Micro Finance Deposit-Taking Institutions (Corporate Governance) Regulations, 2024

453 STATUTORY INSTRUMENTS 2024 No. 26. THE MICRO FINANCE DEPOSIT- TAKING INSTITUTIONS (CORPORATE GOVERNANCE) REGULATIONS, 2024 ARRANGEMENT OF REGULATIONS Part I—Preliminary Regulation

1. Title
2. Interpretation
3. Application
4. Objects
5. Rationale Part II—Regulatory Requirements
6. Board charter
7. Board composition
8. Board chairperson
9. Functions of the board chairperson
10. Managing director
11. Executive director
12. Company secretary
13. Selection of directors
14. Succession plan for directors STATUTORY INSTRUMENTS SUPPLEMENT No. 14 9th May, 2024 STATUTORY INSTRUMENTS SUPPLEMENT to The Uganda Gazette No. 32, Volume CXVII, dated 9th May, 2024 Printed by UPPC, Entebbe, by Order of the Government.

454 15. Functions of board 16. Duties of the directors 17. Directors’ code of conduct 18. Board meeting 19. Evaluation of the board of directors 20. Selection, performance, evaluation and succession planning 21. Managing conflict of interest 22. Disclosure and transparency 23. Risk management 24. Risk appetite statement 25. Board committees 26. Audit committee 27. Asset liability management committee 28. Risk committee 29. Credit committee 30. Compensation committee 31. Regulation of information technology 32. Control functions 33. Internal audit function 34. External auditors 35. Management risk committee 36. Head of risk 37. Risk identification, monitoring and control 38. Compliance function 39. Money laundering compliance officer Part III—Remedial Measures and Administrative Sanctions 40. Remedial measures 41. Administrative sanctions

455 STATUTORY INSTRUMENTS 2024 No. 26. The Micro Finance Deposit-Taking Institutions (Corporate Governance) Regulations, 2024 (Under section 89 (1) of the Micro Finance Deposit- Taking Institutions Act, 2003, Act No. 5 of 2003. IN EXERCISE of the powers conferred on the Central Bank under section 131(1) (k) of the Micro Finance Deposit-Taking Institutions Act, 2003, these Regulations are made this 29th day of April, 2024. Part I—Preliminary

1. Title These Regulations may be cited as the Micro Finance Deposit- Taking Institutions (Corporate Governance) Regulations, 2024.
2. Interpretation In these Regulations, unless the context otherwise requires— “Act” means the Micro Finance Deposit-Taking Institutions Act, 2003; “board” means the board of directors of a micro finance deposit￾taking institution; “control function” means a function that is directly related to the internal control processes of a micro finance deposit-taking institution and includes compliance, risk management and internal audit that is independent of operational functions in the micro finance deposit-taking institution; “corporate governance” means the process and structure used to direct and manage the business and affairs of a micro finance deposit-taking institution with the objective of enhancing the safety and soundness of a micro finance deposit-taking institution and shareholder value including

456 the overall environment in which the micro finance deposit-taking institution operates comprising a system of checks and balances which promotes a healthy balancing of risks and returns; “executive director” means a director who is an officer or employee of a micro finance deposit-taking institution; “executive manager” means a person who is either— (a) empowered to control, direct, and influence decision making of the micro finance deposit-taking institution; (b) principally accountable or responsible for implementing and enforcing policies and strategies approved by the board in their respective area of responsibility; or (c) principally accountable or responsible for developing and implementing systems, internal controls or processes that identify, measure, increase or decrease, monitor or control, a supervised micro finance deposit-taking institution’s risk; “independent director” means a director who has no relationship or interest in the micro finance deposit-taking institution or any of its subsidiaries or affiliates or their related interests; “non-executive director” means a director not involved in the day-to-day management of the micro finance deposit￾taking institution; “managing director” means a person employed by a micro finance deposit-taking institution in a high-level decision￾making position responsible for the overall management of a micro finance deposit-taking institution and reference to managing director includes chief executive officer.

457 3. Application These Regulations shall apply to a microfinance deposit taking institution and do not apply to a registered society. 4. Objects The objects of these Regulations are to— (a) provide for corporate governance principles that are in line with international standards; (b) require a micro finance deposit-taking institution to comply with corporate governance principles; and (c) promote a degree of uniformity in the application of corporate governance practices by micro finance deposit￾taking institutions. Part II— Regulatory Requirements 5. Rationale The rationale of these Regulations is that— (a) institutions play the important role of providing finance to commercial enterprises, basic financial services to a broad segment of the population and access to the payment systems. Accordingly, the importance of robust corporate governance practices in these institutions cannot be overemphasized; (b) given the special position of trust held by institutions in the Ugandan economy and their access to government safety nets, it becomes all the more important that institutions have strong corporate governance systems in place; (c) increasingglobalizationoffinancialmarkets,technological advances and innovations in financial products require new approaches to corporate governance practices; (d) weak corporate governance is one of the major causes of corporate entities’ failures in Uganda, therefore robust

458 governance practices are paramount for the safety and soundness of the institutions and the industry as a whole. 6. Board charter (1) A micro finance deposit-taking institution shall with the approval of the board develop a board charter. (2) The board charter referred to in subregulation (1) shall include— (a) general duties and responsibilities of the board and its committees; (b) board composition including minimum number of independent non-executive directors; (c) the role of the board chairperson and the role of the managing director and other executive directors; (d) directors’ nomination process; (e) the tenure and retirement age of directors; (f) remuneration of non-executive directors; (g) succession planning for board members; (h) areas that may constitute conflict of interest in relation to board operation and its activities; (i) matters reserved for the board; (j) terms of reference of board committees including the composition, purpose, quorum and any other related matter; (k) the role of the company secretary; and (l) general operations of the board including, board evaluations, remuneration.

459 7. Board composition (1) A micro finance deposit-taking institution shall have at least five directors who are fit and proper persons, vetted by the Central Bank and who satisfy the qualifications of directors under the Companies Act and section 23 of the Act. (2) Subject to subregulation (1), a micro finance deposit￾taking institution shall constitute and appoint the board members of an odd number and the majority of whom shall be independent non￾executive directors. (3) A person shall not be permitted to attend a board meeting as a board member unless, the person has been approved by the Central Bank to be appointed as board member by the micro finance deposit￾taking institution. (4) A micro finance deposit-taking institution shall, as part of the board of directors, appoint at least two executive directors who are residents in Uganda and are knowledgeable in the micro finance deposit-taking institution’s long-term strategy, have the ability to influence the institution’s policy and able to appropriately direct the business of the institution. (5) While appointing the board of directors, the micro finance deposit-taking institution shall appoint at least five directors who possess expertise and experience relevant to the functions of the micro finance deposit-taking institution including financial controls, capital management, banking risks and corporate planning. (6) Where there is vacancy or change in the composition of the board, a micro finance deposit-taking institution shall within five working days notify the Central Bank of any change in the composition of board of directors. (7) The executive director of a micro finance deposit-taking institution shall report to the managing director.

460 (8) The board of directors of a micro finance deposit-taking institution shall establish the necessary procedures to enable every director to discharge his or her duties in the best interest of the micro finance deposit-taking institution. 8. Board chairperson (1) A person shall not be appointed a chairperson of the board of directors of a micro finance deposit-taking institution unless, the person is qualified to be appointed an independent director of a micro finance deposit-taking institution and is resident in Uganda. (2) The board chairperson shall possess experience and competence to perform the functions of chairperson of a micro finance deposit-taking institution. (3) In exercise of the functions of the chairperson, the chairperson shall— (a) promote high standards of integrity and governance across the micro finance deposit-taking institution; and (b) promote effective communication between the board, management, shareholders and other stakeholders. (4) A managing director of a micro finance deposit-taking institution shall not serve as the chairperson of the board of directors. (5) The chairperson of the board shall not serve as a chairperson or member of a sub-committee of the board. (6) An independent non-executive director that has served on the board for more than nine years, shall be deemed to have lost their independence on the ground of length of service on the board and shall be ineligible to serve as a board chairperson or board committee chairperson. (7) A micro finance deposit-taking institution that wishes to appoint or designate a deputy chairperson of the board shall

461 follow the same procedure and requirements for the appointment of the chairperson of the board and define the functions of the deputy chairperson in the board charter. 9. Functions of board chairperson The board chairperson shall exercise the following functions— (a) provide overall leadership and direction to the board and the micro finance deposit-taking institution; (b) convene and chair meetings of the board of directors; (c) ensure that board meetings are properly conducted; (d) ensure that the board functions in a cohesive manner; (e) take a lead role in the assessment, improvement and development of the board; (f) facilitate effective communication between the board, management, shareholders and other stakeholders; and (g) represent the micro finance deposit-taking institution, together with the managing director to customers, the public, the media and staff. 10. Managing director (1) A micro finance deposit-taking institution shall appoint a managing director that shall be responsible for the overall day-to-day management of a micro finance deposit-taking institution as may be assigned to him or her by the board. (2) The managing director shall report to the board of directors. 11. Executive director (1) A micro finance deposit-taking institution shall, in addition to a managing director appoint at least one executive director who understands the strategy, products and risks of the micro finance deposit-taking institution.

462 (2) The executive director appointed under subregulation (1), shall be— (a) responsible for providing effective checks and balances on incidents of improper or imprudent day-to-day management actions; (b) involved in approving of management decisions and transactions committing the micro finance deposit-taking institution; and (c) responsible for providing leadership and direct strategy and policy, in consultation with the managing director. (3) The executive director shall report to the managing director in the execution of his or her day-to-day responsibilities of the micro finance deposit-taking institution. 12. Company secretary (1) A micro finance deposit-taking institution shall appoint a company secretary that shall be responsible for facilitating effective management of board affairs. (2) The company secretary shall be an executive manager of the micro finance deposit-taking institution and shall be vetted by central bank before his or her appointment. (3) The company secretary shall report to the board, through the managing director. (4) The duties of the company secretary shall be defined in the board charter and shall include— (a) draw up the annual calendar for board meetings; (b) circulate to the board members the meeting agenda and board packs at least seven days before the scheduled meeting;

463 (c) organise and send out notifications of board meetings and meetings of shareholders; (d) record and produce minutes of the board, board committees, annual general meeting and extraordinary meeting; (e) advise directors and shareholders on the legal and governance implications of proposed resolutions; (f) extract and file resolutionsfor registration with the relevant registries; (g) communicate board resolutions to the relevant persons; (h) coordinate the review of the board charter and committee terms of reference periodically for alignment with changes in the operating environment; and (i) monitor changes in the shareholding of the micro finance deposit-taking institution and maintain a shareholders’ register. 13. Selection of director (1) A micro finance deposit-taking institution shall establish a nomination committee or a similar body to identify and recommend to the shareholders, candidates to be appointed to the board in line with a selection criteria prescribed by the board with the approval of the shareholders. (2) A person shall not be recommended to be appointed to the board unless, the person is qualified to be appointed to the board, has a clear understanding of his or her role on the board and is not subject to undue influence from management or other parties. (3) The selection criteria referred to in subregulation (1), shall include— (a) knowledge, skills, and experience; (b) integrity and reputation;

464 (c) ability to fully carry out directorship duties; (d) possible conflicts of interest involving management and shareholders, past or present positions held and personal, professional, or economic relationships that may impede a director’s ability to perform their duties objectively and independently; and (e) ability to have frank and open discussion among the Board members. (4) The appointment of the non-executive director shall be formalised through letters of appointment which shall, provide for the duration of the appointment, remuneration terms, duties, and responsibilities of the director. (5) A director shall not simultaneously serve as a board member, member of a governing body or in any executive capacity of any other institution licensed and supervised by the Central Bank. (6) A micro finance deposit-taking institution shall establish an orientation program for new directors as well as refresher programs for the existing directors that shall include a discussion of the responsibilities and legal obligations of a director and the board as a whole, the nature of business of the institution, conditions in the industry, corporate strategy and expectations from directors. 14. Succession plan for directors (1) In the interest of board continuity, micro finance deposit￾taking institution shall have a succession policy to prepare for vacancies on the board. (2) The board charter shall include a policy statement outlining the process the board shall follow to plan for the replacement of directors. (3) The policy statement referred to in sub regulation (2) shall clearly state the authority responsible for directors’ succession planning.

465 (4) A micro finance deposit-taking institution shall require that each director has a personal development plan and have in place a succession roadmap taking into account the board of directors’ skills matrix and tenure of service. (5) The board shall develop a staggered retirement plan to facilitate orderly succession of board members. 15. Functions of board (1) The board shall exercise the following main functions— (a) providing strategic direction; (b) policy formulation; (c) decision making; (d) providing oversight on executive management; and (e) risk management and compliance obligations. (2) Notwithstanding the generality of subregulation (1), the board shall be responsible for— (a) defining the micro finance deposit-taking institution’s strategic goals and approving the micro finance deposit￾taking institution’s long and short-term business strategies including the annual operating plan and capital expenditure budget; (b) reviewing the performance of the micro finance deposit￾taking institution against the approved strategy and holding executive management accountable for the micro finance deposit-taking institution’s performance; (c) approving the overall risk appetite of the micro finance deposit-taking institution and ensuring that management strikes an appropriate balance between promoting long￾term growth and delivering short-term objectives;

466 (d) approving policies which spell out all elements of risk management as well as internal control processes; (e) setting limits of authority that specify the threshold for large transactions which the Board must approve, including approving delegated authorities for expenditure, lending and other risk exposures; (f) appointing and monitoring management and putting in place appropriate structure and procedures to achieve the corporate strategy; (g) ensuring clear demarcation of responsibilities of the board and management in the interest of an effective accountability regime; (h) steering the capital adequacy assessment process, capital and liquidity plans as well as the micro finance deposit-taking institution’s compliance with regulatory requirements and internal controls; (i) ensuring that a robust finance function responsible for accounting and financial data is in place; (j) promoting high standards of “risk culture” and reinforcing responsible corporate behavior across the business lines; (k) limiting risk taking within the boundaries set and in line with the approved risk appetite; (l) promoting appropriate legal and ethical behavior; (m) ensuring that staff are aware of the ramifications and disciplinary actions that may ensue for any conduct that is not in compliance with corporate goals set forth by the Board or management; (n) ensuring that the control functions of the micro finance deposit-taking institution are adequately staffed, and are able to perform their functions independently, effectively and efficiently;

467 (o) seeking expert opinion in fields where the Board may lack the necessary expertise. 16. Duties of director (1) In accordance with section 25 of the Act, a director shall stand in a fiduciary relationship and shall owe the micro finance deposit-taking institution and its shareholders the following duties— (a) a duty to act honestly and in good faith; (b) a duty to act in the best interest and for the benefit of the micro finance deposit-taking institution; (c) a duty to act independently, free from undue influence of any other person; (d) a duty to access necessary information to enable him or her to discharge his or her responsibilities; (e) a duty to understand his or her oversight role and provide a “checks and balances” function vis-à-vis the day-to￾day management of the micro finance deposit-taking institution; (f) to be aware of self-dealing prohibitions and unduly favorable treatment of related parties and always act in the best interest of the micro finance deposit-taking institution; and (g) dedicate sufficient time to meet his or her responsibilities. (2) The board of directors as an organ and each director individually shall immediately report in writing to the Central Bank if they have reason to believe that— (a) the micro finance deposit-taking institution may not be able to properly conduct its business as a going concern; (b) the micro finance deposit-taking institution appears to be or is likely in the near future to be unable to meet all, or any of its obligations;

468 (c) the micro finance deposit-taking institution has suspended or is about to suspend any payment of any kind, through no fault of the counterparty; or (d) the micro finance deposit-taking institution does not or may not be able to meet its regulatory capital requirements. 17. Director’s code of conduct (1) The board shall develop a code of conduct for its members. (2) A person shall not assume duty as director unless he or she has signed the code of conduct as proof of having read, familiarised and is willing to be bound by the code of conduct. (3) The code of conduct referred to in subregulation (1), shall apply to all board members including to a board member who is an employee of the micro finance deposit-taking institution’s subsidiary or the wider group of related companies. (4) The code of conduct referred to in subregulation (1), shall provide for rules relating to— (a) compliance with Laws of Uganda, rules and regulations by directors; (b) fair and honest dealing of directors with shareholders, employees and all stakeholders of the micro finance deposit-taking institution; (c) conflicts of interest; (d) material non-public information and insider information; (e) confidential information; (f) anti-discrimination; and (g) gifts and relationships with customers.

469 18. Board meeting (1) A board meeting shall not be convened without at least seven days’ notice to the board members. (2) The notice referred to in subregulation (1), shall be accompanied by information relating to the agenda of the board meeting. (3) The information referred to in subregulation (2) shall include— (a) changes in business strategy, risk profile or risk appetite; (b) the micro finance deposit-taking institution’s performance and financial condition; (c) breaches of risk limits or compliance rules; (d) internal control failures; (e) quantitative and qualitative performance of the institution or management, prudential norms, customer satisfaction, service quality, market share and market perception; (f) any legal or regulatory concerns; and (g) issues raised as a result of the micro finance deposit-taking institution’s whistleblowing procedures. (4) The board and board committee meetings shall be held at￾least once every after three months. (5) The company secretary shall ensure that minutes of board meetings are clearly recorded, complete and signed. 19. Evaluation of board of directors (1) The board shall perform evaluations of the board, board committees, and the individual directors including the board chairperson at least once a year.

470 (2) The evaluation process shall cover all aspects of the board’s structure, composition, responsibilities, and processes including individual directors’ competencies and respective performance on the board. (3) The board shall perform a review of the effectiveness of its own governance practices, as a part of the evaluation process under sub regulation (1) or as a separate review. (4) An action plan arising from evaluations under this regulation shall be discussed and agreed upon by the board. (5) The board evaluation process shall be a requisite to reappointment of a director. (6) A micro finance deposit-taking institution shall have a continuous professional development plan in place for directors to enable them keep up-to-date of emerging issues pertinent to the business conducted by the micro finance deposit-taking institution. 20. Selection, performance evaluation and succession planning of managing director and executive managers (1) The board shall establish a management team of a micro finance deposit-taking institution that consists of a core group of officers responsible for the micro finance deposit-taking institution. (2) Each member of the executive management team referred to in sub regulation (1) shall have the requisite skills to manage the business under their supervision. (3) The board shall be responsible for the selection of the managing director and members of executive management. (4) Except for appointments through a succession plan, the board shall interview at least three candidates for all executive management positions.

471 (5) An appointment letter for an executive manager shall include a requirement to undergo through the Central Bank vetting and shall explicitly state that the confirmation of the executive manager is subject to prior approval of the Central Bank. (6) The board shall develop the succession plan for all executive management positions. (7) The board shall review the succession plan referred to in sub regulation (6) at least annually, to ensure it is dynamic and reflects ongoing changes arising from the new hires, exits and restructuring of some functions. (8) The performance evaluation of the managing director and his or her appraisal instrument shall be completed by all the non￾executive directors, including the board chairperson and the results thereof consolidated into a report providing an overall rating and appropriate recommendations. (9) The board shall approve the institution’s objectives which are entrusted to the managing director and set out the basis for measuring the managing director’s effectiveness in achieving institutions objectives. (10) The managing director’s performance shall be assessed at least once a year, against both subjective and objective performance criteria as developed by the board and agreed at the beginning of the appraisal period. (11) The report referred to in sub regulation (8) shall be presented to the board by the chairperson of the committee responsible for Compensation and Human Resources for discussion and approval. (12) The managing director’s performance evaluation shall not be deemed complete unless the board has reviewed and approved the committee report.

472 (13) A micro finance deposit-taking institution may elect to evaluate the managing director’s performance by the full board directly. (14) The managing director shall be responsible for reviewing the performance of the executive director against agreed performance measures. (15) The board of directors shall review the evaluation of the executive director, completed by the managing director for final approval. (16) The effectiveness of the managing director and executive director as members of the board shall be evaluated during the annual board evaluation of individual directors. (17) An executive manager shall be evaluated by the managing director or executive director according to their approved reporting lines. (18) The report on the evaluation of executive manager shall be presented to the board for final approval. (19) The performance management cycle for an executive manager shall be deemed to be complete, only after final sign off by the board of directors. 21. Managing conflict of interest (1) The board shall develop a policy on conflict of interest providing for the process to identify and avoid possible conflicts of interest that may be detrimental to the board’s ability to perform its functions. (2) The conflict of interest policy referred to in subregulation (1), shall include—

473 (a) specific situations where conflict of interest can occur; (b) obligations for a director to disclose known interests that may conflict with the interests of the micro finance deposit￾taking institution at the commencement of every financial year and at any time thereafter that such an interest arises; (c) a requirement for a director to declare his or her interest and recuse himself or herself from the board or board committee deliberations and decision making process; (d) procedures covering related party transactions and arm’s length provisions; and (e) procedures for the board to follow where a board member has conflict of interest. (3) The board shall be responsible for making the appropriate public disclosures and transmitting the information on conflict of interest to the relevant regulators. 22. Disclosure and transparency (1) A micro finance deposit-taking institution shall operate with full disclosure and transparency in its operations towards its stakeholders including shareholders, depositors, and market participants. (2) Amicro finance deposit-taking institution shall disseminate information to their stakeholders on a timely basis to assess the effectiveness of the board and executive management regarding the governance of the micro finance deposit-taking institution. (3) The level and depth of disclosures referred to in subregulation (2) shall be commensurate with the size and complexity of the operations, as well as the risk profile of the micro finance deposit-taking institution. (4) The information referred to in sub regulation (2) shall be disclosed on an annual basis and shall include—

474 (a) information covering the micro finance deposit-taking institution’s objectives, organisational and governance structures and policies; (b) a list of specialised committees, their scope of responsibilities and meeting frequencies; (c) the remuneration approach, ownership structure and voting rights; (d) related party transactions; (e) incentive and compensation policy, including the performance measurement criteria and aggregate information on remuneration; and (f) the financial reporting framework applicable to the micro finance deposit-taking institution and explanation of any material differences between applicable analysis periods. (5) A micro finance deposit-taking institution shall disclose its risk profile, specific exposures, and risk mitigation measures in an aggregate fashion and without breaching any confidentiality duty. (6) The board shall satisfy itself that procedures are in place to ensure that the micro finance deposit-taking institution is satisfying its disclosure obligations and that the information being disseminated is true and accurate. (7) The board shall reinforce sound corporate governance principles which shall cover the following— (a) board structure, including size, membership, qualification, and relevant committees; (b) executive management structure, including responsibilities, reporting lines, qualifications, and experience of relevant individuals; (c) basic organisational structure, including line of businesses and legal entity structures;

475 (d) information about the incentive structure of the micro finance deposit-taking institution, including remuneration policies, executive compensation, bonuses, and stock options; (e) nature and extent of transactions with affiliates and related parties; (f) mandate of the Board, its duties and objectives, and composition while specifically providing guidance on “inside” and “independent” Directors; and (g) board’s expectations of management and its performance in meeting them; (h) institutional sustainability, including, social, and environmental considerations. (8) A micro finance deposit-taking institution shall document the feedback received from stakeholders and procedures established to deal with the concerns raised by the stakeholders. 23. Risk management (1) The Board has primary responsibility of understanding the risks ran by a micro finance deposit-taking institution and ensuring that the risks are managed appropriately. (2) Notwithstanding the generality of subregulation (1), the board shall— (a) formulate a clear philosophy for each risk area; (b) design and approve structures that include clear delegation of authority and responsibility at each level of administration; (c) review and approve policies that clearly quantify acceptable risk, and specify the quantity and quality of capital required for the safe operation of the micro finance deposit-taking institution;

476 (d) periodically review controls to ensure that they remain appropriate and make periodic assessment of the long￾term capital maintenance program; (e) obtain explanations where positions exceed limits, including reviews and approvals or authorisation of credit granted to substantial shareholders, directors and other related parties and executive management significant credit exposures, and adequacy of provisions made and institute a process that ensures adequate reporting of limit exceptions, compliance failures and any matters relevant to the overall control framework of the micro finance deposit-taking institution; (f) certify that the internal audit function includes a review of adherence to policies and procedures; (g) formally delegate to management, the authority to formulate and implement strategies; and (h) specify the content and frequency of reports. 24. Risk appetite statement (1) The board shall develop a micro finance deposit-taking institution’s risk appetite statement based on the institutions business environment, competitive environment, regulatory developments and the long term strategy of the institution. (2) The board shall through the executive management monitor the micro finance deposit-taking institution’s operations in accordance with the risk appetite statement developed in subregulation (1). (3) The risk appetite statement developed under subregulation (1), shall— (a) communicate the micro finance deposit-taking institution’s risk appetite effectively throughout the micro finance deposit-taking institution, linking it to daily operational decision-making and establishing the means to raise risk

477 issues and strategic concerns across the micro finance deposit-taking institution; (b) include both quantitative and qualitative considerations in the risk appetite statement; and (c) clearly establish the individual and aggregate levels and types of risk that the micro finance deposit-taking institution is willing to assume prior to engaging its business activities in order to conduct its operations within its risk capacity. 25. Board committees (1) The board shall establish board committees for better utilisation of its resources and attaining more in-depth review of issues or areas relating to the operations of the micro finance deposit-taking institution. (2) The board committees shall include the— (a) audit committee; (b) asset liability management committee; (c) risk management committee; (d) compensation committee; and (e) credit committee. (3) A micro finance deposit-taking institution may constitute additional board committees, depending on the complexity of its operations. (4) A board committee shall be chaired by an independent non-executive director. (5) A board committee shall have approved terms of reference that outline the committee’s functions, mandates and working procedures, including its membership, tenure for its members and a viable rotation schedule.

478 (6) The chairperson of the board committee shall maintain appropriate records, minutes and supporting documentation evidencing reviews and resolutions passed during the execution of functions specified in terms of reference. 26. Audit committee (1) The board of directors shall constitute from among its members a committee on audit comprising of at least three independent non-executive directors. (2) A person shall not be appointed a chairperson of the audit committee of the board unless, the person is qualified and has experience in accounting or audit. (3) The chairperson of the audit committee of the board shall not be appointed a chairperson of any other committee of the board. (4) The audit committee of the board shall meet at least once annually with the internal and external auditors and in the absence of management of the micro finance deposit-taking institution. (5) The functions of the audit committee of the board shall include— (a) recommend for the appointment or removal of the head of internal audit and any other staff of the micro finance deposit-taking institution that performs the audit function; (b) disclose the removal of the head of internal audit to the Central Bank as soon as practicable, but in any case, no later than two weeks after the date of removal, giving reasons for the removal; (c) conduct the performance evaluation of the head of internal audit; (d) take measures to enhance the independence and stature of internal auditors;

479 (e) recommend for the approve the internal audit charter, annual audit plan and budget; (f) receive and review periodic reports from the internal auditor on the results of the internal audit activities or other matters that the internal auditor deems necessary; (g) review the internal controls, operating procedures and systems, and management information systems of the micro finance deposit-taking institution; (h) bring matters surrounding the operational efficiency, independence, and effectiveness of the audit function to the attention of the board of directors on a regular basis; (i) review the financial statements of the micro finance deposit-taking institution and make recommendations on them; (j) provide oversight on the micro finance deposit-taking institution’s internal and external auditors; (k) ensure that management takes appropriate corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations and other problems identified by internal and external auditors; (l) utilize, in a timely and effective manner, the findings of internal and external auditors as an independent check on the information received from management on the operations and performance of the micro finance deposit￾taking institution; (m) require timely correction by management of problems identified by the internal and external auditors; (n) oversee the establishment of accounting policies and practices; and

480 (o) ensure the periodic review of the internal audit function by an independent party to establish the independence of the function in line with International Internal Audit Standards. 27. Asset liability management committee (1) The board of directors shall constitute an asset liability management committee consisting of not less than two non-executive directors. (2) The asset liability management committee shall perform such functions as the board of directors shall specify in relation to establishing guidelines on the micro finance deposit-taking institution’s tolerance for risk and expectations from investment to include— (a) limits on loan to deposit ratio; (b) limits on loan to capital ratio; (c) limits on exposure to single or related customers; (d) flexible limits on the percentage reliance on a particular deposit category; (e) maximum dependence on inter-bank and other volatile funding instruments; (f) limits on maximum and minimum maturities for newly acquired categories of assets and liabilities; (g) limits on maximum and minimum maturities for existing categories of assets and liabilities; (h) limits on the sensitivity of the net interest margin on changes in market interest rates; (i) maximum percentage imbalance between interest rate sensitive assets and liabilities; (j) limits on minimum spread acceptable between costs and yields of liabilities and assets;

481 (k) limits on minimum liquidity provision to be maintained to sustain operations while longer term adjustments are made; (l) quantification of primary sources of funds; (m) monitoring ofthe micro finance deposit-taking institution’s policies, procedures and holding portfolio to ensure that goals for diversification, credit quality, profitability, liquidity, community investment, pledging requirements and regulatory compliance are met; and (n) generally implementing the asset or liability management policy of the micro finance deposit-taking institution. 28. Risk committee (1) A micro finance deposit-taking institution shall have a risk committee of the board to provide oversight of the institution’s overall risk strategy. (2) The risk committee of the board shall have the majority of its membership comprised of independent directors and shall be chaired by an independent non-executive director. (3) The members of the risk committee of the board shall have experience in risk management practices relevant to the complexity of operations conducted by the micro finance deposit-taking institution. (4) The functions of the risk committee of the board shall include— (a) oversee executive management’s implementation of the duly approved risk management framework, limits and procedures relating to all key risks inherent in the micro finance deposit-taking institution’s business activities; (b) ensure the micro finance deposit-taking institution has in place appropriate policies and procedures governing its operations;

482 (c) review the micro finance deposit-taking institution’s risk policies at least annually and submit them to the board for approval; (d) advise the board on the development and implementation of the micro finance deposit-taking institution’s risk appetite and report on the state of key risk events, risk culture and the performance and interaction of the Head of Risk; (e) provide oversight over the micro finance deposit-taking institution’s capital management as well as all risks inherent in the micro finance deposit-taking institution’s operations including: strategic, operational, credit, liquidity, foreign exchange, interest rate, compliance and other emerging risks; (f) interact with the head of risk on an ongoing basis and receive regular reporting and communication with the head of risk about the micro finance deposit-taking institution’s risk profile, risk culture and its overall risk taking activities including limits, breaches and risk mitigation measures. 29. Credit committee (1) The credit committee of the board shall provide oversight on credit operations in line with the micro finance deposit-taking institution’s credit strategy. (2) The functions of the credit committee of the board shall include— (a) recommend for the approval and oversee compliance with the micro finance deposit-taking institution’s lending policy; (b) delegate lending limits to approved sanctioning authorities of the micro finance deposit-taking institution; (c) recommend for approval of credit facilities that are above the sanctioning authority of management;

483 (d) recommend for approval of credit facilities granted to shareholders, directors, executive management and other related parties; (e) recommend for approval of policies and procedures governing the implementation of the International Financial Reporting Standards; (f) ensure the micro finance deposit-taking institution has robust information technology systems, internal control processes and sufficient human resources for successful implementation of the International Financial Reporting Standards; (g) recommend for approval of the governance framework to oversee the implementation of International Financial Reporting Standards, highlighting the role of the board and executive management in the implementation of the standard; (h) recommend for approval of sound methodologies for measuring expected credit losses to enable appropriate and timely recognition of expected credit losses ; (i) review the quality of the loan portfolio; (j) ensure the micro finance deposit-taking institution holds adequate provisions for bad debts in compliance with the Central Bank’s guidelines on risk classification and provisioning; (k) recommend for approval of the write-off of non-performing credit facilities; (l) ensure that the credit policy and risk lending limits are reviewed at least annually. 30. Compensation committee (1) A micro finance deposit-taking institution shall establish a compensation committee responsible for overseeing the remuneration system’s design and operation and in ensuring that remuneration is

484 appropriate and consistent with the micro finance deposit-taking institution’s culture, long-term business strategy and risk appetite. (2) The compensation committee shall be chaired by an independent non-executive director. (3) The managing director and executive director shall not be members of the compensation committee of the board. (4) The functions of the compensation committee of the board shall include— (a) provide oversight on the remuneration of executive management and other key personnel and ensure that compensation is consistent with the micro finance deposit￾taking institution’s culture, objectives, strategy and control environment; (b) ensure that human resource policies and structures are sound, effective and consistent with the micro finance deposit-taking institution’s risk management practices; (c) recommend for approval of the organisational structure of the micro finance deposit-taking institution as well as any changes to the structure; (d) recommend for approval of the compensation of executive management and other key personnel as may be delegated by the board; (e) recommend for approval of salary scales, with a view to ensuring that staff do not overly depend on short-term performance or encourage excessive risk-taking. 31. Regulation of information technology (1) A micro finance deposit-taking institution shall develop an information technology framework which supports effective and efficient management of information technology resources

485 (2) The board may establish a board committee of information technology or assign the oversight of information technology to any other committee of the board. (3) The functions of the board committee referred to in sub regulation (2) shall include— (a) recommend for approval of the micro finance deposit￾taking institution’s information technology strategy and provide direction on information technology activities; (b) ensure that information technology staff are adequately skilled to manage information technology resources; (c) monitor the progress of information technology projects, services and investments as well as the disposal of information technology property; (d) provide oversight over information technology governance controls supporting outsourced information technology services; and (e) measure and understand the company’s overall exposure to information technology risks and ensure proper policies are in place to manage these; (4) A micro finance deposit-taking institution shall employ a head of information technology who shall be responsible for information technology operations. (5) The board shall ensure that the information and intellectual property contained in information systems of a micro finance deposit￾taking institution are protected. (6) The board shall ensure that information technology risk is considered as part of the micro finance deposit-taking institution’s enterprise-wide risk assessment.

486 (7) The board shall assume full oversight of the micro finance deposit-taking institution’s information technology and cyber security infrastructure and shall have access to all key reports on information technology operations including reports on assessments conducted by the group, for micro finance deposit-taking institution that are a part of group structures. 32. Control functions (1) A micro finance deposit-taking institution shall put in place control functions to include— (a) internal audit function; (b) risk management; and (c) compliance function. (2) The control functions referred to in sub regulation (1) shall be headed by different individuals except under exceptional circumstances and upon obtaining prior approval from the central bank. (3) The Central Bank may in granting approval under sub regulation (2) consider— (a) a micro finance deposit-taking institution with limited operations where the scope and depth of operations of the micro finance deposit-taking institution allows such consolidation; (b) resource constraints of a micro finance deposit-taking institution; (c) compatibility of the roles proposed to be merged into one individual; and (d) lack of overlap between control and operational functions; (4) An application for a waiver under this regulation shall indicate which factors under sub regulation (3) apply.

487 33. Internal audit function (1) The internal audit function shall have a direct reporting line to the board through the audit committee of the board. (2) The audit function shall be independent of the operational aspects of the micro finance deposit-taking institution. (3) A micro finance deposit-taking institution shall appoint an internal auditor in accordance with sections 28 of the Act to perform the functions stipulated in the Act. (4) An internal auditor appointed under subregulation (3), shall have adequate seniority to be able to carry out the internal audit mandate with sufficient standing and skills. (5) Subject to section 28 (2) of the Act, the head of internal audit shall have the following powers— (a) have full and unfettered access to any records of the micro finance deposit-taking institution; (b) conduct his or her functions in line with the national and international audit standards; (c) follow up on internal audit issues identified on a timely manner; and (d) perform an audit of the micro finance deposit-taking institution’s risk management framework commensurate with the level and depth of operations conducted by the micro finance deposit-taking institution at least annually. (6) A micro finance deposit-taking institution shall provide resources and adequate staff with adequate skills and knowledge to effectively audit the business lines and functions of the institution. (7) The head internal audit shall while exercising the audit function report to the audit committee of the board.

488 (8) The performance of the head of internal audit shall be evaluated at least annually by the audit committee of the board. (9) The audit committee of the board may use its discretion to seek the views of the managing director with regard to the performance of the administrative tasks assigned to the internal auditor. 34. External auditor A micro finance deposit-taking institution shall appoint an external auditor in accordance with sections 30 and 34 of the Act, to perform the functions stipulated in the Act for a continuous period of not more than four years. 35. Management risk committee (1) A micro finance deposit-taking institution shall constitute a management risk committee composed of heads of business units and chaired by the managing director or executive director. (2) The man function of the management risk committee is to formulate risk strategies and develop sound risk management policies and procedural guidelines with the approval of the board. (3) The committee shall review the identified institution-wide risks, measure and monitor the risk exposures and determine whether the risk decisions are in accordance with approved risk strategies, policies as well as risk tolerance and appetite levels. (4) The management risk committee shall have clear and well￾defined terms of reference and meet on a regular basis to effectively execute its mandate. 36. Head of risk (1) A micro finance deposit-taking institution shall employ a person to serve as head of risk with sufficient authority, stature, independence and resources.

489 (2) The head of risk shall be an executive manager and a member of the management risk committee. (3) The appointment and dismissal of the head of risk, including any changes to the head of risk position shall be approved by the board or by the risk management committee as the board may determine. (4) The head of risk shall report to the managing director and submit reports to the risk committee. (5) The head of risk shall not be assigned any other role relating to management or financial responsibility in respect of any operational business of micro finance deposit-taking institution or revenue generating functions. (6) The role of the head of risk shall be distinct from other executive functions and business line responsibilities. (7) The head of risk shall have unfettered access to the risk committee of the board for purposes of enhancing the independence of his or her role. (8) The head of risk and the risk committee of the board shall meet regularly and the record of the meeting shall be documented and submitted to the board. (9) The head of risk shall be responsible for the risk management function and the micro finance deposit-taking institution’s comprehensive risk management program across the entire organisation. (10) The head of risk shall coordinate the activities of the management risk committee, consolidate risk reports from heads of business units and report to the management risk committee. (11) The head of risk shall have access to all business lines to enable him or her gain in-depth understanding of the underlying risks in the micro finance deposit-taking institution.

490 37. Risk identification, monitoring and control (1) A micro finance deposit-taking institution shall develop an adequate risk management framework to enable the timely identification and management of inherent risks in its operations. (2) A micro finance deposit-taking institution shall have accurate data in order to adequately identify and mitigate risks and allow sound decisions to control its primary risks. (3) The risk management function shall have adequate systems in place to consolidate and assess relevant data, able to model and apply stress testing based on relevant scenarios. (4) The findings of the risk assessments conducted by the risk management function shall be disseminated to management and the board at the next management or board meeting following conclusion of the risk assessment. (5) The risk management function shall be involved in the assessment of new products or services that the micro finance deposit￾taking institution is planning to engage in and provide relevant risk assessment and impact analysis to management and the Board. (6) The risk management process shall include risk mitigation and techniques and approaches to mitigate inherent or emerging risks in the micro finance deposit-taking institution commensurate with the risk appetite statement of the bank. (7) The risk management function should be actively involved in the identification and mitigation of risks arising from mergers and acquisitions. 38. Compliance function (1) A micro finance deposit-taking institution shall have an independent compliance function mandated to assess, monitor and report on the compliance of the micro finance deposit-taking institution with existing rules and regulations, including these Regulations.

491 (2) The compliance function shall report to the managing director and submit reports to the risk committee of the board and shall have sufficient authority, independence, resources, and access to the board. (3) The compliance function shall provide advice to the board and management regarding the micro finance deposit-taking institution’s compliance with applicable laws, guidelines and standards while providing operational support to comply with the same. (4) The micro finance deposit-taking institution’s executive management shall develop the compliance policy with the approval of the board. (5) The board is responsible for the oversight of the compliance function, which includes approval of its policies and procedures governing the identification, assessment, continuous monitoring and reporting of the compliance risks inherent in its operations. 39. Money laundering control officer (1) A micro finance deposit-taking institution shall employ a person to serve as a money laundering control officer whose position shall be at level of executive management. (2) The money laundering control officer shall have a direct reporting line to executive management or the board of the micro finance deposit-taking institution. (3) The money laundering control officer shall be the contact point for internal and external authorities, including the Central Bank or the Financial Intelligence Authority, concerning anti-money laundering issues. (4) The money laundering control officer role may be held by an independent executive manager or by the head of compliance.

492 Part III—Remedial Measures and Administrative Sanctions 40. Remedial measures (1) Where the Central Bank determines, through an inspection, that a micro finance deposit-taking institution is not in compliance with these Regulations, it may impose any or all of the corrective actions under section 58 of the Act. (2) The Central Bank may, by order in writing, remove from office a chairperson, director, the managing director, executive manager of a micro finance deposit-taking institution if it deems it necessary, in the public or the institution’s interests, to do so. 41. Administrative sanctions In addition to the remedial measures under regulation 39, the Central Bank may impose any or all of the following administrative sanctions with regard to a micro finance deposit-taking institution that is not in compliance with these Regulations or whose compliance with these Regulations— (a) prohibition from declaring or paying dividends; (b) suspension of the establishment of new branches or expansion into new banking or financial activities; (c) suspension of access to credit facilities of the Central Bank; (d) suspension of the opening of letters of credit; (e) suspension of the acceptance of new deposits; and (f) suspension of the acquisition of fixed assets. MICHAEL ATINGI-EGO, Deputy Governor, Bank of Uganda.