LogoRegulatory Alerts
2018-07-18 | 127653

Regulation on Minimum Risk Management Requirements for Banks Operating in Accordance with Islamic Principles of Banking and Finance

The National Bank of the Kyrgyz Republic issued this regulation to establish minimum risk management and internal control requirements for commercial banks conducting Islamic banking operations. The document mandates the creation of independent risk management and Shariah supervisory functions, defines specific risk categories including Shariah compliance and fiduciary risks, and requires the Board of Directors to approve risk appetite and limits. It further outlines the governance structure, reporting obligations, and consolidation requirements for managing risks across all banking activities.

National Bank of the Kyrgyz Republic logo

Kyrgyzstan

National Bank of the Kyrgyz Republic

Click to view thumbnail

Return to previous page

Print version

Date of creation: 2025-09-18

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic of July 18, 2018 No. 2018-P-12/30-3-(BS)

REGULATION

"On Minimum Requirements for Risk Management in Banks Carrying Out Operations in Accordance with Islamic Principles of Banking and Finance"

(As amended by Resolutions of the Board of the National Bank of the Kyrgyz Republic of August 14, 2019 No. 2019-P-12/42-1, November 16, 2022 No. 2022-P-12/70-1-(NPA), December 20, 2023 No. 2023-P-12/80-3-(NPA), September 12, 2025 No. 2025-P-12/46-1-(NPA))

  1. General Provisions

  2. The purpose of this Regulation is to define minimum requirements for the formation of an adequate risk management system and requirements for organizing internal control in commercial banks carrying out operations in accordance with Islamic principles of banking and finance, including banks having an "Islamic window" (hereinafter referred to as "Banks").

  3. For the purposes of this Regulation, the following terms are used:

Risk - the probability that expected or unforeseen events may have a negative impact on the bank's capital or income.

Credit Risk - the risk of losses resulting from the failure or improper fulfillment by the client of its obligations stipulated in the contract conditions.

Equity Investment Risk - the risk arising from investing bank funds in the share capital of companies in accordance with Mudaraba and diminishing Musharaka agreements. (As amended by the Resolution of the Board of the National Bank of the Kyrgyz Republic of November 16, 2022 No. 2022-P-12/70-1-(NPA))

Market Risk - the probability of losses associated with unfavorable changes in the value of the bank's assets and liabilities resulting from changes in prices of raw materials, goods, exchange rates, and stock prices. Market risk may arise at various stages of contract implementation or exist constantly throughout the entire term of their action. Market risk includes price risk and currency risk.

Price Risk - the risk of losses to which the bank is exposed in the event of unfavorable changes in the value of financial instruments and other investments or assets belonging to the bank or any of its subsidiaries (on or off the balance sheet). The risk arises as a result of market activities, dealing activities, and positions held in capital, currency, and commodity markets.

Currency Risk - the risk of incurring expenses (losses) associated with changes in exchange rates in the course of the bank's activities. The probability of expenses (losses) arises due to the revaluation of the bank's currency positions in monetary terms.

Country Risk - the risk of incurring expenses (losses) due to the insolvency or unwillingness of a foreign state or a resident of a foreign state to meet its obligations to the bank for reasons not related to financial risks.

Country risk also includes transfer risk and sovereign risk:

Transfer Risk - the risk of direct or indirect losses to which the bank or any of its subsidiaries is exposed as a result of the inability of private clients/counterparties to fulfill their obligations due to government actions, such as the introduction of restrictions on transferring funds to foreign creditors in the debtor's country for financial or other reasons. This type of country risk applies only to private clients/counterparties. For example, transfer risk may arise in the event of the introduction of currency restrictions by the government, which leads to the client being unable to fulfill obligations in accordance with the agreement.

Sovereign Risk - the risk of possible direct or indirect losses to which the bank or any of its subsidiaries is exposed as a result of the inability or unwillingness of a foreign government to fulfill its obligations in accordance with the terms stipulated in contracts. Sovereign risk may arise, for example, as a result of a shortage of foreign currency or the unwillingness to service its sovereign debt.

Operational Risk - the risk of direct or indirect losses to which the bank is exposed as a result of failures in the bank's or its subsidiaries' operations caused by external events, personnel errors, as well as inadequacy or violation of processes, procedures, or control systems.

Shariah Compliance Risk - the risk arising from the non-compliance of banking products and bank contracts with the rules of conducting banking operations established by Shariah standards, which may adversely affect the bank's reputation.

Fiduciary Responsibility Risk - the risk arising from the improper management of bank clients' funds and non-compliance with the terms stipulated in investment agreements.

Yield Risk - the risk of losses to which the bank is exposed in a situation where the bank's assets and liabilities do not match in final maturity dates or as a result of changes in market yield rates.

Liquidity Loss Risk - the risk of losses to which the bank is exposed in the event of its inability to fulfill its obligations in a timely manner without incurring unacceptable losses (i.e., achieving liquidity only through the sale of assets, which will lead to unacceptable losses). It includes the inability to manage unplanned changes in funding sources. It also arises in the event of the bank's refusal to recognize or respond to changes in market conditions that affect the ability to quickly realize and minimize losses in the value of assets.

Reputational Loss Risk - the risk of losses to which the bank is exposed as a result of negative public opinion about the bank or its subsidiaries. This risk affects the bank's ability to cooperate and maintain existing relationships. Reputational loss risk may arise as a result of Shariah compliance risk, fiduciary responsibility risk, the bank's involvement in legal proceedings, negative information in the media, and other negative events, the consequence of which may be financial losses, outflow of funds from accounts, or loss of the bank's reputation.

Compliance Risk - the probability of losses arising from the bank's and its employees' failure to comply with the legislation of the Kyrgyz Republic, regulatory legal acts of the National Bank of the Kyrgyz Republic, internal documents of the bank, including the organization of internal control to counter the financing of terrorist activities and the legalization (laundering) of criminal proceeds (hereinafter referred to as "CFT/AML"), regulating the procedure for the bank to provide services and conduct operations in the financial market, as well as the legislation of foreign states affecting the bank's activities.

Concentration Risk - the risk of losses arising from the concentration of resources on a specific instrument, individual operations, or a specific sector of the economy.

Terrorist Financing and Money Laundering Risk (hereinafter referred to as "TF/ML") - the risk of direct or indirect losses to which the bank is exposed as a result of the bank's violation of legislative requirements, rules, or standards in the field of CFT/AML, due to the involvement of the bank, its clients, and partners in processes related to TF/ML.

Head of the Risk Management Service - a bank official with sufficient experience in banking who is responsible for the daily risk management activities of the bank.

Head of the Compliance Control Service - a bank official whose competence includes, at a minimum, conducting internal control over the bank's compliance with the legislation of the Kyrgyz Republic, regulatory legal acts of the National Bank, requirements of internal documents (rules, procedures, etc.) of the bank, as well as organizing internal control for CFT/AML.

Risk Management System - its process, including four main elements: risk identification, risk measurement, risk control, and risk monitoring.

Front Office - a group of bank subdivisions or processes responsible for direct work with the bank's clients/counterparties.

Back Office - a group of bank subdivisions or processes responsible for verifying, documenting, and accounting for operations based on primary documents received from the front office.

Gap - a method by which a bank can measure yield risk and liquidity loss risk, based on a comparison of the volumes of the bank's assets and liabilities exposed to changes in market yield rates or subject to maturity within a certain period.

Stress Testing - a group of methods for measuring the potential impact of exceptional but possible events on the bank's financial condition; it is an analytical tool for assessing the bank's potential losses in the event of adverse changes in the external environment (e.g., economic downturns, changes in market yield rates, exchange rates, changes in legislation, etc.) and in the activities of the bank's clients and counterparties (e.g., bankruptcy of major clients/counterparties, outflow of funds from accounts, impact of changes in external factors on the client's creditworthiness, etc.).

Back-testing - a method by which a bank investigates the effectiveness of its risk measurement procedures using historical data on the bank's previous transactions and comparing calculated results with current (actual) results of previous transactions.

Force Majeure Circumstances - circumstances of force majeure, independent of the bank's will and including, but not limited to, such events as natural disasters (floods, earthquakes, storms, fires, and other natural or technological catastrophes), technical catastrophes, epidemics, declaration of a state of emergency, mass riots, looting, military actions, etc.

Risk Appetite - the aggregate level and types of risks that the bank is willing to accept to achieve its strategic goals and business plan, taking into account hard-to-measure risks, such as the bank's reputation and unethical practices. Risk appetite is taken into account when developing the bank's development strategy and business plan.

Internal Document on Risk Appetite Level - a document in which the aggregate level and types of risks that the bank is willing to accept or avoid to achieve its strategic goals and business plan must be defined/established (definition of qualitative and quantitative indicators on profitability, capital, liquidity, and other relevant measures, e.g., growth, volatility), while it is necessary to take into account hard-to-measure risks, such as the risk of loss of the bank's reputation and unethical practices. At the same time, this document may be part of the bank's business plan.

Risk Limits - the distribution of the bank's aggregate risk appetite (a quantitative restriction imposed on certain indicators) across business areas, branches, subsidiaries of the bank, specific categories of risks, concentrations, products, and other necessary levels. The bank is responsible for the correct distribution of authority for the implementation of various types of limits.

Bank's Risk Profile - a summary information of all current types of risks and their levels, which reflect all key issues in the bank's activities and conclusions based on the current (last updated) assessment of available information on these risks.

Investment Accounts - client accounts on which funds attracted by the bank based on a Mudaraba agreement are reflected. Depending on the type of Mudaraba agreement, an investment account may be unlimited or limited. (As amended by the Resolution of the Board of the National Bank of the Kyrgyz Republic of August 14, 2019 No. 2019-P-12/42-1)

  1. Organization of Risk Management

  2. For the purpose of minimizing risks inherent in the bank's activities, the bank must have internal risk management documents approved by the Bank's Board of Directors, corresponding to its scale, needs, and complexity of operations conducted.

For the purpose of disclosing the bank's strategy and scale of activities, the bank must prepare a business plan in accordance with legislative requirements and the bank's internal documents.

  1. Bank risk management must be carried out comprehensively and simultaneously at all levels of the bank. In this regard:

  1. the activities of the Board of Directors and the Board of the Bank must be aimed at defining strategy and procedures for risk management, establishing an acceptable level of risks, and creating adequate control systems;

  2. the activity of the Risk Management Committee involves reviewing key strategic risk management issues, assessing its current state, ensuring control over the activities of the Bank's Board, as well as establishing and assessing risks when implementing new banking technologies;

  3. risk management at the level of structural subdivisions must cover the activities of middle management and functional subdivisions related to risk review;

  4. risk management at the level of persons/employees who assume risk on behalf of the bank must be limited to compliance with operational procedures, internal control procedures, and other requirements established by the bank's management.

  1. The bank's risk management strategy must provide for one of the following approaches:

  1. development and adoption of separate policies for each type of risk;

  2. the presence of a single bank policy on risk management, providing for risk management issues in other internal documents (asset and liability management policy, liquidity policy, or other policies).

  1. The bank's risk management policy must provide for the consideration and assessment of risks taken by the bank in aggregate, i.e., reflecting the mutual influence of risks in all operations conducted by the bank.

The bank's policy must define the mandatory nature of the following:

  1. risk identification must be carried out on a continuous basis and be oriented towards identifying current risks and risks arising from the expansion of activities and the introduction of new banking products and services, including their compliance with Shariah standards;

  2. risk measurement must be carried out taking into account external and internal conditions affecting the bank's activities. The risk measurement tools used by the bank must reflect the complexity and level of risk taken by the bank. The bank must periodically assess the risk measurement tools it applies;

  3. risk control must be carried out by establishing limits in internal policies, rules, and procedures that define the rights and responsibilities of bank employees. The policies must define the decision-making procedure in case of exceeding these limits. The control mechanisms applied by the bank must comply with Shariah rules and standards, legislative requirements, as well as the bank's internal policies and procedures, and ensure the integrity of the risk management process;

  4. risk monitoring must be conducted to ensure timely review of the bank's risk levels. Risk monitoring reports must be periodic, adequate, timely, and submitted to responsible bank officials for taking necessary corrective measures.

The risk management policy must provide for methods (ways) of restricting the bank from making transactions and conducting operations (transactions) of clients/partners that do not have an obvious economic sense or legitimate purpose (the transaction does not bring any benefit to the bank, the transaction/operation is confusing and unusual in nature, the operation does not correspond to the client's usual activity and/or has signs of suspicious operations and other criteria) and/or which may subsequently harm the bank's interests. (As amended by the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 20, 2023 No. 2023-P-12/80-3-(NPA))

  1. The need to consider and assess risks on a bank-wide basis requires the presence of an independent risk management service.

  2. Banks must create a Risk Management Service. The Risk Management Service identifies, measures, monitors, and controls banking risks on a daily basis. The executive body and/or structural subdivisions supervising specific types of risks are directly responsible for risk management.

  3. The Risk Management Service must, at a minimum, submit reports to the Risk Committee on a monthly basis, and provide reports to the Board of Directors on a quarterly basis. At the same time, the Board of Directors and/or the Risk Committee may additionally establish a different frequency for submitting such reports, but not less frequently than the frequency established in this paragraph.

In carrying out current activities and for the expediency of decision-making, the Risk Management Service closely cooperates with members of the Bank's Board, structural subdivisions, and bank employees.

  1. The activities of the Risk Management Service, including its head, must be subject to audits by the bank's internal audit service. Internal audit must assess the adequacy and effectiveness of the bank's risk management system. Internal audit must conduct audits of this subdivision's activities similar to those conducted for other structural subdivisions of the bank. The internal auditor determines the necessary frequency of audits. In addition to regular audits, the internal auditor must check the risk manager's fulfillment of their direct duties defined in Section 6 of this Regulation.

  2. The functioning of an independent Shariah Board is mandatory in the bank. The bank's Shariah Board carries out its activities independently of the Board of Directors, the Board of the Bank, and the bank's structural subdivisions.

  3. Risk management must be carried out on a consolidated basis and applied to subsidiaries, both located within the territory of the Kyrgyz Republic and operating outside it.

  4. The internal document on the risk appetite level must clearly define cases where established limits may be exceeded with the mandatory approval of the Board of Directors, as well as the Shariah Board, if the issues involve operations in accordance with Islamic principles of banking and finance. At the same time, the Board of Directors independently determines the established/approved limits, who approves the exceeding of limits, to which body the report on the risk appetite level is provided and with what frequency, the procedure and deadlines for notification in case of violations, as well as the delegation of authority to authorized bank bodies to establish/approve risk limits.

At the same time, measures to reduce the level of risk limits may be provided.

  1. For the purpose of managing the bank's current risk profile, the bank must clearly formulate its risk appetite, in particular, all types of risks and their levels acceptable to the bank (i.e., levels that will not expose the bank to risk and will ensure the safety of deposits and the bank's profitability). At the same time, the risk appetite must be linked to the bank's short-term and long-term strategy, not contradict the bank's business plan, and be agreed upon at the level of the corresponding collegial bodies of the bank. For this, it is necessary:

  1. to develop and approve an internal document on risk appetite according to the definition specified in paragraph 31 of section 2 of this Regulation, which will be linked to the short-term and long-term strategy, the bank's business plan, its capital, and financial plans;

  2. to develop a policy containing the process of determining the bank's risk appetite, and on a continuous basis to monitor the bank's compliance with the risk appetite level. At the same time, this document defining the bank's risk appetite must be reviewed at least once a year;

  3. to develop procedures for the assessment, approval, notification (internal awareness), as well as processes for monitoring, auditing risk limits and principles defined and approved by the Bank's Board of Directors;

  4. to measure, establish, control, and manage risk limits that must not exceed the risk appetite approved by the Bank's Board of Directors.

  1. The Board of Directors monitors and is responsible for the bank's risk profile for the purpose of monitoring limits and values implemented by the Bank's Board.

It is necessary to establish a set of limits to control the bank's impact on various measurable risks related to the bank's operational activities (e.g., credit risk, market risk, interest rate risk, liquidity risk, etc.). Risk limits are usually expressed in relation to profitability, capital, liquidity, or other relevant indicators (e.g., growth and volatility). Risk limits should be established in accordance with the bank's risk appetite.

  1. Risk limits approved by the Board of Directors apply to persons/employees, departments, or structural subdivisions of the bank carrying out specific bank activities.

  2. Authorized structural subdivisions, persons/employees involved in the bank's operational processes must be informed about the established risk limits, and the bank must ensure their understanding of these limits. Careful monitoring of the use of limits is conducted, and the Bank's Board must be informed without delay about limits that have been violated in order to take appropriate measures.

  3. Risk Management Committee

  4. The purpose of establishing the Risk Management Committee (hereinafter referred to as the Risk Committee) is to assist the Board of Directors in defining priority areas of the bank's activities in the field of banking risks and to assist in creating conditions for proper risk management.

  5. The activities of the Risk Committee are governed by the Regulation "On the Risk Management Committee," which is approved by the Board of Directors.

This document must, at a minimum, define:

  • the purpose and tasks of the Risk Committee;

  • the organization of the Risk Committee - composition, frequency, and time of meetings;

  • the rights and duties of the Risk Committee;

  • the procedure for interaction with the Board of Directors, bank management, structural subdivisions, and bank employees;

  • the procedure for reporting on work done to the Board of Directors.

  1. The competence of the Risk Committee must, at a minimum, include:
  1. assessment of the effectiveness of the existing risk management system, at a minimum:

  • analysis of the bank's internal documents regulating the risk management process;

  • analysis of the adequacy of managerial risk reporting;

  • analysis of the adequacy of information support for the risk management process;

  • approval of the Risk Management Service's work plan and control over its implementation;

  • comparison with best and/or acceptable international practices in risk management;

  1. review of:

  • internal documents on banking risk management submitted by the executive body for approval by the Board of Directors;

  • regular reports on types of risks provided by the Risk Management Service, as well as the state of risk limits, gap and stress testing results;

  1. interaction with the Head of the Risk Management Service, Head of the Compliance Control Service, internal and external audit on issues of risk management in the bank, as well as, if necessary, with other structural subdivisions of the bank;

  2. development/preparation of recommendations for the Board of Directors:

  • on improving the effectiveness of existing risk management systems;

  • on risk restrictions regarding banking operations and other bank transactions;

  • on other significant issues in the field of risk management;

  1. advising the Board of Directors on risk appetite issues, controlling the fulfillment of the internal document on risk appetite and reporting on the state of risk culture. The Risk Committee bears responsibility for advising;

  2. bringing to the attention of the Board of Directors of the bank information on all significant banking risks for the bank, including issues of special significance.

  1. The quantitative and personal composition of the Risk Committee is determined and approved by the Board of Directors and must not be less than 3 (three) members of the Board of Directors. As m
Share