2014-04-24

Ordinance No. 7 of the BNB of 24 April 2014 on Organisation and Risk Management of Banks

The Bulgarian National Bank issued Ordinance No. 7 to establish comprehensive requirements for the organization, governance, and risk management of banks, aligning national rules with EU Regulation 575/2013. The ordinance mandates independent risk management structures, specific committees for significant banks, and detailed protocols for identifying, measuring, and mitigating credit, market, operational, and liquidity risks. It further defines supervisory review processes, internal capital adequacy assessments, and recovery planning to ensure financial stability and prudent banking practices.


Bulgaria

Bulgarian National Bank


Ordinance No. 7 of the BNB of 24 April 2014 on the organisation and risk management of banks (Published in "State Gazette", No. 40 of 13 May 2014; amended and supplemented, SG, No. 40 of 2019; amended and supplemented, No. 11 and No. 40 of 2021; supplemented, No. 97 of 2025; amended and supplemented, No. 4 of 2026)

Chapter One General Provisions

Art. 1. (1) This Ordinance determines:

  1. the requirements for the organisation and risk management of banks;
  2. the criteria that the banks' policy for risk management and control must meet, as well as the process for maintaining internal capital adequate to cover these risks;
  3. (repealed – SG, No. 40 of 2021);
  4. the elements of the supervisory review and evaluation process.

(2) (Amended – SG, No. 40 of 2021, effective from 26 June 2021) This Ordinance contains provisions related to the exercise of national discretions by the Republic of Bulgaria under Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ, L176/1 of 27 June 2013), hereinafter referred to as "Regulation (EU) No 575/2013", including the transitional treatments under Part Ten, Title I of Regulation (EU) No 575/2013.

Chapter Two Requirements and Criteria for the Organisation and Risk Management

Section I General Requirements

Art. 2. The Supervisory Board of the bank, respectively the Board of Directors, approves and conducts a periodic review of the strategies and policies adopted under Art. 73, para. 1, item 4 of the Credit Institutions Act (CIA) for assuming, managing, monitoring and reducing the risks to which it is or may be exposed, including risks arising from the macroeconomic environment, according to the respective phase of the economic cycle.

Art. 3. (1) The Management Board (Board of Directors) allocates the necessary time for considering issues related to risk. The Board participates actively and ensures the allocation of sufficient resources for the management of all material risks under Regulation (EU) No 575/2013 and this Ordinance, including for asset valuation processes, as well as the use of external credit ratings and internal models related to these risks.

(2) The bank adopts and maintains rules and procedures for reporting to the Management Board (Board of Directors) and the Supervisory Board on all material risks and their management policies.

(3) The Supervisory Board or the non-executive members of the Board of Directors, as well as the Risk Committee, determine the nature, volume, format and frequency of the information provided to them regarding the bank's risk profile.

(4) The Supervisory Board or the non-executive members of the Board of Directors, as well as the Risk Committee, have adequate access to information on the overall risk profile of the bank, the risk management structure under Art. 5, and the opinions of external experts.

(5) The Management Board (Board of Directors) and the Supervisory Board exercise control over the overall disclosure and communication process.

Art. 4. (Repealed – SG, No. 40 of 2019)

Section II Risk Management Structure and Risk Committee

Art. 5. (1) Banks, adhering to the principle of proportionality, establish and maintain a risk management structure that is independent of operational units and has the necessary powers, status, resources and adequate access to the Supervisory Board or Board of Directors.

(2) The risk management structure encompasses the systems, processes, organisational units and persons whose primary purpose is to perform the function of identifying, monitoring and managing the risk assumed by the bank, independent of operational units.

(3) In the management of risk in the bank, the identification, measurement and reporting of all material risks are ensured. The relevant responsible persons performing risk management functions in the bank participate in the development of the risk management strategy, in taking all decisions related to the management of material risks, and are able to present a full overview of the risks to which the bank is or may be exposed.

(4) (Supplemented – SG, No. 40 of 2019) The head of the bank's risk management structure is an independent senior manager with clearly defined responsibility. When the nature, scale and complexity of the bank's activities do not justify the presence of a specifically designated person, another senior employee of the bank may perform this function, provided that there is no conflict of interest. The head of the structure must have a good reputation, appropriate qualifications and at least 5 years of professional experience in the measurement, monitoring, assessment and control of risk.

(5) The person referred to in para. 4 may report directly to the Supervisory Board or Board of Directors, regardless of the senior management, and may express an opinion when the development of a specific risk affects or may affect the bank. This does not relieve the Supervisory Board or the Management Board (Board of Directors) of their usual responsibilities.

(6) The head of the risk management structure cannot be dismissed without prior approval from the Supervisory Board or the non-executive members of the Board of Directors.

Art. 6. (1) (Amended – SG, No. 40 of 2019) Every significant bank establishes a Risk Committee.

(2) (Amended – SG, No. 40 of 2019) Only members of the Supervisory Board or persons who are not executive members of the Board of Directors may participate in the Risk Committee.

(3) The persons referred to in para. 2 possess the necessary knowledge, skills and expert experience to monitor and understand the bank's strategy and risk appetite.

(4) The Risk Committee advises the Supervisory Board and the Management Board (Board of Directors) regarding the overall current and future strategy concerning risk and the bank's risk appetite, and assists in controlling its implementation by the senior management. The Supervisory Board and the Management Board (Board of Directors) are responsible for the management and control of risks.

(5) The Risk Committee, independent of the Remuneration Committee, checks whether the incentives determined by the remuneration system take into account risks, capital, liquidity, as well as the probability of realization of planned revenues and their distribution over time.

(6) The Risk Committee submits to the Supervisory Board or the Management Board (Board of Directors) proposals for correcting the pricing of the bank's products when the price is not an adequate reflection of the business model and the risk strategy.

(7) (New – SG, No. 40 of 2019) The Risk Committee consists of at least three persons, one of whom is elected by them as chairman. The majority of the members of the committee in significant banks under § 1, item 14, letter "a" must be independent within the meaning of Art. 10a, para. 2 of the CIA.

(8) (New – SG, No. 40 of 2019) The chairman of the Risk Committee cannot simultaneously be the chairman of the Nomination Committee under Art. 73v of the CIA, the Remuneration Committee under Ordinance No. 4 of 2010 on requirements for remuneration in banks (SG, No. 102 of 2010) or the audit committee of the bank under the Law on Independent Financial Audit, as well as chairman of the Supervisory Board or Board of Directors of the bank.

(9) (New – SG, No. 40 of 2019) The Risk Committee conducts its meetings according to a pre-determined agenda and prepares a protocol specifying the decisions taken by it.

(10) (New – SG, No. 40 of 2019) To perform its functions, the Risk Committee has the right to access all information necessary for it, including the right to request information and documents from administrators and other employees in the bank.

(11) (New – SG, No. 40 of 2019) The functions of the Risk Committee of banks that are not significant and have not established such a committee are performed by the members of the Supervisory Board, respectively the non-executive members of the Board of Directors.

Chapter Three Requirements and Criteria for the Treatment of Individual Risk Categories

Section I Credit Risk and Counterparty Risk

Art. 7. (1) The bank's credit activity is based on reasonable and clearly defined criteria, and the process for approving, amending, renewing and refinancing loans is clearly defined.

(2) The bank has internal rules and procedures for assessing credit risk related to:

  1. individual debtors;
  2. exposures in the form of securities;
  3. exposures in the form of securitisation positions; and
  4. the entire credit portfolio.

(3) The bank uses effective systems for the current administration and monitoring of different portfolios and exposures to credit risk, including for the establishment and management of non-performing loans and the making of adequate value adjustments.

(4) The bank maintains comprehensive documentation for each exposure, which contains all essential conditions and circumstances of the transaction, as well as information on assessment and establishment of credit risk adjustments.

(5) The internal rules and procedures for assessing credit risk on exposures cannot be based solely or mechanically on external credit ratings.

(6) The bank collects and analyses all relevant information related to the assessment of the distribution of its internal capital and in cases where the calculation of capital requirements is based on a rating assigned by an External Credit Assessment Institution (ECAI), or when no rating has been assigned to the exposures.

(7) The structure of the bank's credit portfolio corresponds to its credit and market strategy.

Section II Interest Rate Risk in the Banking Book, Concentration Risk, Securitisation Risk and Residual Risk

Art. 8. (Amended – SG, No. 40 of 2021, effective from 28 June 2021) (1) Banks use the standardised methodology, the simplified standardised methodology or apply internal systems for establishing, assessing, managing and limiting risks arising from potential changes in interest rates that affect the economic value of capital and the net interest income from their activities in the banking book.

(2) Banks apply systems for assessing and monitoring risks arising from potential changes in credit spreads that affect the economic value of capital and the net interest income from their activities in the banking book.

(3) The Bulgarian National Bank may require a bank to use the standardised methodology under para. 1 when the internal systems for assessing the risks under para. 1 are not satisfactory.

(4) The Bulgarian National Bank may require a bank that is a small and non-complex institution within the meaning of Art. 4, paragraph 1, point 145 of Regulation (EU) No 575/2013 to use the standardised methodology under para. 1 when it deems that the simplified standardised methodology is not suitable for reflecting the interest rate risk arising from its activities in the banking book.

(5) The standardised and simplified standardised methodologies under para. 1 are the methodologies under the Delegated Regulation of the European Commission issued on the basis of Art. 84, paragraph 5 of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on the access to the activity of credit institutions and on the prudential supervision of credit institutions, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC.

Art. 9. (1) In their internal rules, banks:

  1. determine the cases in which a general risk arises for the bank due to increased credit concentration resulting from newly arising connectivity;
  2. introduce limits on concentration of exposures to a specific economic sector and/or geographical area.

(2) Banks analyse their exposures to issuers of collateral for the presence of concentration risk when establishing concentrations exceeding 10% of own funds.

Art. 10. (1) Banks that are investors, originators or sponsors in securitisation schemes monitor whether the risks arising from the scheme are assessed and managed through appropriate policies and procedures, so that the economic substance of the transaction is reflected in the risk assessment and management decisions.

(2) Banks that are originators of a revolving securitisation scheme including early repayment conditions have liquidity management plans that take into account the effect of planned and expected early repayment.

Art. 11. The bank monitors and controls through appropriate written rules and procedures the residual risk arising from lower-than-expected effectiveness of the techniques used for reducing credit risk and expected loss.

Section III Market Risk

Art. 12. Banks apply rules and procedures for establishing, measuring and managing all material sources of market risks and their impact on activities.

Art. 13. (1) Banks maintain adequate internal capital to cover significant market risks for which no market risk capital requirements apply under Art. 92 of Regulation (EU) No 575/2013.

(2) Banks that, in calculating capital requirements for position risk according to Part Three, Title Four, Chapter Two of Regulation (EU) No 575/2013, have not hedged their positions in one or more securities participating in the composition of a stock index against one or more positions in a stock index-linked futures contract or other stock index-linked product, maintain adequate internal capital to cover basis risk from losses that may occur due to a mismatch between the change in the value of the futures contract or the corresponding other product and the change in the value of the securities participating in the index composition. Banks maintain adequate internal capital also in cases where they hold opposite positions in stock index-linked futures contracts that are not identical with regard to their maturity and/or composition.

(3) Banks maintain sufficient internal capital to cover the risk of loss existing between the moment of initial assumption of the obligation and the next working day when they apply the treatment under Art. 345 of Regulation (EU) No 575/2013.

Art. 14. Banks take measures against the risk of shortage of liquid funds when short positions have an earlier maturity than long positions.

Section IV Operational Risk

Art. 15. (1) (Supplemented – SG, No. 40 of 2021) Banks have policies and procedures for assessing and managing their exposure to operational risk, including model risk and risks arising from outsourcing of activities, as well as for covering low-frequency and highly adverse impact events.

(2) For the purposes of para. 1, banks determine the risk factors and events related to operational risk.

Art. 16. (1) (Previous text of Art. 16, amended – SG, No. 40 of 2019, supplemented – SG, No. 97 of 2025) Banks have contingency plans and plans for ensuring business continuity, including plans for business continuity of information and communication technologies (ICT) and response and recovery plans regarding ICT in compliance with the requirements of Art. 11 of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ, L 333/1 of 27 December 2022), hereinafter referred to as "Regulation (EU) 2022/2554", which ensure the ability to maintain activities and limit losses in the event of a serious disruption.

(2) (New – SG, No. 40 of 2019, supplemented – SG, No. 97 of 2025) The plans under para. 1 are prepared based on a detailed analysis of the bank's activity exposure to serious disruptions and an assessment of their potential impact according to Art. 11, paragraph 5 of Regulation (EU) 2022/2554. In preparing the plans, the bank uses internal and/or external data and scenario analyses that cover all business lines and structural units, including the risk management structure.

(3) (New – SG, No. 40 of 2019; supplemented – SG, No. 97 of 2025) Banks conduct regular reviews of the plans under para. 1; with respect to ICT plans, the review is conducted in accordance with Art. 11, paragraph 6 of Regulation (EU) 2022/2554. Upon establishing deficiencies or incompleteness, they adopt corresponding amendments and supplements to remedy them.

Section V Excessive Leverage Risk

Art. 17. (1) Banks introduce and apply policies and processes for establishing, managing and monitoring excessive leverage risk. Indicators of excessive leverage risk include the leverage ratio, calculated in accordance with Art. 429 of Regulation (EU) No 575/2013, as well as mismatches between assets and liabilities.

(2) Banks manage excessive leverage risk through various scenarios, including by taking into account its possible increase due to a reduction in Tier 1 capital as a result of possible losses.

Chapter Four Internal Approaches for Calculating Capital Requirements for Credit and Market Risk

Section I General Requirements

Art. 18. (1) Banks that are particularly significant in terms of size, internal organisation and nature, scale and complexity of activities, ensure the necessary prerequisites for:

  1. internal assessment of credit risk and for the use of internal ratings-based approaches when exposures are significant in absolute size and at the same time there is a large number of significant counterparties;
  2. internal assessment of specific risk and for the use of internal models for specific risk related to debt instruments in the trading book, as well as internal models for default and migration risk, when exposures to specific risk are significant and at the same time there is a large number of significant positions in debt instruments of different issuers.

(2) Paragraph 1 does not affect the requirements for issuing permission to use:

  1. internal ratings-based approach according to Part Three, Title One, Chapter Three, Section I of Regulation (EU) No 575/2013; and
  2. internal model according to Part Three, Title Four, Chapter Five, Sections I–V of Regulation (EU) No 575/2013.

Section II Comparative Supervisory Analysis Regarding Internal Approaches for Calculating Capital Requirements

Art. 19. (1) (Amended – SG, No. 4 of 2026) Banks that have obtained permission to use internal approaches, with the exception of the Advanced Measurement Approach for operational risk, report the results of calculations for exposures included in the comparative portfolios through reporting templates developed by the EBA.

(2) Banks provide the results of calculations to the BNB at least once a year, attaching a justification of the methodologies used to obtain them. The Bulgarian National Bank provides the relevant information to the EBA.

Art. 20. In cases where the BNB decides, after consultation with the EBA, to develop special portfolios, banks report the results of these calculations separately from the results of calculations for the EBA portfolios.

Art. 21. Based on the information submitted by banks in accordance with Art. 19, para. 1, the BNB monitors changes in the size of risk-weighted exposures or capital requirements for comparative portfolios under internal approaches. At least once a year, the BNB conducts a qualitative assessment, paying particular attention to approaches leading to:

  1. significant differences in capital requirements for the same type of exposure;
  2. particularly large differences or similarities in results, manifesting as a significant and systematic underestimation of capital requirements.

Art. 22. (1) When a bank deviates significantly from other banks using internal approaches, or when the approaches have few common characteristics, leading to large differences in results, the BNB investigates the reasons for this and, if it establishes that the bank's approach leads to an underestimation of capital requirements, which is not due to differences in the underlying risks of exposures or positions, it may take corrective actions.

(2) Corrective actions under para. 1:

  1. do not lead to standardisation or preferred approaches;
  2. do not create perverse incentives; or
  3. do not lead to "herd behaviour".

Chapter Five Supervisory Review

Art. 23. The supervisory review under Art. 79v of the CIA covers:

  1. the bank's governance rules, its corporate culture and values, as well as the ability of the members of the Management Board (Board of Directors) and Supervisory Board to perform their duties;
  2. the levels of credit, market and operational risk assumed by the bank;
  3. the business model used by the bank;
  4. the results of stress tests;
  5. the level of interest rate risk in the banking book;
  6. the degree and management of liquidity risk;
  7. exposure to concentration risk and the management of this risk by banks, including compliance with the requirements under Part Four of Regulation (EU) No 575/2013 and under Art. 9;
  8. the appropriateness, reliability and manner of application of the bank's rules and procedures for managing residual risk arising from the use of recognised techniques for reducing credit risk under Art. 11;
  9. (repealed – SG, No. 40 of 2021, effective from 28 June 2021);
  10. the impact of diversification and the manner of its reflection in the risk measurement system;
  11. the existence of indirect support in the event of a securitisation and the adequacy level of own capital reserved against the bank's securitised exposures, taking into account the economic substance of the transactions and the achieved level of risk transfer;
  12. the assessment that must be made in accordance with Art. 79v, para. 2 of the CIA, including regarding whether the value adjustments under Art. 105 of Regulation (EU) No 575/2013 allow the bank to sell or hedge its positions in the short term without incurring significant losses under normal market conditions;
  13. the geographical location of the banks' exposures;
  14. indicators of excessive leverage, including the leverage ratio, calculated in accordance with Art. 429 of Regulation (EU) No 575/2013, taking into account the business model.

Art. 24. (1) (Previous text of Art. 24 – supplemented, SG, No. 40 of 2021) When the BNB determines within the supervisory review and evaluation (SRE) process that banks with similar risk profiles, such as similar business models or geographical location of exposures, are or may be exposed to similar risks or create such risks for the financial system, it may apply a similar or identical SRE process to these banks.

(2) (New – SG, No. 40 of 2021) The similar or identical process under para. 1 may include risk-oriented comparative and quantitative indicators that allow proper consideration of the specific risks to which an individual bank is or may be exposed.

Chapter Six Recovery Plans

Art. 25. (Repealed – SG, No. 40 of 2019)

Chapter Seven Provisions on the Exercise of National Discretion under Regulation (EU) No 575/2013

Section I Qualified Shareholdings ...