Regulation on Minimum Requirements for Risk Management in Banks of the Kyrgyz Republic

Back

Print version

Date of creation: 2024-04-30

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic dated June 15, 2017 No. 2017-P-12/25-8-(NPA)

REGULATION

on minimum requirements for risk management in banks of the Kyrgyz Republic

(As amended by Resolutions of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1, October 17, 2018 No. 2018-P-12/43-2, August 14, 2019 No. 2019-P-12/42-1, September 9, 2019 No. 2019-P-33/47-4, September 15, 2021 No. 2021-P-12/51-1, January 17, 2024 No. 2024-P-12/1-3, April 12, 2024 No. 2024-P-12/17-2-(NPA))

1. General Provisions

2. This Regulation establishes mandatory compliance by commercial banks, guarantee funds (hereinafter - banks) with minimum requirements for risk management organization.

(As amended by Resolution of the Board of the NBKR dated January 17, 2024 No. 2024-P-12/1-3)

2. The purpose of this Regulation is to define minimum requirements for establishing an adequate risk management system in banks and requirements for internal control organization, providing for banks to apply risk control methods that ensure effective identification, assessment, and limitation of bank risks considering the type and volume of operations conducted.

3. For the purposes of this Regulation, the following terms are used:

Risk - the probability that expected or unexpected events may have a negative impact on the bank's capital or income.

Risk management system - a process including four main elements: risk identification, risk measurement, risk control, and risk monitoring.

Head of the Risk Management Department - a bank official with sufficient experience in banking who is responsible for the daily risk management activities of the bank.

Credit risk - the risk of clients failing to fulfill their obligations according to the terms and conditions of the contract.

Market risk - the probability of losses to which the bank is exposed in the event of adverse changes in the value of the bank's assets and liabilities resulting from changes in market interest rates, their fluctuations, exchange rates, stock prices, credit spreads, and/or commodity prices. The following three subcategories of risk apply to market risk and include:

Price risk - the risk of losses to which the bank is exposed in the event of adverse changes in the value of financial instruments and other investments or assets owned by the bank or any of its subsidiaries (on or off-balance sheet) resulting from changes in market prices. The risk arises from market activity, dealing activities, and positions held in capital, currency, and commodity markets.

Interest rate risk - the risk of losses to which the bank is exposed in situations where the bank's assets and liabilities do not match in final maturity dates, revaluation dates, or as a result of changes in market interest rates.

Currency risk - the risk of incurring expenses (losses) related to changes in foreign exchange rates during the bank's operations. The probability of expenses (losses) arises from the revaluation of the bank's currency positions in monetary terms.

Country risk - the risk of incurring expenses (losses) due to the insolvency or unwillingness of a foreign state or a resident of a foreign state to meet its obligations to the bank for reasons unrelated to financial risks.

The country risk component also includes:

Transfer risk - the risk of direct or indirect losses to which the bank or any of its subsidiaries is exposed as a result of the inability of private borrowers to fulfill their obligations due to government actions, such as the introduction of restrictions on transferring funds to foreign creditors in the debtor country for financial or other reasons. This type of country risk applies only to private borrowers. For example, transfer risk may arise if the government introduces currency restrictions, leading to the debtor (in this case, a non-state debtor) being unable to repay obligations as agreed.

Sovereign risk - the risk of possible direct or indirect losses to which the bank or any of its subsidiaries is exposed as a result of the inability or unwillingness of a foreign government to repay its obligations according to the terms stipulated in contracts. Sovereign risk may arise, for example, due to a shortage of foreign currency or unwillingness to service its sovereign debt.

Operational risk - the risk of direct or indirect losses to which the bank is exposed as a result of failures in the bank's or its subsidiaries' operations caused by external events, personnel errors, fraud, as well as inadequacy or violation of processes, procedures, or control systems.

Liquidity loss risk - the risk of losses to which the bank is exposed in the event of its inability to timely fulfill its obligations without incurring unacceptable losses (i.e., achieving liquidity only through asset liquidation, which would lead to unacceptable losses). It includes the inability to manage unplanned changes in funding sources. It also arises in the event of the bank's refusal to recognize or respond to changes in market conditions that affect the ability to quickly realize assets with minimal loss of value.

Reputational loss risk - the risk of losses to which the bank is exposed as a result of negative public opinion about the bank or its subsidiaries. It affects the bank's ability to establish new relationships or maintain existing ones. This risk may arise from the possibility of the bank being involved in litigation, which could lead to financial losses or damage its reputation.

Compliance risk - the probability of losses arising from the bank's and its employees' failure to comply with the legislation of the Kyrgyz Republic, regulatory legal acts of the National Bank of the Kyrgyz Republic, internal bank documents, including the organization of internal control to counter the financing of terrorist activities and the legalization (money laundering) of criminal proceeds, regulating the procedure for the bank's service provision and operations in the financial market, as well as the legislation of foreign states affecting the bank's activities.

Head of the Compliance Control Department - a bank official whose competencies include, at a minimum, conducting internal control over the bank's compliance with the legislation of the Kyrgyz Republic, regulatory legal acts of the National Bank, internal document requirements (rules, procedures, etc.), as well as organizing internal control to counter the financing of terrorist activities and the legalization (money laundering) of criminal proceeds.

Front office - a group of bank departments or processes responsible for direct work with the bank's clients/counterparties.

Back office - a group of bank departments or processes responsible for verification, documentation, and accounting of operations based on primary documents received from the front office.

Gap - a method by which a bank can measure interest rate risk and liquidity loss risk, based on comparing the volumes of the bank's assets and liabilities exposed to interest rate changes or subject to maturity within a certain period.

Stress testing - a group of methods for measuring the potential impact of exceptional but possible events on the bank's financial condition; it is an analytical tool for assessing potential bank losses in the event of adverse changes in both the external environment (e.g., economic downturns, changes in interest rates, exchange rates, legislative changes, etc.) and the activities of the bank's clients and counterparties (e.g., bankruptcy of major bank clients, deposit outflows, impact of external factors on client creditworthiness, etc.).

Back-testing - a method by which a bank investigates the effectiveness of its risk measurement procedures using historical data on the bank's previous transactions and comparing calculated results with current (actual) results of previous transactions.

Concentration risk - the risk of losses arising from the concentration of resources on a specific instrument, individual operations, or a specific sector of the economy.

Force majeure circumstances - circumstances of force majeure independent of the bank's will, including but not limited to such events as natural disasters (floods, earthquakes, storms, fires, and other natural or technological catastrophes), technical catastrophes, epidemics, declaration of a state of emergency, mass riots, looting, military actions, etc.

Risk of ML/TF - the risk of direct or indirect losses to which the bank is exposed as a result of the bank's violation of legislation, rules, or standards in the field of AML/CFT, due to the involvement of the bank, its clients, and partners in processes related to ML/TF.

Risk appetite - the aggregate level and types of risks that the bank is willing to accept to achieve its strategic goals and business plan, taking into account hard-to-measure risks such as the bank's reputation and unethical practices. Risk appetite is considered when developing the bank's development strategy and business plan.

Internal document on risk appetite level - a document in which the aggregate level and types of risks that the bank is willing to accept or avoid to achieve its strategic goals and business plan must be defined/established (definition of qualitative and quantitative indicators for profitability, capital, liquidity, and other relevant measures, e.g., growth, variability), while it is necessary to take into account hard-to-measure risks such as the bank's reputational loss risk and unethical practices. This document may be part of the bank's business plan.

Risk limits - the distribution of the bank's aggregate risk appetite (a quantitative restriction imposed on specific indicators) across business areas, branches, subsidiaries, specific risk categories, concentrations, products, and other necessary levels. The bank is responsible for the correct distribution of authority for implementing various types of limits.

Bank risk profile - a summary of all current types of risks and their levels, reflecting all key issues in the bank's activities and conclusions based on the current (last updated) assessment of available information on these risks.

(As amended by Resolutions of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1, August 14, 2019 No. 2019-P-12/42-1)

4. A bank's risk management system is assessed by the National Bank in accordance with the regulatory legal acts of the National Bank and the legislation of the Kyrgyz Republic.

5. Organization of Risk Management

6. Within the framework of the requirements of this Regulation, banks must develop and approve by the Board of Directors internal risk management documents commensurate with the scale, needs, and complexity of their operations.

For the purpose of disclosing the bank's strategy and scale of operations, the bank must prepare a business plan in accordance with legislative requirements and internal bank documents. The internal document on risk appetite level indicating risk limit levels may also be reflected in the bank's business plan.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

6. The bank's risk management policy must provide for the mandatory implementation of the following actions:

1. risk identification - a process carried out on a continuous basis, which must be oriented towards identifying current risks and risks arising from business expansion and the introduction of new banking products and services;

2. risk measurement, which must be conducted taking into account the external and internal conditions of the given bank. Risk measurement tools used by the bank must reflect the complexity and levels of risk accepted by the bank. The bank must periodically assess the risk measurement tools it applies;

3. risk control. The bank must establish and set forth in internal policies, rules, and procedures limits defining the rights and responsibilities of bank employees. Control restrictions must be adjustable, meaning the bank must have the ability to make exceptions or modify the specified limits in the order established by policies;

4. risk monitoring to ensure timely review of the bank's risk levels. Risk monitoring reports must be periodic, accurate, timely, and submitted to responsible bank officials for taking necessary corrective measures.

The risk management policy must provide for methods (ways) to restrict the bank from conducting transactions and operations (transactions) by clients that lack obvious economic sense or a legitimate purpose (the transaction does not bring any benefit to the bank, the transaction/operation has a confusing and unusual nature, the operation does not correspond to the client's usual activity and/or has signs of suspicious operations and other criteria) and/or which may subsequently harm the bank's interests.

(As amended by Resolution of the Board of the NBKR dated September 15, 2021 No. 2021-P-12/51-1)

7. When determining the risk management strategy, it must be defined whether the bank will develop and adopt separate policies for each type of risk, or develop a unified risk management policy and integrate risk management into other internal documents (such as credit and investment policies, asset and liability management policy, liquidity policy, or other policies).

8. Bank risk management must be carried out comprehensively and simultaneously at all levels of the bank, including:

1. strategic level, which covers the functions of the Board of Directors and the Board of Directors, such as risk identification, establishing an acceptable risk level for the bank, defining strategy, risk management procedures, and creating adequate control systems;

2. macro level, covering the functions of the bank's structural units, risk management activities of middle management, and functional units related to risk review;

3. micro level, including the activities of persons/employees who accept risk on behalf of the bank and limited to compliance with operational procedures, internal control procedures, and other instructions established by bank management.

9. The bank's risk management strategy must provide for the consideration and assessment of risks taken by the bank in aggregate, i.e., reflecting the interaction of risks in all operations conducted by the bank.

10. The need to consider and assess risks at the bank-wide level requires the presence of an independent risk management department.

11. Banks must establish a Risk Management Department. The Risk Management Department identifies, measures, monitors, and controls banking risks on a daily basis. The executive body and/or structural units supervising specific types of risks are directly responsible for risk management.

12. The Risk Management Department must, at a minimum, submit reports to the Risk Committee on a monthly basis, and to the Board of Directors on a quarterly basis. The Board of Directors and/or the Risk Committee may additionally establish a different reporting frequency, but not less frequently than specified in this paragraph.

In carrying out current activities and for the expediency of decision-making, the Risk Management Department closely cooperates with members of the Bank's Board of Directors, structural units, and bank employees.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

13. The activities of the Risk Management Department, including its head, must be subject to audits by the bank's internal audit department. Internal audit must assess the adequacy and effectiveness of the bank's risk management system. Internal audit must conduct reviews of this department's activities similar to those performed for other structural units of the bank. The internal auditor determines the necessary frequency of audits. In addition to routine audits, the internal auditor must verify the risk manager's fulfillment of direct duties defined in Section 6 of this Regulation.

14. Risk management must be carried out on a consolidated basis and applied to subsidiaries, both located within the territory of the Kyrgyz Republic and operating outside it.

14-1. The internal document on risk appetite level must clearly define cases where established limits may be exceeded with mandatory approval by the Board of Directors. The Board of Directors independently determines the established/approved limits, who approves limit exceedances, to which body the risk appetite level report is submitted and with what frequency, the procedure and deadlines for notification in case of violations, as well as the delegation of authority to bank's authorized bodies to establish/approve risk limits.

In this regard, measures to reduce risk limit levels may be provided.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

14-2. For the purpose of managing the bank's current risk profile, the bank must clearly formulate its risk appetite, in particular, all types of risks and their levels acceptable to the bank (i.e., levels that will not endanger the bank and will ensure the safety of deposits and bank profitability). The risk appetite must be linked to the bank's short-term and long-term strategy, must not contradict the business plan, and must be agreed upon at the level of the corresponding collegiate bodies of the bank. For this, it is necessary to:

1. develop and approve an internal document on risk appetite according to the definition specified in paragraph 28 of Section 3 of this Regulation, which will be linked to the short-term and long-term strategy, the bank's business plan, its capital, and financial plans;

2. develop a policy containing the process for determining the bank's risk appetite, and continuously monitor the bank's compliance with the risk appetite level. This risk appetite determination document must be reviewed at least once a year;

3. develop procedures for assessment, approval, notification (internal awareness), as well as processes for monitoring, auditing risk limits, and principles defined and approved by the Bank's Board of Directors;

4. measure, establish, control, and manage risk limits, which must not exceed the risk appetite approved by the Board of Directors of the bank.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

14-3. The Board of Directors monitors and is responsible for the bank's risk profile for the purpose of monitoring limits and values implemented by the Bank's Board of Directors.

It is necessary to establish a set of limits to control the bank's impact on various measurable risks related to the bank's operational activities (e.g., credit risk, market risk, interest rate risk, liquidity risk, etc.). Risk limits are usually expressed in relation to profitability, capital, liquidity, or other relevant indicators (e.g., growth and variability). Risk limits should be established in accordance with the bank's risk appetite.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

14-4. Risk limits approved by the Board of Directors apply to persons/employees, departments, or structural units of the bank conducting specific bank activities.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

14-5. Authorized structural units, persons/employees involved in the bank's operational processes must be informed of the established risk limits, and the bank must ensure their understanding of these limits. Careful monitoring of limit usage is conducted, and the Bank's Board of Directors must be informed immediately of any breached limits to take appropriate measures.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

3. Risk Management Committee

4. The purpose of establishing the Risk Management Committee (hereinafter - Risk Committee) is to assist the Bank's Board of Directors in defining priority areas of bank activity in the field of banking risks and to assist in creating conditions for proper risk management.

5. The activities of the Risk Committee are governed by the Regulation on the Risk Management Committee, which is approved by the Bank's Board of Directors.

This document must, at a minimum, define:

• the purpose and objectives of the Risk Committee;

• the organization of the Risk Committee - composition, frequency, and time of meetings;

• the rights and duties of the Risk Committee;

• the procedure for interaction with the Board of Directors, bank management, structural units, and bank employees;

• the procedure for reporting on work done to the Board of Directors.

17. The competencies of the Risk Committee include, at a minimum:

1. assessment of the effectiveness of the existing risk management system, at a minimum:

• analysis of internal bank documents regulating the risk management process;

• analysis of the adequacy of managerial risk reporting;

• analysis of the adequacy of information support for the risk management process;

• approval of the Risk Management Department's work plan and control over its implementation;

• comparison with best and/or acceptable international practices in risk management;

2. consideration of:

• internal documents on banking risk management submitted by the executive body for approval by the Board of Directors;

• regular reports on risk types provided by the Risk Management Department, as well as the state of risk limits, gap and stress testing results;

3. interaction with the Head of the Risk Management Department, Head of the Compliance Control Department, internal and external audit on issues of risk management in the bank, as well as, if necessary, with other structural units of the bank;

4. development/preparation of recommendations for the Bank's Board of Directors:

• on improving the effectiveness of existing risk management systems;

• on risk restrictions regarding banking operations and other bank transactions;

• on other significant issues in the field of risk management;

5. advising the board on risk appetite, controlling the implementation of the internal document on risk appetite and reporting on the state of risk culture. The Risk Committee bears responsibility for advising;

6. bringing to the attention of the Bank's Board of Directors information on all significant banking risks to the bank.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

18. The quantitative and personal composition of the Risk Committee is determined and approved by the Bank's Board of Directors and must not be less than 3 (three) members of the Board of Directors. At a minimum, two members of the Risk Committee must be elected from among the independent members of the Board of Directors, one of whom is the Chairman of the Risk Committee and does not chair the Audit Committee.

All members of the Risk Committee have voting rights; invitees have non-voting rights.

(As amended by Resolution of the Board of the NBKR dated June 20, 2018 No. 2018-P-12/24-1)

19. Members of the Risk Committee and the Chairman of the Risk Committee are approved by the Board of Directors, while as members of the Bank's Board of Directors they are elected by the shareholders' meeting.

(As amended by Resolutions of the Board...