Circular 89-3 on Minimum Internal Control Standards

The Bank of the Republic of Haiti issued Circular 89-3 to mandate minimum internal control standards for financial institutions in compliance with recent banking and anti-money laundering laws. The regulation defines key risk and control terms, requiring institutions to establish robust governance environments, clear reporting lines, and comprehensive risk management frameworks. It further imposes strict obligations on administrators and directors to oversee these systems, ensure independent audit functions, and submit regular compliance reports to the central bank.

Haiti

Banque de la Republique d'Haiti

Bank of the Republic of Haiti CIRCULAR No 89-3

TO FINANCIAL INSTITUTIONS

In accordance with Articles 84 and 161 of the Law of May 14, 2012, on Banks and Other Financial Institutions, Article 37 of the Decree of June 5, 2020, on the Organization and Operation of Microfinance Institutions (MFIs), Article 45 of the Decree of November 25, 2020, on Exchange Intermediaries, and Article 31 of the Decree of April 30, 2023, sanctioning Money Laundering, Terrorist Financing, and the Financing of Proliferation of Weapons of Mass Destruction, financial institutions are required to comply with the following provisions regarding minimum internal control standards.

1. Definitions

The following definitions apply to this Circular:

a) Internal Audit: An internal inspection and verification function established within a financial institution, whose purpose, in accordance with international standards defined by the Institute of Internal Auditors (IIA), is to examine, evaluate, and control the institution's activities on behalf of its Board of Directors and Senior Management. It aims to help directors and executives fulfill their responsibilities by providing analyses, evaluations, recommendations, advice, and information regarding the activities examined.

b) Internal Control Framework: The structure within which the development, implementation, and monitoring of internal controls take place. The internal control framework consists of mechanisms and provisions aimed at detecting significant internal and external risks to which the financial institution and its consolidated subsidiaries are exposed, developing and applying adequate and effective internal controls to ensure sound and prudent management of these risks, and establishing reliable and comprehensive systems to properly monitor the effectiveness of these controls, thereby enabling the institution to achieve its objectives.

c) Correlative Control: A self-control procedure that separates the responsibilities for initiating operations from those for recording them, so that an employee or group of employees ensures continuous and systematic verification of work performed by other employees. An essential characteristic of self-control is that no single employee has full responsibility for an operation or a series of operations.

d) Internal Control: The set of rules and controls governing the organizational structure of the financial institution, including notification procedures and risk management, compliance, and internal audit functions.

e) Periodic Control: Control assumed by the internal audit function, consisting of examining all activities, operations, systems, functions, and others of the financial institution and its subsidiaries, according to a time cycle that should extend over as few fiscal years as possible, in order to provide an independent assessment of risks and their level of control.

f) Ongoing Control: Control assumed by the risk management and compliance functions, consisting of continuously examining the regularity and security of the execution conditions of all operations against internal rules and legal and regulatory obligations.

g) Internal Whistleblowing Mechanism: A process allowing personnel of the financial institution to report to the Board of Directors or the Audit Committee any illegal or unethical misconduct while protecting their identity and ensuring adequate handling of reports.

h) Objectives of the Financial Institution: Concrete results that an institution seeks to achieve, either as a whole or in certain of its activities. Usually, objectives relate to the strategic direction of the institution (the markets or activities it targets), its financial performance (the performance indicators it aims for), and the effectiveness and efficiency of its resources.

i) Policies, Procedures, and Methods Related to Money Laundering and Terrorist Financing: A set of provisions taken by the financial institution to protect itself against the risk of money laundering and terrorist financing.

j) Annual Audit Plan: A document prepared annually by the Head of Internal Audit and approved by the Board of Directors of the financial institution, which defines the internal audit objectives for the period under review, the activities, operations, systems, functions, and others to be examined, and a work schedule.

k) Exception Report: A report signaling situations where controls are not respected or powers are exceeded, allowing the financial institution to take measures to correct them.

l) Money Laundering Risk: The risk that the financial institution is used for money laundering purposes; a situation that may generate operational and reputational risks for the institution.

m) Concentration Risk: Risk inherent in an exposure likely to generate significant losses that could threaten the financial solidity of a financial institution or its ability to continue its essential activities. Concentration risk may arise from exposure to:

  1. individual counterparties;
  2. groups of related counterparties;
  3. counterparties belonging to the same industry sector or geographic region;
  4. counterparties whose financial results depend on the same activity or underlying product.

This risk includes on-balance sheet and off-balance sheet exposures related to credit operations as well as any other operations involving counterparty risk (interbank operations, market operations, foreign exchange, etc.).

n) Credit Risk: Risk incurred in the event of default by a counterparty or counterparties from the same group (related parties).

o) Terrorist Financing Risk: The risk that the financial institution is used for the financing of terrorist activities; a situation that may generate operational and reputational risks for the institution.

p) Liquidity Risk: The risk for the financial institution of being unable to meet its obligations at maturity under normal conditions.

q) Compliance Risk: The risk of judicial or administrative sanctions, significant financial loss, or reputational damage arising from non-compliance with provisions specific to banking and financial activities, whether legislative or regulatory in nature, or professional and ethical standards, or instructions from Senior Management taken notably in application of Board of Directors' guidelines.

r) Settlement/Delivery Risk: The risk of occurrence, during the time necessary for the settlement of a settlement/delivery operation, of a failure or difficulties that prevent the counterparty of a financial institution from delivering the agreed financial instruments or funds, while said institution has already honored its commitments to said counterparty.

s) Interest Rate Risk: Risk incurred in the event of variation in interest rates on all on-balance sheet and off-balance sheet operations, except those covered by the market risk monitoring system.

t) Outsourced Activities Risk: Risk related to activities for which the financial institution entrusts to a third party, on a durable basis, the provision of services or operational tasks involving significant risks.

u) Operational Risk: Risk of losses resulting from deficiencies or defects attributable to internal procedures, personnel, and systems or to external events. This definition includes legal risk but excludes strategic and reputational risks. The major sources of operational risks are related to:

  1. internal and external fraud;
  2. inappropriate employment practices and workplace safety practices;
  3. inappropriate practices regarding clients, products, and business conduct;
  4. damage to physical assets;
  5. business interruptions and system failures;
  6. execution of operations, deliveries, and processes.

v) Significant Risk: A risk whose realization is likely to affect the proper functioning of the institution due to the importance of its potential impact on the financial level, image, objectives, or activities of the institution and by its probability of occurrence.

w) Internal Control System: The set of rules and controls that, following the framework defined by the "Committee of Sponsoring Organizations of the Treadway Commission" (COSO), govern the organizational and operational structure of a financial institution, including control and whistleblowing procedures and risk management, compliance, and internal audit functions.

x) Management Information System: A system that collects and provides information on the activities of a financial institution, its situation, and the risks to which it is exposed, for the benefit of directors and executives, to enable them to analyze this information and take appropriate measures. This system must also serve as a tool for combating money laundering and terrorist financing.

y) Independent Auditor or External Auditor: An accounting firm whose members are licensed by a professional order and appointed by the Board of Directors for the purpose of auditing the financial institution.

z) Annual Compliance Verification: Annual assessment of anti-money laundering and terrorist financing mechanisms carried out by the Compliance Officer.

2. Environment and Internal Control Framework

The Board of Directors of the financial institution ensures the establishment of an adequate control environment, necessary for the achievement of the internal control system's objectives. An adequate control environment implies:

a) the commitment of governance bodies to promote integrity and ethical values within the institution;

b) the establishment of a culture that highlights, at all levels of the institution, the importance of internal control;

c) the effective involvement of the Board of Directors and/or the Audit Committee in monitoring the components of the internal control system;

d) a clear and consistent definition of missions, functions, and responsibilities, including explicit delegations of authority;

e) the existence of competent personnel and a human resources management system enabling the establishment to attract, develop, and maintain skills linked to its objectives;

f) strong adherence by personnel to the control requirements assigned to them as well as the duty to account for their responsibilities in this matter;

g) the exercise of the internal whistleblowing right allowing employees to report illegal and unethical behavior, in a secure environment guaranteeing protection for any reprehensible act internally or externally.

Any financial institution as well as its consolidated subsidiaries must have an adequate and effective internal control framework that allows the institution to ensure that its activities are managed and controlled in a sound and prudent manner, and that significant risks are identified and controlled appropriately.

The internal control framework consists of:

a) directors and executives who understand their responsibilities and fulfill them with loyalty and diligence, ensuring that the institution's business is effectively managed and controlled to achieve set objectives;

b) directors and executives who are regularly informed of the evolution of activities, significant risks, and results through a management information system that provides quality financial information;

c) supervision of operational services' activities by an organization, rules, and procedures securing their operating conditions through self-control processes, automated controls, and hierarchical validation;

d) an adequate risk management system and a well-defined and adapted ongoing control system suited to the significant risks and operations of the financial institution;

e) a compliance function to ensure respect for legal and statutory provisions, notably in combating money laundering, terrorist financing, and the financing of proliferation of weapons of mass destruction, and respect for the financial institution's social responsibility towards its employees, environment, and community in which it is established;

f) an internal audit function whose role, in accordance with standards defined by the IIA, is to evaluate the institution's governance processes, risk management, and control, contribute to their improvement based on a systematic, methodical, and risk-based approach, monitor the effectiveness and consistency of the internal control system and the quality of financial information for internal or external use, and ensure follow-up on findings related to any problematic situation caused by non-compliance, insufficiency, or lack of control;

g) an independent verification function that allows monitoring the effectiveness of the internal control system and the structure put in place for anti-money laundering.

3. Information and Communication Channels

The information and communication channels established within the financial institution must allow any staff member to have, in a timely manner, the information needed to perform the control activities assigned to them. Information systems must, on the one hand, cover all important activities of the establishment and, on the other hand, guarantee the quality of accounting, prudential, operational, or compliance-related data and information. These data must be complete, reliable, up-to-date, accessible, and presented in a consistent format to facilitate the functioning of all components of internal control.

Data archived physically or electronically must be available for inspection for a period of at least ten (10) years. Procedures for data and system backup, information disclosure and security, and internal control must be developed. The financial institution is required to establish a contingency and business continuity plan.

4. Responsibilities of Directors and Executives Regarding the Internal Control System

Directors and executives have the duty to ensure the establishment of a control culture and respect for the financial institution's internal control system by dictating the priority and imperative nature of internal controls in the institution's operational functioning, and by raising awareness among personnel responsible for developing, applying, and monitoring them.

Directors and executives are responsible for ensuring that the financial institution's internal control has the resources, independence, and authority necessary to manage the significant risks to which the financial institution is exposed and to avoid any act that could compromise the continuity of operations, notably regarding money laundering and terrorist financing.

Directors and executives must understand the shareholding structure and group organization, if applicable, as well as the objectives and activities of all companies within said group, both domestically and abroad, and the links and relationships between them and the parent company.

Directors must define the institution's strategic directions and risk appetite. They must approve the risk strategy and policy, ensure that transactions with related parties, including intra-group operations, are identified, evaluated, and subject to appropriate restrictions. They must ensure the establishment of an effective internal communication and information dissemination system covering risk strategy and exposure levels.

Directors must ensure the establishment of a risk measurement, control, and monitoring system in accordance with the rules defined in this Circular.

Directors must ensure the establishment of an integrated and harmonized steering system within the group, if applicable, ensuring effective monitoring of the activities and risks of local and foreign subsidiaries.

Directors must conduct at least an annual review of the internal control system and pronounce on the achievement of risk control objectives.

5. Internal Control System

The scope and characteristics of an internal control system ensuring sound and prudent management may differ from one financial institution to another for several reasons, including: the nature and diversity of activities, volume, size, and complexity of operations, the level of risk associated with activities and operations, the degree of centralization or delegation of powers, as well as the scope and effectiveness of the information technology used.

The basic principles set out in Annex I of this Circular must be respected when implementing an internal control system.

Financial institutions that exclusively or jointly control other financial entities must ensure that the internal control systems implemented within them are consistent and compatible with each other to allow, among other things, monitoring and risk control at the group level. They also ensure that the aforementioned internal control systems are adapted to the group's organization as well as to the nature of the controlled entities.

Financial institutions ensure that the internal control systems implemented within the parent company are:

a) consistent and compatible to allow monitoring and risk control at the group level and the production of information required by the BRH as part of the consolidated supervision of the financial institution;

b) adapted to the group's organization as well as to the activity of the controlled entities.

6. Organization of the Internal Control System

The internal control of a financial institution must comprise three levels:

  1. A correlative control whose responsibility lies with responsible managers, carried out within the framework of activities and operations to ensure their smooth running, accuracy, and compliance with established procedures, based on the nature, importance, and risks associated with each activity and operation.

  2. An ongoing control which falls to the risk management and compliance functions and which ensures, through adequate devices implemented permanently, the reliability and security of operations carried out and the respect of procedures by the various structures of the financial institution.

  3. A periodic control which is carried out by a specific function directly attached to the Chairman of the Board of Directors or the Chairman of the Audit Committee, if applicable. This function is generally called internal audit.

Depending on the size of the institution, the responsibilities of ongoing and periodic control may not fall to different persons. In such cases, these responsibilities may be assumed, subject to the non-objection of the BRH, either by a single person or directly by Senior Management. The request transmitted to the BRH must include a description of the organization and the modalities for exercising internal control in this framework, to guarantee the proper fulfillment of these functions.

Any financial institution, given its size, must prepare and keep up to date a document, generally qualified as the "Internal Control Charter," which specifies the objectives and means intended to ensure the different internal control functions. This document clearly presents the following elements:

a) the description of the role, powers, responsibilities, and organization of the different control functions, the interrelations between them, as well as the provisions ensuring their independence;

b) the means made available to them to enable them to fulfill their role effectively;

c) their attributions and the conditions for carrying out the controls to be exercised;

d) the procedures for formalizing and disseminating the results of controls performed;

e) the follow-up process for recommendations issued.

No later than forty-five (45) days after the end of the fiscal year, the heads of the different ongoing and periodic control functions each establish, according to the format defined by the BRH in Annex II, a report on the conditions under which these functions are performed. This report includes notably:

i) an exposition of the main risks and the measurement and monitoring systems implemented;

ii) a description of the organizational conditions of each function, the means allocated, and significant modifications made compared to the previous year;

iii) an inventory of the main actions taken, highlighting the main results, findings, and lessons learned;

iv) a presentation of the main projected actions.

This report is communicated for examination and opinion, if applicable, to the Risk Management Committee and the Audit Committee, and submitted to the Board of Directors, which deliberates on it specifically.

7. Risk Management Function

The risk management function is responsible for ensuring, permanently and through dedicated means, the identification, measurement, monitoring, and control of the financial institution's risks.

The Head of the Risk Management Function must report to Senior Management and have access as needed to the Board of Directors and/or the Risk Management Committee. The Risk Management Function must have sufficient means in terms of personnel, information systems, and access to internal and external information necessary to carry out its mission.

The Head of Risk Management must alert the Risk Management Committee and Senior Management of any situation likely to have significant repercussions on risk control.

No later than thirty (30) days after the end of each quarter