees for inaction or improper action in the field of counteraction to fraud, including monitoring threats, developing and implementing counteraction measures, and responding to incidents.

The Policy is subject to review and updating at least once a year.

Internal procedures and documents of the bank regulating counteraction to fraud in remote/distant banking service systems are subject to review as necessary, but at least once every two years, taking into account the effectiveness of applied measures, best international experience, and current threats.

The bank is obliged to integrate the above procedures and documents into the risk management system and ensure that all necessary bank employees are familiar with them.

(In the edition of the resolution of the Board of Directors of the National Bank of the KR of September 26, 2025 No. 2025-P-09/49-3-(NPA))

6.4. The bank is obliged to implement fraud counteraction systems in remote/distant banking service information systems to prevent both internal and external fraud.

These systems must ensure continuous monitoring and assessment of fraud risk for each outgoing transaction conducted through remote/distant banking service systems, regardless of the amount, frequency, and history of previous transactions. Implementation of these systems is permitted in two ways:

• in the form of a separate, independent software or software-hardware complex interacting with all automated remote/distant banking service systems used by the bank;
• by integrating a specialized fraud counteraction module directly into each of the automated remote/distant banking service systems used by the bank.

(In the edition