Instruction No. 77/AMF-UMOA/2023 on the Internal Control and Risk Management Framework of the Regional Stock Exchange for Securities (BRVM)

AMF-UMOA FINANCIAL MARKETS AUTHORITY OF THE WEST AFRICAN MONETARY UNION The Secretary General

INSTRUCTION NO. 77/AMF-UMOA/2023 ON THE INTERNAL CONTROL AND RISK MANAGEMENT FRAMEWORK OF THE REGIONAL STOCK EXCHANGE FOR SECURITIES (BRVM)

The Financial Markets Authority of the West African Monetary Union,

Whereas the Revised Treaty of the West African Monetary Union (UMOA) dated July 12, 2019, entered into force on October 1, 2022, modifying the name of the Regional Council for Public Savings and Financial Markets (CREPMF) to the Financial Markets Authority of UMOA (AMF-UMOA);

Whereas the Convention of July 3, 1996 establishing the Regional Council for Public Savings and Financial Markets, particularly its Annex detailing the composition, organization, functioning, and powers of said Council;

Whereas General Regulation No. 001/97 of November 28, 1997 on the organization, functioning, and control of the regional financial market, particularly Articles 10 and 16;

Whereas Instruction No. 2/97 of November 29, 1997 on the authorization of the Regional Stock Exchange for Securities;

Whereas Decision No. 004 of April 29, 2021/CM/UMOA appointing the President of the Regional Council for Public Savings and Financial Markets;

Whereas the deliberations of AMF-UMOA at its 50th extraordinary session on September 24, 2021, held via videoconference;

Whereas the deliberations of AMF-UMOA at its 98th ordinary session on December 23, 2023, held in Cotonou, Republic of Benin;

HEREBY ADOPTS:

---

2/24 Instruction No. 77/2023/AMF-UMOA

TITLE 1. GENERAL PROVISIONS

Article 1 Definitions For the purposes of this Instruction, the following terms shall mean:

a) Internal audit: An independent and objective activity that provides an organization with assurance regarding the degree of control over its operations, offers advice to improve them, and contributes to creating added value. Internal audit must evaluate the organization's governance, risk management, and control processes, and contribute to their improvement based on a systematic, methodical, and risk-based approach.

b) Risk appetite: The level and type of risk that the BRVM is willing to assume in its exposures and activities to achieve its strategic objectives and obligations.

c) Regional Stock Exchange for Securities or BRVM: The company authorized, by AMF-UMOA approval, to exercise securities listing activities across the entire territory of UMOA member states, as well as the dissemination of stock exchange information.

d) Internal audit and compliance charters: Documents that define the positioning of internal audit and compliance functions within the approved structure and specify the organization, powers, responsibilities, and operating procedures of said functions.

e) Risk mapping: A synthetic and visual representation of the BRVM's risks. It serves as a tool to highlight priority risks to be covered. Risk mapping is established based on a rigorous system for identifying and evaluating risks inherent to the BRVM, derived from internal factors (business lines and activities, organizational changes, etc.) and external factors (economic conditions, technological advancements, legislative and regulatory changes, etc.).

f) Audit committee: A committee established by the governing body to assist it in exercising its duties, particularly verifying the reliability and transparency of financial information, assessing the relevance of accounting methods as well as the quality of the internal control framework and risk management system, evaluating the audit strategy, and proposing improvement measures where applicable.

g) Internal Control: Measures put in place by the executive bodies to ensure that:

• the objectives set by the BRVM are realistic and achieved;
• resources are used economically and efficiently, and risks are adequately controlled;
• assets are protected;
• financial and management information is complete and reliable;

---

3/24 Instruction No. 77/2023/AMF-UMOA

• the laws and regulations as well as internal policies, plans, rules, and procedures are respected.

h) Control cycle: The interval during which all activities and entities of the BRVM will have been verified at least once by the internal audit function.

i) Internal Control Framework (ICF): The set of rules, methods, and control measures governing the organizational and operational structure of the BRVM. It includes reporting processes and control functions.

j) Control functions: Independent functions separate from operational management, whose role is to provide objective assessments regarding the quality and effectiveness of the ICF, governance systems, compliance risk management systems, to facilitate the control of activities and incurred risks. They notably include the internal audit function, risk management function, and compliance function.

k) Risk management: The set of strategies, policies, and procedures put in place to ensure that all significant risks and associated risk concentrations are detected, measured, limited, controlled, and mitigated, with early and comprehensive reporting.

l) Applicable standards: The set of rules governing the BRVM's activities, particularly:

• legal and regulatory provisions;
• internal codes of conduct and ethics;
• principles for Market Infrastructures established by the Basel Committee and the International Organization of Securities Commissions (IOSC).

m) Governing body: The Board of Directors in joint-stock companies, or the collegiate body in companies constituted under another form. It is invested with all powers to act at all times on behalf of the BRVM, within the limits of its corporate purpose and powers reserved for the General Meeting.

n) Executive body: Any committee or structure that contributes to the day-to-day management of the BRVM and ensures effective implementation of the activity direction defined by the governing body.

o) Audit trail: A set of internal procedures ensuring operational traceability, justifying any information with an original document from which it must be possible to trace back, through an uninterrupted path, to the summary document and vice versa, and explaining the evolution of balances from one accounting period to another, through the retention of movements affecting accounting items.

p) Compliance risk: The risk of judicial, administrative, or disciplinary sanctions, financial loss, or reputational damage that the BRVM may suffer due to non-compliance with applicable standards governing its activities.

q) Operational risk: The risk of losses resulting from deficiencies or failures attributable to internal processes, people, systems, or external events.

---

4/24 Instruction No. 77/2023/AMF-UMOA

This concept includes legal risk but excludes strategic and reputational risks.

r) Strategic risk: The risk that the BRVM's business strategies are ineffective, poorly implemented, or not adapted to changes affecting the commercial context.

Article 2 Object This Instruction sets forth the rules regarding the internal control framework applicable to the BRVM, with the objective of:

• verifying that executed operations, organization, and internal procedures comply with applicable legislative and regulatory provisions, professional and ethical standards, as well as the orientations of the governing and executive bodies;
• ensuring that the risk-related directions, instructions, and limits set by the governing body are strictly respected;
• ensuring the reliability of accounting and financial information, particularly regarding the conditions for its collection, evaluation, recording, retention, and availability.

It also sets forth the rules regarding risk management applicable to the BRVM, as defined in Article 1 of said Instruction.

Article 3 Scope of Control The BRVM's corporate governance integrates an ICF on which the sound and prudent management of the entity must be based. This framework comprises:

• monitoring the reliability and integrity of financial and operational information, along with the means used to identify, evaluate, classify, and report this information;
• verifying the compliance of executed operations and organization with applicable legislative, regulatory, and prudential provisions, professional and ethical standards, orientations, and decisions of the governing and executive bodies, particularly regarding risks, powers, and signatures, as well as internal procedures;
• monitoring and evaluating the effectiveness of the entity's risk management system.

The internal control organization must be based on the control environment, risk assessment, control activities, information and communication, and monitoring.

---

5/24 Instruction No. 77/2023/AMF-UMOA

Article 4 Control Environment The governing body must ensure the establishment of an adequate control environment, which constitutes the framework and structure necessary to achieve the objectives of the internal control framework.

An adequate control environment implies:

• the commitment of governance bodies to promoting integrity and ethical values within the BRVM;
• the establishment of a culture that highlights, at all levels of the organization, the importance of internal control;
• effective involvement of the governing body in monitoring the components of the internal control framework;
• clear and coherent definition of missions, functions, and responsibilities, including explicit delegations of power regarding limits;
• the existence of competent personnel and a human resource management system enabling the BRVM to attract, develop, and maintain skills aligned with its objectives;
• strong staff adherence to assigned control requirements as well as the duty to account for their responsibilities;
• supervision by each hierarchical manager of the effective application of internal control procedures by their subordinates;
• the definition of qualitative criteria by the BRVM's governing and executive bodies to measure and evaluate the effectiveness of the Internal Control Framework.

Article 5 The Three Lines of Defense of the ICF The ICF is organized to provide objective assessments of the BRVM's situation, risk control, and compliance with applicable rules and procedures. It comprises:

• a permanent first-line control corresponding to all controls performed by operational units and their hierarchy in the course of daily operations, constituting the first line of defense;
• a permanent second-line control corresponding to controls executed by independent support functions separate from operational units, forming the second line of defense represented by compliance and risk management functions;
• a periodic control corresponding to post-facto controls carried out within the framework of an audit plan developed from risk mapping, constituting the last line of defense represented by the internal audit function. The audit plan developed through a risk-based approach must be realistic and flexible to allow for the respect of the control cycle and the handling of unforeseen activities. It must be regularly updated to respond to changes in the BRVM's internal and external environment.

---

6/24 Instruction No. 77/2023/AMF-UMOA

Article 6 Responsibilities of the Governing Body The governing body is ultimately responsible for the existence of an internal control framework within the BRVM and for the proper application of the ICF across the entire approved structure. It is required to:

• define and validate, at an appropriate periodicity, the acceptable risk level to which the BRVM is exposed, particularly by setting acceptable limits for counterparty, liquidity, and market risks, as well as implementing appropriate mechanisms to manage operational and compliance risks;
• ensure the establishment and updating of an organization, policies, and written internal control procedures for the sound and prudent management of BRVM activities;
• ensure the separation of incompatible duties, particularly decision-making, securities holding, recording, and control functions;
• ensure that control functions have appropriate means to execute their missions with full independence.

Article 7 Audit Committee The minimum prerogatives of the Audit Committee consist of:

• examining the effectiveness of the implemented ICF to identify, evaluate, manage, and control financial and non-financial risks;
• evaluating the internal audit policy and control cycle, including the escalation policy upon materialization of significant risks;
• participating in the selection of Statutory Auditors and examining the conclusions of their work, in accordance with legal and regulatory provisions;
• analyzing the compliance with ethical and accounting principles applied against applicable professional standards;
• thoroughly reviewing annual summary statements before their presentation to the governing bodies;
• providing governance bodies with reasonable assurance regarding the quality and effectiveness of the internal control framework, governance systems, and risk management to facilitate their control over BRVM activities and incurred risks.

It also makes proposals to said bodies to strengthen the effectiveness of these systems and frameworks.

Article 8 Responsibilities of the Executive Body The executive body is required to implement an ICF conforming to best practices and monitor its adequacy and effectiveness. The ICF must be adapted to the BRVM's risk profile.

The executive body ensures that policies and procedures are effectively developed and applied by competent personnel, and that all concerned persons understand and assume their responsibilities in this regard. It defines escalation criteria in response to the materialization of risks and ensures the implementation of appropriate measures.

It must notably:

• ensure the proper functioning of internal control and risk management systems, taking necessary measures to promptly remedy any identified deficiencies or shortcomings;
• inform control functions in a timely manner of all new developments, initiatives, projects, products, and operational changes as well as related risks;
• ensure that appropriate measures are taken within set deadlines to implement all corrective actions arising from internal audit, Statutory Auditors, or AMF-UMOA recommendations;
• promote the independence of control functions and provide them with necessary resources to carry out their missions;
• regularly report to the governing body on the effectiveness of the internal control framework.

Article 9 Staff Obligations Each BRVM staff member must:

• diligently perform all assigned control activities;
• have access to all necessary information, particularly to establish, operate, and monitor the internal control framework.

---

8/24 Instruction No. 77/2023/AMF-UMOA

TITLE 2. COMPLIANCE MANAGEMENT

Article 10 Characteristics of the Compliance Policy The BRVM must adopt a compliance policy that, among other things:

• ensures respect for fundamental principles established by the governing body;
• establishes a compliance function within the BRVM;
• prescribes the development of a compliance charter;
• specifies fundamental aspects of compliance risk;
• establishes the responsibilities of governance bodies in implementing the compliance risk management framework;
• institutes a continuous training program for employees and all responsible for implementing and monitoring the compliance policy.

Article 11 Compliance Charter The compliance charter must notably:

• outline the objectives of the compliance function, establish its independence, and define its responsibilities and competencies;
• clearly describe the compliance function's relationships with other control functions and BRVM services executing tasks related to its responsibilities;
• grant the compliance function the right to communicate with any staff member and access any physical or electronic file necessary for exercising its responsibilities;
• confer upon the compliance function the power to initiate investigations;
• formalize the tasks and obligations of the compliance function that may be delegated to other BRVM services and functions or outsourced to external providers;
• define the conditions under which the compliance function may, when necessary, resort to external experts.

The compliance charter must reflect developments in applicable standards. The BRVM is required to update it promptly to account for these changes.

Any project to outsource the compliance function must be approved by the governing body and submitted for AMF-UMOA authorization prior to implementation.

---

9/24 Instruction No. 77/2023/AMF-UMOA

Article 12 Independence The compliance function must be independent of the units it controls. To ensure this function's independence, the executive body must establish an organizational mechanism free from conflicts of tasks and functions. Furthermore, dedicated resources must not be in situations of conflict of interest.

Article 13 Resources The compliance function must have access to the governing and executive bodies, in order to report findings; it must be adapted to the size of the BRVM, the nature and complexity of its activities, as well as its risk profile.

The BRVM must appoint a compliance function manager responsible for coordinating the organization-wide management of compliance risk and supervising the function's activities. The compliance function manager must possess proven experience in audit and compliance.

Article 14 Competence Human resources assigned to the compliance function must possess a high level of knowledge regarding BRVM activities and applicable standards.

The BRVM must take provisions to ensure these human resources keep their knowledge of said standards up to date.

Article 15 General Responsibilities The compliance function is responsible for assisting the executive body in identifying and diligently managing any risk of non-compliance by the BRVM with applicable standards governing its activities.

Article 16 Specific Responsibilities The specific responsibilities of the compliance function consist notably of:

• identifying and communicating to all concerned personnel, the applicable standards governing BRVM activities;
• proactively identifying, evaluating, and managing compliance risks, including during the development of new products or markets, activities, or issuer and member relations to BRVM services.

Furthermore, if the BRVM has a New Products or Markets Committee, the compliance function must be represented therein.

The compliance function must also:

• centralize and analyze all non-compliances with applicable standards and the compliance policy;
• recommend corrective measures to address identified non-compliances and shortcomings;
• monitor the implementation of all its recommendations;

• evaluate the adequacy of the compliance policy, considering developments in BRVM activities, applicable standards, and based on identified shortcomings. It must, where appropriate, formulate amendment proposals;
• ensure diligent implementation of the compliance policy. The compliance function must ensure that rules established in the compliance policy are translated into procedures, compliance manuals, and internal controls for areas directly falling under the compliance function. Areas of intervention directly under the compliance function notably include anti-money laundering and counter-terrorist financing, as well as the protection of issuer and investor interests.

Furthermore, other prerogatives compatible with its missions may be entrusted to it, notably ensuring liaison with external regulatory and standardization bodies.

The compliance function must be involved and consulted prior to the implementation of internal control procedures.

It must continuously ensure that the BRVM's compliance policy is respected at all organizational levels, notably:

• Staff Awareness and Training: The compliance function must initiate actions to raise awareness and train staff on the importance of adopting applicable standards and respecting the compliance policy. It establishes and implements, for this purpose, a staff training program.
• Documenting its Work: The compliance function is required to document all its work to guarantee traceability of its interventions and conclusions.

Article 17 Detection of Compliance Anomalies All significant compliance anomalies and deficiencies constituting a breach of AMF-UMOA regulatory provisions must be documented and reported through a specific detailed report addressed to the BRVM's governing body and AMF-UMOA.

Reports from the compliance function containing findings that implicate management cannot be modified by said management.

---

11/24 Instruction No. 77/2023/AMF-UMOA

Nevertheless, implicated persons may submit observations on the findings drawn up. The submitted observations must be attached to the control report.

Non-compliance with these provisions exposes offenders to sanctions provided by regulations, without prejudice to criminal penalties.

Article 18 Control of the Compliance Function