Recommendation H regarding the internal control system in banks

Financial Supervision Authority Recommendation H regarding the internal control system in banks Warsaw, April 2017

Recommendation H Page 2 of 57 INTRODUCTION This Recommendation is issued pursuant to Article 137(1)(5) of the Act of 29 August 1997 – Banking Law (Journal of Laws of 2016, item 1988, as amended) and Article 11(1) and Article 67(2) of the Act of 21 July 2006 on the supervision of the financial market (Journal of Laws of 2017, item 196, as amended), and constitutes a new Recommendation H of the Financial Supervision Authority (hereinafter: KNF) regarding the internal control system in banks (hereinafter: Recommendation)1.

The amendment to the Recommendation aims to ensure consistency of KNF expectations regarding good practices in the internal control system in banks with changed legal provisions and prevailing market standards.

This Recommendation constitutes a collection of good practices regarding the internal control system, which present KNF's expectations towards banks in terms of conduct consistent with regulations concerning the principles of the functioning of the internal control system in banks, as specified in the Act of 29 August 1997 – Banking Law and the Act of 7 December 2000 on the functioning of cooperative banks, their association and associated banks (Journal of Laws of 2016, item 1826) as well as the Regulation of the Minister of Development and Finance of 6 March 2017 on the risk management system and the internal control system, remuneration policy, and the detailed method of estimating internal capital (hereinafter: the Regulation).

The Recommendation also takes into account national standards relating to issues connected with the internal control system, including in particular the Corporate Governance Principles for supervised institutions, issued by KNF on 22 July 2014, and the KNF-developed draft Recommendation Z regarding internal governance principles in banks, as well as standards issued by other institutions (supervisory and industry), including:

• Guidelines of the European Banking Authority (EBA) from September 2011, on internal governance (Guidelines on Internal Governance, GL44);
• Guidelines of the Basel Committee on Banking Supervision (BCBS): (a) Corporate governance principles for banks from July 2015, (b) The internal audit function in banks from June 2012, (c) Compliance and the compliance function in banks from April 2005;
• International Standards for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors (IIA) from 2016;
• Good Practices of Listed Companies on the Warsaw Stock Exchange 2016, adopted on 13 October 2015 by the Warsaw Stock Exchange;

1 The first Recommendation H regarding internal control in banks was developed in 1999 and updated in 2002 by the General Inspectorate of Banking Supervision.

Recommendation H Page 3 of 57

• Guidelines of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control — Integrated Framework from 2013.

Taking into account significant changes that have occurred in the regulatory environment since the last amendment of the Recommendation in 2011 (i.e., the aforementioned changes in Polish legal provisions and recommended standards, as well as international solutions, including especially European ones), this Recommendation is based on the following assumptions:

1. Basing the internal control system on the Anglo-Saxon concept of internal control system, i.e., a set of control mechanisms ensuring the achievement of statutorily defined goals of the internal control system (i.e., effectiveness and efficiency of the bank's operations, reliability of financial reporting, compliance with risk management principles in the bank, and conformity of the bank's actions with legal provisions, internal regulations, and market standards).
2. Perceiving the internal control system as a separate system from the risk management system by distinguishing these two systems (in accordance with the Act of 29 August 1997 – Banking Law), along with separate internal control mechanisms (control mechanisms) and risk control mechanisms.
3. Placing the compliance unit within the internal control system and treating it as a key element (alongside the control function) in ensuring compliance in the bank (i.e., ensuring that banks comply with laws, internal regulations, and market standards), thereby strengthening the position of the compliance unit, addressing the needs to mitigate the growing risk of non-compliance while considering best practices in this area.
4. Placing the internal audit unit within the internal control system, tasked with conducting independent and objective advisory and assurance activities, in particular by examining and assessing the adequacy and effectiveness of the risk management system and the internal control system.
5. Incorporating the internal control system within the so-called three-lines-of-defense model.

The provisions of this Recommendation take precedence in application over provisions regarding internal control mentioned in other KNF recommendations and guidelines, including in particular regarding the provisions of:

• Chapter 8 of the Corporate Governance Principles for supervised institutions, issued by KNF in July 2014,
• Recommendation 14 of KNF Recommendation M regarding operational risk management in banks, issued by KNF in January 2013,

Recommendation H Page 4 of 57

• regarding the assessment of the risk of failing to achieve the goals of the internal control system, resulting from Recommendation 17.2 of Recommendation P regarding financial liquidity risk management in banks, issued by KNF in March 2015, and Recommendation 21.2 of Recommendation U regarding good practices in bancassurance, issued by KNF in June 2014,
• Recommendations regarding the functioning of the Audit Committee, issued by KNF in November 2010, in the part concerning monitoring the effectiveness of internal control and internal audit systems.

The provisions of the Recommendation should be applied with due regard to the principle of proportionality, particularly with regard to cooperative banks. In the case of a cooperative bank or an associated bank that is a participant in the protection system referred to in the Act of 7 December 2000 on the functioning of cooperative banks, their association and associated banks, the tasks referred to in parts A, B, C of the Recommendation should be performed based on the guidelines of the associated bank managing that protection system or the entity managing that protection system.

The provisions of this Recommendation regarding internal audit tasks should be applied correspondingly in the case of a cooperative bank or an associated bank where, pursuant to Article 22i(4) of the Act of 7 December 2000 on the functioning of cooperative banks, their association and associated banks, internal control, referred to in Article 9c(2)(3) of the Act of 29 August 1997 – Banking Law, has been entrusted to the body managing the protection system. In particular, with regard to recommendations 22.4a, 22.4e, 23, 24.1h, 25, 29.1, 30.3, 30.4, and 31, the management board and supervisory board in a cooperative bank and an associated bank being a participant in the protection system should be understood correspondingly as the body managing or the supervisory body of the associated bank managing the protection system, or the body managing or the supervisory body of the entity managing that protection system.

The Financial Supervision Authority expects that this Recommendation will be implemented in banks no later than 31 December 2017.

Recommendation H Page 5 of 57 Glossary of Terms Used

1. Risk appetite – the current and future willingness of the bank to take on risk.
2. Internal audit – a separate, independent, and objective advisory and assurance activity of the internal audit unit within the bank's internal control system, aimed at adding value and improving processes in the bank and assessing the adequacy and effectiveness of the risk management system and the internal control system (excluding the internal audit unit itself).
3. Internal auditor – an employee of the internal audit unit participating in the audit process.
4. Audit examination – an examination and assessment of a selected or selected audit objects conducted by the internal audit unit, taking into account the assessment of the effectiveness and adequacy of the risk management system and the internal control system.
5. Goals of the internal control system – four general goals, the achievement of which should be ensured by the internal control system, in accordance with prevailing legal provisions (Article 9c(1) of the Act of 29 August 1997 – Banking Law) and specific goals distinguished within them.
6. Internal audit advisory activity – activity conducted by the internal audit unit aimed at adding value and improving processes in the bank, which is not assurance activity.
7. Internal audit assurance activity – activity conducted by the internal audit unit aimed at assessing the adequacy and effectiveness of the risk management system and the internal control system, through audit examinations conducted in the bank covering the entire activity of the bank.
8. Control function – an element of the internal control system, consisting of all control mechanisms in processes functioning in the bank, independent monitoring of compliance with these control mechanisms, and reporting within the control function.
9. Audited entity – an organizational unit, organizational cell, or organizational position of the bank that is subject to an audit examination, and in the case of a cooperative bank or an associated bank being a participant in the protection system, the bank that is subject to an audit examination.
10. Organizational unit – a fundamental element of the organizational structure, separated due to functions in the organization or according to other criteria (e.g., geographical or product-based); organizational units include, for example: headquarters, branches, regions, brokerage office; organizational units may also be separated within the organizational structure of higher-level organizational units – e.g., sub-branches within branches, cash points, outposts, within branches or sub-branches.

Recommendation H Page 6 of 57 11) Audit charter – regulations governing the functioning of the internal audit unit in the form of one or more documents. 12) Key control mechanism – a control mechanism of key importance for achieving a specific goal of the internal control system in a given process, without compliance with/implementation of which there may be an unacceptable risk for the bank that such a goal will not be achieved. 13) Risk management unit (position) – an organizational unit (or position) responsible for risk management within the second line of defense. 14) Organizational cell – a single- or multi-person element of the organizational structure separated within an organizational unit to carry out specific tasks, including projects; organizational cells include, for example: department, office, team, project team, section, single-person work position, etc.; organizational cells may be part of higher-level organizational cells – e.g., divisions within a department, sections within divisions. 15) Control function matrix – a description of the connection between the general goals and specific goals distinguished within them of the internal control system with processes important for the bank's functioning, as well as key control mechanisms and independent monitoring of compliance with these control mechanisms (e.g., in the form of a table). 16) Control mechanism – a solution or action distinguished within the control function, performed and applied within all three lines of defense, especially within the first line of defense, aimed at ensuring the achievement of the goals of the internal control system. 17) Risk control mechanism – a solution or action distinguished within the risk management system, performed and applied within the first and second lines of defense, aimed at maintaining risk at a specified level (e.g., limits on the permissible size of granted loans, principles of assessing creditworthiness, securing loan repayment). The action of the risk control mechanism is ensured by applying appropriately designed control mechanisms (e.g., recording the exceedance of a given limit, division of tasks in the creditworthiness assessment process, documentation of loan repayment security). 18) Vertical monitoring – independent monitoring by the second line of defense (current verification or testing) of compliance with control mechanisms within the first line of defense.

Recommendation H Page 7 of 57 19) Horizontal monitoring – independent monitoring within a given line of defense (current verification or testing) of compliance with control mechanisms. 20) Audit object – organizational units, cells, and positions, as well as processes functioning in the bank and its dependent entities, constituting a potential subject of audit examination. 21) Audit plans – strategic (long-term) and operational (annual) plans of audit examinations. 22) Dominant entity, dependent entity – these terms should be understood in accordance with Article 4(1)(8) and (9) of the Act of 29 August 1997 – Banking Law. 23) Process – a set of all mutually related activities performed by units, cells, organizational positions of the bank and its dependent entities, the implementation of which is necessary to achieve a specific result (e.g., granting a loan, selling receivables, booking a transaction of a specific type, preparing a financial report). Within processes, operations, transactions, and other activities necessary to achieve a specific result are performed. 24) Non-compliance risk management process – a process carried out by the compliance unit (with possible support from other units of the first or second line of defense), involving the identification, assessment, control, and monitoring of the risk of non-compliance of the bank's activity with legal provisions, internal regulations, and market standards, and reporting on this matter. 25) Audit process – a formalized process including the preparation of audit plans, preparation of audit examinations, conducting audit examinations, and monitoring the effectiveness of implementing post-audit recommendations. 26) Audit examination report – a document or documents concluding audit examinations, including at least:

• description of the audit examination, including its purpose, deadline, and scope,
• findings of the audit examination along with detected irregularities and their categorization,
• assessment of the adequacy and effectiveness of the risk management system and the internal control system,
• post-audit recommendations along with designated addressees and implementation deadlines.

27. Non-compliance risk – the risk of consequences of non-compliance with legal provisions, internal regulations, and market standards in processes functioning in the bank.
28. Organizational position – a basic element of the organizational structure of the bank, organizational unit, or organizational cell, separated for the implementation of specific tasks by one person; managerial positions (e.g., president, vice-president, board member), managerial positions (e.g., director, head, manager), and executive positions – subordinate to managerial or executive positions and not performing managerial functions, can be distinguished.

Recommendation H Page 8 of 57 29) Protection system – should be understood as the protection system referred to in the Act of 7 December 2000 on the functioning of cooperative banks, their association and associated banks. 30) Management system, internal control system, and risk management system – these terms should be understood in accordance with Articles 9, 9b, and 9c of the Act of 29 August 1997 – Banking Law. 31) Testing – comparing the actual state with the required state on a selected test sample, carried out to assess at least compliance with control mechanisms regarding completed activities performed within processes functioning in the bank or individual stages of these activities. Testing, as an element of independent monitoring within the control function, can be horizontal monitoring (horizontal testing within a given line of defense) or vertical monitoring (vertical testing of the first line of defense by the second line of defense). 32) Three lines of defense – a system of risk management and internal control functioning in the bank, organized in the bank at three independent levels, as referred to in §3 of the Regulation, where:

• the first line of defense consists of risk management in the bank's operational activity,
• the second line of defense consists of at least risk management by employees on specially appointed positions or in organizational cells, independent of risk management on the first line of defense, as well as the activity of the compliance unit,
• the third line of defense consists of the activity of the internal audit unit. On all three lines of defense, within the risk management system and the internal control system, bank employees, in connection with performing official duties, appropriately apply control mechanisms or independently monitor compliance with control mechanisms. In the case of a cooperative bank or an associated bank being a participant in the protection system, control mechanisms on the third line of defense and independent monitoring of their compliance are applied by the associated bank managing that protection system or the entity managing that protection system.

Recommendation H Page 9 of 57 33) Audit universe – a set of audit objects covering the entire activity of the bank and its dependent entities. 34) Current verification – comparing the actual state with the required state, carried out to assess at least compliance with control mechanisms, before starting or during ongoing activities performed within processes functioning in the bank. Current verification, as an element of independent monitoring within the control function, can be horizontal monitoring (horizontal current verification within a given line of defense) or vertical monitoring (vertical current verification of the first line of defense by the second line of defense). 35) Ensuring compliance – ensuring compliance with legal provisions, internal regulations, and market standards, respectively through the control function and non-compliance risk management.

Recommendation H Page 10 of 57 LIST OF RECOMMENDATIONS A. ORGANIZATION OF THE INTERNAL CONTROL SYSTEM IN THE BANK Recommendation 1 Within the three lines of defense, the bank should design, implement, and ensure the functioning of an adequate and effective internal control system, establish criteria for assessing the adequacy and effectiveness of this system, define the tasks of the bank's management board and supervisory board, and publish, in a generally accessible manner, a description of the internal control system.

Recommendation 2 Within the general goals of the internal control system, the bank should distinguish specific goals and link them with processes functioning in the bank.

Recommendation 3 The bank should develop principles for categorizing, documenting, and reporting irregularities discovered by the internal control system.

B. CONTROL FUNCTION Recommendation 4 The bank's management board is responsible for designing, implementing, and ensuring the functioning of the control function, and the supervisory board is responsible for supervision and annual assessment of the control function.

Recommendation 5 The bank should determine the criteria taken into account when designing control mechanisms and document their design, implementation, and application.

Recommendation 6 The bank should ensure independent monitoring of compliance with control mechanisms, including current verification and testing.

Recommendation 7 Current verification should be carried out continuously within processes functioning in the bank.

Recommendation 8 Testing should include an assessment of at least compliance with control mechanisms and should be carried out in the case of completed activities performed within processes functioning in the bank or individual stages of these activities.

Recommendation 9 The bank should provide documentation of the control function in the form of a control function matrix and should define the scope of tasks regarding ensuring the functioning of the matrix.

Recommendation 10 The bank should determine reporting principles including at least the results of vertical testing and the status of implementing remedial and disciplinary measures.

C. ENSURING COMPLIANCE Recommendation 11 The bank should distinguish ensuring compliance as one of the four general goals of the internal control system. The bank should ensure compliance through the control function and non-compliance risk management.

Recommendation 12 The bank should distinguish a compliance unit, ensure its appropriate placement in the bank's organizational structure, formally define its powers and duties, and ensure independence and appropriate status for the head of the compliance unit and its employees.

Recommendation 13 Ensuring compliance, within the control function, should include the application of control mechanisms, independent monitoring of their compliance, and reporting.

Recommendation 14 The non-compliance risk management process should include identification, assessment, control, monitoring, and reporting on non-compliance risk by the compliance unit. The bank should define non-compliance risk and develop appropriate procedures and methodologies.

Recommendation 15 Within the non-compliance risk management process, the bank should identify non-compliance risk. The bank should specify in detail the scope of information used to identify non-compliance risk.

Recommendation 16 Within non-compliance risk management, the bank should assess identified non-compliance risks through quantitative measurement or qualitative estimation.

Recommendation 17 Within the non-compliance risk management process, the bank should design, implement, and apply, based on the assessment of non-compliance risk, non-compliance risk control mechanisms aimed at maintaining non-compliance risk at a specified level.

Recommendation 18 Within the non-compliance risk management process, the bank should monitor the size and profile of non-compliance risk. The bank should determine the scope of testing the implementation and compliance of non-compliance risk control mechanisms.

Recommendation 19 Within non-compliance risk management, the bank should ensure the transmission to the bank's management board and supervisory board or audit committee (if established) of quarterly reports regarding the results of identification, assessment, control, and monitoring of the size and profile of non-compliance risk.

Recommendation 20 The bank should develop principles for cooperation between the bank's compliance unit and analogous