Instruction No. 247 on the Formation of Risk Management and Internal Control Systems in Credit Financial Organizations

"Registered" "Approved" By the Ministry of Justice, Resolution of the Board of the National Bank of Tajikistan dated December 27, 2021, No. 1111; approved by the National Bank of Tajikistan dated November 19, 2021, No. 168

Instruction No. 247 on the Formation of Risk Management and Internal Control Systems in Credit Financial Organizations

Instruction No. 247 on the Formation of Risk Management and Internal Control Systems in Credit Financial Organizations (hereinafter - the Instruction) has been developed for banks, microcredit deposit organizations, Islamic banks, and Islamic microcredit deposit organizations (hereinafter - credit financial organizations (CFOs)) in accordance with Part 5 of Article 42 of the Law of the Republic of Tajikistan "On the National Bank of Tajikistan". It aims to assess, limit, and correctly define risks considering the form and volume of risk control methods and operations used, and establishes mandatory requirements for CFOs regarding the presence of a risk management and internal control system, as deemed necessary by the National Bank of Tajikistan.

1. GENERAL PROVISIONS

1. The following terms are used in this Instruction:

• risk - the probability that expected or unexpected events may adversely affect a CFO, its capital, or income;
• information security risk - the probability of damage arising from violations of integrity, confidentiality, and availability of a CFO's information assets, resulting from intentional destructive actions by CFO employees and/or third parties;
• unencumbered assets - CFO assets free from legal, regulatory, or technical obstacles (restrictions) for use as needed to meet the CFO's liquidity requirements;
• price risk - the probability of financial losses due to unfavorable changes in market values of financial instruments and goods;
• control functions - functions performed by structural subdivisions of a CFO to conduct independent audits and assess the effectiveness of risk management, internal control, information security, accounting accuracy, reporting, and other control functions in accordance with the CFO's internal documents;
• reputational risk - the probability of losses or failure to receive planned income due to a shrinking client base, declining development indicators, and the formation of negative public perception regarding the CFO's financial reliability, service quality, or overall activities;
• back-testing - a method for verifying the effectiveness of risk measurement procedures using historical data on CFO operations and comparing calculated results with actual outcomes from those operations;
• currency risk - the probability of financial losses due to unfavorable changes in foreign exchange rates during a CFO's operations;
• GAP analysis - a method by which a CFO measures interest rate and liquidity risk based on comparing the volumes of assets and liabilities subject to interest rate changes or due for maturity within a specified period;
• legal risk - the probability of losses resulting from: non-compliance by a CFO with Tajik legislation, and in relations with non-residents of Tajikistan - applicable foreign legislation; non-compliance with concluded contracts; legal errors in operations (incorrect legal advice or improperly drafted documents, including during dispute resolution in courts); imperfections of the legal system (legislative contradictions, absence of regulatory norms for specific issues arising during a CFO's operations); non-compliance by counterparties with regulatory legal acts and concluded contracts;
• compliance risk - the probability of losses resulting from non-compliance by a CFO and its employees with Tajik legislation, regulatory acts of the authorized body, internal CFO documents regulating service provision and financial market operations, as well as foreign legislation affecting a CFO's activities;
• credit risk - the probability of losses arising from a borrower or counterparty's failure to fulfill obligations under agreed terms;
• Financial Monitoring Department under the National Bank of Tajikistan (authorized body for combating money laundering, terrorist financing, and proliferation financing (AML/CFT/PF)) - an agency whose objectives, tasks, and powers are to implement countermeasures in the field of money laundering, terrorist financing, and proliferation financing, as defined by the Law of the Republic of Tajikistan "On Combating Money Laundering, Terrorist Financing, and Proliferation Financing" and other regulatory legal acts;
• financial monitoring - a set of activities conducted by organizations (entities conducting monetary transactions), the authorized body, and other state agencies in combating money laundering, terrorist financing, and proliferation financing;
• conflict of interest - a situation where a contradiction arises between the personal interests of CFO officials and/or employees and their proper performance of official duties or property/other interests, which may adversely affect a CFO and/or its clients;
• market risk - the probability of financial losses on balance sheet and off-balance sheet items due to unfavorable changes in market interest rates, foreign exchange rates, and market values of financial instruments and goods;
• operational risk - the probability of losses resulting from inadequate or insufficient internal processes, human resources, and systems, or external events, including legal risk (excluding strategic and reputational risks) and:
  • risk related to uncertain or inadequate organizational structure of a CFO, including responsibility distribution, reporting lines, and management structure;
  • risk caused by inadequate strategies, policies, and/or information technology standards, or software usage deficiencies;
  • risk related to inadequate information or its improper use;
  • risk related to inadequate personnel management and/or unqualified CFO staff;
  • risk related to poorly designed business processes or weak monitoring of compliance with internal documents and rules;
  • risk caused by unexpected or uncontrollable external factors affecting CFO operations;
  • risk related to non-compliance of internal CFO documents with legislation;
  • risk related to CFO staff actions that may negatively impact operations, including fraud;
• liquidity risk - the probability of losses resulting from a CFO's inability to fulfill obligations on time without significant losses;
• interest rate risk - the probability of financial losses due to unfavorable changes in market interest rates on assets, liabilities, and off-balance sheet instruments;
• comparative analysis - comparing results of applying various risk assessment tools, enabling evaluation of their effectiveness and providing a CFO with a more comprehensive view of its risk exposure level;
• policy - a set of internal documents, including policies and/or other internal documents defining necessary criteria, parameters, approaches, principles, standards, procedures, and mechanisms ensuring effective CFO functioning and alignment of its activities with strategy and risk appetite;
• strategic risk - the risk of losses or failure to receive planned income due to errors (deficiencies) in decision-making determining a CFO's activities and development strategy (strategic management), expressed in failing to account for or insufficiently accounting for potential threats, incorrect or inadequately justified determination of promising activity directions where a CFO can gain competitive advantages, absence or insufficient provision of necessary resources (financial, material-technical, human) and organizational measures (management decisions) required to achieve a CFO's objectives;
• stress testing - an assessment method for the potential impact of exceptional but possible events on a CFO's financial condition;
• scenario analysis - a process conducted by structural subdivisions jointly with the risk management department to identify potential risk events and assess their potential impact on a CFO's activities upon occurrence;
• risk map - a description of risk types and levels inherent to various business processes and/or structural subdivisions of a CFO for identifying weaknesses and prioritizing subsequent risk management actions;
• self-assessment of risks - a tool by which a CFO identifies and assesses risks inherent to its processes, evaluates the effectiveness of controls over identified risks, and determines the residual risk level;
• acceptable risk level - the maximum risk level accepted by a CFO, considering capital adequacy, risk management system, and regulatory constraints;
• risk appetite - pre-determined levels and types of risks within the acceptable risk level that a CFO is willing to accept to achieve its objectives, based on the scale and nature of its activities within strategy and business plans;
• key risk indicators - quantitative metrics characterizing a CFO's degree of risk exposure, used to identify the proximity to critical risk levels and trigger risk minimization measures;
• risk profile - a set of risk indicators and other information characterizing the degree to which a CFO is exposed to various types of risks;
• authorized body - National Bank of Tajikistan;
• organizational structure - an internal document and/or a set of internal documents establishing the quantitative composition and system of management bodies, executive officers, and structural subdivisions of a CFO, schematically reflecting reporting lines, accountability, and interaction procedures;
• systemically important credit organization - a credit organization recognized as systemically important in accordance with regulatory legal acts of the National Bank of Tajikistan;
• potentially systemically important credit organization - a credit organization included in the list of potential credit organizations that may be recognized as systemically important following the next assessment in accordance with regulatory legal acts of the National Bank of Tajikistan;
• systemically important microfinance organization - a microfinance organization recognized as a systemically important credit organization in accordance with regulatory legal acts of the National Bank of Tajikistan;
• Committee - a Supervisory Board committee formed and assigned duties established by the legislation of the Republic of Tajikistan in the banking sector;
• IFRS - International Financial Reporting Standards.

2. The purpose of this Instruction is to define requirements for the formation by CFOs of a risk management and internal control system ensuring effective oversight by the Supervisory Board and Management of a CFO over its activities and financial condition, including by ensuring:

• proper corporate governance practices and appropriate levels of business ethics and culture;
• compliance by a CFO and its employees with legislation and regulatory acts of the authorized body;
• compliance by a CFO and its employees with policies and other internal documents of the CFO;
• effective risk management by a CFO through timely identification, measurement, control, and monitoring to ensure capital adequacy relative to accepted risks;
• timely detection and correction of deficiencies in a CFO's activities and its employees' work;
• creation of adequate mechanisms within a CFO to address unexpected or emergency situations.

2. ORGANIZATION OF RISK MANAGEMENT AND INTERNAL CONTROL SYSTEMS 3. The Supervisory Board of a CFO, to effectively fulfill its assigned duties, monitors and controls risk management, audit, legislative compliance, and internal document adherence through Supervisory Board Committees. 4. For the purposes of implementing this Instruction and depending on size, nature, complexity level, organizational structure, risk profile, and number of Supervisory Board members, the Supervisory Board of a CFO decides to establish an Audit Committee and a Risk Management Committee in accordance with the Tajik Law "On Banking Activities" and the Tajik Law "On Microfinance Organizations". The Supervisory Board may establish other committees to effectively fulfill its duties. 5. A Risk Management Committee of the Supervisory Board is mandatory for systemically important and potentially systemically important credit organizations, as well as for systemically important microfinance organizations. Non-systemically important credit and microfinance organizations independently decide on establishing a Risk Management Committee. In the absence of a Risk Management Committee, corresponding functions are assigned to the Audit Committee of the Supervisory Board. 6. In cases provided by Tajik legislation where committee establishment is not required, these functions are performed directly by the Supervisory Board. 7. The Supervisory Board of a CFO excludes conflicts of interest when establishing Committees. 8. The internal control system represents an organization, policies, procedures, and methods adopted by a CFO to:

• ensure operational effectiveness, including banking risk management, asset and liability management, and asset preservation;
• ensure completeness, accuracy, and timeliness of financial and other reporting for internal and external users, as well as information security;
• ensure a CFO's compliance with legislative, regulatory requirements of the NBT, and internal documents;
• prevent involvement of a CFO and its employees in unlawful activities, including fraud, errors, inaccuracies, deception, money laundering, terrorist financing, and proliferation financing.

9. Internal audit is an activity providing independent and objective assurance and consulting, aimed at improving a CFO's operations. Internal audit helps achieve a CFO's objectives by using a systematic and disciplined approach to evaluate and enhance the effectiveness of risk management, control, and corporate governance processes.
10. The organization of the risk management and internal control system is ensured by aligning a CFO's activities, governance bodies, and employees with the minimum requirements specified in Appendix No. 1 to this Instruction.
11. If a CFO's activities involve other types of risk, the Supervisory Board approves policies for managing these risks, and the Management implements them by developing corresponding procedures and processes. Minimum requirements, such as risk identification, measurement, monitoring, and control, also apply to other types of risks.

Appendix No. 1 to Instruction No. 247 on the Formation of Risk Management and Internal Control Systems in Credit Financial Organizations Minimum Requirements for Organizing Risk Management and Internal Control Systems

№	Requirement	Responsible/Participating Personnel	Implementation Procedures	Form of Implementation	Implementation Deadline
1	Supervisory Board
1.1	The Supervisory Board of a CFO, to organize and control operations, create and operate an effective risk management and internal control system, and internal audit, approves an internal document defining the competencies of CFO bodies and officials in approving internal documents.	Supervisory Board, Management	The exclusive competence of the Supervisory Board in approving internal documents includes: approving the organizational structure; approving the organizational structure and appointing the head of the internal audit department (Chief Auditor); approving the organizational structure and appointing the head of the risk management department (Head of Risk Management); approving the organizational structure and appointing the head of the compliance service (Chief Compliance Officer); approving strategy, including risk appetite; establishing risk management standards; approving policies; approving the Regulations on the Audit Committee and Risk Management Committee of the Supervisory Board; approving stress-testing scenarios; approving Contingency Funding Plan; approving business continuity plan(s); approving an internal document defining the procedure for remunerating executive officers, Chief Auditor, Head of Risk Management, and Chief Compliance Officer, as well as employees directly accountable to the Supervisory Board.	Internal document/Protocol/Resolution of the Supervisory Board	-
1.2	The Supervisory Board ensures the existence and compliance of the CFO charter with Tajik legislation, and maintains its currency.	Supervisory Board	1) The Supervisory Board is responsible for monitoring and controlling charter compliance with current Tajik legislation; 2) Upon monitoring results, the Supervisory Board prepares draft amendments to the charter and submits them to the Shareholders' Meeting.	Internal document/Protocol/Resolution of the Supervisory Board / Protocol/Resolution of the Shareholders' Meeting	-
1.3	The Supervisory Board ensures the organizational structure matches the size, structure, nature, and complexity level of a CFO's activities.	Supervisory Board, Management	1) The Supervisory Board determines the Management responsible for the organizational structure project and monitoring its compliance with current market/economic conditions, risk profile, financial potential, and this Instruction; 2) Protocols/Resolutions on organizational structure review are issued; 3) Upon monitoring results, the Supervisory Board reviews Management's report and, if necessary, instructs Management to prepare draft amendments to the organizational structure.	Internal document/Protocol/Resolution of the Supervisory Board	At least once a year
1.4	The Supervisory Board approves the strategy of a CFO.	Supervisory Board, Management	1) The Supervisory Board determines the Management responsible for submitting the strategy project for approval; 2) Protocols/Resolutions on strategy approval are issued upon review.	Internal document/Protocol/Resolution of the Supervisory Board	By October 1 of the year preceding the strategy period
1.5	The Supervisory Board, within strategy approval, establishes and approves the risk appetite of a CFO.	Supervisory Board, Risk Management Committee	1) The Supervisory Board determines the Risk Management Committee responsible for preliminary review and submission of the risk appetite definition and calculation methodology; 2) Protocols/Resolutions on methodology approval are issued upon review; 3) The Supervisory Board receives a report on risk appetite calculation results and its comparison with current risk levels.	Internal document/Protocol/Resolution of the Supervisory Board	By October 1 of the year preceding the strategy period
1.6	The Supervisory Board monitors strategy execution and assesses alignment with current market/economic conditions, risk profile, financial potential, and Tajik legislation.	Supervisory Board, Risk Management Committee	1) The Supervisory Board entrusts the Risk Management Committee with monitoring and assessing strategy alignment...	Internal document/Protocol/Resolution of the Supervisory Board	-