2025-06-10
The Central Bank of Somalia establishes minimum corporate governance standards for all licensed banks, reinforcing existing legal frameworks through structured board oversight and senior management accountability. The guidelines mandate independent risk, compliance, and internal audit functions alongside transparent disclosure and performance-based compensation to mitigate operational exposures. Licensed institutions must implement these requirements on both individual and consolidated bases to ensure long-term financial soundness and effective regulatory supervision.
CENTRAL BANK OF SOMALIA
CORPORATE GOVERNANCE GUIDELINES FOR BANKS

SECTION ONE: INTRODUCTION

I. Introduction
These Guidelines set out the Central Bank of Somalia’s expectations in relation to the minimum standards for corporate governance practice by all banks, and therefore will form part of the framework used to assess the effectiveness of corporate governance, to ensure the safety and soundness of banks. They are not meant to substitute for the requirements laid out in the legal framework, e.g. the Financial Institution Law, but to reinforce these requirements.

The Organization for Economic Cooperation and Development (OECD) defines corporate governance as “A set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined.”

The Basel Committee on Banking Supervision has been issuing guidelines on corporate governance since 1999, which are updated from time to time. The 2015 version, with 13 guiding principles, is the most recent revision and forms the basis of this document. The full document can be downloaded at: https://www.bis.org/bcbs/publ/d328.htm.

II. Authority
This guideline is made by the Central Bank of Somalia (“Central Bank”) pursuant to its authority set forth in Sections 34 of the Financial Institutions Law, 2012 (“FIL”).

III. Applicability
This guideline applies on an individual and fully consolidated basis to all banks that are licensed by the Central Bank.

SECTION TWO: CORPORATE GOVERNANCE PRINCIPLES

I. Board’s Overall Responsibilities
The board of directors is ultimately responsible for the operations and financial soundness of the bank, through its engagement in strategic matters including setting the bank’s objectives and strategy, monitoring the implementation of strategic plans, establishing the bank’s corporate culture and values, overseeing implementation of the governance framework, periodically reviewing it for appropriateness, and selecting and overseeing the performance of key members of senior management and those with oversight responsibilities. With senior management and its Chief Risk Officer (CRO), the board develops the bank’s risk appetite, ensuring that limits are adhered to. It also approves and oversees implementation of policies relating to key areas (e.g. capital adequacy), oversees the bank’s approach to compensation, and oversees the framework for whistle-blowing. It also needs to ensure that there is a robust finance function, and the bank approves the annual financial statement and requires periodic independent review of critical areas.

II. Board Qualification and Composition
Given the critical role played by the board of a bank, it is important that board members are qualified, both individually and collectively, for their positions. The board should be composed of an adequate number of independent directors. Collectively, the members should have a range of relevant knowledge and diverse experience, a sound understanding of the operating environment, and an approach that encourages dialogue. The process to identify and decide on board candidates should be clear and thorough, allowing for succession planning. The board should nominate candidates on the basis of their level of integrity, skills, experience, independence, and commitment to fulfil the role, e.g. time to be spent on board duties. Board members should be free of conflict-of-interest situations and without undue influence from other persons (such as management or shareholders), past or present decisions held or other relationships with other board members.
Moreover, the board should ensure that its members participate in induction programs and have access to ongoing training, to close identified gaps, e.g. with limited financial, regulatory or risk-related experience.

III. Board’s Own Structure and Practices
For the board to be effective, it needs to work under appropriate governance structures and practices. In terms of structure, the board’s leadership, composition, size and appropriate use of committees would determine its effectiveness and should be regularly evaluated. As for governance practices, the board should periodically update internal rules and maintain proper documentation, including minutes of meetings and outlines of the decisions taken. The Chairperson of the board has a critical role in the proper functioning of the board, promoting checks and balances, and must hence be an independent or non-executive board member.

IV. Senior Management
Senior management are selected by the board of directors and are responsible for the sound and prudent day-to-day management of the bank. This includes the chief executive officer (CEO), the chief finance officer (CFO) and heads of departments. They should carry out the bank’s activities in line with the business strategy and policies approved by the board. Senior management should also have the necessary skills to manage the business under their responsibility and exercise appropriate control over key individuals in their areas.
Senior Management is responsible for:
• Implementing board-approved strategies and policies;
• Recommending organizational structure, objectives, strategies, plans and major policies for the bank;
• Assisting the board in instituting core values, including those on ethics;
• Providing resources and supporting the independent oversight functions, namely internal audit, compliance and risk management;
• Providing the board with relevant information, including the bank’s business strategy, its performance and financial condition, violations in risk limits and compliance rules, breakdown in internal control, legal or regulatory concerns and issues raised through “whistle-blowing”;
• Assigning duties to staff and establishing a management structure that encourages accountability and transparency in the bank.

The board should provide oversight of senior management by:
• Monitoring their actions and ensuring they are aligned with the bank’s strategy.
• Meeting regularly with them and enquiring about information they provide.
• Setting appropriate performance targets and remuneration.
• Assessing whether their collective knowledge remains applicable.
• Ensuring that a succession plan exists for such key personnel.

V. Governance of Group Structures
Senior management and the board should avoid setting up complex structures. They should ensure that such structures are subject to a comprehensive review and that there is a centralised process for approval based on established criteria. They need to ensure that adequate procedures are in place to identify and manage all material risks that the structures may give rise to, including requiring internal and external audit to regularly review them. Moreover, supervisors should be able to access sufficient information about the group structure to allow an assessment and should take actions to safeguard sound corporate governance.

VI. Risk Management Function
For there to be an effective risk management function, it needs sufficient authority within the organization, e.g. being headed by a CRO who reports to the board Risk Committee. It should be independent from other risk-taking functions and, for instance, is not involved in activities that will result in a conflict of interest.
It should be staffed with appropriate resources to effectively identify and assess material risks and measure the bank's exposure to these risks, developing and implementing an enterprise-wide risk governance framework, undertaking ongoing monitoring of risk-taking activities and risk exposures, and putting in place a trigger system for breaches of limits.

VII. Risk Identification, Monitoring and Controlling
The bank’s risk governance framework includes policies and internal controls to ensure that the bank’s capability for risk management is commensurate with the bank’s size, complexity, and risk profile. Risk identification should cover all material risks to the bank, on- and off-balance sheet, and at the group, portfolio and business levels. The board and senior management, including the CRO, should, at differing intervals, evaluate the risks faced by the bank and its overall risk profile. This includes both quantitative and qualitative elements. The risk management function should assess ways to mitigate these exposures. For new products or plans to outsource banking functions, banks should have risk management and approval processes; otherwise, the launch should be delayed. The risk management function should also be active in evaluating risks that could arise from mergers and acquisitions and inform the board and senior management of findings made.

VIII. Risk Communication
An effective risk governance framework necessitates robust communication within the bank about risk. Where a risk culture exists, risk awareness is fostered and open communication on risk takes place. Risk reporting systems should be dynamic, comprehensive, and accurate, and should draw on a range of underlying assumptions. Banks should avoid organizational “silos” that can obstruct the sharing of information across an organization and can lead to decisions being taken independently.

IX. Compliance
The board is responsible for overseeing the management of the bank’s compliance risk. Hence it should establish an independent compliance function, with relevant policies and processes. This function is responsible for ensuring that the bank is in compliance with applicable laws, regulations and policies. To be effective, the compliance function must have the necessary authority, be independent, and have adequate resources and access to the board.

X. Internal Audit
The board shall set up an independent internal audit function, to provide assurance to the board and senior management on the quality and efficacy of the bank's internal control, risk management and governance systems and processes. It should have the authority, skills and resources for the auditors to undertake their work effectively and objectively. The internal audit function should have unrestricted access to any documentation or system, and its staff would follow professional standards, e.g. those set out by the Institute of Internal Auditors. Senior management are required to address audit findings on a timely basis. To promote independence, the primary reporting line of the head of the internal audit function is to the Audit Committee, a board committee. The Audit Committee is also responsible for the appointment, performance management and, if necessary, dismissal of the head of this function.

XI. Compensation
The bank’s remuneration structure should support sound corporate governance and risk management principles. The bank’s compensation (also called remuneration) committee is responsible for the oversight of the remuneration system implemented by management and should, at least once per year, consider whether the incentives in the remuneration system are having the desired impact for managing risk, capital and liquidity. The board should approve the compensation of senior management and the head of internal audit. It should also have oversight over the formulation of compensation policies, whereby remuneration ought to be in accordance with the business and risk strategy, objectives, values and the bank’s long-term interests.

XII. Disclosure and Transparency
The governance of the bank should be sufficiently transparent to its shareholders, depositors, other applicable stakeholders and market participants.
This is in terms of disclosing relevant information which would allow for the effectiveness of the board and senior management to be evaluated. The information provided should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank and at minimum, banks should disclose annually the recruitment approach for board selection and provide information on board committees, including the number of meetings held.
Such disclosure could be made by means of the bank’s public website. The OECD requirements on the extent of disclosure to be made include information on the compensation policy, major share ownership and voting rights, and related party transactions.

XIII. Role of Supervisors
Supervisors should:
• Provide guidance on the expectations for sound corporate governance;
• Supervise corporate governance at banks, including evaluating governance practices;
• Have regular interaction with the board and senior management and those responsible for the oversight functions, such that there is timely and open dialogue on relevant supervisory and regulatory issues;
• Require corrective actions as necessary, which can be escalated, for instance, if the bank does not satisfactorily address the deficiencies identified;
• Engage in supervisory cooperation and information sharing.