2013-12-03
The Governor of the Central Bank of the Republic of Guinea issued Instruction No. 002/DGSIF/DSB on December 2, 2013, to establish a comprehensive internal control system for all credit institutions, including banks, financial institutions, and specialized financial institutions. This instruction mandates the implementation of an Internal Audit Committee, distinct permanent and periodic control functions with strict independence, and a dedicated compliance function to ensure adherence to legal, regulatory, and ethical standards, including anti-money laundering and counter-terrorist financing. It further requires detailed documentation, regular reporting to General Management, the Internal Audit Committee, and the Central Bank on risk management, control effectiveness, and any significant changes or exceptions, ensuring robust oversight and financial stability.
INSTRUCTION N°002/DGSIF/DSB of December 2, 2013 ON INTERNAL CONTROL
The Governor of the Central Bank of the Republic of Guinea,
Article 1: This instruction sets out the internal control system that credit institutions must implement in application of Article 56-9 of Law L/2013/060/CNT/2013 of August 12, 2013, on banking regulation, hereinafter referred to as the "banking law". The institutions subject to this instruction are Banks, Financial Institutions, and Specialized Financial Institutions as referred to in Article 15 of the banking law. This instruction defines the provisions applicable to the following points:
I Organization of internal control
II Documentation and information system
III Compliance function
IV Anti-money laundering and counter-terrorist financing system
V Accounting organization and processing
VI Information system and business continuity plan
VII Risk monitoring system
VIII Outsourcing of activities and services
IX Obligations towards the Central Bank
I. Organization of internal control
Article 2: Subject institutions are required to implement an internal control system under the minimum conditions provided by this instruction. The responsibility for ensuring that the subject institution complies with its obligations under this instruction rests with the Board of Directors, the Internal Audit Committee, and General Management. The internal control system must be adapted to the nature and volume of the activities of the subject institutions, the number of their locations, and the different types of risks to which they are exposed.
Article 3: The internal control system includes, in particular:
verify that the organization, internal procedures, and operations carried out comply with legislative and regulatory provisions, professional and ethical standards, as well as the guidelines of the Board of Directors and the instructions of General Management;
verify that decision-making procedures, risk-taking, and management standards set by General Management and approved by the Board of Directors, particularly in the form of limits, are strictly respected;
verify the existence and implementation of measures intended to ensure the protection and safeguarding of assets against internal and external risks, particularly those related to irregularities, errors, and fraud, and against other operational and legal risks;
verify the quality of published accounting and financial information, and that intended for General Management, the Board of Directors, and the Central Bank;
verify the conditions for evaluation, recording, retention, and availability of accounting and financial information, particularly by guaranteeing the existence of an audit trail as defined in this instruction;
verify the protection, security, and quality of information and communication systems;
verify safeguard measures to ensure business continuity in the event of a crisis;
ensure in all cases that corrective measures required by the Central Bank, the Board of Directors, on the recommendation of the Internal Audit Committee or General Management, are implemented and executed within reasonable deadlines to reduce risks;
be authorized without any restriction to perform the same types of controls as above on all outsourced functions.
Article 5: Subject institutions are required to establish an Internal Audit Committee. This committee is composed of at least three directors. It may include independent persons chosen for their expertise. The Heads of permanent control structures, compliance control, and periodic control report to this committee.
Article 6: The Internal Audit Committee must:
ensure that General Management implements appropriate internal control and risk management strategies, policies, and procedures, approved by the Board of Directors;
approve the annual permanent and periodic internal control program;
examine all observations and reservations of the Statutory Auditors on the financial statements;
validate and revise, if necessary, the accounting and valuation methods used for the preparation of financial statements;
give its opinion and revise, if necessary, the subject institution's annual report, including financial statements, before transmission to the Board of Directors;
examine the conclusions and recommendations formulated in periodic and permanent control reports, compliance reports, and external audit reports, including, where applicable, reports carried out by the group to which the credit institution belongs;
examine the Central Bank's requirements following its controls;
ensure the follow-up of measures taken in consideration of the three preceding paragraphs.
Article 7: To ensure internal control, the subject institution must have agents with appropriate training and the required experience to carry out permanent or periodic controls, respecting the following provisions:
Persons assigned to second-level permanent control, the compliance function, and periodic control, as well as their hierarchical superiors, must not carry out any commercial, financial, or accounting operations.
Article 10: Controls carried out under Article 7-2 must follow a defined program, according to a predetermined frequency, specifying the different control points, the methods of execution, and the reporting of the results of these controls. Subject institutions regularly ensure that the permanent control program covers all areas of activity and risk zones. They keep up-to-date a document on risk mapping specifying the measured or estimated degree of risks. The verifications carried out must be formalized so that they can be examined by periodic control, Statutory Auditors, external auditors, and the Central Bank's services.
Article 11: For permanent control, risk monitoring, and the compliance function, the organization of the subject institution must be designed to ensure strict independence of these units from the operational units they are responsible for controlling. Depending on the size of the subject institution and the nature of its activities, the responsibility for permanent control of operations and risks (Article 7-2) and the responsibility for the compliance function (Article 7-3) may be entrusted to the same person, with the prior agreement of the Central Bank. Permanent risk monitoring may be carried out by one or more dedicated structures (credit risk monitoring, accounting control, internal control of operations, others). General Management appoints the Heads of these functions, after a concurring opinion from the Internal Audit Committee. In the event of multiple permanent control structures, General Management must ensure the completeness, consistency, and effectiveness of the permanent control system.
Article 12: For the periodic control referred to in Article 7-4, the subject institution designates a Head hierarchically attached to the institution's General Management, after a concurring opinion from the Internal Audit Committee. Their functions are terminated under the same conditions. The Head of periodic control presents each mission to General Management and reports on the results of their missions to the Internal Audit Committee at a frequency not exceeding six months. The periodic control program must be defined according to a multi-year plan and cover all areas of activity and functions of the subject institution, including outsourced functions. It must be submitted to the Internal Audit Committee, which must monitor its execution. Reports lead to recommendations to be implemented by the audited units, and their follow-up must be ensured by the permanent control function, which must report to the Internal Audit Committee. Agents in charge of periodic control carry out their mission completely independently of the departments they control. They may contact any staff member and access any information deemed useful for the proper conduct of their mission. When the size of the subject institution does not justify the creation of a periodic control structure, the missions may be entrusted to an external auditor after prior agreement from the Central Bank.
Article 13: When a subject institution belongs to a banking group, the periodic control referred to in Article 7-4 may be carried out by another legal entity within the group, subject to the prior agreement of the Central Bank. The Central Bank's agreement is notably conditional on that of the Boards of Directors of the two institutions concerned, and on the execution of a periodic control program approved by the Internal Audit Committee of the audited subject institution.
Professional secrecy or any other form of restriction on information exchange cannot in this case be invoked against the Central Bank by the persons carrying out these controls.
Article 14: The Internal Audit Committee must formulate an opinion on the compliance of the internal control organization with Articles 6 to 12 of this instruction before this organization or any modification to it is validated by the Board of Directors.
II. Documentation and information system
Article 15: Subject institutions must adopt an internal control charter that specifies at least:
the organization of the internal control system;
the areas of responsibility entrusted to the various committees in charge of internal control and risk monitoring, as well as the composition and frequency of meetings of these committees;
the modalities for informing the Internal Audit Committee and the Board of Directors;
the tools and dashboards implemented as part of permanent control and risk monitoring;
the distribution of different responsibilities among staff regarding internal control and risk monitoring;
the resources allocated to the internal control system, particularly to the structures defined in Article 6 of this instruction;
the modalities for implementing the provisions of Articles 7 to 10 of this instruction relating to the separation of functions within the subject institution.
The internal control charter is validated and reviewed annually by the Internal Audit Committee after being updated according to the evolution of the institution's risk profile. It must include the nominal list of members of the Internal Audit Committee and the Heads of the various internal control functions. It is communicated within the institution and the banking group, as well as to the Statutory Auditors and the Central Bank, accompanied by a document indicating major changes in internal control and risk management strategies and policies. The Central Bank may request amendments to the charter.
Article 16: When the Board of Directors has entrusted it with setting risk limits, General Management informs the Board of Directors and the Internal Audit Committee of the decisions taken in this regard and regularly reports to them, at least once every six months, on the conditions under which the set limits are respected.
Article 17: Subject institutions develop and keep up-to-date procedure manuals related to and adapted to their different activities. These documents must notably describe the modalities for recording, processing, and reporting information, accounting schemes, and procedures for committing operations, associated risks, and controls to be performed. Each department or operational unit must have a manual in which the procedures for executing the operations it is responsible for are recorded: these specify, in particular, the modalities for committing, recording, and processing operations, as well as the corresponding accounting schemes. Subject institutions keep up-to-date, under the same conditions, documentation that specifies the means intended to ensure the proper functioning of the internal control system, including:
procedures relating to the security of information and communication systems and business continuity plans;
a description of risk measurement, limitation, and monitoring systems;
a description of the information system, validation, and control of accounting records;
the organizational method of the compliance control system and the fight against money laundering and terrorist financing.
The documentation is organized so that it can be made available, upon request, to General Management, the Internal Audit Committee, the Board of Directors, the Statutory Auditors, and the Central Bank.
Article 18: Reports established following periodic controls are communicated to General Management, the Internal Audit Committee, and, upon its request, to the Board of Directors. These reports are kept at the disposal of the Central Bank, the Statutory Auditors, and external auditors intervening, where applicable, at the request of the Central Bank.
Article 19: At least once a year, subject institutions prepare a report on the functioning of the internal control system, in accordance with the model provided by the Central Bank. This report includes, in particular:
a description of actions carried out as part of permanent control, the results of these actions, and any corrections that have been implemented;
an inventory of investigations carried out in application of Article 7, highlighting the main lessons learned, and in particular, the main shortcomings identified, as well as the follow-up of corrective measures taken;
a description of significant modifications made in the areas of permanent and periodic controls during the review period, particularly to take into account changes in activity and risks;
a description of the conditions for applying procedures implemented for new activities;
a development relating to permanent and periodic controls of subsidiaries in Guinea or abroad;
the presentation of the main actions planned in the area of internal control.
Subject institutions monitored on a consolidated basis also prepare, at least once a year, a report on the conditions under which internal control is ensured at the group level. Subject institutions include this group report in their report prepared on an individual basis. These various reports are communicated to the Central Bank, accompanied by the minutes of the meetings of the Board of Directors and the Internal Audit Committee that examined them.
Article 20: When compliance with limits is monitored by a Risk Committee, it must be composed not only of heads of operational units and representatives of General Management, but also of persons chosen for their competence in risk control and independent of the operational units.
Article 21: Subject institutions define information procedures, at least quarterly, for General Management, and where applicable, for the risk committee, on compliance with risk limits, particularly when global limits are likely to be reached.
Article 22: For the monitoring of their operations, subject institutions must prepare adapted summary statements for General Management, the Risk Committee, where it exists, the Internal Audit Committee, and the Board of Directors. Exceptions to policies, procedures, and limits must be immediately submitted for authorization by hierarchical superiors and immediately reported to General Management and the Risk Committee, where it exists, and, where applicable, to the Audit Committee and the Board of Directors. They must be accompanied by appropriate documents.
Article 23: At least once a year, subject institutions prepare a report on the measurement and monitoring of the risks to which they are exposed, based on a template provided by the Central Bank. When they are monitored on a consolidated basis including other credit institutions, the report covers the risks to which the group is exposed. This report is submitted to the Internal Audit Committee and the Board of Directors. It is communicated to the Central Bank under the same conditions as the report on the functioning of the internal control system. Furthermore, these institutions must establish adequate mechanisms for informing the Central Bank of any event likely to result in a significant increase in their risk exposure, which could have important consequences for their financial situation or undermine the financial stability of the market.
III. Compliance control system
Article 24: For the purposes of this instruction, non-compliance risk is the risk of judicial, administrative, or disciplinary sanction, significant financial loss, or damage to reputation, arising from non-compliance with legislative or regulatory provisions or professional and ethical standards, or internal instructions from General Management or the Board of Directors.
Article 25: Subject institutions designate a Head responsible for ensuring the consistency and effectiveness of non-compliance risk control. This person is appointed by General Management upon a concurring opinion from the Internal Audit Committee, to which they periodically report on their activities.
Article 26: The compliance function monitors legal and regulatory developments to adapt, if necessary, the organization and internal procedures.
Article 27: Subject institutions provide for specific compliance review procedures, including systematic prior approval procedures, notably including a written opinion from the Head of compliance, or a person duly authorized by the latter for this purpose, for new products or for significant transformations made to existing products. Their effective launch requires a prior opinion from the Internal Audit Committee. Subject institutions also implement procedures for controlling the compliance of operations.