2020-10-12
The Bank of the Republic of Haiti issued Circular 89-2 to mandate that financial institutions implement robust internal control frameworks in compliance with banking laws and anti-money laundering regulations. The circular defines key risk and control concepts while assigning specific oversight responsibilities to boards of directors and senior management to ensure prudent risk management. It further requires the establishment of independent risk management and compliance functions, along with periodic internal audits, supported by mandatory quarterly reporting to the board.
Bank of the Republic of Haiti CIRCULAR No. 89-2 FINANCIAL INSTITUTIONS
In accordance with Articles 84 and 161 of the Law of May 14, 2012, concerning banks and other financial institutions, and Article 16 of the Law of November 11, 2013, sanctioning money laundering and the financing of terrorism, financial institutions, with the exception of money transfer houses and foreign exchange agents, are required to comply with the following provisions regarding minimum internal control standards.
The following definitions apply to this circular:
a) Internal Audit: An internal inspection and verification function established within a financial institution, the purpose of which, in accordance with international standards defined by the Institute of Internal Auditors (IIA), is to examine, evaluate, and control the activities of the institution on behalf of its board of directors and senior management. It aims to assist administrators and executives in fulfilling their responsibilities by providing analyses, evaluations, recommendations, advice, and information related to the activities examined.
b) Internal Control Framework: The structure within which the development, application, and monitoring of internal controls take place. The internal control framework consists of mechanisms and provisions designed to detect significant internal and external risks to which the financial institution and its consolidated subsidiaries are exposed, to develop and apply adequate and effective internal controls to ensure sound and prudent management of these risks, and to establish reliable and comprehensive systems to properly monitor the effectiveness of these controls, thereby enabling the institution to achieve its objectives.
c) Correlative Control: A self-control procedure that separates the responsibilities for initiating operations from those for recording them, so that an employee or group of employees ensures continuous and systematic verification of work performed by other employees. An essential characteristic of self-control is that no employee has full responsibility for an operation or a series of operations.
d) Internal Control: The set of rules and controls governing the organizational structure of the financial institution, including reporting procedures and risk management, compliance, and internal audit functions.
e) Periodic Control: Control performed by the internal audit function, consisting of examining all activities, operations, systems, functions, and others of the financial institution and its subsidiaries, over a time cycle as short as possible, to provide an independent assessment of risks and their level of control.
f) Permanent Control: Control performed by the risk management and compliance functions, consisting of continuously examining the regularity and security of the execution conditions of all operations against internal rules and legal and regulatory obligations.
g) Objectives of the Financial Institution: Concrete results that an institution seeks to achieve, in its entirety or in certain of its activities. Usually, objectives relate to the strategic orientation of the institution (the markets or activities it targets), its financial performance (the performance indicators it aims for), and the effectiveness and operational efficiency of its resources.
h) Policies, procedures, and methods related to money laundering and the financing of terrorism: The set of provisions taken by the financial institution to protect itself against the risk of money laundering and the financing of terrorism.
i) Exception Report: A report signaling situations where controls are not respected or powers are exceeded, allowing the financial institution to take measures to correct them.
j) Money Laundering Risk: The risk that the financial institution is used for money laundering purposes; a situation that may generate operational and reputational risks for the institution.
k) Concentration Risk: Risk inherent in an exposure likely to cause significant losses that could threaten the financial solidity of a financial institution or its ability to continue its essential activities. Concentration risk may arise from exposure to:
l) Credit Risk: Risk incurred in the event of default by a counterparty or counterparties of the same group (related parties).
m) Annual Audit Plan: A document prepared annually by the head of internal audit and approved by the board of directors of the financial institution, which defines the internal audit objectives for the period under study, the activities, operations, systems, functions, and others to be examined, and a work schedule.
n) Terrorism Financing Risk: The risk that the financial institution is used for the purpose of funding terrorist activities; a situation that may generate operational and reputational risks for the institution.
o) Liquidity Risk: The risk for the financial institution of being unable to meet its commitments at their maturity under normal conditions.
p) Compliance Risk: The risk of judicial or administrative sanctions, significant financial loss, or reputational damage arising from non-compliance with provisions specific to banking and financial activities, whether legislative or regulatory in nature, or professional and ethical standards, or instructions from senior management taken notably in application of board orientations.
q) Settlement/Delivery Risk: The risk of occurrence, during the period necessary for the settlement/delivery of an operation, of a default or difficulties that prevent the counterparty of a financial institution from delivering the agreed financial instruments or funds, while said institution has already honored its commitments to said counterparty.
r) Interest Rate Risk: Risk incurred in the event of variation in interest rates on all on-balance sheet and off-balance sheet operations, except those covered by the market risk monitoring device.
s) Outsourced Activities Risk: Risk related to activities in which the financial institution entrusts to a third party, on a lasting basis, the provision of services or operational tasks involving significant risks.
t) Operational Risk: Risk of losses resulting from deficiencies or faults attributable to internal procedures, personnel, and systems or to external events. This definition includes legal risk but excludes strategic and reputational risks. The major sources of operational risks are linked to:
u) Significant Risk: A risk whose realization is likely to affect the proper functioning of the institution due to the importance of its potential impact on the financial level, image, objectives, or activities of the institution and by its probability of occurrence.
v) Internal Control System: The set of rules and controls that, following the reference framework defined by the "Committee of Sponsoring Organizations of the Treadway Commission" (COSO), govern the organizational and operational structure of a financial institution, including control and alert procedures and risk management, compliance, and internal audit functions.
w) Management Information System: A system that collects and provides information on the activities of a financial institution, its situation, and the risks to which it is exposed, to administrators and executives, to enable them to analyze this information and take appropriate measures. This system must also serve as a tool for combating money laundering and the financing of terrorism.
x) Independent Auditor or External Auditor: An accounting expert firm whose members are regulated by a professional order and appointed by the board of directors to conduct the audit of the financial institution.
y) Annual Compliance Verification: Annual evaluation of the mechanisms for combating money laundering and the financing of terrorism carried out by the compliance officer.
Any financial institution and its consolidated subsidiaries must have an adequate and effective internal control framework that allows the institution to ensure that its activities are managed and controlled in a sound and prudent manner, and that significant risks are identified and controlled appropriately.
The internal control framework consists of:
a) Administrators and executives who understand their responsibilities and fulfill them with loyalty and diligence, ensuring that the institution's affairs are effectively managed and controlled to achieve set objectives;
b) Administrators and executives who are regularly informed of the evolution of activities, significant risks, and results through a management information system that provides quality financial information;
c) Supervision of operational department activities by an organization, rules, and procedures securing their operating conditions through self-control processes, automated controls, and hierarchical validation;
d) An adequate risk management device and a well-defined permanent control system adapted to the significant risks and operations of the financial institution;
e) An internal audit function whose role, in accordance with standards defined by the IIA, is to evaluate the institution's governance, risk management, and control processes, contribute to their improvement based on a systematic, methodical, and risk-based approach, monitor the effectiveness and consistency of the internal control system and the quality of financial information for internal or external use, and ensure follow-up on findings related to any problematic situation caused by non-compliance, insufficiency, or lack of control;
f) An independent verification function that allows monitoring the effectiveness of the internal control system and the structure put in place for anti-money laundering.
Internal Control Framework
Responsibilities of Administrators and Executives Regarding the Internal Control System
Administrators and executives have the duty to ensure the implementation of a control culture and respect for the financial institution's internal control system by dictating the priority and imperative nature of internal controls in the institution's operational functioning, and by raising awareness among the personnel responsible for developing, applying, and monitoring them.
Administrators and executives are responsible for ensuring that the financial institution's internal control has the necessary resources, independence, and authority to control the significant risks to which the financial institution is exposed and to avoid any act that could compromise the continuity of operations, notably regarding money laundering and the financing of terrorism.
Administrators and executives must understand the shareholding structure and group organization, if applicable, as well as the objectives and activities of all companies within said group, both on national territory and abroad, and the links and relationships between them and with the parent company.
Administrators must define the institution's strategic directions and risk appetite. They must approve the risk strategy and policy, ensure that transactions with related parties, including intra-group operations, are identified, evaluated, and subject to appropriate restrictions. They must ensure the implementation of an effective internal communication and information dissemination system covering risk strategy and exposure levels.
Administrators must ensure the implementation of a risk measurement, control, and monitoring device in accordance with the rules defined in this circular.
Administrators must ensure the implementation of an integrated and harmonized steering device within the group, if applicable, ensuring effective supervision of the activities and risks of local and foreign subsidiaries.
Administrators must examine the internal control device at least once a year and pronounce on the achievement of risk control objectives.
The scope and characteristics of an internal control system ensuring sound and prudent management may differ from one financial institution to another for several reasons, notably: the nature and diversity of activities, the volume, size, and complexity of operations, the level of risk associated with activities and operations, the degree of centralization or delegation of powers, as well as the scope and effectiveness of the information technology used.
The basic principles set out in Annex I of this circular must be respected when implementing an internal control system.
Financial institutions that exclusively or jointly control other entities with a financial character must ensure that the internal control systems implemented within them are consistent and compatible with each other to allow, notably, supervision and risk control at the group level. They also ensure that the aforementioned internal control systems are adapted to the group's organization and the nature of the controlled entities.
Financial institutions ensure that the internal control systems implemented within the parent company are:
a) Consistent and compatible to allow supervision and risk control at the group level and the production of information required by the BRH within the framework of consolidated supervision of the financial institution;
b) Adapted to the group's organization and the activity of controlled entities.
The internal control of a financial institution must comprise three levels:
Depending on the size of the institution, the responsibilities of permanent and periodic control may not fall on different persons. In this case, these responsibilities may be assumed, subject to the non-objection of the BRH, either by a single person or directly by senior management. The request transmitted to the BRH must include a description of the organization and the modalities for exercising internal control in this context, to guarantee the proper fulfillment of these functions.
Any financial institution, given its size, must prepare and keep up to date a document, generally referred to as the "Internal Control Charter," which specifies the objectives and means intended to ensure the different internal control functions. This document clearly presents the following elements:
a) The description of the role, powers, responsibilities, and organization of the different control functions, the interrelations between them, and the provisions ensuring their independence;
b) The means made available to them to allow them to fulfill their role effectively;
c) Their attributions and the conditions for carrying out the controls to be exercised;
d) The procedures for formalizing and disseminating the results of controls performed;
e) The follow-up process for recommendations issued.
No later than forty-five (45) days after the end of the fiscal year, the heads of the different permanent and periodic control functions each prepare, according to the format defined by the BRH in Annex II, a report on the conditions under which these functions are performed. This report notably includes:
i) An overview of the main risks and the measurement and monitoring systems implemented;
ii) A description of the organizational conditions of each function, the allocated means, and significant modifications made compared to the previous year;
iii) An inventory of the main actions taken, highlighting the main results, findings, and lessons learned;
iv) A presentation of the main projected actions.
The head of the risk management function must report to senior management and have access as needed to the board of directors and/or the risk management committee. The risk management function must have sufficient means in terms of personnel, information systems, and access to necessary internal and external information to carry out its mission.
The head of risk management must alert the risk management committee and senior management to any situation likely to have significant repercussions on risk control.
No later than thirty (30) days after the end of each quarter of the financial institution's fiscal year, the head of the risk management function must prepare a quarterly activity report for the board of directors. This report must be officially discussed at a board of directors meeting or a risk management committee meeting.
The quarterly activity report includes the following information:
a) A description of activities carried out during the quarter;
b) A description of the impact of shortcomings or deficiencies, the required corrections, and their implementation schedule;
c) A follow-up on the effective implementation of actions aimed at remedying any dysfunction in the implementation of risk mitigation measures.
Financial institutions must equip themselves with a compliance control device, responsible for monitoring compliance risk. This is a structure independent of operational entities.
Financial institutions must designate a compliance officer responsible for ensuring the consistency and effectiveness of the compliance risk control, and must communicate that officer's identity to the BRH. The compliance officer must not perform any commercial, financial, or accounting operation, to avoid any potential conflict of interest. The compliance officer may be in charge of the risk management function depending on the size and complexity of the financial institution's activities, with the approval of the BRH.
The head of the compliance function reports to the board of directors and must have access as needed to the specialized committee in charge of compliance matters.
Financial institutions provide all concerned personnel with training on compliance control procedures, adapted to the operations they perform.
Financial institutions ensure that their subsidiaries put in place compliance control devices for their operations.
No later than thirty (30) days after the end of each quarter of the financial institution's fiscal year, the head of the compliance function must prepare a quarterly activity report for the board of directors. This report must be officially discussed at a board of directors meeting or a committee in charge of compliance matters.
The quarterly activity report includes the following information:
a) A description of activities carried out during the quarter;
b) A description of the impact of shortcomings or deficiencies, the required corrections, and the implementation schedule for corrections;
c) A follow-up on the effective implementation of actions aimed at remedying any dysfunction in the implementation of compliance obligations;
d) A follow-up on the mechanisms put in place in the framework of combating money laundering and the financing of terrorism in func