2016-01-01

Financial Institutions (Lending Limits) Regulations, 2016

Issued by the Governor of the Central Bank of Lesotho, these regulations establish comprehensive lending limits for licensed banks to mitigate concentrated risk and ensure financial stability. Banks must cap direct or indirect exposures at twenty-five percent for single borrowers and related parties, ten percent for individual related parties, and one percent for unsecured director loans, while maintaining a total large exposure ceiling of eight hundred percent of core capital. The regulations mandate quarterly reporting of top exposures and related-party transactions, require sound credit risk management systems, and empower the Commissioner to enforce remedial sanctions for non-compliance.


Lesotho

Central Bank of Lesotho


LESOTHO Government Gazette

Vol. 61, Friday – 6th May, 2016, No. 25

CONTENTS

LEGAL NOTICES

37 Financial Institutions (Lending Limits) Regulations, 2016

38 Financial Institutions (Consolidated Supervision) Regulations, 2016

39 Financial Institutions (Banks) (Risk Management) Regulations, 2016

OTHER NOTICES (See Supplement of the Gazette)

Published by the Authority of His Majesty the King

Price: M49.00

LEGAL NOTICE NO. 37 OF 2016

Financial Institutions (Lending Limits) Regulations, 2016

Pursuant to sections 28 and 71 of the Financial Institutions Act, 2012¹, I,

DR. RETŠELISITSOE MATLANYANE

Governor of the Central Bank, being the Commissioner of Financial Institutions make the following regulations -

Citation and commencement

  1. These regulations may be cited as the Financial Institutions (Lending limits) Regulations, 2016 and shall come into operation on the date of publication in the Gazette.

Interpretation

  2. In these regulations, unless the context otherwise requires -

(a) words used have the same meanings assigned to them under the Act;

(b) “the Act” means the Financial Institutions Act, 2012.

Objectives

  3. The objectives of these regulations are to -

(a) encourage risk diversification and limit excessive concentration of risk exposure of a bank to a single borrower or a group of borrowers, industry, economic sector, or activity, thereby enhancing financial stability;

(b) promote good relations in dealings between a bank and its related parties;

(c) ensure that a bank adopt sound credit granting standards and practices that promote public confidence in the banking system.

Application

  4. These regulations shall apply to a bank issued a licence under the Act.

Risk management

  5. A bank shall adopt sound and prudent credit risk management systems consistent with risk management principles or guidelines specified for financial institutions by the Commissioner.

Determination of exposure

  6. (1) A bank shall determine its overall exposure using the following -

(a) “use-test” where the proceeds are used for the benefit of a single borrower shall be used.

(b) “source-test” where the expected source of repayment is the same.

(c) “control-test” where the persons are related through common control, including where one person is controlled directly or indirectly by another person or where the persons are so financially interconnected that financial difficulties in payment by anyone of them would be likely to result in payment difficulties for the other.

(2) The tests in subregulation (1) shall be determined by the facts and circumstances of each particular situation or transaction to assess whether the total indebtedness should be calculated on a single borrower basis or for a group of connected borrowers.

Lending limits

  7. (1) A bank shall have an adequate management information system that shall enable it at all times to identify large exposures within the credit portfolio and to ensure compliance at a consolidated level (head or main office and branches) with the following lending limits under section 28 of the Act -

(a) 25 percent of unimpaired capital, unimpaired balance in the statutory reserve account, and audited retained earnings for total direct or indirect advances, credit facilities or financial guarantees to any person or single borrower, subject to certain exclusions enumerated in the Act;

(b) 25 percent of unimpaired capital, unimpaired balance in the statutory reserve account, and audited retained earnings for total direct or indirect advances, credit facilities or financial guarantees to a group of related parties, subject to subregulation (g) and other exclusions enumerated in the Act;

(c) a bank shall not directly or indirectly, have exposures of an amount in excess of 10 percent of the aggregate of unimpaired capital, unimpaired balance in the statutory reserve account, and audited retained earnings with any of its related parties;

(d) notwithstanding subregulation (b), a bank shall not have an exposure in excess of one percent of the aggregate of unimpaired capital, unimpaired balance in the reserve account, and audited retained earnings for aggregate direct or indirect unsecured advances or credit facilities to anyone of its directors or officers within the meaning of section 2 of the Act or to their related parties;

(e) the total amount of the bank’s exposure with related parties shall not exceed one hundred percent of the aggregate of unimpaired capital, unimpaired balance in the statutory reserve account, and audited retained earnings;

(f) the equivalent of one year's emoluments for aggregate direct or indirect unsecured advances or credit facilities for an employee excluding the chief executive officer; and

(g) outright prohibition for granting direct or indirect advances, credit facilities or financial guarantees of its shareholders holding at least 10 percent share in the bank.

(2) Any excess of the limitations applicable to single large exposures under subsection 28 (1) of the Act, shall be deducted from the core capital therein defined.

(3) A bank’s total amount of large exposures shall not exceed 800 percent of its core capital as defined in section 28(1) of the Act, and any excess of this limitation shall be deducted from such core capital.

(4) A bank shall not grant any credit facility to politically exposed persons, employees and officers of regulatory bodies on preferential terms which may jeopardise the interests of depositors or creditors or potential depositors or creditors of the bank including the interest of other banks.

Credit concentration

  8. (1) Loans and advances with a settlement period of not more than thirty days to a bank licensed to do business in Lesotho and fully covered by deposits, shall be exempt from the twenty five percent single borrower's limit specified in regulation 7(1)(a).

(2) Where two or more banks collectively make a loan or advance to a single borrower, only the amount actually loaned by each bank and representing its pro rata share of the syndicated loan shall count against the loan limits specified in regulation 7(1) (a).

(3) If an advance, credit facility or financial guarantee complies with the lending limits in regulation 7 when it is made but later fails to comply because the bank's capital and reserve account declines or the collateral securing the loan or guarantee fails to qualify as an exception, such account shall be treated as non-conforming and in such a case the bank shall bring this matter to the attention of the Commissioner and shall agree with the Commissioner on a plan to regularise such loan.

(4) A bank shall comply with limitations of its exposure to specific economic sectors as shall from time to time be prescribed by the Commissioner.

Related party transactions

  9. (1) For the purposes of this regulation, related party transactions shall include but not be limited to the following -

(a) credit, financial leasing, letter of credit, guarantees on behalf of related party, acquiring a loan made by third party to a related party;

(b) placements made by the bank with the related party;

(c) conditional sales agreements;

(d) consulting or professional service contracts with affiliates and insiders;

(e) investment in equity of related parties;

(f) deposits placed with the bank by related parties; and

(g) acquisition, sale or lease of assets with related parties.

(2) Loans, advances or other credit facilities granted to directors, officers or to other related persons shall not be on terms and conditions more favourable than the general terms and conditions applicable to other borrowers.

(3) Fringe benefits plans or internal policies shall be disclosed to the Commissioner upon request.

(4) An officer of a bank who becomes indebted to another financial institution on an unsecured basis in an aggregate amount greater than one percent of the unimpaired capital, unimpaired balance in the statutory reserve account and audited retained earnings of the bank in which that person is an officer, shall, within thirty days from exceeding the one percent level, make a written report to the board of directors of the bank in which that person is an officer.

(5) The report referred to in sub-regulation (4) shall state the lender's name, date and amount of each loan, use of the proceeds and source of repayment.

(6) A bank shall not -

(a) grant a loan or credit facility to its officers, including an executive director, while another loan to that person is non-performing;

(b) purchase a non-performing asset from its affiliates and insiders; and

(c) enter into a related party transaction which involves purchasing of low quality assets.

(7) For the purpose of this regulation, low quality asset means an asset -

(a) whose issuer is rated below the investment grade or circumstances dictate eminent loss of market value; or

(b) that would be internally classified as special mention or worse in accordance with Financial Institutions (Asset Classification) Regulations 2016 or directives issued by the Commissioner.

(8) For purposes of subregulation 6 (c), a bank shall evaluate all assets acquired from related parties for their creditworthiness.

Reporting requirements

  10. (1) To enable the Commissioner to monitor compliance with the prudential lending limits set out in regulation 7, a bank shall, in accordance with the Schedule, submit, within 30 days from the end of each calendar quarter, a report on -

(a) exposures to top 20 borrowers;

(b) loans to directors, officers, shareholders, and related persons;

(c) credit concentration and large exposures;

(d) all non-conforming accounts as determined in regulation 8(3), within 30 days from the date it became non-conforming and shall use all reasonable efforts to promptly bring the account into compliance with the lending limits; and

(e) top 10 holding of shares, investment or placements.

(2) All audited annual financial statements shall disclose the names of, and the amount, range of interest rates and performance status of any lending to affiliates and insiders.

Remedial measures

  11. Where a bank fails to comply with these regulations, the Commissioner may impose all or any other sanctions under these regulations.

Supervisory action

  12. (1) Without prejudice to the other penalties and actions prescribed by law and unless otherwise prescribed in these regulations, the Commissioner may impose on a bank, any of the following sanctions for non-compliance -

(a) prohibition from declaring or paying dividends;

(b) suspend lending, investment or other credit operations;

(c) prohibit payment of bonuses, salary incentives, management fees or other discretionary compensation to directors or officers;

(d) suspension from establishment of new branches and expansion into new banking and financial activities;

(e) requirement of infusion of additional capital;

(f) suspension of acquisition of fixed assets;

(g) suspension of acceptance of new deposits;

(h) a repayment by the offending insider lending of any amount which exceeds the prescribed lending limits; and

(i) require additional collateral against the excess amount.

Penalties

  13. Where the Commissioner determines that a bank is not in compliance with the limits set out in these regulations, it may invoke any of the penalties specified in the First Schedule of the Act.

Transitional provisions

  14. (1) All banks which, prior to the commencement of the Act, had entered into any transactions incompatible with the limits stated in these regulations are required to submit to the Commissioner, within three months from the commencement of these regulations, a plan indicating how such transactions may be liquidated or brought into compliance as soon as possible.

(2) A plan of compliance shall be subject to approval by the Commissioner.

DATED:

DR. RETŠELISITSOE MATLANYANE

GOVERNOR OF THE CENTRAL BANK OF LESOTHO

NOTE

  1. Act No. 21 of 2012

SCHEDULE

(regulation 10)

REPORT ON EXPOSURES TO DIRECTORS, OFFICERS, SHAREHOLDERS AND OTHER RELATED PERSONS

Header fields: institution id; financial year; start date; end date; total collateral amount; total amount outstanding.

Columns: name of borrower; category (director, officer, shareholder or other related person); account number; amount outstanding; % of capital, reserves & audited retained earnings; collateral (amount, description); performing / npl; classification.

Totals: total; total npls to total capital (%); total outstanding to total capital (%).

Report on exposures to top 20 borrowers

Header fields: institution id; financial year; start date; end date.

Columns: name of borrower; outstanding amount (on-balance sheet, off-balance sheet); total; % of capital, reserves & audited retained earnings; sector; % of total deposits; % of total loan portfolio; classification; collateral (amount, description).

Totals: total; total to capital.

LEGAL NOTICE NO. 38 OF 2016

Financial Institutions (Consolidated Supervision) Regulations, 2016

Pursuant to sections 71(1) and 71(4) (c), (d), and (e) of the Financial Institutions Act 2012¹, I,

DR. RETŠELISITSOE MATLANYANE

Governor of the Central Bank, being the Commissioner of Financial Institutions make the following Regulations -

Citation and commencement

  1. These regulations may be cited as the Financial Institutions (Consolidated Supervision) Regulations, 2016 and shall come into operation on the date of publication in the Gazette.

Interpretation

  2. (1) In these regulations unless, the context otherwise requires -

“affiliate” means a financial institution that is related to another financial institution through common ownership by a parent institution;

“financial conglomerate” means a company or other legal form in Lesotho operating in more than one financial service through more than one entity;

“parent bank” means a bank that owns or controls 25 percent or more of another financial institution directly or indirectly;

“parent company” means a company whether a financial institution or otherwise, that owns or controls a bank or other financial institution regulated under the Act;

“parent institution” means either a parent bank or a parent company;

“related” means associated by common ownership;

“subsidiary” means a financial institution that is owned or controlled by a parent company or parent bank.

“the Act” means the Financial Institutions Act, 2012.

(2) All other words used have the same meaning to them under the Act.

Objectives

  3. The objectives of these regulations are to -

(a) specify the situations in which a licensed institution, including those forming part of groups or financial conglomerates shall be subject to supervision on a consolidated basis;

(b) stipulate how the requirements established for individual institutions by or pursuant to the principal law apply to such institutions on a consolidated basis;

(c) prescribe rules regarding transactions between licensed institutions and their affiliates.

Application

  4. These regulations shall apply to a bank issued a license under the Act.

Supervision on a consolidated basis

  5. (1) The Commissioner shall supervise banks on a consolidated basis where -

(a) a bank located in Lesotho is a parent bank;

(b) a bank located in Lesotho is a subsidiary of a parent company located in Lesotho;

(c) a bank located outside of Lesotho is a subsidiary or affiliate of a parent company located in Lesotho; and

(d) in other circumstances, the Commissioner has assumed responsibility for such consolidated supervision based on an agreement with the supervisory authority in another jurisdiction.

(2) In conducting consolidated supervision, the Commissioner shall -

(a) ensure that the parent institution has adequate procedures for monitoring its activities in Lesotho and worldwide;

(b) obtain information on the condition of the parent institution and its subsidiaries, affiliates and other offices in Lesotho and worldwide through regulatory returns, reports of examination, audit reports and other sources of information;

(c) obtain information on the dealings and relationship between the parent institution and its subsidiaries, affiliates and other offices both foreign and domestic;

(d) receive from the parent institution financial reports that are consolidated on a worldwide basis or comparable information that permits analysis of the parent institution’s financial condition on a consolidated basis;

(e) receive on an unconsolidated basis financial reports on significant subsidiaries to permit analysis of such institutions and for specifically identified affiliates; and

(f) evaluate prudential standards such as capital adequacy and risk asset exposures on a consolidated basis.

(3) The Commissioner shall in the following circumstances and where it considers appropriate, exempt entities from consolidated supervision -

(a) where the entity by virtue of its nature or activities may not be of significance with respect to the objectives of supervision of institutions;

(b) where inclusion in consolidation would give rise to inappropriate or misleading results with regards to the objectives of supervision on a consolidated basis unless the parent institution shall demonstrate to the Commissioner that such is the case by submitting documentation specifying the reasons and the entities to be exempted; and

(c) in the case of an entity that represents one percent or less of the consolidated assets of the parent institution or of the bank.

Responsibilities of the parent institution and subsidiaries

  6. (1) A subsidiary and affiliate shall provide a parent institution with information which it requires in order to comply with its obligations under the Act and Regulations on a consolidated basis and in any case shall at a minimum, provide the information specified in regulation 9.

(2) A parent institution shall provide a subsidiary and affiliate with information which it requires to facilitate consolidated supervision by the Commissioner including but not limited to information or guidance on development and implementation of policies and procedures.

(3) A parent institution shall, on a consolidated basis, and at each subsidiary and affiliate, identify, measure, monitor and control its risks in accordance with the applicable risk management laws to ensure that the organizational structure, processes and systems within the group are consistent and well integrated to facilitate effective risk management.

Capital adequacy requirements

  7. (1) A parent institution shall meet the minimum capital adequacy requirements established under the Financial Institutions (Risk-Based Capital Requirements) Regulations, 2016 both on a consolidated basis and on a stand-alone basis for each banking institution in the group that is located in Lesotho.

(2) In the event that an institution requests approval from the Commissioner for the use of a specific approach or combination of approaches for calculating capital requirements for particular types of risk, the calculation of capital shall be on a consolidated basis.

Manner for calculating credit risk exposures

  8. (1) The credit risk exposure of a parent institution and its group entities in aggregate shall not exceed the limits specified in the Financial Institutions (Lending Limits) Regulations 2016 for a single borrower or a group of interrelated persons which limits shall represent the credit risk exposure permitted on a consolidated basis.

(2) For the purposes of this regulation, the parent institution’s exposure to a single borrower or to a group of interrelated persons shall be calculated on the basis of asset items and off-balance sheet items on a consolidated basis; and

(3) In the calculation of the exposure from trading items, a parent institution may net the positions from its trading book and the positions from the trading books of the other entities included in the calculation of exposure on a consolidated basis.

Content and extent of information furnished to the Commissioner

  9. Information required to be provided under regulation 6 (1) shall include -

(a) financial information, including but not limited to balance sheet and income information;

(b) asset quality information;

(c) information on the adequacy of the loan loss and other reserves;

(d) results of internal and external audits;

(e) information on compliance with institution policies and procedures, and banking laws and regulations;

(f) capital adequacy information;

(g) information related to the management of market risk, including foreign exchange and interest rate risk;

(h) information on losses resulting from operational deficiencies;

(i) performance relative to approved budgetary goals; and

(j) other information that the Commissioner may require.

Supervision of transactions with subsidiaries, affiliates and other related parties

  10. A parent bank or a bank that is owned by a parent institution or is otherwise part of a financial group shall report to the Commissioner the nature, volume and type of transactions in which it engages with the parent bank or parent institution and its subsidiaries and affiliates in a manner stipulated by the Commissioner.

Credit risk exposure

  11. (1) A bank’s credit risk exposure to a parent bank or a parent institution or its subsidiaries or affiliates may not exceed 10 percent of its core capital for a single borrower and 25 percent of its core capital as defined in section 28 of the Act for the aggregated credit risk exposure for all such borrowers.

(2) Capital has the meaning assigned to it under the Financial Institutions (Lending Limits) Regulations, 2016.

Reporting

  12. (1) A parent institution shall compile a report on the structure of the group and submit it to the Commissioner annually for an assessment to be made of whether and to what extent the group is to be the subject of consolidated supervision;

(2) The report required under subregulation (1), shall contain a list of the entities, ownership interest, whether held directly or indirectly, and the manner in which held (including if held through a nominee or trustee arrangement), and a description of its activities;

(3) A parent institution shall not be required to submit a report on the structure of the group if there have been no significant changes since the previous reporting period, but it shall notify the Commissioner of this fact.

(4) The report required under subregulation (1) shall be submitted as of 28th February for the preceding year ending 31st December.

(5) The information on entities required under subregulation (1) shall include at a minimum -

(a) the title, business activity and total assets;

(b) the share capital of the entities, the group’s share of the capital and/or voting rights, and a list of the other entities that have an ownership interest;

(c) the members of the entities’ governing bodies, and an indication of any membership that they hold in the governing bodies of other entities, including the other entities’ business activities;

(d) a listing of the most common transactions that the entities conduct for other entities in the group;

(e) the method of consolidation of the entities for the purposes of this regulation;

(f) any additional information required by the Commissioner for the overview of the structure of the group.

(6) A parent institution shall file regulatory returns with the Commissioner on a consolidated basis unless stipulated otherwise in the instructions for the specific return.

Cooperation with other supervisory authorities

  13. (1) The Commissioner shall, upon request in writing from other financial sector supervisory authorities in Lesotho and worldwide, provide such authorities with information of key importance or significance relative to the supervision of a financial institution under their jurisdiction.

(2) Such authorities shall notify each other of any irregularities or other circumstances identified during the supervision of a financial institution with operations in each other’s jurisdiction.

(3) These exchanges of information shall be governed by a written agreement in the form of a memorandum of understanding or other similar document that establishes the rules for cooperation and the exchange of information for institutions that have operations both in Lesotho and elsewhere.

(4) Cooperation with other supervisory authorities and the exchange of information shall be governed by Part IV of the Act.

DATED:

DR. RETŠELISITSOE MATLANYANE

GOVERNOR OF THE CENTRAL BANK OF LESOTHO

NOTE

  1. Act No. 21 of 2012

LEGAL NOTICE NO. 39 OF 2016

Financial Institutions (Banks) (Risk Management) Regulations, 2016

Pursuant to section 71(1) of the Financial Institutions Act of 2012¹, I

DR. RETŠELISITSOE MATLANYANE

Governor of the Central Bank, being the Commissioner of Financial Institutions, make the following regulations -

PART I – PRELIMINARY

Citation and commencement

  1. These regulations may be cited as the Financial Institutions (Banks) (Risk Management) Regulations, 2016 and shall come into operation on the date of publication in the Gazette.

Interpretation

  2. In these regulations, unless the context otherwise requires -

(a) words used have the same meanings assigned to them under the Act;

(b) “the Act” means the Financial Institutions Act, 2012.

Objectives

  3. The objectives of these regulations are to ensure that banks have put in place adequate risk management policies, procedures and systems in line with international standards and best practices, appropriate operational guidelines and internal controls intended to identify, measure, monitor and control risks.

Application

  4. These regulations shall apply to a bank issued a licence under this Act.

PART II – RISK MANAGEMENT FRAMEWORK

Board of Directors and senior management in risk management framework

  5. (1) A bank’s Board of Directors and senior management shall -

(a) establish and maintain a risk management framework that develops and communicates policies, standards procedures and limits that define responsibility and authority to control exposure to various risks that arise from the activities of the bank;

(b) be responsible for establishing and maintaining policies, key functions and strategies for the bank for risk management, internal controls, internal audit and compliance and for ensuring their implementation;

(c) ensure that risk management policies, standards and procedures are modified when necessary to respond to significant changes in the banks’ activities or business conditions.

(2) The Board of directors shall ensure that senior management of a bank is fully capable of managing the activities that the bank undertakes and is able to implement the policies, controls, and risk monitoring systems established by the bank’s board of directors and are capable of being accountable to the board of directors in that regard.

(3) A bank’s risk management policies, procedures, and limits shall at a minimum -

(a) provide for adequate identification, measurement, monitoring and control of material risks posed by activities of the bank;

(b) be consistent with management's experience level, the banks’ stated goals and objectives and the overall financial condition of the bank;

(c) clearly delineate accountability and lines of authority across the bank’s activities; and

(d) provide for the review of activities new to the bank to ensure that the infrastructures necessary to identify, monitor, and control risks associated with an activity are in place before the activity is initiated.

(5) A bank’s senior management shall be responsible for implementing strategies in a manner that risks associated with each strategy are managed prudently and that laws and regulations on both a long-term and day-to-day basis are complied with.

Risk monitoring system

  6. (1) A bank shall establish an effective risk monitoring system to identify and measure all material risk exposures.

(2) A bank’s risk monitoring activities shall be supported by information systems that provide senior management and the board of directors with timely, accurate and reliable reports on the financial condition, operating performance, and risk exposure of the bank, as well as with regular and sufficiently detailed reports for line managers engaged in the day-to-day management of the bank’s activities.

(3) To ensure effective measurement and monitoring of risk and adequate management information systems, a bank shall ensure that -

(a) its risk monitoring practices and reports address all material risks;

(b) key assumptions, data sources, and procedures used in measuring and monitoring risk shall be appropriate and adequately documented and tested for reliability on an on-going basis;

(c) reports and other forms of communication are consistent with the bank’s activities, structured to monitor exposures and compliance with established limits, goals, or objectives and, as appropriate, compare actual versus expected performance; and

(d) reports to management or to the bank's directors are accurate and timely, and contain sufficient information for decision-makers to identify any adverse trends and to evaluate adequately the level of risk faced by the bank.

Internal controls

  7. (1) A bank shall establish and maintain an effective system of controls that -

(a) is appropriate to the type and level of risks posed by the nature and scope of its activities;

(b) establishes clear lines of authority and responsibility for monitoring adherence to policies, procedures, and limits;

(c) ensures that reporting lines provide sufficient independence of the control areas from the business lines and adequate separation of duties throughout the bank such as those relating to trading, custodial, and back-office activities;

(d) ensures that official institutional structures shall reflect actual operating practices;

(e) ensures that financial, operational, and regulatory reports shall be reliable, accurate and timely; wherever applicable, exceptions shall be noted and promptly investigated;

(f) provides adequate procedures for ensuring compliance with applicable laws and regulations; and

(g) ensures that internal audit or other control review practices provide for independence and objectivity.

(2) A bank shall have and maintain an independent internal audit function which shall report directly either to the board of directors or its Audit Committee. (3) A bank shall adequately document the results of internal audits or reviews and management's responses and shall ensure that identified material weaknesses are given appropriate and timely high level attention and manage￾ment's actions to address material weaknesses are objectively verified and re￾viewed. (4) A bank’s Audit Committee shall review the effectiveness of in￾ternal audits and other control review activities on a regular basis. (5) Internal audits shall be based on an annual audit plan that iden￾tifies areas of risk in the bank, and is supplemented by audits of other areas of the bank’s operations to ensure that all material bank operations are audited on an identified cycle. (6) A bank shall establish internal control practices which ensure that deviations from policies, procedures, limits and prudential guidelines are promptly reported to appropriate levels of management. Stress testing 8. (1) A bank shall establish and maintain a system of stress testing to identify possible events or future changes in economic conditions and other events that could have unfavourable effects on a bank risk exposures and assess￾ing the bank’s ability to withstand such changes. (2) Stress test analysis shall include - (a) economic downturns, in the whole economy or in particular sectors; (b) market-risk events; (c) liquidity conditions, and (d) contingency plans regarding actions management might take given certain scenarios including hedging against 267

the outcome or reducing the size of the risk exposure. (3) Results of stress tests conducted by a bank shall be reviewed periodically by senior management which shall ensure that action is taken in cases where the results exceed agreed tolerances and the bank’s policies and limits are updated as may be necessary. (4) A bank shall perform stress tests or scenario analysis on a regular basis in order to identify and quantify its exposures to possible stresses to liquidity or the interest rate, price and foreign exchange positions relative to the bank’s balance sheet, events that would affect the quality of credit risk exposure and shall analyze possible impacts on the bank cash flows, liquidity position, profitability, capital adequacy and solvency. (5) The results of these stress tests shall be discussed thoroughly by Assets and Liability Committee, senior management of the bank, as well as the bank’s credit committee for credit risk management in order to form the basis for taking remedial or mitigating actions as appropriate. Asset and Liability Committee 9. (1) Management of a bank shall establish an Asset and Liability Committee responsible for managing its overall liquidity, interest rate, price and market risks. (2) At a minimum, the Assets and Liability Committee shall comprise senior management from each section of the bank that has a link with market, interest rate and liquidity risks. (3) Assets and Liability Committee meetings shall be held as frequently as is required to enable the Committee carry out its duties effectively, but at least on a monthly basis. (4) The responsibilities of the Assets and Liability Committee shall include - (a) developing and recommending policies for approval by the Board for liquidity, interest rate, price, foreign exchange and other market risks;

(b) developing and recommending strategic direction for the risks enumerated in subregulation (4) (a); (c) reviewing periodic management reports for the risks enumerated in subregulation (4) (a), to facilitate decision making; (d) evaluating the results of stress tests for banking operations possessing the risks enumerated in subregulation (4) (a). PART III – CREDIT RISK MANAGEMENT Board of Directors oversight in credit risk management 10. (1) A bank’s Board of Directors shall oversee the bank’s credit-granting and credit risk management functions and it shall be its overall responsibility to - (a) approve the bank’s credit risk strategy and policies which shall be based on the bank overall business strategy; (b) define the bank’s overall risk tolerance in relation to credit risk; (c) ensure that bank credit risk exposure is maintained at prudent levels and consistent with the available capital; (d) ensure that the bank implements sound policies that facilitate the identification, measurement, monitoring and control of credit risk; (e) ensure that senior management is fully capable of managing the credit activities conducted by the bank and that such activities are done within the risk strategy, policies and procedures approved by the board; (f) approve the overall lending authority structure, and explicitly delegate credit sanctioning authority to senior

management and credit committee; (g) ensure that there is an internal audit function capable of assessing compliance with the credit policies and the management of the entire credit portfolio; (h) review exposures to insiders and their related parties including policies related thereto; (i) review trends in the quality of credit portfolio and its concentration, to identify emerging problems and take action to deal with the problems; and (j) ensure that senior management provide periodic reports on insider loans, provisioning and write-offs of credit loan losses and audit findings on the credit granting and monitoring processes, as well as reports addressing overall portfolio quality, sectoral and product trends and profitability. (2) A bank’s senior management shall be responsible for implementing the credit strategy and policies approved by the board of directors and for developing procedures for effective management of credit risk as well as for - (a) developing and establishing the credit policies and procedures for approval by the Board; (b) implementing the credit policies and procedures; (c) developing lines of communication to ensure the timely dissemination of credit risk management policies and procedures and other credit risk management information to all individuals involved in the credit process; (d) monitoring and controlling the nature and composition of the bank credit portfolio; (e) ensuring compliance with internal exposure limits, prudential limits and that regulatory requirements are enforced;

(f) developing and implementing an appropriate internal risk rating and reporting system, to permit the effective analysis, sound and prudent management as well as control of existing and potential credit risk exposure; (g) monitoring the quality of the credit portfolio and ensuring that the credit portfolio is soundly and conservatively valued, and uncollectible credits are written off; (h) maintaining loan loss provisions at appropriate level and overseeing the credit risk assessment and provisioning processes; and (i) reporting comprehensively on significant credit activities, the composition and quality of the credit portfolio, and the credit risk management program to the Board. (3) A bank shall develop a credit risk strategy or plan that establishes the objectives guiding its credit-granting activities and adopt the necessary policies and procedures for conducting such activities. (4) The credit risk strategy shall - (a) clearly set acceptable credit risk appetite and tolerance of the bank; (b) cover relevant activities of the bank in which credit exposure is a significant risk; (c) indicate the bank plan to grant credit based on the type of exposure i.e. commercial, retail, real estate, economic sector, geographical location, currency and maturity; (d) define the target market within each lending segment, indicating preferred levels of concentration; (e) outline the pricing strategy; (f) give recognition to the goals of credit quality, earnings and growth;

(g) be approved and periodically be at least annually reviewed by the Board of Directors; and (h) be periodically assessed and amended, however it shall be viable in the long-run and through various economic cycles. Credit risk policies and procedures 11. (1) Senior management of the bank shall develop and establish credit policies and credit administration procedures as part of overall credit risk management framework and those shall be approved by the Board of Directors. (2) Such policies and procedures shall provide guidance to the staff on various types of lending and at a minimum shall include - (a) detailed and formalised credit evaluation or appraisal process; (b) clearly defined delegation of approval at various hierarchy levels including authority for approving exceptions; (c) credit risk acceptance criteria; (d) types of credit offered by the bank; (e) terms and conditions of credits, such as pricing, tenure and limit; (f) acceptable types of collateral and security documents; (g) concentration limits on a single borrower and on a group of connected persons, which shall be in line with prudential limits set out by the Central Bank; (h) credit origination, credit administration and documentation requirements; (i) credit classifications;

(j) roles and responsibilities of units and staff involved in origination and management of credit; (k) guidelines on management of problem credits; and credit granted to insiders or their related parties. (3) In addition to subregulation (2), bank’s credit policies shall address the important functions of reviewing credits on an individual basis and ensuring appropriate diversification at the portfolio level. (4) Credit policies shall be communicated throughout the organisation, implemented through appropriate procedures, monitored and revised at least annually to take into account changing internal and external circumstances. (5) Bank’s credit policy shall clearly outline the provisioning procedures for all credit facilities and the capital charge to be held, in accordance with the International Financial Reporting Standards, and regulatory and statutory requirements prescribed from time to time by the Commissioner. Credit criteria 12. (1) A bank shall establish sound, well-defined credit-granting criteria to ensure that credit approval is done in a safe and sound manner. (2) The criteria required under subregulation (1) shall set out eligibility requirements for credit and for how much, what types of credits are available, and under what terms and conditions the credits shall be granted. (3) A bank shall collect sufficient information to enable a comprehensive assessment of the true risk profile of the borrower or counterparty. (4) Depending on the type of credit exposure and the nature of the credit relationship, factors to be considered and documented when approving credits shall include - (a) purpose of the credit and sources of repayment; (b) current risk profile including the nature and aggregate amounts of risks of the borrower or counterparty and collateral and its sensitivity to economic and market

developments; (c) for commercial credits, the borrower’s business expertise and status of the borrower’s economic sector and position within that sector; (d) proposed terms and conditions of credit, including conditions designed to limit changes in the future risk profile of the borrower; (e) adequacy and enforceability of collateral or guarantees under various scenarios; (f) borrower’s repayment history and current capacity to repay, based on historical financial trends and future cash flow projections, under various scenarios; (g) integrity and reputation of the borrower or counterparty as well as their legal capacity to assume the loan; (h) situations where in considering credits, it is appropriate to classify a group of borrowers who are connected counterparties as a single borrower. This shall include aggregating exposures to groups of borrowers exhibiting financial interdependence, where they are under common ownership or control; and (i) conditions and terms for granting credit to insiders or their related parties. (5) A bank shall ensure that the information it receives from prospective borrowers is sufficient to make proper credit-granting decisions and to serve as the basis for rating the credit under the bank’s internal rating system. (6) In considering potential credits, a bank shall recognise the necessity of establishing provisions for identified and expected losses and holding adequate capital to absorb unexpected losses. (7) A bank shall factor these considerations into credit-granting decisions, as well as into the overall portfolio risk management process.

(8) Security accepted by a bank to mitigate credit risk shall satisfy the following conditions - (a) the collateral must have legal enforceability and all documentation used for collateralised lending must be binding to all relevant parties; (b) in the event of default, the contractual relationship must provide for the right to liquidate or right to repossess in a timely manner; (c) necessary steps shall be taken to obtain and maintain an enforceable security; (d) procedures for timely liquidation of collateral shall be in place; (e) ongoing valuations of the collateral shall be undertaken to confirm that it remains realisable; and (f) guidance on the various acceptable forms of collateral shall be documented. Credit limits 13. (1) A bank shall establish overall credit limits at the level of individual borrowers and counterparties, and groups of connected counterparties, both in the banking and trading book as well as on- and off-balance sheet. (2) Credit limits in subregulation (1) shall be based on the internal risk rating system subject to the exposure limits set by the Central Bank which shall include the following - (a) acceptable exposure to individual borrowers; (b) maximum exposure to connected parties and insider dealings; (c) maximum exposure for particular industries, economic sectors or geographic regions; and

(d) acceptable limits on specific products. (3) A bank shall comply with such credit exposure limits as may be specified by the Commissioner from time to time. Credit administration, measurement and monitoring 14. (1) A licensed bank shall ensure completeness of credit documentation in accordance with approved terms and conditions and among other things shall ensure that terms of each credit transaction are adequately and accurately documented. (2) A bank shall establish credit documentation requirements for each type of credit it offers based on factors including the type of credit exposure, complexity of transaction and the extent of the borrower’s banking and credit relationship with the bank. Such credit documentation requirements shall, at a minimum - (a) identify the borrower by name and occupation or type of business, and identify endorsers, guarantors and connected counterparties; (b) provide evidence of the borrower's legal ability to borrow, financial condition, and ability to repay including, the timing and source of repayment as reflected in credit analyses of the borrower’s performance, the borrower’s current financial statements, and officer call reports; (c) describe the terms of the credit obligation, including the purpose of the credit; (d) describe and evaluate the collateral, indicating the marketability and condition thereof; (e) provide a history of the credit, including copies of the most recent credit authorisation and internal credit reviews, and evidence of the level of approval; and (f) where applicable, describe the relationship of the borrower to owners, directors and management of the bank.

(3) Bank’s credit administration function shall ensure that a loan application obtains proper consideration and approval before it is entered into its management information system. (4) Bank shall disburse an approved credit only after relevant prior conditions and covenants have been satisfactorily met by the borrower, relevant collateral received and perfected, and where necessary, relevant regulatory approval obtained from appropriate authorities. (5) A bank shall continuously monitor approved loans to ascertain the extent of the borrowers’ compliance with credit terms, to identify early signs of irregularity, to conduct periodic valuation of collateral, and to monitor appropriate repayments. (6) A bank shall establish and maintain management information systems that capture all credit repayments accurately and timely, identify past due and non-performing loans and communicating same to management, and reflecting a proper record and update of receipts of payment from the borrower. (7) A bank shall devise procedural guidelines and standards for maintenance of credit files including all correspondence with the borrower and sufficient information necessary to assess the borrower’s financial health and repayment performance, in a manner that promotes easy retrieval. (8) A bank shall as part of its overall credit risk management system, measure on an ongoing basis the risk inherent in its credit portfolio using appropriate qualitative and quantitative techniques, and establish a credit risk rating framework across all types of credit activities to measure credit risk. (9) An internal risk rating system shall be established and maintained to - (a) monitor the quality of individual credits, as well as the bank’s total credit portfolio; (b) determine the overall characteristics of the credit portfolio, concentrations, problem credits, and the adequacy of loan loss provisioning;

(c) classify credit facilities based on perceived levels of risks they pose; (d) rate the riskiness of the borrower or counterparty, the risks associated with a specific transaction, or both; and (e) respond to indicators of potential or actual deterioration in credit risk and to trigger additional oversight and monitoring by management of credits with deteriorating ratings; (10) A bank shall ensure that, ratings assigned to individual borrowers or counterparties at the time credit is granted are reviewed on a periodic basis and that each credit facility shall be assigned a new rating when conditions either improve or deteriorate. (11) Each bank shall have in place a system to monitor the overall composition and quality of its credit portfolio to enable management to identify deteriorations in the portfolio and to take remedial measures. (12) The credit monitoring system shall be consistent with the nature, size and complexity of the bank credit portfolio, to ensure that the bank - (a) understands the current financial condition of the borrower; (b) monitors compliance with the existing terms and conditions of credit; (c) assesses the value and adequacy of collateral in relation to the borrower’s current condition; (d) identifies non-performing accounts and enforces proper classification and loan loss provisioning; and (e) brings prompt attention to non-performing accounts in order for remedial actions to be taken. (13) A bank credit policy shall establish the procedures for dealing with credit facilities to allow for effective determination of loan loss potential.

(14) A bank shall clearly articulate and document policies in respect of past due and non-performing credit facilities, and shall at a minimum, have approval levels and reporting requirements in respect of granting extensions, deferrals, renewals and additional credit facilities to existing accounts. (15) Policies referred to in subregulation (13) shall define a follow-up procedure for all loans and identify reports to be submitted both to management and the Board of Directors. (16) (a) a bank shall have in place an effective management information system for the credit risk management process. (b) a bank Board and senior management shall be provided with credit information which shall be sufficient, frequent, current and reliable with appropriate desegregation. (c) a bank shall generate reports from on-balance sheet and off-balance sheet credit activities to ensure that at a minimum, such reports identify credit exposures according to - (i) type of activities; (ii) credit concentration, including, type of exposure, economic sector, geographic region, commercial, industrial sector, individual borrowers and group of interrelated borrowers, loans to connected borrowers and transactions with related persons; (iii) maturity schedule of credits within a portfolio for the purpose of monitoring interest rate risk and maturity risk; (iv) comparison of actual credit exposures with the actual limits; (v) exceptions made to the bank credit granting

standards; (vi) past-due and non-performing credits by age of delinquency relating to each credit type; (vii) credits on non-accrual status; (viii) credit classifications; (ix) restructured credits; (x) off-balance sheet commitments, specifically identifying large exposures; (xi) status reports on large exposures and adversely classified credits; and (xii) comparison of bank actual credit facilities to business plan and budget. Board of Directors and senior management oversight in liquidity risk management 15. (1) The Board of Directors and senior management of a bank shall ensure at all times that the bank has sufficient liquid assets to meet its obligations when they fall due. (2) The bank’s Board of Directors shall be responsible for - (a) the liquidity risk assumed by the bank and the manner in which the risk is managed; and (b) in particular, the Board of Directors shall - (i) establish the bank liquidity risk tolerance which shall define the level of liquidity risk that the bank is willing to accept; (ii) review and approve the bank strategy, policies and practices on an annual basis to guide the

management of the bank liquidity risk; (iii) ensure that senior management and appropriate personnel have the necessary expertise and that the bank has processes and systems to measure, monitor, and control all sources of liquidity risk; (iv) review reports regularly on the liquidity position of the bank and be informed of new or emerging liquidity concerns; and (v) review the adequacy of the contingency liquidity plan of the bank. (3) A bank shall have an appropriate senior management structure to oversee the day-to-day and long term management of liquidity risk in line with the Board approved strategy, policies and procedures. (4) The responsibilities of senior management shall include - (a) development and implementation of procedures and practices to manage liquidity risk in accordance with the risk tolerance level and ensure that the bank maintains sufficient liquidity; (b) ensuring that liquidity is managed and controlled within the parameters of the liquidity policy; (c) establishment of effective internal controls over the liquidity risk management process and ensure that they are communicated to all appropriate staff; (d) adherence to the lines of authority and responsibility that the Board has established for managing liquidity risk; and (e) establishment of the bank’s contingency liquidity plan for handling liquidity crisis such as cash flow shortfalls in emergency situations.

(5) A bank shall adopt, maintain, and constantly review a set of documented liquidity risk policies, strategies, procedures and limits approved by the Board of Directors to reflect its general approach to liquidity appropriate for the nature, scale and complexity of the bank. (6) A bank’s liquidity risk management policy shall include the following key elements - (a) roles and responsibilities of individuals performing liquidity risk management functions; (b) liquidity risk management structure for identifying, monitoring, reporting and reviewing the liquidity position; (c) liquidity risk management tools for identifying, measuring, monitoring and controlling liquidity risk (including the types of liquidity limits and ratios in place and rationale for establishing those limits and ratios); and (d) contingency plan for handling liquidity crises. (7) A bank’s liquidity management strategy shall address the following - (a) composition of assets and liabilities with a view to maintaining liquidity; (b) diversification of funding sources to help fund day-to-day liquidity requirements; (c) management of liquidity in different currencies especially where foreign currency represents a significant percentage of the total liabilities; and (d) strategies to deal with both short and long-term potential liquidity disruptions. (8) A bank’s procedures and processes to implement its liquidity policy shall include -

(a) a procedure manual detailing the necessary steps and processes to implement the relevant liquidity risk controls and the manual shall be reviewed periodically and updated to take into account new activities, changes in risk management approaches and systems; and (b) identification of existing and future risks that the bank can be exposed to. (9) A bank’s limits to control its liquidity risk exposure and vulnerabilities shall - (a) be in line with the prudential limits set out by the Central Bank; (b) be used for managing day-to-day liquidity within and a risk managers lines of business under normal conditions; (c) include measures aimed at ensuring that the bank can continue to operate in a period of market stress, bank-specific stress and a combination of the two; and (d) be documented in the liquidity policies and reviewed periodically (at least annually) or when conditions or risk tolerances change. (10) A bank shall establish and maintain adequate management information system that provides access to relevant information on a timely basis for measuring, monitoring, controlling and reporting liquidity risk under both normal and stressed situations and for monitoring compliance with the Commissioner’s prudential requirements on liquidity. (11) A bank shall establish and maintain an adequate system of internal controls over its liquidity management process to promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations and institutional policies.

Interest rate risk management 16. (1) A bank’s Board of Directors shall - (a) approve broad business strategies and policies that govern or influence interest rate risk of the bank; (b) review the overall objectives of the bank with respect to interest rate risk; (c) provide clear guidance regarding the level of interest rate risk acceptable to the bank; (d) approve policies that govern interest rate risk management and that identify lines of authority and responsibility for managing interest rate risk exposures; (e) ensure that senior management has full understanding of the risk assumed by the bank and that the bank has personnel who possess the necessary technical skills to evaluate, monitor and control interest rate risks; (f) periodically review board itself or its designated committee information, which is sufficient in detail and timeliness to understand and assess senior management performance in monitoring and controlling interest rate risk in compliance with the policies approved by the Board; (g) conduct reviews more frequently, where a bank holds significant positions in complex instruments; and (h) periodically re-evaluate significant interest rate risk management policies including the overall business strategies that affect interest rate risk exposure of the bank. Senior management oversight in interest rate risk management 17. A bank’s senior management shall ensure that the structure of the bank’s business and the level of interest rate risk it assumes are correctly aligned and

effectively managed and in particular shall - (a) ensure that the bank has adequate policies and procedures for managing interest rate risk on both long-term and day-to-day bases; (b) ensure that the bank maintains clear lines of authority and responsibility for managing and controlling this risk; (c) maintain appropriate limits on risk taking; (d) maintain adequate management information systems and standards for measuring interest rate risk; (e) maintain standards for valuing positions and measuring performance; (f) maintain a comprehensive interest rate risk reporting and management review process; (g) maintain effective internal controls; (h) review periodically, the bank interest rate risk management policies and procedures to ensure that they remain appropriate and sound; (i) ensure that the analysis and risk management activities related to interest rate risk are conducted by competent staff with technical knowledge and experience consistent with the nature and scope of the bank activities; and (j) ensure that there is sufficient depth in staff skills or resources to manage interest rate risk and to accommodate the temporary absence of key personnel. Interest rate risk management policies and procedures 18. (1) A bank’s interest rate risk management policies and procedures shall clearly define and be consistent with the nature and complexity of a bank activities.

(2) A bank’s interest rate risk management policies and procedures shall - (a) outline lines of responsibility and accountability over interest rate risk management decisions; (b) clearly define authorised instruments either specifically or by their characteristics, hedging strategies, and position taking opportunities; (c) identify quantitative limits that define the level of interest rate risk acceptable for the bank; (d) where appropriate, such restrictions shall further be specified for certain types of instruments, portfolios and activities; (e) define procedures and approvals necessary for exceptions to policies, limits, and authorisations; (f) define a clear set of institutional procedures for acquiring specific instruments, managing portfolios, and controlling the bank aggregate interest rate risk exposure; and (g) be reviewed periodically and revised as needed. (3) Prior to introducing a new product, hedging, or position-taking strategy - (a) senior management shall ensure that adequate operational procedures and risk control systems are in place; and (b) the Board of Directors or its appropriate delegated committee shall approve major hedging or risk management initiatives prior to their implementation.

Interest rate risk limits 19. (1) A bank shall maintain a system of interest rate risk limits which - (a) set boundaries for the level of interest rate risk of the bank; (b) where appropriate, provide the ability to allocate limits to individual portfolios, activities or business units depending on the nature of a bank holdings and its general sophistication; (c) ensure that positions that exceed certain predetermined levels receive prompt management attention; (d) enable management to control interest rate risk exposures, initiate discussion about opportunities and risks; (e) enable management to monitor actual risk taking against predetermined risk tolerances; (f) be consistent with the overall approach to measuring interest rate risk; (g) be approved by the Board of Directors and re-evaluated periodically; and (h) be appropriate to the size, complexity and capital adequacy of the bank, and its ability to measure and manage its risk. (2) A bank shall maintain interest rate a risk measurement system that assess the effects of rate changes and which are consistent with the scope of their activities and which - (a) assess all material interest rate risk associated with a bank assets, liabilities, and off-balance sheet positions;

(b) utilise generally accepted financial concepts and risk measurement techniques; (c) have well documented assumptions and parameters. The assumptions underlying the system shall be clearly understood by risk managers and senior management; (d) incorporate interest rate risk exposures arising from a bank activities, including both trading and non-trading sources; (e) address all material sources of interest rate risk including, repricing, yield curve, basis and option risk exposures; and (f) provide rigorous treatment of those instruments which might materially affect a bank aggregate position, even if they do not represent a major concentration. Interest rate risk monitoring and reporting 20. (1) A bank’s Board of Directors shall review reports detailing the interest rate risk exposures of the bank on a regular basis. (2) The reports shall include at a minimum, the following - (a) a summary of the bank aggregate interest rate exposures; (b) reports demonstrating the bank compliance with interest rate risk policies and limits; (c) sensitivity of key assumptions, such as those dealing with changes in the shape of the yield curve or in the speed of anticipated loan prepayments or deposit withdrawals; (d) results of stress tests including those assessing breakdowns in key assumptions and parameters; (e) adequacy of internal controls; and

(f) summaries of the findings of reviews of interest rate risk policies, procedures and the adequacy of the interest rate risk measurement systems, including any findings of internal and external auditors and any other independent reviewer. Internal controls and audit 21. A bank shall maintain adequate internal controls as part of its overall system of internal control, to ensure the integrity of its interest rate risk management process. PART IV – FOREIGN EXCHANGE RISK MANAGEMENT Board of Directors oversight in foreign exchange risk management 22. (1) The Board of Directors shall have ultimate responsibility for understanding the nature and level of foreign exchange risk taken by the bank and the management thereof and shall ensure that appropriate foreign exchange risk management policies, processes and procedures are in place to measure, manage and control all aspects of foreign exchange risk. (2) The Board of Directors shall at a minimum - (a) review and approve policies, procedures and currency limits regularly in line with changes in the economic environment; (b) set the foreign exchange risk management strategy and limits for acceptable currency positions tolerance levels; (c) ensure that there is an independent review or audit of the foreign exchange operations and that the scope and frequency of the programme is appropriate to the foreign exchange risks; (d) ensure the selection and appointment of qualified and competent management to administer the foreign exchange function; and

(e) review and assess foreign exchange risk reports to ensure that the nature and size of exposure are maintained at prudent levels and are consistent with available capital. Senior management oversight in foreign exchange risk 23. A bank’s senior management shall be responsible for managing and controlling the exposure to foreign exchange risk in accordance with approved policy and shall at a minimum - (a) develop and document appropriate foreign exchange policies for approval by the Board; (b) ensure that foreign exchange risk is managed and controlled within the foreign exchange risk management program especially in relation to identifying the risks inherent in new services and products and establishing adequate procedures and controls before start-up; (c) develop and implement techniques that will accurately and continually measure the bank’s exposure to foreign exchange risk and its foreign exchange gains and losses; (d) have clear procedures for measuring and managing exposures to individual counterparties across the group; (e) implement an appropriate accounting and management information systems which complement the risk management strategy; (f) develop a framework of limits to control foreign exchange risk exposures; (g) ensure segregation of duties between trading, risk measurement and monitoring, settlement and accounting functions; (h) have an effective risk management system and internal controls system in place; and

(i) ensure that foreign exchange operations within the bank are in compliance with foreign exchange applicable laws. Risk management policies, procedures and limits 24. (1) A bank shall have written policies and procedures for identifying, measuring and controlling foreign exchange risk, which shall be consistent with the bank strategies, financial condition and risk tolerance levels. (2) Policies and procedures shall identify the foreign exchange risks inherent in services and activities and shall - (a) define lines of responsibility and identify individuals or committees responsible for developing foreign exchange risk management strategies, making foreign exchange risk management decisions, and conducting oversight; (b) clearly identify or define authorized types of financial instruments and hedging strategies; (c) describe a set of strategies for controlling the bank aggregate foreign exchange risk exposure; (d) define quantitative limits on the acceptable level of foreign exchange risk for the bank; and (e) define procedures and conditions for dealing with exceptions to policies, limits and authorisations. Foreign exchange risk limits 25. A bank shall establish and constantly review a comprehensive framework of limits to control foreign exchange risk exposures for different levels of reporting including at a minimum - (a) open position limits for individual currencies to which the banks have material exposures, both during the day and overnight;

(b) open position limits on the aggregate of all currencies, both during the day and overnight; (c) open position limits by each centre where the bank operates; (d) stop loss and/or management-action-trigger limits; and (e) limits for settlement risk of all counterparties. Foreign exchange risk measurement 26. (1) A bank shall maintain risk measurement systems that take into account all the sources of foreign exchange risk and evaluate the effect of foreign exchange rate changes on profitability and economic value of the bank. (2) The system shall at a minimum - (a) evaluate all foreign exchange risks by maturity, on both gross and net bases, arising from the full range of bank’s assets, liabilities and off-balance sheet positions; (b) employ accepted financial models or methods for measuring risk of foreign exchange derivatives; (c) be able to calculate comprehensive risk factor sensitivities for the purpose of capturing the non-linearity nature of price risk of foreign exchange positions; (d) have accurate and timely data; (e) incorporate daily mark-to-market value of trading positions; and (f) enable the bank to monitor their foreign exchange settlement risk in real-time in order to ensure that settlement limits will not be exceeded.

Board of Directors and senior management oversight in price risk monitoring 27. (1) A bank’s Board of Directors shall - (a) define the risks and determine the bank’s risk appetite; (b) review and approve sound strategies and policies that govern or influence price risk of a bank; (c) review regularly the bank’s overall price risk exposure to ensure that it is consistent with the overall bank risk appetite; (d) approve policies that identify lines of authority and responsibility for managing price risk exposures; and (e) ensure that adequate resources, both technical and human, are available for evaluating and controlling this risk. (2) A bank’s senior management shall - (a) develop and implement policies and procedures; (b) ensure adherence to the lines of responsibility and set limits on risk taking; (c) establish effective internal controls to monitor and control price risk; (d) establish adequate systems and standards for measurement of price risk; (e) ensure that the risk management personnel have the requisite skills; and (f) ensure that the risk management procedures remain appropriate and sound.

(3) A bank shall maintain written policies, governing investment and other trading activities including off-balance sheet items, which clearly define and are consistent with the nature and complexity of bank activities and which at a minimum set out the following - (a) clear lines of responsibility and authority over price risk management; (b) specific limits for types of instruments, portfolios and activities; (c) specific authorised instruments by their type or characteristics, hedging strategies and position taking opportunities; (d) institutional procedures for acquiring specific instruments, managing portfolios and controlling the bank overall exposure to price risk; (e) the frequency with which positions are revalued and reported to both the senior management and Board of Directors; and (f) approvals necessary for exceptions to policies, limits and authorisations. (4) A bank’s management shall define a consistent set of price risk limits based on the bank risk appetite and which shall at the minimum - (a) encompass all risks relating to price movements; (b) be consistent so that limits are aggregated appropriately across various levels of activities and instrument types; (c) provide reasonable thresholds; (d) be monitored in a strict and timely manner, with procedures in place to address limit breaches; and (e) be reviewed and adjusted in order to continue to be

reasonable and suitable. (5) A bank's system for measuring the various risks from trading and investment activities shall be both comprehensive and accurate and shall measure risk aggregated across trading and non-trading activities on bank-wide basis to the fullest extent possible. (6) The measurement systems shall at a minimum - (a) capture all material sources of risk, the assumptions underlying the system shall be documented and be clearly understood by risk managers and senior management; (b) ensure that transactions are captured on a timely basis; (c) ensure that marked-to-market positions are revalued frequently; (d) establish and enforce operating limits and other practices that maintain risk exposures within the levels identified in the internal policies; (e) assess vulnerability to loss under stressful market conditions, including the breakdown of key assumptions; (f) ensure that when using vendor purchased applications for the measurement and/or management of price risk, that the vendors share the model’s parameters with them; and (g) provide adequate information systems for measuring, monitoring, controlling and reporting exposures. Price risk monitoring and reporting 28. A bank shall - (a) commit adequate resources to generate information on compliance with relevant risk limits; and

(b) design standardised reports to communicate the information regarding risk concentration, current positions, country or sectoral exposures which shall include at a minimum - (i) total value of outstanding investments and current market values; (ii) profit and loss, totals and comparison to previous mark to market; (iii) investment limits; (iv) limit or sectoral excesses; and (v) valuation of derivatives instruments, if any. Board of Directors oversight in operational risk management 29. (1) A bank’s Board of Directors shall be responsible for creating an organisational culture that places high priority on effective operational risk management, adherence to sound operating controls, and integrity for all employees in conducting business. (2) The Board of Directors shall at a minimum - (a) define the operational risk strategy and ensure that the strategy is aligned with the bank overall business objectives; (b) approve and review periodically a written bank-wide operational risk framework; (c) ensure that the operational risk management framework is subject to independent and comprehensive review by internal audit, group audit or other oversight functions; (d) approve and review annually the policies and procedures developed by senior management;

(e) establish management structure with clear lines of responsibility, accountability and reporting; (f) ensure that senior management is taking necessary steps to implement appropriate policies, processes and procedures; (g) review periodic high-level reports on the bank overall operational risk profile, which identify material risks and strategic implications for the bank; and (h) ensure compliance with regulatory disclosure requirements on operational risk. (3) A bank’s senior management shall be responsible for the implementation of the bank’s operational risk management framework approved by the Board and in so doing shall - (a) clearly assign authority and responsibility and reporting relationships to encourage and maintain accountability; (b) develop policies, processes and procedures for managing operational risk in all of the bank material products, activities, processes and systems; (c) ensure that the bank operational risk management policies, processes and procedures have been clearly communicated to all staff at all levels; (d) ensure that the bank activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources; (e) ensure that staff responsible for monitoring and enforcing the bank operational risk policy is independent from the operational risk function; (f) ensure that there is an effective communication between staff responsible for managing operational risk with staff responsible for managing credit, market, liquidity and

other risks; and (g) put in place clear reporting systems of operational risk failures and provide for their subsequent resolution. Operational risk management policies and procedures 31. (1) A bank shall be required to maintain well documented policies and procedures for managing operational risk including - (a) the strategy given by the Board of Directors; (b) the systems, processes and procedures to institute effective operational risk management framework; (c) the organisational structure which defines operational risk management roles, the responsibility and reporting lines of the Board, committees, senior management, risk management function, business line management and other operational risk related functions; (b) a definition of operational risk, including the loss event types that will be monitored; (c) an outline of the types of data/information to be included in the risk management reports; (d) internally derived analytical framework used to quantify the operational risk exposure of the bank; and (e) qualitative and risk mitigants and how they are incorporated into the operational risk framework. (2) A bank shall at a minimum establish and maintain policies and procedures for the following - (a) anti-money laundering and terrorist-financing; (b) conflicts of interest;

(c) new product and new system approvals; (d) banking operations such as cash operations and reconciliation of accounts; (e) information technology processes; (f) outsourcing arrangements; (g) agency banking; and (h) corporate governance. Operational risk management process 32. (1) A bank’s management shall include in its operational risk framework, processes to be followed to identify the nature and types of operational risk including internal and external factors that could adversely affect the achievement of the bank objectives and causes and impacts on the bank. (2) A bank shall adopt techniques which shall be reviewed regularly, that provide meaningful information for identifying and assessing the bank exposure to operational risk using one or more of the following tools to identify and assess operational risk - (a) self risk assessment; (b) risk mapping; (c) risk indicators; (d) thresholds or limits; and (e) measurement.

Risk control, monitoring and reporting 33. A bank shall - (a) have systems in place for ensuring compliance with documented set of internal policies and procedures concerning the bank’s operational processes; (b) implement a process to regularly monitor operational risk profiles and material exposures to losses, with regular reporting of pertinent information to senior management and the Board of Directors that supports proactive management of operational risk; (c) ensure that its risk management control infrastructure keeps pace with growth or changes in its business activities; and (d) establish and maintain an effective internal control system which ensures - (i) appropriate segregation of duties and that all personnel are not assigned responsibilities which may create a conflict of interest; (ii) that the scope and frequency of the audit programme is appropriate to the risk exposures; (iii) that the audit function is not responsible for the operational risk management function; (iv) close monitoring of adherence to assigned risk limits or threshold and investigation of breaches; (v) that access to, and use of, bank assets and records are safeguarded; (vi) appropriate expertise and training for the staff; (vii) regular verification and reconciliation of transactions and accounts; and (viii) identification of business lines or products where returns appear to be significantly out of line with reasonable expectations.

Outsourcing Risk Management Policy 34. (1) A bank shall develop an appropriate outsourcing risk management policy addressing oversight of critical service providers that includes - (a) risk assessment to identify and assess the risk associated with specific outsourcing decisions; (b) due diligence in the selection of service providers to verify operational and financial capacity to meet the bank’s needs; (c) requirements for contracts to be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality and reporting; (d) manuals guiding routine operational functions such as reconcilements; and (e) oversight of each service provider’s controls, financial condition and performance. Insurance Policy 35. A bank shall have in place an All Risk Insurance Policy (Blanket Cover), which shall ensure that the bank is covered against unforeseen events which may have an adverse impact on the bank and its operations. Business continuity management 36. (1) A bank shall establish and maintain a documented and implementable business continuity management system to ensure the bank ability to operate as a going concern and to minimise losses in the event of severe business disruption. (2) The business continuity management system shall take into account different types of scenarios to which the bank may be vulnerable and shall be commensurate with the size and complexity of the bank’s operations.

(3) The Board of bank shall be responsible for approving the business continuity management system and its senior management shall ensure that it is accordingly implemented. (4) The business continuity management system shall at a minimum

(a) define the bank’s continuity strategy and describe all the necessary steps to ensure continuity for any chosen strategy; (b) include a business continuity plan outlining or describing how critical services and products delivery will be ensured at minimum service levels within tolerable down times and shall at a minimum address the following key areas - (i) roles and responsibilities of key personnel and other staff members in the business continuity plan; (ii) procedures to be followed to ensure that the Business Continuity Plan is smoothly and effectively implemented; and (iii) the impact that third parties such as insurance companies, emergency services, suppliers and clients outside the bank could have on the continuity of the bank. (4) A bank shall conduct regular testing and rehearsals to ensure that the business continuity plan is implementable and appropriate. Board of Directors oversight in compliance risk 37. (1) A bank’s Board of Directors shall be responsible for the level of risk taken by the bank and for ensuring that the bank complies with all relevant laws and regulations.

(2) At a minimum, the Board of Directors shall - (a) allocate sufficient resources for compliance programmes covering compliance issues associated with the bank operations; (b) approve the bank compliance policy and legal risk management policy and ensure that it is implemented; (c) ensure that management takes steps necessary to identify, measure, monitor, and control key risks. Toward that end, establish a compliance function or appoint a compliance officer; and (d) ensure that compliance issues are quickly resolved whenever they occur. Senior management oversight in compliance risk 38. (1) A bank’s senior management shall, through a compliance officer or compliance function - (a) ensure that all staff is aware of the regulatory environment in which the bank operates; (b) establish a written compliance policy that contains the basic principles explaining the main processes by which compliance and legal risks are to be identified and managed at all levels of the bank; (c) ensure that there is sufficient depth and skill in staff resources to manage compliance risk; (d) ensure that the bank compliance and legal risk management framework has clear lines of authority; (e) periodically review the bank compliance risk management framework to ensure that it remains appropriate and sound; and

(f) report periodically to the Board of Directors on management of compliance risk. Risk management policies and procedures 39. (1) A bank shall have policies and procedures to control or mitigate material compliance and legal risks applicable to the nature of the bank’s activities. (2) At a minimum, the policy in relation to compliance risks shall contain the following - (a) the relationship with internal audit function and other risk management functions within the bank; (b) the right to conduct investigations of possible breaches of the compliance policy; (c) the right to freely express and disclose its findings to senior management; (d) the right to obtain access to information necessary to carry out its responsibilities and the duty of the bank staff to cooperate in supplying this information; (e) how responsibilities are to be allocated among the departments in cases where compliance responsibilities are carried out in different departments; and (f) the right of direct access to the Board of Directors. (3) A bank policies and procedures approved by the Board of Directors for managing legal risk shall provide for the following - (a) maintenance of a central inventory of key documents such as contracts, licences, policy statements and others; (b) maintenance of records in line with relevant statutory requirements;

(c) adequate documentation on all significant transactions including security administration; (d) a framework for dealing with legal matters; (e) maintenance of confidentiality provisions; and (f) regular review and assessment of legal risk in the bank’s activities. Compliance risk monitoring and reporting 40. (1) A bank shall ensure that it has adequate management information systems that provide management with timely reports on compliance and which is able to - (a) identify the regulatory risk to which the bank is exposed; (b) work with line management and corporate staff to incorporate legal and regulatory requirements into the business quality assurance process and management reports; and (c) identify and highlight instances where procedures or controls designed to minimize or eliminate regulatory risk have failed and resulted in a breach of the relevant laws, guidelines or regulations. Such breaches shall be investigated and any procedural or control issues be resolved. (2) A bank shall manage its compliance process through tools including - (a) a compliance programme showing all aspects and the specific activities of the compliance function for a given period, and showing when and by whom the programme shall be executed; (b) education, training and communication;

(c) effective monitoring to identify the main potential danger areas and to help management pay special attention to those areas on a regular basis; (d) to ensure that required procedures are being followed properly, help restore difficulties at an early stage; and serve as an early-warning device; and (e) an effective complaint system that maintains effective records is an important part of compliance systems and also serves as an early-warning device. Reputational risk 41. (1) A bank shall pay special attention to events or circumstances which may give rise to downside risks to its reputation including inherent risk, environmental risk, government and control risks. (2) A bank’s Board of Directors shall be responsible for ensuring that an appropriate structure and process is in place to effectively manage the bank’s reputation risk. (3) Audit and risk management committees of bank’s Board of Directors shall be responsible for reviewing adequacy and effectiveness of internal control systems including those relating to reputation risk and means through which exposures related to reputation risk are managed. (4) A bank’s public relations team, in managing communication, shall be responsible for - (a) building reputation capital; (b) minimising the impact of adverse reputation risk events; and (c) monitoring the bank’s reputation within the market place.

Reputation risk management and monitoring 42. (1) A bank shall adopt policies and procedures under which they shall - (a) adopt sound risk management practices that include building reputation capital and earning the goodwill of key stakeholders; (b) manage reputation risk through a process of anticipation, risk analysis and planning, and then attempting to manage both internal and external expectations; (c) measure trends in a bank reputation as a prerequisite to remedial action; and (d) identify risk events as being either specific or systemic as this will determine the course of corrective action. (2) A bank shall ensure among other things that - (a) it establishes a crisis management procedure to manage potential impact of reputation events; (b) there is no general release of information to the public press without approval from the Board of Directors; and (c) it establishes non-financial reputation risk indicators so that appropriate action could be instituted to manage the communication of information into the market place. (3) A bank shall regularly review its reputation risk policies, guidelines, checklists processes and other assessment tools. Penalties 43. Where the Commissioner determines that a bank is not in compliance with the provisions of these regulations, it may impose any penalties or invoke any corrective measures specified in the Act.

Repeal 43. The Financial Institutions (Internal Control Systems) Regulations, 2000 are repealed. DATED: DR. RETŠELISITSOE MATLANYANE GOVERNOR OF THE CENTRAL BANK OF LESOTHO NOTE

  1. Act No. 21 of 2012
  2. L.N. No. 132 of 2000

Printed by the Government Printer, P.O. Box 268, Maseru 100 Lesotho