Regulation No. 011/2015 IBCC/DSBR on Internal Control, Management, and Risk Management Systems for Credit Institutions

REGULATION No. 011/2015 IBCC/DSBR RELATING TO THE INTERNAL CONTROL, MANAGEMENT, AND RISK MANAGEMENT SYSTEMS OF CREDIT INSTITUTIONS

Having regard to Law 80/08 of June 26, 1980, relating to currency and the role of the Central Bank of the Comoros in the supervision of banks, financial institutions, and credit and exchange;

Having regard to the Banking Law No. 13-003/AU of June 12, 2013, regulating the activity of financial institutions, particularly Articles 26, 36, and 103;

Having regard to the Banking Law No. 12-008/AU of June 28, 2012, combating money laundering and the financing of terrorism;

Having regard to Law 12-011/AU of June 28, 2012, regulating and organizing credit leasing;

THE GOVERNOR OF THE CENTRAL BANK OF THE COMOROS,

Fixes the rules organizing the internal control, management, and risk management systems of credit institutions in application of Article 36 of Law 13-003/AU.

Place de France. BP 405 MORONI TEL: (269) 773 18 14 - (269) 773 10 02 - FAX: (269) 773 03 49 E-mail: secretariat@banque-comores.km Site: www.banque-comores.km

TITLE I: Definitions and General Provisions

Chapter I: Definitions.

Article 1: For the application of this Regulation, the following terms are understood as: a) Deliberative Body: Board of Directors or equivalent body, the body that ensures the strategic orientation of the institution and the effective supervision of the management of activities on behalf of shareholders. b) Executive Body: Body composed of responsible executives in charge of general management, the operational conduct of the institution, the effective steering of the process for achieving strategic objectives set by the deliberative body, and the management and control of risks. c) Audit Committee: A committee that may be created by the deliberative body to assist it in the exercise of its missions, particularly the evaluation of the quality of internal control and the assessment of the coherence of systems for identifying, measuring, monitoring, and controlling risks. This committee must include among its members experienced independent professionals in audit. d) Outsourced Essential Activities: Activities for which a credit institution entrusts to a third party, on a durable and habitual basis, the provision of services or important operational tasks related to banking operations. e) Audit Trail: A permanent and integrated process ensuring the clear and exhaustive description of the flow of accounting operations, their documentation, and their control, allowing:

• to reconstruct operations in chronological order;
• to justify any information with an original document from which it must be possible to trace back through an uninterrupted path to the summary document and vice versa;
• to explain the evolution of balances from one closing to another by retaining the movements affecting accounting items. f) Compliance Risk: The risk of exposure of a credit institution to reputational risk, financial losses, or sanctions due to non-compliance with legal and regulatory provisions, standards and practices applicable to its activities, or codes of conduct. g) Credit Risk: The risk of actual or potential loss borne by a credit institution resulting from the default of a counterparty that is no longer able to honor its commitments to the institution. h) Counterparty: Any legal or natural person benefiting from a credit or commitment, notably by signature, issuing a debt instrument, or party to a financial derivative instrument. i) Credit Concentration Risk: The risk inherent in an excessively concentrated exposure to a segment of activity or clientele likely to generate significant losses that could threaten the financial solidity of a credit institution. j) Liquidity Risk: The risk for the institution of being unable to meet its commitments at their maturity. k) Operational Risks: The risk of loss resulting from deficiencies or failures attributable to internal procedures, personnel, and systems or to external events. This definition includes legal risk but excludes strategic and reputational risks. l) Market Risks: The risk of loss related to market price variations. It includes:
• the risk of loss on positions in financial instruments on and off the balance sheet due to unfavorable developments in market prices;
• exchange risk resulting from adverse developments in the prices of foreign currencies converted into domestic currency due to an open position, or spot or forward, in a foreign currency. m) Business Continuity Plan: The formalized action plan describing, in the event of major operational disruption, including an external shock, the practical modalities, procedures, and systems necessary to continue or restore, within a predetermined time, the essential activities and functions of the institution to limit the consequences of this disruption for the institution itself and the financial system as a whole.

Chapter II: General Provisions

Article 2 The internal control system comprises:

• An accounting organization and information processing system;
• Internal procedures and an operational control device;
• Systems for monitoring, controlling, and measuring accounting, credit, liquidity, and operational risks, as well as a business continuity device;
• The anti-money laundering and counter-terrorism financing device, as defined by law and Regulations on anti-money laundering.

Article 3 Each credit institution with a balance sheet size equal to or greater than one billion Comorian francs must officially designate the Head of Internal Control, who may also be responsible for compliance and risk monitoring. The Head of Internal Control is hierarchically attached to the Executive Body and functionally attached to the Deliberative Body and the Audit Committee.

Article 4 Credit institutions must put in place an adequate internal control device by adapting all devices provided for by this Regulation to the nature and volume of their activities, their size, and the various types of risks to which they are exposed. The internal control device relies on the one hand on permanent first and second-level control, and on the other hand on periodic third-level control. a) Permanent first-level control is carried out by operational teams themselves within the framework of their usual activities under the authority of the concerned hierarchical managers. b) Permanent second-level control is carried out by a dedicated internal control team that does not exercise operational functions, having skills in accounting, operational audit, and risk assessment, to ensure that first-level controls are effective. c) Third-level control is exercised by the internal auditor in large credit institutions or in umbrella structures for decentralized financial institutions operating in networks. The latter intervene to carry out document and on-site checks within the framework of spot audits to: (i) verify the compliance of operations and respect for procedures; (ii) ensure good management of incurred risks; (iii) evaluate the effectiveness and efficiency of operational processes; and (iv) assess the quality of permanent first and second-level controls. This control may be carried out by external auditors with competence in this field, or by the parent company in the context of subsidiaries. The Central Bank may authorize, depending on the size and nature of activities, that the responsibilities of second-level control and periodic control be entrusted to the same person.

Article 5 For decentralized financial institutions belonging to a network, the central body or umbrella structure is responsible for organizing the internal control system in coordination with the affiliated base caisses. Decentralized financial institutions whose balance sheet size exceeds 10% of the total balance sheet of the network must put in place their own first and second-level internal control device. Third-level control is carried out by the internal auditors of the umbrella structure.

Article 6 Every credit institution must establish an internal audit and control charter defining the roles of internal controllers and internal auditors.

Article 7 Credit institutions that control entities with a financial character must ensure that these entities apply the provisions of this Regulation. These provisions apply, for subsidiaries and branches abroad, without prejudice to the legal and regulatory provisions applicable in the host country. If a foreign provision that the credit institution is required to respect is incompatible with the provisions of this Regulation, the Central Bank must be informed to determine the course of action.

TITLE II GOVERNANCE OF THE INTERNAL CONTROL SYSTEM

Chapter I: The Operational Control Device

Article 8 The operational control device and internal procedures must allow credit institutions to ensure in particular:

• The compliance of operations carried out and internal procedures with current legislative, regulatory, and prudential provisions as well as professional and ethical usages;
• Respect for decision-making and risk-taking procedures as well as management standards set by deliberative and executive bodies;
• The quality of accounting and financial information disseminated internally and externally;
• The quality of the information processing and reporting computer system for accounting and financial information.

Article 9 Credit institutions must ensure the execution within a reasonable time of corrective measures recommended notably by executives, the control manager, internal audit, the umbrella structure of a DFI network, the statutory auditor, or the Central Bank.

Article 10 Each service or operational unit must be equipped with a procedure manual in which the modalities for carrying out the operations it is charged to perform are recorded. These procedures must be formalized, updated, and disseminated in each concerned service. Personnel must be trained in the proper implementation of these procedures.

Article 11 Levels of authority and responsibility, as well as the areas of intervention of different operational units, must be clearly specified and delimited in procedures. A separation must be established between units charged, each regarding its own area, with the initiation, validation, execution, and control of operations. This organization must be adapted to the size and activities of each credit institution. Procedures must also provide for formalized delegations of power within the organization.

Article 12 Areas and situations presenting a risk of conflict of interest must be identified and reported by the internal controller to the executive manager with a copy to the deliberative body and the audit committee. They must be subject to continuous monitoring and regular evaluation for the purpose of prevention and, if necessary, resolution. Confirmed cases of conflict of interest involving a member of the executive body must be reported by the internal controller directly to the deliberative body and the audit committee. Confirmed cases of conflict of interest must be mentioned in the annual internal control report.

Article 13 The Head of Internal Control of credit institutions is also responsible for monitoring compliance risk, particularly regarding ethics and the fight against money laundering and the financing of terrorism. The Executive Body develops a compliance policy, approved by the Deliberative Body. Each credit institution develops a program for regular staff training on respect for and monitoring of ethical rules, including rules relating to the fight against money laundering and the financing of terrorism.

Chapter II: Internal Audit

Article 14 Credit institutions, depending on the nature, volume of their activities, and risks to which they are exposed, may put in place an audit committee attached directly to the Board of Directors. Its organization and mode of operation must be defined in the internal audit charter.

Article 15 The internal audit charter drawn up by credit institutions must define in particular:

• The principle of independence of internal audit;
• The powers, responsibilities, and objectives of the internal audit function;
• The conditions for carrying out its work;
• The modalities for communicating the results of its control missions. The audit charter must be validated by the deliberative body and communicated to the Central Bank for observation and opinion if necessary.

Article 16 Credit institutions with a balance sheet size equal to or greater than one billion Comorian francs must designate a Head of Internal Audit who must be attached directly to the deliberative body and the audit committee. The Head of Internal Audit reports on the exercise of his mission to the deliberative body and the audit committee, if it exists, to alert them to any difficulties encountered in the exercise of his mission not resolved by the executive body. He also reports to the executive body, at its request or on his own initiative. For each audit mission, internal audit records identified shortcomings in a written report and formulates recommendations to strengthen internal control and risk management devices.

Article 17 Credit institutions must:

• Make available to their audit and internal control service the necessary means for the accomplishment of their missions;
• Ensure that the auditor and internal controller have unrestricted access to any useful information for the needs of his mission, notably to files, the computer system, personal data, and archives of the credit institution, of any related entity, and its outsourced providers;
• Ensure that the scope of intervention of internal audit covers all activities of the credit institution, including outsourced ones.

Article 18 The internal auditor is responsible for periodically evaluating the effectiveness of risk management, the quality of the organization, the adequacy of procedures, as well as the proper functioning of different control levels. He evaluates notably the risk management, measurement, and monitoring device, including operational risks and in particular the business continuity plan.

Article 19 The internal auditor in charge of periodic third-level controls, as defined in Article 1, paragraph c, of this Regulation, must:

• Rely on a risk map approved by the executive body allowing identifying each significant risk incurred by the institution to determine audit priorities;
• Prepare a triennial audit plan covering all sensitive and priority activities. This plan must be validated by the executive body, and if applicable, the audit committee. It must be attached to the annual internal control report, communicated to the deliberative body, and transmitted to the Central Bank for information.

Chapter III Role of Governing Bodies

Article 20 The responsibility to ensure that the subject institution complies with its obligations under this Regulation lies with the Executive Body and the Deliberative Body. The Executive Body and the Deliberative Body have relevant information on the evolution of risks incurred by the subject institution. They are required to periodically evaluate and control the effectiveness of policies, devices, and procedures put in place to comply with this Regulation and take appropriate measures to remedy any failures.

Article 21 Credit institutions must draw up summary statements adapted for the monitoring of their operations, notably for the information of the Executive Body, the Deliberative Body, and, if applicable, the Audit Committee. These statements must include quantitative and qualitative information, notably allowing explaining the scope of measures used to assess the level of incurred risks and set limits.

Article 22 At least twice a year, the Deliberative Body examines the activity and results of internal control based on information transmitted to it by the Executive Body and the Heads of Control and Internal Audit.

Chapter IV: Reporting

Article 23 The Executive Body of credit institutions establishes annually an internal control report according to the format attached to this Regulation and within 90 days following the end of the fiscal year. This report is sent to the Deliberative Body and, if applicable, the Audit Committee. A copy of this report is sent to the Central Bank one month after approval by the Deliberative Body. For DFI networks, reports established by the internal controller of each affiliated caisse are submitted to the umbrella structure in the forms and deadlines fixed in the paragraph above. It is up to the umbrella structure to establish a consolidated internal control report relating to the entire network transmitted to the Central Bank under the aforementioned conditions.

Article 24 The annual internal control report includes in particular, for the different categories of risks mentioned in this Regulation: a) A description of the main actions carried out within the framework of control and the lessons learned; b) An inventory of periodic controls carried out by internal audit highlighting the main lessons and, in particular, the main shortcomings identified as well as a follow-up of corrective measures taken; c) A description of significant modifications made in the areas of permanent and periodic control, particularly to take into account the evolution of activity and risks; d) A description of the conditions of application of procedures put in place for new activities and new products; g) An appendix listing commitments and operations concluded with executives, administrators, and shareholders. h) An up-to-date description of the classification of money laundering and terrorism financing risks, as well as a presentation of the analyses on which this classification is based. i) A description of measures taken to ensure business continuity and the assessment of the effectiveness of devices in place; j) A description of measures taken to ensure the control of outsourced activities and the eventual risks resulting therefrom for the credit institution.

TITLE III ORGANIZATION OF ACCOUNTING AND RISK MANAGEMENT

Chapter I: Organization of the Accounting Function and Control of Accounting Risk

Article 25 Credit institutions must put in place an organization, a recording and control device, and an information processing system that are adapted to their size, the nature, and complexity of their activities, allowing: a) To ensure the reliability and completeness of accounting and financial information, whether intended for the Executive Body, the Audit Committee, the Deliberative Body, or the statutory auditors; b) To ensure the accuracy, compliance, and availability of accounting and financial information declared to the Central Bank or appearing in publishable statements in application of the provisions of Chapter 1 and 2 of Title III of Banking Law No. 13-003/AU; c) To verify the conditions of evaluation, recording, conservation, and availability of accounting and financial information.

Article 26 The accounting organization of credit institutions must guarantee the existence of a structured and formalized audit trail. All operations carried out by the credit institution must include a supporting document allowing to ensure the regularity, reliability, and security of these operations as well as the respect of other diligence linked to the monitoring of associated risks.

Article 27 The accounting organization of credit institutions must ensure the separation of tasks which must be carried out under distinct responsibilities. Within the accounting department:

• The recording of accounting entries must be dissociated from their validation;
• The preparation of accounting procedures must be dissociated from their approval;
• The accounting control function must be independent of accounting management and

Article 28 Manuals of accounting procedures adapted to the different activities exercised by credit institutions must be drawn up and kept up to date. These documents must notably describe the modalities of recording, processing, and

[End of Document]