Directive No 03/2018 on Internal Capital and Liquidity Adequacy Assessment Processes (ICAAP and ILAAP)

1 DIRECTIVE No 03/2018 OF 15/02/ 2018 ON INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP) AND INTERNAL LIQUIDITY ADEQUACY ASSESSMENT PROCESS (ILAAP) Pursuant to Law N o 48/2017 of 23/09/2017 governing the Central Bank of Rwanda, especially in its Articles 8, 9 and 10; Pursuant to Law N o 47/2017 of 23 /09/2017 governing the organization of banking, especially in its articles 55, 61 , 66, 67 and 117; Pursuant to Regulation Nº 06/2017 of 19/05/2017 on the Capital requirements for banks especially in its article 30; Pursuant to Regulation Nº 07/2017 of 19/05/2017 on the Liquidity requirements for banks especially in its article 16; The National Bank of Rwanda hereafter referred to as” Central Bank” decrees: Article one: Purpose of the Directive The purpose of this Directive is to establish the process and minimum requirements for assessing internal capital and liquidity adequacy of licensed banks. Article 2: Application This directive applies to banks and other financial banks licensed to conduct banking business in Rwanda under the Banking Law. The requirements apply on both a solo as well as consolidated level. Article 3: Capital and Liquidity assessment requirements and process Notwithstanding the regulation on risk management, banks shall assess, plan and maintain adequate capital and liquidity that commensurate with the risk program of the bank in accordance with the guideline annexed to this directive.

2 Article 4: Internal control reviews The bank must conduct periodic reviews of its capital and liquidity assessment and risk management process to ensure its integrity, accuracy, and reasonableness. Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal and external audits. Article 5: Monitoring and reporting Banks shall submit ICAAP and ILAAP reports to the National Bank of Rwanda on annual basis at date expressed in the attached guideline of this Directive. The Central Bank may require such other information as is necessary to evaluate compliance with this Directive and may call for adjustments to capital and liquidity requirements where necessary. Article 6: Review and Subsequent revision of the ICAAP and ILAAP The Central Bank will perform a review of the ICAAP, ILAAP and hold discussions with management of the bank to provide feedback on whether a bank, in its ICAAP and ILAAP document, has adequately identified its capital and liquidity needs. Any revision of the discussed ICAAP and ILAAP or any previous approved documents or its outcomes by the bank shall be resubmitted to the National Bank of Rwanda within fifteen (15) days. Article 7: Administrative sanctions Where the Central Bank determines that a bank is not in compliance with this Directive, it may impose any or all administrative sanctions prescribed in the law governing the organisation of banking and relevant regulations. Article 8: Transition period Banks shall submit their approved annual ICAAP and ILAAP documents for review by the Central Bank by March 2019. Notwithstanding the first paragraph of this article, all banks with total assets (off and on balance sheet) greater than 250 billion RWFs shall prepare and submit their first ICAAP and ILAAP documents to the Central Bank by the end of July 2018 for review. Article 9: Attached guidelines Guidelines attached hereunder are part and parcel of this Directive.

3 Article 10: Repealing provisions All prior provisions contrary to this Directive are hereby repealed. Article 11: Commencement This Directive shall come into force on the date of its signature. Done at Kigali, on 15/02/2018 (sé) RWANGOMBWA John Governor

1 GUIDELINES ON A BANK’S INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (“ICAAP”) AND INTERNAL LIQUIDITY ADEQUACY ASSESSMENT PROCESS (“ILAAP”) Contents

1. OVERVIEW...................................................................................................................................................3 1.1 Introduction...............................................................................................................................................3 1.2 Definitions and clarifications....................................................................................................................4
2. PURPOSE AND SCOPE OF APPLICATION.............................................................................................5
3. GUIDING PRINCIPLES FOR ICAAP AND ILAAP IN BANKS .............................................................5
4. COMMON ITEMS FOR THE ICAAP AND ILAAP RELATED INFORMATION...............................6 4.1 Board and senior management oversight................................................................................................6 4.2 Risk appetite and risk management framework ....................................................................................8 4.3 Policies, procedures, limits and controls.................................................................................................9 4.4 Identifying, measuring, monitoring and reporting of risk ..................................................................10 4.5 Appropriate Management Information Systems (MIS) ......................................................................11
5. ELEMENTS SPECIFIC TO ICAAP...........................................................................................................12 5.1 Sound capital assessment and capital planning....................................................................................12 5.2 Comprehensive assessment of risks and approach ..............................................................................12 5.3 Relating capital to risk............................................................................................................................13 5.4 Issue of Valuation practices....................................................................................................................13 5.5 Forward looking and Sound stress testing practices............................................................................15 5.6 Risk monitoring and reporting processes .............................................................................................18 5.7 ICAAP document ....................................................................................................................................18 5.8 ICAAP reporting, Internal Control and review...................................................................................19
6. ELEMENTS SPECIFIC TO ILAAP...........................................................................................................20 6.1 Liquidity and funding risk management framework ..........................................................................20 6.2 Intra-day management of liquidity........................................................................................................20 6.3 Transfer pricing ......................................................................................................................................21 6.4 Management of collateral .......................................................................................................................21 6.5 Managing liquidity across legal entities, business lines, countries and currencies............................21 6.6 Funding diversification and market access...........................................................................................21 6.7 Management of asset encumbrance.......................................................................................................22 6.8 Stress testing ............................................................................................................................................22

2 6.9 Liquidity contingency plan (LCP) .........................................................................................................28 6.10 ILAAP document ..................................................................................................................................28 6.11 ILAAP reporting, Internal Control and review .................................................................................29 7. ICAAP AND ILAAP REPORTING AND REVIEW PROCESS .............................................................30 8. SREP AND SUPERVISORY ADJUSTMENTS.........................................................................................30 8.1 SREP Process...........................................................................................................................................30 8.2 Supervisory assessment and adjustment for ICAAP ...........................................................................31 8.3 Supervisory assessment and adjustment for ILAAP ...........................................................................32 8.4 Processes for Pillar 1 and Pillar 2 supervisory adjustments...............................................................33 Appendices:........................................................................................................................................................35 Appendix I: Elements of the ICAAP document .........................................................................................35 Appendix II: Elements of the ILAAP document........................................................................................38 Appendix III. Summary of ICAAP Review ................................................................................................41 Appendix IV. Summary of ILAAP Review.................................................................................................43 Appendix V. Risk Appetite Statement.........................................................................................................44 Appendix VI. Use of Internal Models for Capital Assessment Review of ICAAP ..................................45

3

1. OVERVIEW 1.1 Introduction 1.1.1 This Guidelines aim at ensuring convergence of sound practices for the preparations of banks’ internal capital adequacy assessment process (ICAAP) and internal liquidity adequacy assessment process (ILAAP), and the supervisory review and evaluation process (SREP) in accordance with capital and liquidity regulations. 1.1.2 In particular, the document sets out guidance in line with Article 30 of the Regulation Nº 06/2017 of 19/05/2017 on the Capital Requirements for banks. 1.1.3 Also, the guidelines sets out guidance in line with Article 16 of the Regulation Nº 07/2017 of 19/05/2017 on the Liquidity requirements for banks. 1.1.4 The Guidelines is structured based on the international standards of the Basel Committee’s publications on the International Convergence of Capital Measurement and Capital Standards (herein after referred to as the Framework or Basel II Accord) that was issued in June 2006 and the Enhancements to the Basel II Framework that was issued in July 2009. 1.1.5 Further, the ILAAP is based on the BCBS publication ‘Principles for Sound Liquidity Risk Management and Supervision’ of September 2008. 1.1.6 “Pillar 1” of “Basel II” (the revised capital adequacy framework issued by the Basel Committee on Banking Supervision) sets out minimum capital requirements for credit, operational, and market risks. “Pillar 2” of Basel II is intended to ensure that banks have adequate capital to support all the risks in their business, and includes the requirement on banks to have an ICAAP. 1.1.7 The Basel II document of the Basel Committee also lays down the following four key principles with regard to the Supervisory Review Evaluation Process (SREP) envisaged under Pillar 2. a) Banks shall have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels. b) Supervisors shall review and evaluate the bank’s internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with the regulatory capital ratios. Supervisors shall take appropriate supervisory action if they are not satisfied with the result of this Guideline. c) Supervisors shall expect banks to operate above the minimum regulatory capital ratios and shall have the ability to require the banks to hold capital in excess of the minimum. d) Supervisors shall seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and shall require rapid remedial action if capital is not maintained or restored. 1.1.8 Principles 1 and 3 are related with the supervisory expectations from the banks while the principles 2 and 4 are related with the role of the supervisors under Pillar 2. 1.1.9 The Pillar 2 (SREP) requires banks to implement an internal process, called the Internal Capital Adequacy Assessment Process (ICAAP) for assessing their capital adequacy in relation to the risk profiles as well as a strategy for maintaining their capital levels. a) Banks shall have in place a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels. b) Banks shall operate above the minimum regulatory capital ratios. 1.1.10 The Pillar 2 also requires the supervisory authorities to focus all banks to an evaluation process, also called as Supervisory Review and Evaluation Process (SREP), and to initiate such supervisory measures on that basis, as might be considered necessary. a) Supervisors shall review and evaluate a bank’s ICAAP. b) Supervisors shall take appropriate action if they are not satisfied with the results of this process.

4 c) Supervisors shall review and evaluate a bank’s compliance with the regulatory capital ratios. d) ICAAP Guideline. e) Supervisors shall have the ability to require banks to hold capital in excess of the minimum. f) Supervisors shall seek to intervene at an early stage to prevent capital from falling below the minimum levels. g) Supervisors shall require rapid remedial action if capital is not maintained or restored. 1.1.11 There exists a gap in pillar 2 between material risks (due to credit, market and operational risk) and liquidity risk is managed and supervised by banks and supervisors respectively. In order to close the liquidity risk regulatory gap that is present in Basel III pillar 2, this guideline provides complementary basic rules to ICAAP and SREP for consideration. ILAAP is the solution for managing liquidity risk as ICAAP is for credit, market, operational, business/strategic, counterparty credit risk, insurance, real estate and model risks. 1.1.12 In the event of any further clarifications in understanding this guideline, please contact the Banking Supervision Department at the Bank on the telephone number below or speak to your persons of contact in the Supervision Department. Contact Telephone: +250788199000 1.2 Definitions and clarifications 1.2.1 In this Guideline, unless reasonably implied by contextual usage, the following expressions and words are clarified or shall mean:

Definitions:

1. “Cash flow mismatch risk”: the risk that a firm has insufficient liquidity from liquid assets and other liquidity inflows to cover liquidity outflows on a daily basis.
2. “Central Bank”: the National Bank of Rwanda.
3. “Counterbalancing capacity”: the bank’s ability to hold, or have access to, excess liquidity over short-term, medium-term and long-term time horizons in response to stress scenarios.
4. “Funding risk”: the risk that a bank does not have stable sources of funding in the medium and long term to enable it to meet its financial obligations, such as payments or collateral calls, as they fall due, either at all or only at excessive cost.
5. “Internal Capital Adequacy Assessment Process (ICAAP)”: the bank’s process for the identification, measurement, management and monitoring of internal capital it considers adequate to cover all material risks to which it is exposed.
6. “Internal Liquidity Adequacy Assessment Process (ILAAP)”: the bank’s process for the identification, measurement, management and monitoring of internal liquidity it considers adequate to cover liquidity and funding risks of the bank.
7. “Interest rate risk” (IRR) means the current or prospective risk to the bank’s earnings and own funds arising from adverse movements in interest rates.
8. “Intraday liquidity”: the funds that can be accessed during the business day to enable the bank to make payments in real time.
9. “Intraday liquidity risk”: the current or prospective risk that the bank will fail to manage its intraday liquidity needs effectively.
10. “Liquidity contingency plan”: a plan for dealing with liquidity crises as required by the guideline.
11. “Liquidity risk”: the risk that a bank, although solvent, does not have available sufficient financial resources to enable it to meet its obligations as they fall due.

5 12. “Supervisory Review and Evaluation Process (SREP)”: the process of the regular review of bank’s strategies, processes and mechanisms implemented and evaluate the risks to which the banks are or might be exposed, or poses risk to the financial system. 13. “Survival period” means short period of time when a bank would plan only to survive by maintaining buffers as “insurance” to assure its ability to cope with a crisis while taking other measures in line with its overall liquidity policies and risk appetite for longer-term survival. 14. “Risk appetite”: the aggregate level and types of risk the bank is willing to assume within its risk capacity, in line with its business model, to achieve its strategic objectives. 2. PURPOSE AND SCOPE OF APPLICATION 2.1 The purpose of this document is to provide guidance on how a bank shall establish, operate and maintain its ICAAP and ILAAP. 2.2 The purpose of the Internal Capital Adequacy Assessment Process (ICAAP) is to inform the Board of the ongoing assessment of the bank’s risks, how the bank intends to mitigate those risks and how much current and future capital is necessary having considered other mitigating factors. 2.3 The ILAAP rules require banks to identify, measure, manage and monitor liquidity and funding risks across different time horizons and stress scenarios, consistent with the risk appetite established by the bank’s management body. 2.4 The guidelines apply to all incorporated and registered banks in Rwanda that are subject to a condition of registration requiring them to have an internal process for assessing their overall capital and liquidity adequacy in relation to risk profile and a strategy for maintaining adequate capital and liquidity to support risks. 2.5 Each bank is responsible for its ICAAP and ILAAP. In the case where a bank is a member of a larger banking group, the bank may base its approach on group-wide methodologies. 2.6 In all cases the bank’s board of directors retains the ultimate responsibility for ensuring the overall capital and liquidity adequacy of both the banking group on a consolidated basis and on a solo basis. 3. GUIDING PRINCIPLES FOR ICAAP AND ILAAP IN BANKS 3.1 Banks must have a process for assessing their overall capital and liquidity adequacy in relation to their risk profile and a strategy for maintaining their capital and liquidity levels. 3.2 Banks must have in place an ICAAP and ILAAP that is proportional to their size, nature, complexity of the bank’s business, risk profile, and operating environment. Banks are required to have in place sound, effective and complete strategies and processes to assess and maintain on an ongoing basis the amounts, types and distribution of internal capital or liquidity that they consider adequate to cover the nature and level of the risks to which they are or might be exposed. These strategies and processes shall be subject to regular internal review to ensure that they remain comprehensive and proportionate to the nature, scale and complexity of the activities of the bank. 3.3 Banks will need to implement this guideline based on the following a minimum guiding principles: a) Management bodies are responsible for ICAAP & ILAAP. Management boards, senior managers and risk committees need to take full ownership of the processes and also the capital adequacy statement and liquidity adequacy statement, respectively. b) The ICAAP & ILAAP are integral to risk management frameworks. The processes shall be aligned with group risk appetite and look not just at the current situation, but also at least three years ahead.

6 c) The ICAAP & ILAAP aim to ensure the bank’s short and medium-term viability. Banks need to make their assessments from two different perspectives, which are intended to be mutually informative. (i) The normative perspective is based on the ability to fulfil supervisory requirements. For capital this includes key ratios such as CET 1, Tier 1, and leverage; for liquidity it includes the LCR. The normative view shall consider the short term position but also look forward three years or more, including a baseline scenario and at least two adverse scenarios. (ii) The economic perspective is based on the bank’s economic or net present value. As such, it shall consider the wide range of possible risks that a potential shareholder might consider. This includes taking ‘hidden’ or off-balance sheet liabilities into account. d) The ICAAP and ILAAP shall identify and consider all material risks. Banks are expected to address any potential threats to their capital or liquidity positions, according to their business model. Therefore must have an adequate systems and procedures to identify, measure, monitor and manage the risks arising from the bank’s activities on a continuous basis to ensure that capital and liquid assets are held at a level consistent with the Bank’s risk profile; e) Capital and liquidity need to be clearly defined, and of high quality. In the case of capital, common equity is expected to play a major role. Liquidity buffers shall be marketable and well diversified. Therefore a capital and contingency funding plans, consistent with the bank’s overall business plan, for managing bank’s capital and liquidity levels on an ongoing basis. f) Assumptions and methodologies need to be proportionate, consistent and thoroughly validated. Each bank’s approach to ICAAP and ILAAP shall be appropriate to its business model and risk appetite. Assumptions shall be conservative, independently validated and consistent across the whole group. g) Regular stress tests shall ensure viability under adverse market conditions. Internal stress tests shall be conducted at least once a year, based on in-depth review of potential vulnerabilities. 4. COMMON ITEMS FOR THE ICAAP AND ILAAP RELATED INFORMATION 4.0 At a minimum, banks must demonstrate the following requirements in the ICAAP and ILAAP documents: a) Board and senior management oversight; b) Established policies, procedures, limits and controls; c) Identifying, measuring, monitoring and reporting key risks; d) Implementing sound capital /liquidity assessment; e) A comprehensive assessment of risks; and f) Internal control review. 4.1 Board and senior management oversight 4.1.1 Banks’ board of directors and senior management are responsible for defining the risk appetite and to ensure that the risk management framework includes detailed policies that set specific bank wide prudential limits on the banks’ activities.

7 4.1.2 A sound risk management process is the foundation for an effective assessment of the adequacy of a bank’s capital position. Bank management is responsible for understanding the nature and level of risk being taken by the Bank and how this risk relates to adequate capital levels. Senior management and the board of directors must view capital planning as a crucial element in being able to achieve its desired strategic objectives. 4.1.3 The board of directors and senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policies, controls and risk monitoring systems are effective. They must have the necessary expertise to understand the capital markets activities in which the bank is involved – such as securitisation and off-balance sheet activities – and the associated risks. 4.1.4 The board and senior management must remain informed on an ongoing basis about its risks as financial markets, risk management practices and the bank’s activities evolve. In addition, the board and senior management must ensure that accountability and lines of authority are clearly delineated. With respect to new or complex products and activities, senior management must understand the underlying assumptions regarding business models, valuation and risk management practices. In addition, senior management must evaluate the potential risk exposure if those assumptions fail. 4.1.5 The board and senior management must identify and review the changes in bank wide risks arising from potential new products or activities before embarking on new activities or introducing products new to the bank. They must also ensure that the infrastructure and internal controls necessary to manage the related risks are in place. Banks must also consider the possible difficulty in valuing the new products and how they might perform in a stressed economic environment. 4.1.6 Senior management must be satisfied that all business units conducting activities that have an impact on liquidity are fully aware of the capital and liquidity management strategy and operate in accordance with approved policies, procedures, limits and controls. 4.1.7 The risk management function of banks must be independent of the business lines in order to ensure an adequate separation of duties and to avoid conflicts of interest. Banks must ensure that its risk function and its Chief Risk Officer (CRO) or equivalent person reports directly to the Board and the Chief Executive Officer (CEO). The risk function must highlight to board and senior management risk management concerns such as risk concentrations and breaches of tolerable risk limits. 4.1.8 On the set-up and governance of risk management and control frameworks, banks shall ensure that they submit the following information on risk governance framework: a) description of the overall governance arrangements, including the roles and responsibilities within the risk management and control organisation, including at the level of management body and senior management across the group covering: (i) risk taking, risk management and risk control, in general; (ii) ICAAP and ILAAP and their key components, including inter alia risk identification, risk measurement, stress testing, capital and liquidity planning, limit structures, limit breaches, escalation procedures etc.); b) description of reporting lines and frequency of regular reporting to the management body covering the risk management and control of the risks; c) description of interaction between risk measurement and monitoring and actual risk taking practice (e.g. limit setting, monitoring, dealing with breaches etc.); d) description of processes that ensures that the bank has in place a robust framework for the management of its risks and their evolution, the interaction and integration of capital and liquidity management, including interaction between ICAAP and ILAAP, also referring to ICAAP and ILAAP integration into risk management, and the overall management of the bank, including pricing and performance management;

8 e) where appropriate, description of separation of tasks within the banking group, institutional protection scheme or cooperative network concerning risk management. 4.2 Risk appetite and risk management framework 4.2.1 The Board is responsible for the risk appetite of a regulated bank and for ensuring that the bank has an appropriate risk management framework. Risk appetite is a fundamental part of both risk management and capital management. 4.2.2 An ICAAP/ILAAP involves an integrated approach to risk management, liquidity and capital management, based around assessing the level of, and appetite for, risk in the regulated bank and ensuring that the level and quality of capital is appropriate to that risk profile. The Central Bank expects the processes of risk, liquidity and capital considerations to have clear linkages, and be consistent with one another and with the business planning process. The processes will also be embedded in the bank’s operations and be key inputs into decision-making. 4.2.3 The Central Bank expects that the risk appetite and risk management framework of a regulated bank will address all material sources of risk for that bank. This will include risks that are covered by specific regulatory capital requirements and risks that are not, regardless of whether those risks are able to be quantified. 4.2.4 A bank is also responsible for the sound management of liquidity risk. A bank shall establish a robust liquidity risk management framework that ensures it maintains sufficient liquidity, including a cushion of unencumbered, high quality liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources. 4.2.5 Since a regulated bank is required under the capital and liquidity standards to have an appropriate ICAAP/ILAAP in place at all times, it follows that material changes in its risk profile or risk appetite would prompt a reconsideration of capital and liquidity needs and a review of the ICAAP/ILAAP. Banks shall collect and share the following information: a) Information on business model and strategy (i) Banks shall ensure that they prepare and submit the following information on business model and strategy:  description of the current business models including identification of core business lines, markets, geographies, subsidiaries and products it operates;  description of main income and cost drivers, allocated to core business lines, markets and subsidiaries. (ii) On forward-looking strategy, banks shall ensure that they prepare and submit the following information:  description of the changes planned by the bank to the current business model and its underlying activities (including information on operational changes (such as IT infrastructure) or governance issues);  projections of key financial metrics for all core business lines, markets and subsidiaries;  description of how the business strategy and ICAAP/ILAAP are linked. b) Information on risk appetite framework The risk appetite framework, banks shall share the following: (i) description of the correspondence of the strategy and business model of the bank with its risk appetite framework;

9 (ii) description of the process and governance arrangements, including the roles and responsibilities within senior management and management body, in respect of the design and implementation of risk appetite framework; (iii) information on the identification of material risks the bank is or might be exposed to; (iv) description of the risk appetite/tolerance levels, thresholds and limits set for the identified material risks, as well as time horizons, and the process applied to keeping such threshold and limits up-to-date. A bank shall clearly articulate a liquidity and funding risk risk tolerance that is appropriate for its business strategy and its role in the financial system; (v) description of the limit allocation framework covering group, and, e.g. core business lines, markets and subsidiaries; (vi) description of the integration and use of the risk appetite framework in risk and overall management, including links to business strategy, risk strategy, ICAAP and ILAAP, including capital and liquidity contingency planning. Capital plan shall also take into account the dividend policy and planned growth while determining the adequate capital level. 4.3 Policies, procedures, limits and controls 4.3.1 Banks’ risk management programmes must include detailed policies that set specific bank prudential limits on the principal risks relevant to the bank’s activities. 4.3.2 The bank’s policies and procedures must provide specific guidance for the implementation of broad business strategies and shall establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. 4.3.3 These limits must consider the bank’s role in the financial system and be defined in relation to the bank’s capital, liquidity, total assets, and earnings or, where adequate measures exist, its overall risk level. 4.3.4 In general banks’ policies, procedures and limits must: a) provide for adequate and timely identification, measurement, monitoring, control and mitigation of the risks posed by its lending, investing, trading, securitisation, off-balance sheet, fund management, fiduciary and other significant activities at the business line and bank wide levels. b) ensure that the economic substance of the bank’s risk exposures, including reputational risk and valuation uncertainty, are fully recognised and incorporated into the bank’s risk management processes. c) be consistent with the bank’s stated goals and objectives, as well as its overall financial strength. d) clearly delineate accountability and lines of authority across the bank’s various business activities, and ensure there is a clear separation between business lines and the risk management function. e) provide for the escalation of breaches to the Board and address breaches of internal position limits. f) provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines to ensure that the bank is able to manage and control the activity prior to it being initiated; and g) include a schedule and process for reviewing the policies, procedures and limits and for updating them as appropriate. h) key policies for implementing the strategy and the liquidity risk management structure must be communicated throughout the organisation by senior management. i) must be subject to effective review on an ongoing basis, in addition to a comprehensive review as part of the review of the risk management framework. 4.3.5 Sound Capital Assessment requires ICAAP design to be comprehensive and provide for identification, quantification and reporting of all the material risks faced by the bank.

10 4.3.6 Banks must have a sound counterparty credit risk management framework shall include the identification, measurement, management, approval and internal reporting of CCR. Banks shall also have counterparty credit risk (CCR) management policies, processes and systems that are conceptually sound and implemented with integrity relative to the sophistication and complexity of a bank’s holdings of exposures that give rise to CCR. Banks’ risk management policies must take account of the market, liquidity, legal and operational risks that can be associated with CCR and, to the extent practicable, interrelationships among those risks. 4.3.7 In addition, banks are expected to develop effective internal policies, systems and controls to identify, monitor, measure and control counterparty credit risk and credit risk concentrations. 4.3.8 Banks must have documented written policies and procedures around its credit risk mitigation practices and conduct regular reviews to assess effectiveness and the function of the process. Credit risk mitigation policies and procedures must give full recognition to each credit risk mitigant and to ensure that the policies and procedures are appropriate to the level of the capital benefit. 4.3.9 For ILAAP, banks must have the liquidity management strategy that include specific policies on liquidity management, such as: a) the composition and maturity of assets and liabilities; b) the diversity and stability of funding sources; c) the approach to managing liquidity in different currencies, across borders, and across business lines and legal entities; and d) the approach to intraday liquidity management. 4.3.10 A bank must have adequate policies, procedures and controls in place to ensure that the Board and senior management are informed immediately of new and emerging liquidity concerns. These include increasing funding costs or concentrations, increases in any funding requirements, the lack of availability of alternative sources of liquidity, material and/or persistent breaches of limits, a significant decline in the cushion of unencumbered liquid assets or changes in external market conditions that could signal future difficulties. 4.4 Identifying, measuring, monitoring and reporting of risk 4.4.1 Banks must establish an adequate system for identifying, measuring, monitoring and reporting risk exposures and assessing how the bank’s changing risk profile affects the need for capital. Additionally, banks shall have adequate management information systems (MIS) that provide the board and senior management with timely and relevant reports on the bank’s risk profile and capital needs. 4.4.2 A bank must have a sound process for identifying, measuring, monitoring and controlling liquidity risk. This process must include a robust framework for comprehensively projecting cash flows arising from assets, liabilities and off-balance sheet items over an appropriate set of time horizons. 4.4.3 These reports must allow senior management to: a) evaluate the level and trend of material risks and their effect on capital levels; b) evaluate the sensitivity and reasonableness of key assumptions used in the capital assessment measurement system; c) determine that the bank holds sufficient capital against the various risks and is in compliance with established capital adequacy goals; and d) assess its future capital requirements based on the bank’s reported risk profile and make necessary adjustments to the bank’s strategic plan accordingly. e) actively manage its intraday liquidity positions and risks in order to meet payment and

11 settlement obligations on a timely basis under both normal and stressed conditions, thus contributing to the orderly functioning of payment and settlement systems. f) actively manage its collateral positions, differentiating between encumbered and unencumbered assets. A bank must monitor the legal entity and physical location where collateral is held and how it may be mobilised in a timely manner. g) design a set of early warning indicators to aid its daily liquidity risk management processes in identifying the emergence of increased risk or vulnerabilities in its liquidity risk position or potential funding needs. Such early warning indicators must be structured so as to assist in the identification and escalation of any negative trends in the bank’s liquidity position and lead to an assessment and potential response by management to mitigate the bank’s exposure to these trends. h) develop and implement a costs and benefits allocation process for funding and liquidity that appropriately apportions the costs of prudent liquidity management to the sources of liquidity risk and provides appropriate incentives to manage liquidity risk. 4.4.4 The information must include all risk exposures, including those that are off-balance sheet. Management must understand the assumptions behind and limitations inherent in specific risk measures. 4.5 Appropriate Management Information Systems (MIS) 4.5.1 A bank must have a reliable management information system that provides the Board, senior management and other appropriate personnel with timely and forward-looking information on the liquidity position of the bank. 4.5.2 The key elements necessary for the aggregation of risks are an appropriate infrastructure and MIS that: a) allow for the aggregation of exposures and risk measures across business lines; and b) support customized identification of concentrations and emerging risks. 4.5.3 MIS developed to achieve this objective must support the ability to evaluate the impact of various types of economic and financial shocks that affect the whole of the bank. Further, banks’ systems must be flexible enough to incorporate hedging and other risk mitigation actions to be carried out on a bank wide basis while taking into account the various related basis risks. 4.5.4 Banks’ MIS must be adaptable and responsive to changes in underlying risk assumptions and must incorporate multiple perspectives of risk exposure to account for uncertainties in risk measurement. In addition, MIS must be sufficiently flexible so that banks can generate forward looking bank wide scenario analyses that capture management’s interpretation of evolving market conditions and stressed conditions. Third party inputs or other tools used within MIS (eg credit ratings, risk measures, etc) must be subject to initial and ongoing validation. 4.5.5 Banks’ MIS must be capable of capturing limit breaches and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that appropriate follow￾up and remedial actions are taken. For instance, similar exposures must be aggregated across business platforms (including the banking and trading books) to determine whether there is a concentration or a breach of an internal position limit. 4.5.6 Information on risk data, aggregation and IT systems: On risk data, aggregation and IT systems, banks shall ensure that they submit the following: a) description of the framework and process to gather, store and aggregate risk data across various levels of a bank, including flow of data from subsidiaries to the group; b) description of data flow and data structure of risk data used for ICAAP and ILAAP; c) description of data checks applied for risk data used for ICAAP and ILAAP;

12 d) description of IT systems used to gather, store, aggregate and disseminate risk data used for ICAAP and ILAAP. 5. ELEMENTS SPECIFIC TO ICAAP 5.1 Sound capital assessment and capital planning 5.1.1 The analysis of a bank’s current and future capital requirements in relation to its strategic objectives is a vital element of the strategic planning process. The strategic plan must clearly outline the bank’s capital needs, anticipated capital expenditures, desirable capital level, and external capital sources. 5.1.2 Banks are responsible for ensuring that their internal capital assessments are comprehensive and adequate to the nature of risks posed by their business activities and operating environments. 5.1.3 Fundamental elements of sound capital assessment include: a) a clear and documented process for evaluating risks and determining whether or not a risk must result in an explicit amount of capital being held; b) policies and procedures designed to ensure that banks identify, measure, and report all material risks; c) a process that relates current and anticipated future capital to the level of risk in accordance with board’s approved risk tolerance; d) a process that states capital adequacy goals with respect to risk, taking account of the bank’s strategic focus and business plan; e) a process on internal controls, reviews and audit to ensure the integrity of the overall management process. 5.1.4 Banks are also responsible for ensuring that they have in place an effective capital planning process. This process requires banks to: a) assess both the risks to which they are exposed and the risk management b) processes in place to manage and mitigate those risks; c) evaluate the capital adequacy relative to their risks; and d) consider the potential impact on earnings, liquidity and capital from potential economic downturns. 5.1.5 Banks must identify the time horizon over which capital adequacy is being assessed and must evaluate whether long run capital targets are consistent with short run goals. During the capital planning process, the banks must be cognizant that additional capital needs can require significant lead time and capital planning which can be costly. As such, banks must factor in the potential difficulties of raising additional capital during downturns or other times of stress. 5.2 Comprehensive assessment of risks and approach 5.1.1 Banks must base their ICAAP on the results of the Pillar I calculation with additional risks (e.g. concentration risk, interest rate risk in the banking book etc.) assessed separately and added to Pillar I. The description here shall indicate clearly which risks are covered by which modelling or calculation approach. This would include details of the methodology and process used to calculate risks in each of the categories identified and reason for choosing the method used in each case.

13 5.1.2 Banks must ensure that their ICAAPs identify and assess all material risks. The ICAAP must address: a) risks considered under Pillar 1 that are not fully captured by the Pillar 1 process (e.g. large exposures and credit risk concentration, FX lending risk, residual risk-CRM); b) risks inherent in banks that are not considered or captured by the Pillar 1 process (e.g. interest rate risk in the banking book, country/sovereign risk, reputational risk, business and strategic risks, insurance risk, pension obligation risk, reputational risk and implicit support, and other material risks); and c) risks and factors that are external to the Bank (e.g. business cycle effects and the macroeconomic environment). 5.1.3 Banks use credit risk mitigation (CRM) techniques to reduce their credit risk, these techniques give rise to other risks that may render the overall risk reduction less effective. These additional risks are legal risk, documentation risk and liquidity risk and are of supervisory concern. The Central Bank will expect banks to have in place appropriate written CRM policies and procedures in order to control these residual risks. 5.1.4 This document is not intended to give exhaustive guidance on the various risk exposures inherent in banks, however the appendix on the Regulation No 03/2012 of 30/04/2012 on Risk Management provides guidance on the minimum types of risks, management and controls that banks can use in preparation of their ICAAPs. 5.3 Relating capital to risk 5.3.1 The ICAAP shall include a consistent approach to deriving capital requirements from the bank’s risk measurement, in line with its established level of risk tolerance. For instance, when calibrating its capital needed against Pillar 1 or minimum regulatory capital, a bank may use internal models (see appendix 3) only in Pillar 2 of the Basel II Framework. However, the bank shall aim to achieve confidence levels for those other risks that are no lower than the Pillar 1 assumed confidence levels. Depending on proportionality considerations and industry developments over time, banks may design their ICAAP in various ways. 5.3.2 To assess overall capital adequacy, banks shall consider not only quantitative techniques but shall also include an element of qualitative assessment or management judgment of both capital model inputs and outputs. 5.3.3 Banks are likely to ascertain that some risks they face are easier to measure than others. An ICAAP can hence involve a mixture of rigorous risk capital estimates and more judgment-based estimates. Risks shall be included if they are material, even if they are hard to quantify. However, there could be a trade-off between the importance of allocating capital to such risks, and the robustness of the bank’s approach to mitigating and managing these risks. 5.3.4 In addition to addressing the risks discussed in the previous paragraphs, banks must also have appropriate systems to address specific risk management issues. Some of these risk management issues include valuation practices and stress testing practices. 5.4 Issue of Valuation practices 5.4.1 Banks must ensure that they have adequate governance structures and control processes for fair valuing exposures for risk management and financial reporting purposes. The valuation governance structures and related processes must be embedded in the overall governance structure of the bank, and consistent for both risk management and reporting purposes.

14 5.4.2 Banks must have clear and robust governance structures for the production, assignment and verification of financial instrument valuations. Policies must ensure that the approvals of all valuation methodologies are well documented. In addition, policies and procedures must set forth the range of acceptable practices for the initial pricing, marking-to-market/model, valuation adjustments and periodic independent revaluation. New product approval processes must include all internal stakeholders relevant to risk measurement, risk control, and the assignment and verification of valuations of financial instruments. 5.4.3 Banks’ control processes for measuring and reporting valuations must be consistently applied across the bank and integrated with risk measurement and management processes. In particular, valuation controls must be applied consistently across similar instruments (risks) and consistent across business lines (books). These controls must be subject to internal audit. Regardless of the booking location of a new product, reviews and approval of valuation methodologies must be guided by a minimum set of considerations. Furthermore, the valuation/new product approval process must be supported by a transparent, well documented inventory of acceptable valuation methodologies that are specific to products and businesses. 5.4.4 In order to establish and verify valuations for instruments and transactions in which it engages, banks must have adequate capacity, including during periods of stress. This capacity must be commensurate with the importance, riskiness and size of these exposures in the context of the business profile of the bank. In addition, for those exposures that represent material risk, banks are expected to have the capacity to produce valuations using alternative methods in the event that primary inputs and approaches become unreliable, unavailable or not relevant due to market discontinuities or illiquidity. Banks must test and review the performance of its models under stress conditions so that it understands the limitations of the models under stress conditions. 5.4.5 Banks are expected to apply the accounting guidance provided to determine the relevant market information and other factors likely to have a material effect on an instrument's fair value when selecting the appropriate inputs to use in the valuation process. Where values are determined to be in an active market, banks must maximise the use of relevant observable inputs and minimise the use of unobservable inputs when estimating fair value using a valuation technique. 5.4.6 Where a market is deemed inactive, observable inputs or transactions may not be relevant, such as in a forced liquidation or distress sale, or transactions may not be observable, such as when markets are inactive. In such cases, accounting fair value guidance provides assistance on what must be considered, but may not be determinative. In assessing whether a source is reliable and relevant, banks must consider, among other things: a) the frequency and availability of the prices/quotes; b) whether those prices represent actual regularly occurring transactions on an arm's length basis; c) the breadth of the distribution of the data and whether it is generally available to the relevant participants in the market; d) the timeliness of the information relative to the frequency of valuations; e) the number of independent sources that produce the quotes/prices; f) whether the quotes/prices are supported by actual transactions; g) the maturity of the market; and h) the similarity between the financial instrument sold in a transaction and the instrument held by the bank.

15 5.5 Forward looking and Sound stress testing practices Role of board and management: 5.5.1 A bank is required to perform rigorous and forward-looking stress tests that identify plausible severe loss events or adverse changes in market conditions, and assess their impact on the bank’s capital adequacy. 5.5.2 Stress testing must form an integral part of the overall governance and risk management culture of the bank. Board and senior management involvement in setting stress testing objectives, defining scenarios, discussing the results of stress tests, assessing potential actions and decision making is critical in ensuring the appropriate use of stress testing in banks’ risk governance and capital planning. Senior management must take an active interest in the development and operation of stress testing. 5.5.3 For ICAAP purposes, bank management shall ensure that the capital adequacy would be appropriate for a range of business conditions at different points in the business cycle. 5.5.4 The ICAAP shall take into account forward-looking factors such as changes in the bank’s strategic plans. It is important for both the board and senior management to examine a bank’s current and future capital requirements in relation to its strategic business objectives. The strategic plan shall clearly delineate the bank’s near- and longer-term capital needs, capital expenditures required for the foreseeable future, target capital levels, and external capital sources. Capital planning and budgeting shall be a key feature in the strategic planning process. 5.5.5 Stress testing can assist in the formulation of capital targets and trigger levels by: a) assisting the regulated bank to understand its risk profile; b) indicating and validating key assumptions (such as those assumptions to which the outcome is most sensitive); c) testing the appropriateness of proposed capital targets; d) testing the risk appetite of the bank against its ability to bear risk (i.e. the risk capacity); e) providing a reasonableness check on the outputs of capital modeling; and f) being readily understandable to the Board and senior management. Methodologies for stress testing: 5.5.6 The use of appropriate methodologies in stress testing programmes is key to fulfilling their purposes. Whilst this guideline does not prescribe specific methodologies for banks to use, the methodologies illustrated are intended to enhance banks’ practices in stress testing, in particular by identifying the types of methodologies that shall be considered by the bank in designing its stress testing programme. 5.5.7 In a general sense, an effective stress testing programme of the bank shall consist of sensitivity analyses (single and simple multi-factor analyses) and scenario analyses addressing all material risks at various levels of the bank. The combination of approaches as well as the level of details of the stress testing and scenario analysis will depend on the size and complexity of the specific bank. 5.5.8 The following ranges of approaches shall be used by the bank for an effective stress testing programme: a) Scenario analysis including: 5.5.9 Banks will typically make use of a range of stress scenarios in its testing program. The Central Bank expects that stress scenarios considered will typically cover the full range of material risks range in impact and include very severe scenarios to which the bank is exposed.

16 5.5.10 Scenario design shall take into account systematic and bank-specific changes in the present and near future and thus be forward-looking. Moreover, scenarios shall: (i) Address all the material risk types of the bank (e.g. credit risk, market risk, operational risk, interest rate risk-in the banking book and liquidity risk). No material risk type shall be left unconsidered. (ii) Address the main risk factors the bank may be exposed to. In this regard the results obtained from single factor analyses (see above), which aim at providing information about the sensitivity towards single risk factors, may be used to identify scenarios that include a stress of a combined set of highly plausible risk factors. No material risk factor shall be left unstressed or unconsidered. (iii) Address major bank-specific vulnerabilities. These shall take the regional and sectoral characteristics of the bank into account as well as considering specific product or business line exposures and funding policies. Therefore, concentration risk, both intra- and inter–risk types, shall be identified a priori. (iv) Contain a narrative scenario which shall include various trigger events, such as monetary policy, financial sector developments, commodity prices, political events and natural disasters. Narrative in this regard means that the co-movement of risk factors and the corresponding reaction of market participants are not implausible or paradoxical but yield a consistent picture of a possible overall future state. (v) Be internally consistent so that identified risk drivers behave in ways which are consistent with the other risk drivers in a stress. (vi) Take into account developments in technology such as newly developed and sophisticated financial products and their interaction with the valuation of more traditional products. (vii) Be forward-looking and include severe outcomes. b) Sensitivity testing: 5.5.11 Sensitivity analysis is the simple stressing of one risk driver to assess the sensitivity of the bank to that risk driver. For example the default of their largest counterparties, wholesale deposit run-off or a decline in value of high quality liquid assets. Such analyses provide information about key risks and enhance understanding about potential risk concentrations in one or several risk factors. 5.5.12 A bank shall identify relevant risk drivers in particular: macro-economic risk drivers (e.g. interest rates), credit risk drivers (e.g. a change in bankruptcy law or a shift in NPLs), financial risk drivers (e.g. increased volatility in financial instruments markets), and external events (e.g. operational risk events, market events, events affecting regional areas or industry sectors etc). 5.5.13 The bank shall then stress the identified risk drivers using different degrees of severity. The severity of single factor shocks is likely to be influenced by long-term historical experience but banks are advised to supplement this with hypothetical assumptions to test the bank’s vulnerability to specific risk factors. 5.5.14 The bank can conduct sensitivity analyses at the level of individual exposures, portfolios, sectorial or business units, as well as bank-wide, against specific risk areas as sensitivity analysis is likely to lend itself to risk-specific stress testing. 5.5.15 Furthermore single factor analysis can be supplemented by simple multi-factor sensitivity analyses, where a combined occurrence is assumed, without necessarily having a scenario in mind. 5.5.16 Also, banks must develop methodologies to measure the effect of reputational risk in terms of other risk types, namely credit, liquidity, market and other risks that they may be exposed to in order to avoid reputational damages and in order to maintain market confidence. This could be done by including reputational risk scenarios in regular stress tests. For instance, including non- contractual

17 off balance sheet exposures in the stress tests to determine the effect on a bank’s credit, operation, market and liquidity risk profiles. c) Frequency 5.5.17 The frequency of stress testing shall be determined in accordance with the nature of the risks which the banks are exposed to and the types of tests performed. Thus, stress tests may be run on a daily, weekly, monthly, quarterly or yearly basis, depending on the nature of the portfolio and risks as well as circumstances. 5.5.18 Stress tests shall be produced regularly enough to take account of changing market conditions and the bank’s changing risk profile. Generally, the trading portfolio would be subject to more frequent stress testing. Similarly, in times of greater volatility and unstable market conditions, more stress testing would be conducted. 5.5.19 However under specific circumstances, ad-hoc stress tests may also be required to assess the impact of observed deterioration which banks had not taken into account or to assess the impact of similar stress across the industry. d) Magnitude of Shock 5.5.20 Banks may vary the level of stress to assess its vulnerability under different scenarios. Accordingly, banks would need to determine the magnitude of shocks to be administered. 5.5.21 Selecting the worst movement in the previous one-year period may not be optimal as the period may not include any stressful event. The time interval shall include at least one business cycle (appropriate to the portfolio). 5.5.22 The magnitude of the shock used shall be greater than the conservative estimate of potential losses over the business cycle. Banks shall consider its adverse market movement (point of worst movement) relevant to the long-term risk profile of the specific portfolio. 5.5.23 The shocks shall have some reference to but not be bound by historical events nor be so large that the exercise becomes purely hypothetical. The scenarios shall be forward looking and also have some relevance to the current events or circumstances. e) Reporting of Stress Test Results to the Central Bank 5.5.24 Banks are expected to conduct several different stress tests in terms of scenarios and frequency. However, the reporting to the Central Bank on the latest stress test conducted by the banks will be demonstrated in three scenarios only; baseline scenario, exceptional but plausible event scenario and a worst case scenario, based on the minimum requirements. 5.5.25 The results of stress tests must contribute to strategic decision making and foster internal debate regarding assumptions, such as the cost, risk and speed with which new capital could be raised or that positions could be hedged or sold. Board and senior management involvement in the stress testing program is essential for its effective operation. 5.5.26 Banks are required to submit the stress test results to the Central Bank’s Bank Supervision Department after the internal assessment as guided by this guideline. The submission shall cover the following: i) Coverage  A description of the risk areas being subjected to stress tests.  Conditions prevailing and assumptions used for the stress test. Banks are required to describe the event as well as give details of the conditions prevailing in each scenario such as the level

18 of GDP, interest rates, unemployment, concentration in properties. Banks shall also include any other significant assumptions used in the stress tests. ii) Results of the Stress Test  The results of the stress test to be reported shall include, at a minimum, the impact on the profitability, capital and asset quality and liquidity at end of each reporting quarter.  A bank shall identify outputs in relation to its regulatory capital and resources, and also relevant balance sheet and P&L impacts, as a result of its stress testing programme.  Both absolute amounts and key financial ratios shall be reported. Other indicators and ratios may be included by the bank if deemed useful. 5.5.27 Banks shall identify credible management actions addressing the outputs of stress tests and aimed at ensuring their ongoing solvency through the stressed scenario. 5.6 Risk monitoring and reporting processes 5.6.1 The bank shall establish an adequate system for monitoring and reporting risk exposures. The system shall help assess how changes in the bank’s risk profile affect capital needs. 5.6.2 The board and senior management shall receive regular reports or updates on the bank’s risk profile and capital needs. These reports shall enable senior management to carry out the following tasks: a) Evaluate the level and trend of material risks and their effect on capital requirements; b) Evaluate the sensitivity and reasonableness of central assumptions used in the capital measurement system; c) Determine that the bank holds sufficient capital against various risks; d) Determine that the bank meets its internal capital adequacy goals; and e) Assess its future capital requirements based on the bank’s reported risk profile and in turn make necessary adjustments to the bank’s strategic plan accordingly. 5.7 ICAAP document 5.7.1 Banks are required to prepare and submit the ICAAP report atleast annually, with minimum elements as provided in the appendix I, approved by the board. A comprehensive report shall have descriptive and analytical elements to enable the Central Bank to appraise the following: a) the organizational and methodological structure of the process for determining internal capital, with the assignment of responsibilities among the various functions or units involved in the ICAAP; the risk assessment/measurement systems; the main control and mitigation tools for the most significant risks; the strategic and competitive scenarios that the bank used in its capital planning; b) the bank’s self-assessment of its internal capital planning process. It shall identify areas for methodological and organizational improvement, specifically identifying any deficiencies in the process, the corrective actions to be taken and the timetable for such actions. 5.7.2 The ICAAP shall be embedded in the bank’s business and organizational processes, and not simply regarded as an add-on that permits the management body (both supervisory and management functions) to indicate that supervisory expectations have been met. 5.7.3 The Central Bank recognizes that there may be a fair degree of variation in the length and format of ICAAP submissions since banks’ business and risk profiles differ and the ICAAP document shall be proportional to the size, nature and complexity of a bank’s business. However, while the suggested format by the Central Bank may be considered to be convenient for some banks as on a general basis, it covers most of the matters which typically would be the subject of review through the Supervisory Review and Evaluation Process (SREP) which would be carried out by the Central Bank.

19 5.7.4 Once an ICAAP has been drawn up, the Central Bank stresses that in line with the provisions of the Directive on Capital requirements and this guideline, it shall be subject to regular internal review and such assessment of the ICAAP is to be conducted at least annually. 5.7.5 Where appropriate, technical information on risk measurement methodologies, capital models and all other works carried out to validate the approach (e.g. Board papers and minutes, internal or external reviews), could be contained in appendices. 5.7.6 Where the bank already possesses documentation that provides information concerning one or more parts of the reporting areas, it may refer to the existing documentation without preparing documents specifically for ICAAP reporting purposes. Annual updating of some sections is not required if no significant changes have occurred. Specifically, for sections of a structural or descriptive nature (including risk control and mitigation tools and systems), banks may confirm the information submitted the previous year. 5.7.7 Where the documentation shall prove inadequate, insufficient or in need of further clarification, the Central Bank may request additional information. 5.7.8 In addition to the information items referred to in the Sections 5.1-5.7, banks shall ensure that they submit all relevant supporting information including minutes of relevant committees and management body meetings evidencing the sound set-up and implementation of ICAAP, and in particular: a) approval of overall set-up of ICAAP; b) approval of key ICAAP elements, such as general objectives and main assumptions, risk measurement and assessment, risk aggregation, internal capital, capital allocation, capital planning, stress scenarios , their main assumptions and outcomes, etc. c) discussion on (changes in) risk and capital situation, limit breaches, etc., including decisions on management actions or the explicit decision not to take any action; d) decisions on new product approval committees (or the respective decision making body) evidencing the impact on the risk and capital profile is taken into account; e) decisions on management actions related to internal capital estimates, their aggregation and their comparison to the available internal capital (current situation and forward-looking); f) discussion of the outcome of stress testing in ICAAP and decision on any management action; g) where available, internal self-assessments in which institutions can take the opportunity to justify their level of compliance against publicly available criteria regarding risk management and control that affect ICAAP. 5.8 ICAAP reporting, Internal Control and review 5.8.1 A bank shall attach to their information package a concise statement about their capital adequacy, supported by an analysis of the ICAAP set-up and outcomes and signed by the management body. 5.8.2 It shall contain an explicit internal definition of capital adequacy and, in addition, it shall include the relevant outcomes from the ICAAP, including the forward-looking view of the main factors affecting capital adequacy. This statement shall be substantiated by a compilation of the most relevant arguments and facts supporting the conclusions, covering the overall ICAAP architecture, the short-term quantitative view (including internal and regulatory metrics and requirements – capital ratios, etc.), the medium-term view, with a focus on the critical scenarios, forecasted impacts and links with strategy and capital planning, the role of the management bodies and strategic decisions (regarding the risk management frameworks, business models, strategies, risk appetite, etc.) linked to the ICAAP outcomes, highly relevant changes since the previous year, forward￾looking considerations, and main weaknesses and how they are being addressed.

20 5.8.3 A bank’s internal control structure is essential to the capital assessment process. The board of directors has a responsibility to ensure that management establishes an internal control structure for assessing the various risks, develops a system to relate risks to banks’ capital levels, and establish a method for monitoring compliance with internal policies. The Board must regularly verify whether its system of internal controls is adequate to ensure well-ordered and prudent conduct of business. 5.8.4 Effective control of the capital assessment process includes an independent review and, where appropriate, the involvement of internal or external audits. Internal as well as external auditors must frequently monitor and test risk management processes. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception based reporting, is undertaken effectively. 5.8.5 Banks must conduct periodic reviews of their risk management processes to ensure its integrity, accuracy, and reasonableness. Areas that must be reviewed include: a) appropriateness of the bank’s capital assessment processes given the nature, scope and complexity of its activities; b) identification of large exposures and risk concentrations; c) accuracy and completeness of data inputs into the bank’s assessment processes; d) reasonableness and validity of scenarios used in the assessment process; and e) stress testing and analysis of assumptions and inputs. 5.8.6 Banks must review and update their ICAAP at least on an annual basis taking into account actual results against projections, as well as examine and document significant variances and capture any new or additional risks that may have emerged. 6. ELEMENTS SPECIFIC TO ILAAP 6.1 Liquidity and funding risk management framework 6.1.1 As part of the overall liquidity regulation, a bank must have in place robust strategies, policies, processes and systems that enable it to identify, measure, manage and monitor liquidity risk and funding risk over an appropriate set of time horizons, including intra-day, so as to ensure that it maintains adequate levels of liquidity buffers and an appropriate funding profile. These strategies, policies, processes and systems must be tailored to business lines, currencies, branches and legal entities and must include adequate allocation mechanisms of liquidity costs, benefits and risks. 6.1.2 The strategies, policies, processes and systems referred to in the previous paragraph must be proportionate to the complexity, risk profile and scope of operation of the bank, and the liquidity risk appetite and funding risk appetite set by the bank’s management body in accordance with liquidity/funding risk appetite, and must reflect the bank’s importance in each country in which it carries on business. 6.1.3 A bank must put in place risk management policies to define its approach to asset encumbrance, as well as procedures and controls that ensure that the risks associated with collateral management and asset encumbrance are adequately identified, monitored and managed. 6.2 Intra-day management of liquidity 6.2.1 A bank must actively manage its intra-day liquidity positions and any related risks so that it is able to meet its payment and settlement obligations on a timely basis.

21 6.2.2 For the purposes of above paragraph, a bank must ensure that its intra-day liquidity management arrangements enable it: a) to meet its payment and settlement obligations on a timely basis under both normal financial conditions and under the stresses required by section 6.8; b) to identify and prioritize the most time-critical payment and settlement obligations; and c) in relation to the markets in which it is active and the currencies in which it has significant positions, to measure, monitor and deal with intra-day liquidity risk. A bank must in particular be able to: i) measure expected daily gross liquidity inflows and outflows, anticipate the intra-day timing of these flows where possible, and forecast the range of potential net funding shortfalls that might arise at different points during the day; and ii) manage the timing of its liquidity outflows such that priority is given to the bank’s most time￾critical payment obligations. 6.3 Transfer pricing 6.3.1 Banks shall ensure that liquidity and funding costs, benefits and risks are fully incorporated into banks’ product pricing, performance measurement and incentives, and new product and transaction approval processes. All significant business lines shall be included, whether on or off-balance sheet. Both stressed and business-as-usual costs shall be assessed. The process shall be transparent and understood by business line management, and regularly reviewed to ensure it remains appropriately calibrated. The Central Bank expects to review these arrangements as part of its review of firms’ liquidity management. 6.3.2 A bank must implement an adequate transfer pricing system to ensure that it accurately quantifies liquidity and funding costs, benefits and risk in relation to all significant business activities. 6.4 Management of collateral 6.4.1 A bank must actively manage collateral positions and distinguish between pledged and unencumbered assets that are available at all times, in particular during emergency situations. 6.4.2 A bank must also take into account the legal entity in which assets reside, the country where assets are legally recorded either in a register or in an account as well as their eligibility and must monitor how assets can be mobilised in a timely manner. 6.5 Managing liquidity across legal entities, business lines, countries and currencies 6.5.1 A bank must actively manage its liquidity risk exposures and related funding needs and take into account: a) existing legal, regulatory and operational limitations to potential transfers of liquidity and unencumbered assets amongst entities; and b) any other constraints on the transferability of liquidity and unencumbered assets across business lines, countries and currencies. 6.6 Funding diversification and market access 6.6.1 A bank must ensure that it has access to funding which is adequately diversified, both as to source and tenor. 6.6.2 A bank must develop methodologies for the identification, measurement, management and monitoring of funding positions. Those methodologies must include the current and projected material cash-flows in and arising from assets, liabilities, off-balance-sheet items, including contingent liabilities and the possible impact of reputational risk.

22 6.7 Management of asset encumbrance 6.7.1 A bank must actively manage its asset encumbrance position and must ensure that: a) its risk management policies take into account: i) the bank’s business model; ii) the countries in which it operates; iii) the specificities of the funding markets; and iv) the macroeconomic situation; and b) its management body receives timely information on: i) the current and expected level and types of asset encumbrance and related sources of encumbrance, such as secured funding or other transactions; ii) the amount, expected level and credit quality of unencumbered assets that are capable of being encumbered, specifying the volume of assets available for encumbrance; and iii) the expected amount, level and types of additional encumbrance that may result from stress scenarios. 6.7.2 For the purpose of this section, a bank must treat an asset as encumbered if it is subject to any form of arrangement to secure, collateralise or credit enhance any transaction. 6.8 Stress testing Role of Board and senior management 6.8.1 A bank must ensure that its management body reviews regularly the stresses and scenarios tested to ensure that their nature and severity remain appropriate and relevant to the bank. 6.8.2 The bank shall have in place description of the policy framework on liquidity stress testing, including items such as the number of scenario’s used, scope, reporting frequency, risk drivers (macro and idiosyncratic), and, where relevant, split in currencies / regions / business units. 6.8.3 Also the policy shall include a description of the criteria for calibrating scenarios, selecting appropriate time horizons (including intraday, where relevant), quantification of the impact of stress on the liquidity value of buffer assets, etc. 6.8.4 The extent and frequency of testing is commensurate with the size and complexity of the bank and its liquidity risk exposure, as well as with its relative importance within the financial sector. Stress scenarios and tools 6.8.5 A bank must consider alternative scenarios on liquidity positions and on risk mitigants and must review the assumptions underlying decisions concerning the funding position at least annually. For these purposes, alternative scenarios must address, in particular, off-balance sheet items and other contingent liabilities, including special purpose entities or other special purpose entities, as referred to in the capital regulation and directive on computation of RWA in relation to which the bank acts as sponsor or provides material liquidity support. A bank therefore must: a) conduct on a regular basis appropriate stress tests so as to: (i) identify sources of potential liquidity strain; (ii) ensure that current liquidity exposures continue to conform to the liquidity risk and funding risk appetite established by that bank's management body; and (iii) identify the effects on that bank's assumptions about pricing; and b) analyse on a regular basis the separate and combined impact of possible future liquidity stresses on its:

23 (i) cash flows; (ii) liquidity position; (iii) balance sheet position; (iv) profitability; and (v) solvency (regulatory capital and resources). 6.8.6 A bank must consider different liquidity risk mitigation tools, including a system of internal limits and liquidity buffers in order to be able to withstand a range of different stress events and an adequately diversified funding structure and access to funding sources. It must review those arrangements regularly. 6.8.7 Banks must use stress scenarios and tools described below to test and assess liquidity risk on an ongoing basis. This does not preclude the bank to use other stress scenarios. 6.8.8 Banks shall adopt a conservative approach when assessing the future behaviour of cash flows and their expected maturities-cashflow mismatch. Significant judgement is involved in making assumptions, which will vary for each bank, and also vary under normal business operation and crisis scenario analyses. Each bank shall document in its liquidity risk management policy in detail, the underlying assumptions relating to the cash flow mismatches and justify the reasoning behind these assumptions. 6.8.9 When making assumptions of future cash flows, the bank must as a minimum determine: (i) the proportion of maturing assets and liabilities that the bank will rollover or renew; (ii) the expected growth level of new loans and deposits; (iii) the behaviour of assets and liabilities that have uncertain maturity dates; (iv) the behaviour of interest rates for assets and liabilities; (v) the behaviour of cash-flows from off-balance sheet activities; (vi) access to standby facilities, interbank money market and intra-group funding; and (vii) the convertibility of foreign currencies. 6.8.10 Guidance on the assumptions that a bank shall use for the maturity mismatch: a) Specific Guidance (assumptions) for contractual maturity mismatch. (i) No rollover of existing liabilities is assumed to take place. For assets, the bank is assumed not to enter into any new contracts. (ii) Contingent liability exposures that would require a change in the state of the world (such as contracts with triggers based on a change in prices of financial instruments or a downgrade in the bank's credit rating) need to be detailed, grouped by what would trigger the liability, with the respective exposures clearly identified. (iii) A bank shall record all securities flows. This will allow supervisors to monitor securities movements that mirror corresponding cash flows as well as the contractual maturity of collateral swaps and any uncollateralized stock lending/borrowing where stock movements occur without any corresponding cash flows. (iv) A bank shall report separately the customer collateral received that the bank is permitted to rehypothecate as well as the amount of such collateral that is rehypothecated at each reporting date. This also will highlight instances when the bank is generating mismatches in the borrowing and lending of customer collateral. b) Guidance on Behavioural Assumptions. (i) Assumptions regarding future cash flows from assets include (but are not limited to) the marketability of existing assets, the extent to which maturing assets will be renewed, the extent to which new assets will be acquired hence reducing contractual cash inflows. (ii) A bank experiencing asset quality problems shall not assume that assets will materialise when due. A more realistic set of assumptions on asset roll-over shall be embodied in the maturity mismatch analysis.

24 (iii) With regard to assets with embedded options such as timing and amount of withdrawal being uncertain, a bank shall conduct an analysis of historical observations to determine its cash flow patterns and derive behavioural assumptions applicable to its cash flows. (iv) A bank shall also examine the probability for significant cash flows from off-balance sheet activities. The contingent nature of most off-balance sheet instruments increases the complexity of managing the associated cash flows. Off-balance sheet activities such as letters of credit, financial guarantees, undrawn committed loans, derivatives and margin calls could lead to a significant drain on liquidity. Therefore, to manage all these, the bank must evaluate its impact on funding and ascertain a normal level of net cash flows arising from such activities on an on-going basis. (v) The bank’s stress tests take into account how the behaviour of counterparties (or their correspondents and custodians) may affect the timing of cash flows, including on an intraday basis. Where the bank uses a correspondent or custodian to conduct settlement, it is expected to analyse the impact of those agents restricting their provision of intraday credit. The bank is also expected to understand the impact of a particular stress event on its customers’ use of intraday credit, and how those needs may affect its own liquidity position. (vi) The behavioural assumptions of all the assets shall be documented and approved by the board. These assumptions shall be reviewed on an ongoing basis to ensure their continued validity. The scenario design is subject to regular reviews to ensure that the nature and severity of the scenarios tested remain appropriate and relevant to the bank. These reviews take account of changes in market conditions, changes in the nature, size or complexity of the bank’s business model and activities, and actual experiences in stress situations. (vii) Stress test results are analysed as to their sensitivity to the most important assumptions. 6.8.11 Stress scenarios to be recognised by a bank a) A bank shall develop and apply number of scenario’s used and risk drivers or trigger points. Such scenarios shall incorporate both scenarios of extreme stress (for example, to determine survival periods) and of less extreme stress (for example, to help gauge the funding plan’s feasibility or to test the compliance with internal targets or minimum requirements during periods of market turmoil). b) In designing the stress scenarios, the bank must take into consideration the nature of its activities, concentrations and vulnerabilities in relation to its business model, funding risks and market risks so that the scenarios enable the bank to evaluate the potential adverse impact of these factors on its liquidity position. c) Careful consideration is given to the design of stress scenarios and the variety of shocks simulated in them. When designing stress tests, a bank must not only consider the past, but also make use of hypotheses based on expert judgement. This means that the bank considers both short-term and protracted, and both bank-specific and market-wide (occurring simultaneously in a variety of markets) stress scenarios and a combination of both. d) The bank shall take into account the link between reductions in market liquidity and constraints on access to funding liquidity, particularly if the bank has a significant market share in, or is heavily reliant upon, specific funding markets. In stress testing its liquidity position, the bank considers the insights and results of stress tests performed for various other risk types as well as possible interactions with these. e) The bank recognizes that stress events may simultaneously give rise to time-critical liquidity needs in multiple currencies and multiple payment and settlement systems. These liquidity needs can be caused by both the bank’s own activities, and those of its banking and other business customers (e.g. when the bank acts as correspondent for other banks’ settlement

25 obligations). They can also arise from special roles the bank may play in a particular settlement system, such as acting as a back-up liquidity provider or settlement bank. f) The tests reflect accurate or prudent time-frames for the settlement of any assets to be liquidated or for the cross-border transfer of liquidity. g) The bank shall consider the risk that operational or financial disruptions may prevent or delay funds flows across systems to the extent that it relies on liquidity outflows from one system to enable it to meet obligations in another, particularly if the bank relies on intra-group transfers or centralized liquidity management. h) The stress scenarios include stress on the liquidity value of buffer assets due to market value movements or changes in the haircuts applied by Central Banks. A simple comparison between stressed outflows and current liquidity value of the buffer assets is insufficient. i) Next to stress scenarios considering extreme, but plausible assumptions aimed at testing the survivability of the bank, also stress tests with less extreme assumptions are performed. These stress tests are aimed at testing the risk of undershooting the regulatory minimum requirements during times of less extreme (e.g. market wide, but not idiosyncratic) stress. The bank shall take a conservative approach in setting stress testing assumptions. j) Depending on the type and severity of the scenario, the bank is expected to consider the appropriateness of a number of assumptions, including those based on the following illustrative but not exhaustive examples: (i) asset market illiquidity and erosion of the value of liquid assets; (ii) the run-off of retail funding; (iii) the degree of availability of secured and unsecured wholesale funding; (iv) the correlation between funding markets and the effectiveness of diversification across different sources of funding; (v) additional margin calls and collateral requirements; (vi) funding tenors (for example where the funding provider has call options); (vii) contingent claims and more specifically, potential draws on committed credit lines extended to third parties or the bank’s subsidiaries; (viii) the liquidity absorbed by off-balance sheet entities and activities (for example conduit financing); (ix) the availability of contingent credit lines extended to the bank ; (x) liquidity drains associated with complex products/transactions; (xi) the impact of any deterioration of the bank’s credit rating; 6.8.12 Minimum duration and severity of the stress scenarios: Unless special circumstances necessitate different assumptions, the stress tests shall be developed on the basis that the following elements are necessary in order to obtain sufficient information about the adequacy of the liquidity positions and controls: a) the duration of the total stress period shall be 1-3 months or longer; b) unsecured wholesale funding is not rolled over for three months; c) retail deposit outflow doubles or rises to at least 20% of the original retail volume during the first month of the bank-specific stress period; d) 50% drawdown of contingent obligations (excluding official standby facilities) during the first three months; e) the 5 percentage increases of haircuts are realistic for the liquid assets or instruments concerned in stressed conditions; f) the market values of liquid assets fall until price levels are reached that are realistic for them in stressed conditions; g) FX markets close for the first two weeks; h) 2-notch rating downgrades within the first three months.

26 6.8.13 The scenarios based on the elements described above are minimum. The bank can itself estimate the possibility of obtaining liquidity on the basis of assets that are not recognized by the supervisor as highly liquid. The bank can apply not only a very extreme scenario but also milder scenarios in which only highly liquid assets are used as a cushion. 6.8.14 A bank must consider the potential impact of bank-specific, market-wide and combined alternative scenarios. Different time periods and varying degrees of stressed conditions must be considered. 6.8.15 In carrying out the liquidity stress tests required by the paragraph above, a bank must make appropriate assumptions around the major sources of risk, including the major sources of risk in each of the following categories where they are relevant to the bank given the nature and scale of its business: a) retail funding risk; b) wholesale secured and unsecured funding risk; c) risks arising from the correlation between funding markets and lack of diversification between funding types; d) off-balance sheet funding risk; e) risks arising from the bank’s funding tenors; f) risks associated with a deterioration of a bank’s credit rating; g) cross currency funding risk (currency and FX swap risk); h) risk that liquidity resources cannot be transferred across entities, sectors and countries; i) funding risks resulting from estimates of future balance sheet growth; j) franchise risk; k) marketable assets risk; l) non-marketable assets risk; m) intra-group relationship and currency risk (shifting assets between subsidiaries or parent); and n) internalisation risk-occurs where firm or customer long positions are funded using the proceeds from customer short trades. o) intra-day risk. 6.8.16 Consequences of the stress-scenarios for a bank’s risk drivers The bank’s risk drivers are the liquidity risk factors that are recognised by the bank and are of essential importance to the bank’s liquidity position and continuity in normal and stressed conditions. In this connection, the following risk drivers are recognized (minimum). a) Wholesale funding risk b) Retail funding risk c) Intraday liquidity risk d) Intra-group and intra-company liquidity risk e) Liquidity risk of marketable assets f) Liquidity risk of non-marketable assets g) Funding concentration risk and market access h) Liquidity risk connected with off-balance-sheet items i) Liquidity risk related to the bank’s reputational risk, business model and strategy j) Currency liquidity risk 6.8.17 As regards the development of the risk drivers in normal conditions (business-as-usual), a bank must be aware of the extent to which the liquidity position is sensitive to the different risk drivers (and changes in them) from month to month over a period of six months after the reporting date on which the bank has supplied the Central Bank with the data required for the Central Bank evaluation. 6.8.18 As regards the development of the risk drivers in the various stress scenarios, the bank must be aware of the extent to which the liquidity position is sensitive to the different risk drivers (and changes in them) from month to month over a period of at least three months after the reporting

27 date on which the bank has supplied the Central Bank with the data required for the Central Bank evaluation. The bank shall apply stressed conditions that relate to bank-specific conditions, market￾wide conditions and a combination of the two. 6.8.19 On the basis of the results of the stress tests the bank must assess the adequacy of the risk-driver￾related assumptions made by it beforehand in respect of: a) correlations between market, funding and credit risk; b) the funding diversification; c) restrictions in respect of the actual availability of assets; d) the margin calls applied and/or additional collateral required; e) the impact on the liquidity position of meeting contingent liabilities; f) the access to open market operations and/or other liquidity facilities; g) balance sheet developments; h) the behavioural assumptions in respect of market access to and the possibilities for rolling over encumbered and unencumbered funding sources (withdrawal percentages or (net) growth per funding source per period); i) the operation of foreign exchange markets in which the bank is active; j) the operation of funds transfer and securities clearing and settlement systems on which the bank is dependent; k) other assumptions used by the bank. l) As regards the development of the risk drivers in relation to the risk limits formulated for them, the bank shall have information about: m) the manner in which the risk drivers develop in relation to the risk limits fixed by the bank in both normal and stressed conditions; the bank shall take into account in this connection the correlated effects on its assets and liabilities, including second-round effects as a consequence of market-wide and bank-specific developments; n) the manner in which the scenario outcomes are translated into policy consequences for liquidity risk management; o) whether and, if so, to what extent provision shall be made for additional risk mitigation by the bank; p) what measures from the contingency funding plan or possible adjustments to the plan are necessary. 6.8.20 A bank must ensure that the results of its stress tests are: a) reviewed by its senior management; b) reported to that bank's management body, specifically highlighting any vulnerabilities identified and proposing appropriate remedial action; c) reflected in the processes, strategies and systems established in accordance with section 6.1 on strategies for liquidity; d) used to develop effective liquidity contingency plans; e) integrated into that bank's business planning process and day-to-day risk management; and f) taken into account when setting internal limits for the management of that bank's liquidity risk exposure. 6.8.21 Banks shall keep a written record of special factors and assumptions made in respect of the various stress scenarios, the expected or planned changes in their balance sheet items and the results of these scenarios. 6.8.22 A bank must report the results of its liquidity stress tests to the Central Bank in a timely manner.

28 6.9 Liquidity contingency plan (LCP) 6.9.1 A bank must adjust its strategies, internal policies and limits on liquidity risk and funding risk and develop an effective liquidity contingency plan, taking into account the outcome of the alternative scenarios referred to in the stress test under section 6.8. 6.9.2 The liquidity contingency plan must include strategies to address the contingent encumbrance resulting from relevant stress events including downgrades in the bank’s credit rating, devaluation of pledged assets and increases in margin requirements. 6.9.3 The liquidity contingency plan must also set out adequate strategies and proper implementation measures in order to address possible liquidity shortfalls. The plan must be regularly evaluated and tested to ensure its effectiveness and operational feasibility, updated on the basis of the outcome of the alternative scenarios referred to in section 6.8, and be reported to and approved by the bank's senior management, so that internal policies and processes can be adjusted accordingly. 6.9.4 The senior management shall update the LCP at least once a year or more often as business activities or market circumstances change for Board of Directors for approval before submission and submits the updated version to the Central Bank. 6.9.5 A bank must take the necessary operational steps in advance to ensure that liquidity contingency plans can be implemented immediately, including holding collateral immediately available for Central Bank funding. This includes holding collateral where necessary in the currency of another country to which the bank has exposures. 6.10 ILAAP document 6.10.1 In line with the ICAAP, banks are requested to provide a concise statement, with minimum element in Appendix II, on the liquidity adequacy, approved by the board. 6.10.2 The Central Bank recognises that for small banks with simple business models it may not be necessary to follow the template, or all elements in the template, provided all the key aspects are covered. 6.10.3 The Central Bank expects the document to be bank specific, not prepared in a formulaic manner, and to reflect the applicable business model. The Central Bank is equally sceptical of overly large, unwieldy documents as it is of documents providing too little detail. 6.10.4 Banks shall refer to section on SREP when assessing the soundness, effectiveness and comprehensiveness of their ILAAP document. In particular, the Central Bank expects a bank to demonstrate the following components in its ILAAP document. a) The assessment of the liquidity adequacy based on strategic and business plans and shall be shared and discussed with supervisors, and the data provided in the contractual maturity mismatch shall be utilized as a basis of comparison. b) When banks are contemplating material changes to their business models, it is crucial for banks to provide Central Bank projected mismatch reports as part of an assessment of impact of such changes to prudential supervision. Examples of such changes include potential major acquisitions or mergers or the launch of new products that have not yet been contractually entered into. In assessing such data, banks need to be mindful of providing assumptions underpinning the projected mismatches and whether they are prudent. c) A bank shall indicate to the Central Bank as to how it plans to bridge any identified gaps in its internally generated cashflow mismatches and explain why the assumptions applied differ from the contractual terms.

29 6.10.5 In addition to the information referred to in section 6.1- 6.10, banks shall ensure that they submit all relevant supporting information including minutes of relevant committees, management body meetings evidencing the sound set-up an implementation of ILAAP, and in particular: a) approval of overall set-up of ILAAP; b) approval of key ILAAP elements and established documents, such as the Funding Plan, Contingency Funding Plan, liquidity cost benefit allocation mechanism, stress test assumptions and conclusions on outcomes, specific liquidity and funding risk appetite, targeted size and composition of liquid asset buffer, etc.; c) discussion on (changes in) the liquidity and funding risk profile, limit breaches, etc., including decisions on management actions or the explicit decision not to take any action; d) decisions in new product approval committees evidencing, if applicable, the use of LTP and risk views in these decisions; e) discussion of the analysis of the feasibility of the Funding Plan based on (changes in) market depth and volatility; f) decisions on management actions related to intraday liquidity risk, where relevant; g) discussion of the outcome of Liquidity Stress Tests and decision on any management action; h) discussion on the regular testing of the Contingency Funding Plan and decisions on adjusting the management actions listed in the CFP; i) decision relating to the size and composition of the liquid asset buffer; j) discussion regarding the testing of the liquidity value of and time to sell or repo assets included in the liquid asset buffer; k) where available, internal self-assessments in which institutions can take the opportunity to justify their level of compliance against publicly available criteria regarding risk management and control that affect ILAAP. 6.11 ILAAP reporting, Internal Control and review 6.11.1 For ILAAP reporting, the bank is requested to measure and assess its liquidity and funding risk in proportion to the size, business model, risk and complexity of the bank. Furthermore, the internal liquidity adequacy statement of the bank shall align with the risk appetite of the bank and must be signed by the management body. 6.11.2 The additional information submitted as part of the short-term exercise relating to the liquidity coverage ratio, the net stable funding ratio (NSFR), funding plans and the selected additional liquidity monitoring templates play an important role in the quantitative assessment of the ILAAP in the SREP. Banks are requested to ensure reliable and complete reporting in line with the applicable guidelines. 6.11.3 This statement shall be in line with current risk appetite and provide an overview of the current liquidity and funding position in relation to the corresponding limits, regulatory or otherwise, applicable to the bank, covering the main liquidity risks. 6.11.4 This shall be substantiated by relevant arguments and facts supporting the conclusion, covering both the short-term (liquidity) and longer-term (funding) view. There shall be a focus on the critical scenarios linking the strategy and liquidity planning, the role of the relevant management bodies, and strategic decisions (covering the risk management framework, strategy, risk appetite, etc.) linked to the ILAAP outcomes. Where applicable, any changes or identified weaknesses (i.e. following the self-assessment) and resulting gaps are to be taken into consideration in the overall conclusion on liquidity adequacy. 6.11.5 The Board must regularly verify whether its system of internal controls is adequate to ensure well￾ordered and prudent conduct of business.

30 6.11.6 Effective control of the liquidity assessment process includes an independent review and, where appropriate, the involvement of internal or external audits. Internal as well as external auditors must frequently monitor and test risk management processes. The aim is to ensure that the information on which decisions are based is accurate so that processes fully reflect management policies and that regular reporting, including the reporting of limit breaches and other exception¬ based reporting, is undertaken effectively. 6.11.7 Banks must conduct periodic reviews of their risk management processes to ensure its integrity, accuracy, and reasonableness. Areas that must be reviewed include: a) appropriateness of the bank’s liquidity assessment processes given the nature, scope and complexity of its activities; b) identification of large depositors and risk concentrations; c) accuracy and completeness of data inputs into the bank’s assessment processes; d) reasonableness and validity of scenarios used in the assessment process; and e) stress testing and analysis of assumptions and inputs. 6.11.8 Banks must review and update their ILAAP at least on an annual basis taking into account actual results against projections, as well as examine and document significant variances and capture any new or additional risks that may have emerged. 7. ICAAP AND ILAAP REPORTING AND REVIEW PROCESS 7.1 On an annual basis, banks and banking groups shall transmit to the Central Bank the ICAAP and ILAAP report not later than the following period of the calendar year: a) 31 March: individual banks; b) 30 April: banking groups or subsidiaries on a stand-alone basis (if belong to banking groups). 7.2 However, the Central Bank may require banks to submit ICAAP and ILAAP outcomes more than once a year as it may deem fit, either for specific banks or all banks in general. 7.3 Based on the capital reported at the close of the previous year, the ICAAP document shall plan the bank’s strategies for taking on risk and ensuring that the related capital needs through the end of the current year are met. 7.4 An ILAAP document sets out a bank’s approach to liquidity and funding. 7.5 On an annual basis, banks shall describe to the Central Bank in a structured report the key features of the process, their risk exposure and the determination of the minimum capital, liquidity and funding deemed adequate to support those risks. 7.6 The reports shall also contain a self-assessment of the ICAAP and ILAAP, indicating areas for improvement, any deficiencies in the process and the corrective measures to be taken. 7.7 The documents shall be updated more frequently if changes in the business, strategy, nature or scale of its activities or operational environment suggest that the current level of capital or liquid resources or the bank’s capital and funding profile is no longer adequate. 7.8 In their annual planning, banks shall also identify corrective actions to be taken in the event of errors or changes in estimates. 8. SREP AND SUPERVISORY ADJUSTMENTS 8.1 SREP Process 8.1.1 Banks must be able to demonstrate to the Central Bank that the chosen internal capital and liquidity target levels are well founded and that these targets are consistent with their overall risk profile and current operating environment.

31 8.1.2 For the purposes of determine the need for specific capital and liquidity requirements by the banks on an annual basis, the Central Bank will: a) Identify, review and evaluate the bank’s business model, viability and sustainability and risks, internal governance and control. b) Assess, review and evaluate the ICAAP and other documents and compliance with regulatory minimum standards. c) Assess, review and evaluate the ILAAP and other documents and compliance with regulatory minimum standards. d) Assess linkages with ILAA and ICAAP. 8.1.3 Banks are expected to have their ICAAP and ILAAP processes intertwined with the business strategy of the bank. Bank’s risk appetite and stressed scenarios reflect the business model, and the parameters and results emanating from the ICAAP and ICAAP processes shall be used for the business decision making. Also ILAAP shall be used as a tool for maintaining the viability of the bank, by ensuring an adequate supply of liquidity and stable funding on the short and medium term. 8.1.4 ICAAP and ILAAP will therefore be used as management tools not simply regulatory documents. 8.1.5 Without prejudice to the annual calculation of total internal capital and liquidity targets, the assessment/measurement of exposures to individual risks shall be performed on a more frequent basis, to be determined in relation to the type of risk and the methodologies used. In the absence of innovative or extraordinary events, stress testing scenarios may be updated frequently-at least once a year, taking account of the advisability of ensuring their stability over time in order to facilitate the inter-temporal assessment of stress tests. 8.2 Supervisory assessment and adjustment for ICAAP 8.2.1 The Central Bank has the ability to review the submitted ICAAP and shall apply a supervisory adjustment (Pillar 2 supervisory adjustment) such that the bank is required to meet Capital Adequacy Ratio (CAR) greater than the absolute minimum levels. In these cases, the bank’s CAR will be the amounts determined by the Central Bank in respect of Common Equity Tier 1 Capital, Tier 1 Capital and Total Capital. 8.2.2 As a non-exhaustive indication, the Central Bank may consider imposing a supervisory adjustment on a regulated bank in a range of circumstances, including: a) the calculation of required capital set out in the prudential standards does not adequately address the risks specific to the bank (e.g. strategic risk, reputation risk or other risks not adequately catered for by those capital calculations due to some aspect of the bank’s business or operations); b) the bank is using a business model, has an organizational structure or is following a business strategy that the Central Bank regards as highly risky, or overly difficult to assess, in a way that is not captured under the calculation of required capital set out in the prudential standards; c) the bank is newly licensed or has recently materially changed, or plans to materially change, its business mix; d) The Central Bank has identified material issues with the competence or probity of responsible persons associated with the bank; e) The Central Bank has identified material weaknesses in the bank’s governance, or deficiencies in the suitability, adequacy or effectiveness of its risk management framework or strategy; f) the bank has failed to comply with applicable prudential standards, or has complied in a way that, in bank’s view, is not consistent with the spirit or intent of those standards; g) the bank’s ICAAP is not well-defined or documented, or its target capital policy is assessed as being inadequate, e.g. due to a lack of sufficiently rigorous stress and scenario testing;

32 h) The Central Bank has concerns about the relative levels of the different components of capital held by the bank or about the quality of the surplus capital and its loss-absorbing ability; i) the bank has been unable to restore its capital position to target capital levels in accordance with its ICAAP in a timely manner. 8.3 Supervisory assessment and adjustment for ILAAP 8.3.1 The Central Bank shall determine through the SREP liquidity assessment whether the liquidity held by the bank provides appropriate coverage of the risks to liquidity and funding assessed in ILAAP document. Also the Central Bank shall determine through the SREP liquidity assessment whether it is necessary to set specific liquidity requirements to cover risks to liquidity and funding to which a bank is or might be exposed. 8.3.2 The Central Bank shall conduct the SREP liquidity assessment process using the following: a) review the arrangements, strategies, and processes implemented by a bank to comply with the liquidity standards laid down in the ILAA document, liquidity standards of the Liquidity regulations; b) evaluate the liquidity and funding risks to which the bank is or might be exposed; c) assess the risks that the bank poses to the financial system; d) determination of the need for specific liquidity measures- evaluate the further liquidity and funding risks revealed by stress testing; e) quantification of potential specific liquidity requirements; evaluate whether the level and composition of the bank’s liquidity resources are adequate to meet the bank’s liquidity needs over different time horizons.– using the benchmark calculations; f) articulation of specific liquidity requirements. 8.3.3 The following benchmarks shall be used to assess the specific liquidity requirements and adjustments for banks. a) comparative analysis, under stressed conditions, of net cash outflows and eligible liquid assets over a set of time horizons: up to 1 month (including overnight), from 1 month to 3 months and from 3 months to 1 year; for this purpose, the Central Bank shall project net outflows (gross outflows and inflows) and counterbalancing capacity throughout different maturity buckets, considering stressed conditions (for example, prudent valuation under stress assumptions for liquid assets versus current valuation under normal conditions and after a haircut), building a stressed maturity ladder for the year ahead; b) The Central Bank shall assess other risks relating to cashflow mismatch risk: HQLA monetisation risks, ‘Cliff risk’, FX mismatch risks. c) the assessment of liquidity and funding risk shall be based on of the cashflow mismatch risk using the net cumulative funding mismatch stress test. The time period considered shall be divided into two phases: a short acute phase of stress (up to two weeks) followed by a longer period of less acute, but more persistent stress (up to three months); d) Stress test on the net Cumulative Funding Mismatch: The bank’s net cumulative negative mismatches shall not exceed 15% and 20% of the cumulative cash outflow during the 0-2 weeks and 0- 3 month buckets, respectively. The Central Bank may order a bank to establish stricter limits of maturity match other than those established by the bank, shall it estimate that the originally established limits do not correspond to the bank’s risk profile or that the bank does not manage liquidity risk in a proper manner. e) Financing of Gap- Limits on the net Cumulative Funding Mismatch In case the net cumulative negative mismatches exceeds the limit of 15% and 20% of the cumulative cash outflows in the respective time buckets, the bank may shall by way of an

33 action foot note- as to how it proposes (plan to hold, or have access to, excess liquidity over and above a business-as-usual scenario over the short, medium, and long-term time horizons in response to stress scenarios) to fill the gap to bring the mismatch within the prescribed limits-counterbalancing capacity. The gap can be filled by liquid assets available from various funding sources/financed from market borrowings (call / term), Bills Rediscounting, Repos, Liquidity Alternative Facility and deployment of foreign currency resources after conversion into rupees (unswapped foreign currency funds), etc. f) HQLA monetisation risks: banks may not be able to monetise sufficient non-cash HQLA to cover cumulative net outflows under the cashflow maturity mismatch stress on a daily basis. There are likely limitations to the speed with which cash can be raised in the repo market or through outright sales, linked to market depth, the number of a bank’s regular counterparties, individual turnover, settlement times etc. The Central Bank includes in its assessment, assumptions provided by banks on the limitations they are likely to face in monetising non￾cash HQLA. Banks will assess, at least annually, the speed with which they expect to be able to monetise different types of non-cash HQLA, on a daily basis, via repo markets and outright sales, in times of stress. Banks will not include public liquidity insurance as a monetisation channel in this assessment. This enables the Central Bank to monitor banks’ resilience to different stresses using self-insurance alone. g) ‘Cliff risk’: The cashflow mismatch risk focuses on a 2 weeks and 3 months calendar horizon. Banks may ‘window-dress’ their net cashflows by pushing maturity mismatches just beyond the horizon. Hence the enhanced stress test limit on the net cumulative funding mismatch shall be extended to over 90 days by performing sensitivity checks on assessing the bank’s vulnerability to an acute retail run by amplifying outflow rates on uninsured deposits to the maximum withdrawal rate observed during the financial crisis. A further assessment on bank’s reliance on wholesale markets and their vulnerability to a market shutdown through an enhanced wholesale stress. This assumes a complete closure of secured and unsecured wholesale markets for over 90 days, with all claims and obligations running off at the earliest possible date (according to contractual rights). h) FX mismatch risks: banks typically assume that currencies are fungible given the depth of liquidity in the spot FX and FX swap markets, particularly in reserve currencies. However, banks may not be able to access FX markets as normal in times of stress. The Central Bank will monitor banks’ worst net liquidity position under (c) and (e) above on a single currency basis. The Central Bank will also monitor banks’ survival days for each significant currency. i) Given that the above metric is based solely on contractual maturities with no behavioral assumptions, banks shall conduct their own maturity mismatch analyses, based on going￾concern behavioral assumptions of the inflows and outflows of funds in both normal situations and under stress. j) The bank shall also determine the minimum liquidity buffer of liquid assets with stand liquidity and funding risk, taking into account the bank’s risk profile and market and macro￾economic conditions; and k) The Central Bank may estimate additional amounts of liquid assets (additional liquidity buffers) to be held by the bank to extend its minimum buffer desired. 8.4 Processes for Pillar 1 and Pillar 2 supervisory adjustments 8.4.1 Any supervisory adjustment will typically be determined as part of the Central Bank’s regular supervisory assessment of the bank, and banks are already familiar with the Central Bank’s overall supervisory approach. As with other supervisory decisions, consideration by the Central Bank of the need for, and nature of, any supervisory adjustment to prescribed capital will typically involve dialogue with the bank.

34 8.4.2 The Central Bank reserves the right, however, to impose a supervisory adjustment outside of the ordinary supervisory process if it is considered necessary to do so. This may occur, for example, where the Central Bank determines it is necessary to act rapidly to protect the interests of policyholders or depositors. 8.4.3 A decision whether to impose a supervisory adjustment, and the size of that adjustment, will be based on information available to the Central Bank from the full range of the Central Bank’s supervision activities, including: a) off-site analysis; b) on-site reviews; c) review of the ICAAP; d) discussions with the bank; e) any plans by the bank to address the Central Bank’s concerns, including the clarity, viability and timeliness of the plans; and f) any other information held or sought by the Central Bank. 8.4.4 The reasons leading to the decision to apply a supervisory adjustment will be disclosed to the bank. Depending on the basis for the proposed adjustment, the Central Bank may first seek to have the bank address the areas of concern through, for example, changes to its operations, governance or risk and capital management framework or processes. 8.4.5 If a supervisory adjustment has been imposed and the bank has subsequently addressed the issues that led to the adjustment, the Central Bank will review the need for continuation of the supervisory adjustment. 8.4.6 The process for determining any supervisory adjustment, including implementation timing, will be subject to the Central Bank’s internal governance processes, including review at appropriate levels within the Central Bank. The Central Bank’s processes for determining supervisory adjustments will be proportional to size include comparisons of the bank within relevant peer groups. Done at Kigali, on 15/02/2018 (sé) RWANGOMBWA John Governor

35 Appendices: Appendix I: Elements of the ICAAP document

1. Executive Summary This section shall present a summary of the subsequent sections covered in the reporting template and shall include: 1.1 Purpose of ICAAP report and entities covered therein. 1.2 Summary of current financial position of the bank, its business strategy, balance sheet structure, and projected profitability. 1.3 Assessment of the adequacy of bank’s risk management processes. 1.4 Commentary on the material risks, risk materiality level, their assessment, and actions planned for their mitigation. 1.5 Composition and amount of capital required in addition to Pillar 1 requirements based on ICAAP exercise and the final results be reflected in risk management regulation and guideline. 1.6 Summary of bank’s capital planning, dividend policy, adequacy of capital resources over its planning horizon including periods of economic downturn. 1.7 Impact of stress scenarios on the Capital Adequacy Ratio (CAR) of the bank. 1.8 Comments on the adequacy of ICAAP exercise and its key findings, ICAAP implementation within the bank, review and approval process of ICAAP.
2. Structure and Operations This section shall provide information about the bank’s structure and its operations and shall include: 2.1 Bank’s structure and management team (including group entities, if any). 2.2 Capital, its composition and ownership structure (including the main shareholders of the bank-that is shareholders owning more than 5% of the share capital). 2.3 Primary customer focus (corporate/ retail, etc.) and summary of the products offered by the bank. 2.4 Current financial results indicating contribution of each business line as per Basel Capital Accord (if not available, then bank’s own categorization). 2.5 Financial data for the last five years, e.g., operating profit, profit after tax, shareholder’s funds, total assets, loans, investments, deposits and regulatory capital, etc. Also provide the conclusions that may be drawn from the analysis of the historical data which have implications for the bank’s future and commentary on the significant changes in the bank’s financial condition during these years. 2.6 Significant developments during the past five years, e.g., acquisitions, mergers, changes in the share capital and regulatory/ accounting changes and its impact etc. 2.7 comparison of the internal capital which is maintained against the risks that are assumed with the minimum regulatory capital over the last years.
3. Governance Structure This section shall include an overview of the Board and senior management structure identifying key individuals and committees and their contribution in improving the overall control environment and shall include: 3.1 Composition of the Board including brief on the relevant banking experience of its members and number of independent directors, etc.

36 3.2 Organizational structure and senior management team along with their portfolios. 3.3 List of Board’s sub-committees and management committees. Moreover, provide summary of main areas covered and decision taken by the Board, Board's sub-committees and main management committees. 3.4 List of policies in the key areas approved by the Board along with date(s) of initial approval and subsequent updates/ review(s). 3.5 Risk management framework and its review by the Board and senior management. 3.6 Independent review of internal controls, its key findings and steps taken in the light of such findings for improving the bank’s internal controls. 3.7 Key audit findings submitted to the Board/ Board's sub committees and actions taken there against. 4. Risk Assessment and Capital Adequacy This section shall cover the identification, measurement/ quantification, control and mitigation of all material risks faced and capital maintained there against by the bank so as to reflect an overall risk position. In this regard, some of the key risks are mentioned in the risk management regulation. 4.1 A high level overview of the bank’s risk appetite and frequency of the review of risk tolerance by the Board and management. 4.2 Identify material risks and for each risk type specify: 4.2.1 Definition and identification procedure of material risks. 4.2.2 Detail of risk assessment and quantification methodology for each risk type. 4.2.3 For each risk type, specify the risk controls / limits, number of times when these limits have been breached, remedial actions taken there against and changes in such limits (if any) along with reasons. 4.2.4 Composition and amount of capital (under normal as well as stressed circumstances) allocated for each material risk identified during the ICAAP exercise. 4.3 State the periodicity for reporting of material risks to the Board and senior management. 4.4 Provide the details of internal and external (if any) review of bank’s risk management system to verify its relevance with the business activities. 4.5 Bank shall determine an overall risk position by aggregating the material risks and capital allocation there against. While aggregating the risk position, bank shall preferably take into account the interdependencies or correlations among various risk types. 4.6 Where relevant, provide an explanation of any other method apart from capital used to mitigate the risks. 5. Stress Testing This section shall cover the details vis-à-vis development of an appropriate and rigorous stress testing framework within the bank while taking into account the impact of economic cycles and sensitivity to other external risks and shall include: 5.1 General stress testing framework within the bank and its key features. 5.2 Role of the Board in the approval and review of bank’s stress testing framework including the periodicity of any such review. 5.3 Provide a list of material risks covered under stress testing program along with reasons for their inclusion. Also state the reasons for non-inclusion of material risks (if any) in the stress testing program. 5.4 Provide details of scenarios, methodologies, assumptions, controls/ mitigating actions applied results and amount of capital required for all the stress tests (both in-house as well as regulatory stress tests).

37 In case of similar/ overlapping internal and supervisory shocks, ICAAP capital amount would be higher of the two. 5.5 Review of the stress test results by the Board and senior management and remedial actions taken there￾against. 6. Capital Planning This section shall outline the bank’s capital needs, anticipated capital expenditures, desirable capital level and external capital sources and must be in line with the bank’s desired strategic objectives. Capital Planning shall also take into account dividend policy and planned growth while determining the adequate capital level. This section shall include: 6.1 Projected financial statements for the next three to five years based on the approved business plan. 6.2 Future capital requirements based on approved business plan and projections, including capital contingency plan highlighting the sources, quality and composition of capital and/ or alternative arrangements in case of sudden internal business shocks and/ or external economic downturn, major investments, merger, acquisitions and sources to fund new ventures, etc. It would also include capital needs for group entities, foreign branches and subsidiaries. 6.3 Review of capital planning process by the Board and senior management to assess its appropriateness in the light of any change in the bank’s risk profile and other relevant factors. 7. Design, Review, Approval and Use of ICAAP This section shall include the following: 7.1 Role of the Board in approving the conceptual design of ICAAP with reference to its scope, methodologies and objectives. 7.2 Role of the senior management in the implementation of ICAAP. 7.3 In case the design of ICAAP (whole or parts thereof) has been outsourced, provide the details of outsourcing entity and associated risks. 7.4 Review of ICAAP by the Board and senior management, external source (if any) and internal audit. For each review, provide separately the periodicity, detailed findings of any such review along with follow￾up actions on such findings. 7.5 How ICAAP is embedded in the decision making process, business planning and risk management processes substantiated with appropriate examples. 7.6 List of all the relevant documents and policies used in the preparation, review, approval and implementation of ICAAP. 7.7 Highlight the significant changes made in the current ICAAP report in comparison with the last exercise. 8. Challenges and Further Steps This section shall summarize the extent of challenges for bringing improvements in the overall risk management framework, control processes and other relevant areas within the bank. Bank may also discuss the details of any anticipated future refinements envisaged in the internal assessment process in addition to the information already furnished by the bank.

38 Appendix II: Elements of the ILAAP document

1. Overview This section is for introductory text describing: 1.1 The business model, the reach and systemic presence of the bank. 1.2 Internal and external changes since the last liquidity review shall be described. 1.3 Changes in the scope of the document since the last review by the management body shall be included.
2. Summary conclusions This section shall include information on the following: 2.1 Banks shall provide the summarized conclusions of their overall liquidity adequacy review, stating how and whether they meet the Overall Liquidity Adequacy Rule (Internal Liquidity Adequacy Assessment), and the Central Bank’s approach to supervising liquidity and funding risks. Any shortcomings and remedial plans shall be discussed. 2.2 The bank shall present its assessment of any additional liquidity it believes it shall hold on account of risks not captured in Pillar 1.
3. LCR reporting In this section, banks shall present a discussion on their approaches to ensure compliance with the Liquidity regulation overall: 3.1 Assessment of LCR in respect of HQLA, Outflows and Inflows; 3.2 The following areas, where relevant, shall receive particular focus: the approach to implementation of Article 12, the work undertaken in response to Article 12 of the regulation on liquidity requirements, the operational requirements, the approach to classification of retail deposits and classification of operational deposits specified in the guideline on computation of liquidity standards.
4. Liquidity Risk Assessment 4.1 Evaluation of liquidity needs in the short and medium term In this section, banks shall describe their liquidity profile at appropriate time horizons out to 12 months. 4.1.1 the sources and uses on gross and net basis, and their activities undertaken to cover such liquidity needs in both BAU and stress. 4.1.2 The bank shall also describe any ways in which the LCR metric does not capture its liquidity risks within 30 days and how that risk will be managed. 4.2 Evaluation of intraday risk In this section, banks shall describe how intraday risk is created within their business 4.2.1 Whether part of the payments system or not, their appetite for and approach to managing intraday liquidity risk of both cash and securities accounts and in both business as usual and stress conditions. 4.2.2 They shall include the approach to stress testing and conclusions. 4.3 Evaluation of liquidity buffer and counterbalancing capacity In this section, banks shall describe the procedures for: 4.3.1 calculating, controlling and monitoring the liquid assets buffer and counterbalancing capacity, and

39 4.3.2 Their effectiveness in different scenarios which shall include those affecting the liquidity of the assets and counterbalancing capacity. 5. Inherent funding risk assessment 5.1 Evaluation of risks to stability of the funding profile 5.1.1 In this section, banks shall describe the funding risk strategy and appetite, and the profile, both the sources and uses on a gross and net basis. 5.2 Evaluation of risks to stability of the funding profile In this section, banks shall analyse: 5.2.1 The stability of the liabilities within the funding profile and the circumstances in which they could become unstable. 5.2.2 This could include market shifts including changes in collateral values, excessive maturity mismatch, inappropriate levels of asset encumbrance, concentrations (including single or connected counterparties, or currencies). 5.3 Evaluation of market access 5.3.1 In this section, banks shall analyze market access and current or future threats to this access, including the impact of any short-term liquidity stresses or negative news. 5.4 Evaluation of expected change in funding risks based on firms’ funding plan. 5.4.1 In this section, banks shall analyze and evaluate the expected change in funding risks based on the bank’s funding plan. 6. Risk management assessment (both liquidity and funding) 6.1 Assess risk strategy and risk appetite In this section, banks shall describe: 6.1.1 the risk appetite and strategy, how they were devised, approved, monitored and reported, and 6.1.2 How they are communicated throughout the bank. 6.2 Organisational framework, policies and procedures In this section, banks shall describe: 6.2.1 The governance and management arrangements around the ILAAP including the involvement of the governing body. 6.2.2 They shall describe also the risk framework overall and as it pertains to liquidity and funding risks, the technical and staff resources. 6.3 Risk identification, measurement, management, monitoring and reporting In this section, banks shall describe: 6.3.1 The framework and IT systems for identifying, measuring, managing and monitoring and both internal and external reporting of liquidity and funding risks, including intraday risk. 6.3.2 The assumptions and methodologies adopted shall be described. 6.3.3 Key indicators shall be evidenced and the internal information flows described. 6.4 Bank’s liquidity specific stress testing In this section, banks shall analyse and present the internal stress testing framework: 6.4.1 Including the process and governance of and challenge to scenario design, derivation of assumptions and design of sensitivity analysis, and the process of review and challenge and relevance to the risk appetite.

40 6.4.2 The process by which the stress results are produced, and incorporated into the risk framework and strategic planning, and the liquidity recovery process shall be scrutinised. 6.4.3 The results and conclusions must be analysed, with breakdown by each relevant risk driver. 6.5 Liquidity risk internal In this section, banks shall: 6.5.1 Describe their internal limit and control framework, including the limits and controls around liquid asset buffers, and the appropriateness of the limit. 6.6 Control framework In this section, banks shall: 6.6.1 Describe the structure to the risk appetite. 6.6.2 The transfer pricing framework shall also be described here, for example how the methodology was developed, the process controlled, monitored and reviewed, and the results cascaded throughout the firm to drive behaviours and support performance measurement and business incentives. 6.7 Liquidity contingency plans In this section, banks shall detail: 6.7.1 The policies, procedures and action plans for responding to severe disruptions in the bank’s ability to fund itself. 6.7.2 The plan shall be that which is contained within their Recovery and Resolution Plan, and it shall be either cross referenced or included within the ILAAP document. 6.8 Funding plans Banks shall provide the full funding plan to demonstrate: 6.8.1 How it will support the projected business activities in both business as usual and stress, implementing any required improvements in the funding profile and evidencing that the risk appetite and key metrics will not be breached by the planned changes. 6.8.2 Risks to the plan shall be discussed. 6.8.3 Where a funding strategy is new, implementation procedures shall be detailed. 7. Challenges and Further Steps This section shall summarize the extent of challenges: 7.1 For bringing improvements in the overall risk management framework, control processes and other relevant areas within the bank. 7.2 Bank may also discuss the details of any anticipated future refinements envisaged in the internal assessment process in addition to the information already furnished by the bank.

41 Appendix III. Summary of ICAAP Review Summary of Internal Capital Adequacy Assessment Process (ICAAP) As of DD/MM/YYYY Thousands (RWFs) Amount Pillar 1 Minimum Regulatory Capital Capital under ICAAP Methodology Regulatory capital (i) Eligible Core capital (Tier 1) (ii) Eligible Supplementary capital (Tier 2) Risk covered under Pillar 1 Credit risk (i) Standardised approach Market risk (i) Standardised approach Operational risk (i) Revised Standard approach Pillar 1 total capital requirement (a) Risks not fully covered under Pillar 1 Residual risk (from credit, market and Op. risk: mitigation techniques, etc) Securitization risk Model risk Risks covered under Pillar 2 Concentration risk (i) Individual/ Group (ii) Sectoral (iii) Other Interest rate risk in banking book Liquidity risk Country risk Reputation risk Strategic/ Business risk Other material risks identified during ICAAP ICAAP/ Pillar 2 capital (b) Additional capital under stress test (c) Risk diversification adjustment* (d) Overall capital requirement (e): (a) + (b) + (c)– (d) Current Total Capital (f) Surplus/ deficit capital (g) : (f)-(e)

42 (*) The individual estimate of the capital required for the various risks carried out previously will be used to determine the capital requirement in this row. For the aggregation, the bank establishes an adjustment relative to the simplified option (total capital needs by simple summation of the capital required to cover each of their risks separately, as per the result of the individual measurements in (a) above of the total minimum capital requirements under Pillar 1) and a general option for banks using advanced approaches to measure some of their risks and quantitative approaches for joint management of all their risks. Please provide a brief explanation of the risks’ diversification adjustment. Also note that the Central Bank will generally not take into account any inter-risks diversification benefit unless it is quantified by a rigorous model with adequate support.

43 Appendix IV. Summary of ILAAP Review Sight - 8 days over 8-14 days over 14 days - 1 month over 1 month

• 3 months over 3 months – 6 months over 6 months - 1 year over 1 year ASSETS (Inflows)

1. CASH AND BALANCES WITH BANKS 0 Cash in hand 0 Balance with the National Bank of Rwanda 0 Balance with banks and inter-bank loans 0 Inter-group operations (Parent, Subsidiaries and Branches) 0 Receivables in transit 0
2. FINANCIAL INSTRUMENTS 0 Financial instruments held for trading 0 Financial instruments available for sale 0 Financial instruments held to maturity 0 Equity investments and subsidiaries investments 0 Derivative instruments 0
3. CASH COLLATERAL GIVEN 0
4. LOANS AND ADVANCES TO CLIENTS (INCLUDING OTHER FINANCIAL INSTITUTIONS) 0 Loans-Other than mortgages 0 Loans-Mortgages 0
5. FIXED ASSETS 0 Intangible fixed assets 0 Tangible fixed assets 0 6.OTHER ASSETS 0 A. Cash Inflows from Assets 0 LIABILITIES (Outflows)
6. BORROWINGS FROM BANKS 0 Central Bank 0 Due to banks and inter-bank borrowings 0 Inter-group operations with parent, subsidiaries and branched 0 Payables in transit 0
7. FINANCIAL INSTRUMENTS 0 Financial instruments held for trading 0 Derivative instrument 0 Issued debt securities 0 Guarantees on securities 0
8. DEPOSITS WITH CLIENTS (INCLUDING OTHER FINANCIAL INSTITUTIONS) 0 Deposits – Retail and small business Deposits – Wholesale
9. COLLATERAL DEPOSITS (INCLUDING CASH COLLATERAL RECEIVED) 0
10. PROVISIONS FOR CONTINGENT LIABILITIES 0
11. OTHER LIABILITIES 0 B. Cash Outflows from Liabilities 0 CAPITAL ITEMS
12. Core Capital 0
13. Tier 2 ( including subordinated debts) 0 C. Total Shareholders' Equity 0 D. Cash Outflows from Total Liabilities and Shareholders' Equity 0 COLLATERAL SECURITIES
14. Pledging and Encumbrances - Derivative and Clearing 0
15. Reverse Repo (R.Repo) Collateral In 0
16. Repo Collateral Out 0 E. Cashflows from Collateral 0 OFF BALANCE SHEET COMMITMENTS
17. Commitments 0 Credit Facilities Undrawn/committed to clients 0 Liquidity Facilities Undrawn/committed to or from Fis 0 Liquidity Facilities Drawn 0
18. Contingent liabilities 0 LC/Guarantees given 0 LC/Guarantees received 0 Cashflows from Off Balance Sheet Commitments 0 NET CASH FLOWS (TOTAL) (A-B) 0 NET ADJUSTED MISMATCH 0 CUMULATIVE MISMATCH 0 CUMULATIVE OUTFLOW (X) 0 #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0! Proposed Action to close the financing gap No Maturity Total NET ADJUSTED MISMATCH AS PERCENTAGE OF NET CUMULATIVE OUTFLOW [(A-B)/X] Cash flow Residual Maturity (days/months)

44 Appendix V. Risk Appetite Statement Risk appetite is defined as the total impact of risk; a bank is willing to accept in pursuit of its strategic objectives. The definition of a suitable risk appetite is a basic operational pre-requisite for a bank to set consistent risk limits. The amount of risk, a bank is willing to accept will vary from one bank to another depending upon the circumstances unique to each one of them. Factors such as the external environment, business, systems, people and policies will all influence a bank’s risk appetite. Apart from this, within the bank, risk appetite may also vary across different business units and risk types. For example, a bank’s risk appetite for market risk may be quite different from that of credit risk. Financial institutions use different ways to measure risk appetite, ranging from simple qualitative measures to developing complex quantitative models. Nevertheless, whichever approach is followed, risk appetite, if properly articulated, shall provide a cornerstone for the bank’s risk management framework. To ensure effective monitoring and governance, the risk appetite statement will incorporate a balanced mix of both quantitative and qualitative measure. However, a well-defined risk appetite statement, approved by the board, shall have the following characteristics.

1. It shall be reflective of strategy, including institutional objectives, business plans and stakeholders’ behavior covering all key aspects of business.
2. It shall be reflective of acknowledgement of willingness and capacity to take on risks.
3. It shall consider the skills, resources and technology required to manage and monitor risk exposure in the context of risk appetite.
4. It shall include tolerance for loss or negative events that can be reasonably quantified.
5. It shall be periodically reviewed and reconsidered with reference to evolving industry and market conditions.
6. It shall quantify the desired level of risk the bank is willing to take typically expressed as risk limits, however for ICAAP/ILAAP purposes, these risk limits shall be quantified in terms of capital (solvency perspective), liquidity and funding targets.

45 Appendix VI. Use of Internal Models for Capital Assessment Review of ICAAP When the bank uses internal models for capital assessment, it shall explain for each of those models:

1. A description of how assessments for each of the major risks have been approached as well as the key assumptions and parameters within the capital modeling work and background information on the derivation of any key assumptions.
2. Criteria for selection of parameters including the historical period used and the calibration process.
3. Limitations of the model.
4. Sensitivity of the model to changes in the key assumptions/ chosen parameters.
5. Validation work undertaken to ensure the continuing adequacy of the model.