Bank of Jamaica Corporate Governance: Board Oversight

1

2 1.0 Background and Context 3 2.0 Board Expertise and Experience 5 3.0 Overseeing the Risk Governance Framework 6 4.0 Key Reports to Board 8 5.0 Managing Conflicts of Interest 9 6.0 Tone at the Top - Corporate Culture 10 7.0 Oversight of Compensation Policies 10 8.0 Assessment of Board Performance 11 APPENDIX 1 12 APPENDIX 2 13

3

1. A well-functioning banking system is critical to the achievement of sustainable economic growth and development. Deposit-taking institutions (DTIs) in Jamaica play a critical role in providing financial intermediation and payment services. The banking system is built on the trust and confidence of all its stakeholders – depositors, lenders, investors and shareholders. As a consequence, any event that results in a loss of confidence and trust can have significant implications for DTIs’ liquidity and capital positions (and therefore the ability to continue as a going concern). Loss of confidence and trust can also be a destabilizing force for financial stability and economic growth and, by extension, can negatively impact depositors.
2. The Bank of International Settlements’ Corporate Governance principles for Banks outlines that “The Board has ultimate responsibility for the bank’s business strategy and financial soundness, key personnel decisions, internal organization and governance structure and practices, and risk management and compliance obligations”.
3. Given the potentially negative impact that loss of confidence and trust can have on financial stability, the boards of DTIs must ensure that they exercise diligence and care in executing their mandate to protect the interest of the depositors and shareholders of the institution.
4. Board members individually and collectively have a duty to provide effective oversight of the DTI and to employ the utmost care and prudence in the execution of their responsibilities. Board members who fail in the execution of those responsibilities will fail the Bank of Jamaica’s fit and proper test, will be deemed unsuitable to serve in a financial institution and, as such will be debarred from serving in any relevant position in a financial institution. Further, because of the importance of DTIs to the lives and livelihood of Jamaicans, lack of proper oversight by DTIs’ boards can result in penalties, fines and civil litigation being levied against board members under relevant statutes. Specifically, Part 7 of the Banking Services Act, 2014 (BSA), requires that all directors execute sound governance of the DTI and remain fit and proper. Failure to honour these obligations constitutes a breach and will result in fines or conviction as determined by the resident magistrate as per the Seventh Schedule of the BSA. Additionally, since each director has ultimate responsibility for the DTI, failure of the institution or any of its officers to comply with any anti-money laundering, counter-terrorism financing and counter-proliferation financing constitutes a breach and can result in directors facing fines under the fixed penalty regime as per the Second Schedule of the Proceeds of Crimes Act, 2019.
5. Bank of Jamaica (“the Bank” or “BOJ”) uses a principles-based approach to assess boards and to rate board effectiveness. This assessment of boards is dynamic and commences from the onboarding of each board member in the form of a fit and proper assessment. On an ongoing basis, we assess board characteristics and effectiveness, using the risk-based methodology. Periodically, the Bank also undertakes follow-up fit and proper assessments to supplement our analysis of board members’ ongoing suitability, fitness and probity.

4 6. Accordingly, arising from ongoing supervision of licensed institutions, the Bank has found it necessary to re-iterate minimum expectations of the boards of all licensees, which must be observed while discharging their responsibilities. 7. This document will discuss some areas of governance that should be at the forefront of every board member’s mind. 8. This document is not intended to replace any provisions relating to the board of directors in the BSA, or any other relevant laws. Additionally, this document should not be taken as a comprehensive guide on what constitutes good governance. Instead, it should be used as a complement to international guidance on corporate governance in banks, and BOJ’s Standard of Best Practice for Effective Corporate Governance of Deposit-Taking Entities. It is to be noted that the Bank plans to amend the latter as part of its strategic project to strengthen the accountability framework of DTIs.

5

1. Given the critical role DTIs play in economic development and the need to protect stakeholder confidence, it is imperative that the board is comprised of members who possess the requisite expertise to ensure that risks to the institution’s safety and soundness are managed appropriately. Board members individually and collectively must have a deep understanding of the DTI’s business model, the risks the DTI faces and the opportunities for the business.
2. All boards should have a majority of independent board members with sufficient knowledge of risks inherent in banking (such as credit risks, market risks, liquidity risks, operational risks, and business model risks), as well as the mechanism to manage these risks effectively. This expertise will enable board members to have a good understanding of relevant issues and to challenge senior management where necessary.
3. With this objective in mind, the nomination committees for all board of directors must undertake a robust due diligence process for appointments to a board, to ensure that candidates are fit and proper under section 37 of the BSA before the appointments. This due diligence process must be supported by strong onboarding protocols, which allow for the transfer of the requisite information.
4. Additionally, given the dynamic evolution of the financial landscape, regulatory requirements and operating environment for DTIs, boards must have an ongoing program to assess any gaps in the knowledge and expertise of the board and that of individual members and to implement initiatives to address these gaps, for example, by appointing additional board members with the requisite expertise; training and upskilling the existing board members or hiring outside expertise. This is important in ensuring that boards remain sufficiently equipped to discharge their roles and responsibilities. KEY TAKEAWAY A DTI’s board duty of care obligation to preserve the long-term value of the DTI and to protect the interests of depositors, shareholders and the wider public should be the impetus for the board to ensure it collectively has the requisite knowledge and expertise to effectively oversee the specific business model, operations, risk profile and strategic direction of the licensee.

6

1. DTIs are required to have a strong risk management framework and internal control environment in place to effectively: (i) identify material risks which can impact its financial safety and soundness (and therefore its ability to operate as a going concern); (ii) measure and monitor these risk exposures; and (iii) implement controls to manage and mitigate these risk exposures. In satisfying this requirement, the tone must be set by the board. All boards must ensure there is an effective risk governance framework in place, characterized by the following: • A strong risk appetite statement and tolerance limits, which should be established considering the economic, competitive and regulatory landscape of Jamaica, as well as the bank’s existing business model, long-term objectives, risk exposures and ability to manage these risks (i.e. relative to the bank’s capital and liquidity). This is critical, given these tolerance limits act as guardrails within which senior management is required to operate. It is important that tolerance limits are established, considering not only prudential requirements established by the Central Bank but also the institution’s capital and liquidity position, business model and strategic direction. For example, credit exposure limits should be set higher than the minimum exposure limits established under section 59 of the BSA and be determined by each entity’s loan portfolio, strategic direction and operating environment. The risk tolerance limits must be reviewed and revised routinely to ensure they remain effective, considering changes to the institution’s operations and risk exposures which may be driven by any changes in the economic, competitive and regulatory landscape. • A comprehensive board-approved procedural framework which governs all the operations within a DTI. It should be noted that policies and procedures are effective only when they are relevant to the operations of the licensees, rather than a generic document that would amount to academic exercise or done to satisfy a regulatory or supervisory requirement. Accordingly, policies must be: (i) tailored to the business model, operations and risk profile of the licensee; and (ii) must be routinely updated to reflect changes to the business’ risk profile, operations and operating environment. For example, a bank that is entering a new market or offering a new financial service must ensure the policies and procedures are updated to capture these changes and the attendant requirements. • A strong and empowered risk management function, independent of revenue generation, with the responsibility to independently monitor, assess and advise the board on senior management’s effectiveness in managing the institution’s risk profile and to ensure compliance with the board-approved risk appetite statement and tolerance limits. Members of the risk management

7 function must remain independent from all revenue-generating activities. Whilst members may serve on revenue￾related committees such as the credit committee, their sole purpose should be to opine on risk-related matters and should therefore not be involved in approving any transactions. Appendix 1 outlines the board or designated committee’s key responsibilities, with respect to the risk management function and framework. • A strong and empowered internal audit function, independent of all operations of the institution, to provide independent assurance on the strength of the internal control environment. Internal audit must be viewed as a trusted advisor for the organization and when operating effectively, will equip the board with the necessary information to ensure that the policies and procedures the DTI has in place are appropriate to allow the company to achieve its objectives, manage and mitigate risks, take advantage of opportunities and create value for the organization. This requires the execution of a robust audit plan to ensure sufficient coverage of all areas of the institution which introduce material risks to the entity. We take this opportunity to highlight that the minimum audit cycle for each area must be established. High-risk areas must be frequently audited and the lowest-risk areas must be routinely audited. Of note, the audit cycle for any area must not exceed five years, to give the board adequate assurance that the internal control environment across all areas is operating efficiently and effectively as intended. Appendix 2 outlines the board or designated committee’s key responsibilities, with respect to the internal audit function and practices. KEY TAKEAWAY The board has ultimate and full responsibility for effective risk management in the DTI. While BOJ fully supports and recommends the establishment of specialized board committees for risk, it must be understood that risk management is not a task or commitment that can or should be delegated.

8

1. It is critical that the board of directors understand all the material risks of the DTI and how individual risks can aggregate to pose problems or create opportunities for the DTI. The board must ensure that there are effective reporting requirements in place to keep them adequately apprised of the operations of the institution, the evolution of the risk profile and the effectiveness of the executive management in overseeing the operations of the institution. We wish to highlight that: • The board must ensure that it is informed of the deliberations of its sub-committees that focus on risk, internal audit, governance and other relevant committees. Further, the board must review, deliberate and challenge the information contained in the reports from these sub-committees and evidence of this deliberation and decision-making must be documented in relevant board minutes. Therefore, it is not sufficient to circulate reports from the sub-committees for individual members to read at their convenience. • The board must ensure that mechanisms are in place for all relevant stakeholders (including the regulator, the board and its sub-committees) to have the same assessment of the affairs of the DTI. The board must prohibit scenarios that will result in material variances in the information sent to the aforementioned persons. • The board must ensure that the frequency and content of reports it receives are driven by the issues and risks being faced by the licensee at the point in time. For example, during periods of stress which could impact the viability of an institution, the frequency of board engagements must be increased and moved from quarterly to weekly, weekly to daily, etc. depending on the severity of the event. This puts the board in a position to make timely and informed decisions, commensurate with the risks or challenges facing the DTI. • The board must be informed and up￾to-date on economic developments, emerging risks and regulatory reforms to ensure that it is focused on the significant issues and is prepared to tackle them in order to preserve the long-term value of the DTI and to protect the interest of stakeholders. In this regard, the board must ensure that the reporting framework in place adequately apprises them of these developments and emerging risks.

9

1. Conflicts of interest will arise from various aspects of the operations of a bank, such as a bank entering a relationship with connected parties or affiliated companies. Conflicts of interest may also arise within the financial group to which the DTI belongs. In this regard, the board must oversee the implementation and operationalization of policies to ensure all conflicts are managed effectively and business activities are conducted on an arms-length basis.
2. The board must prioritize the financial safety and soundness of a DTI. In this regard, boards must refrain from significant cross-directorships among entities within a group or with the financial holding company, which could create a conflict between the decisions that prioritize the bank’s health and performance with that of the financial group or other subsidiaries. BOARD OVERSIGHT OF CONFLICT OF INTEREST
3. The board must ensure the interest of the DTI is always placed ahead of the interest of any related parties and in circumstances where there is uncertainty; the board should intervene to prevent the DTI’s interest from being subordinated to that of any other party.
4. The board must ensure appropriate policies and procedures are in place to guarantee that all transactions with related parties are conducted at arm’s length.
5. The board must require full transparency from all board members, senior management, and other key employees that may create an actual or perceived conflict of interest.
6. The board must ensure that appropriate mechanisms are in place to prohibit self-dealing, insider trading and any other activity that puts the interest of any person above the interests of the DTI.

10

1. DTIs are organizations of trust. Therefore, boards must ensure and promote a culture of ethical behaviour throughout the organization.
2. The board should ensure that they have appropriate systems that reward good behaviour and values of the DTI and at the same time have appropriate penalties in place to prevent deviant behaviour. Deviant behaviour such as employee fraud, employee theft, and deliberate disclosure of confidential information to unauthorized third parties can put the reputation of the DTI in disrepute and cause significant harm to the institution. Accordingly, the board must have a zero￾tolerance approach to all forms of deviant behaviour and non-compliance to the DTI’s corporate values.
3. Additionally, the board must ensure it holds senior management for promoting the corporate culture of the DTI and hold them accountable for enforcing appropriate penalties for behaviours that are contrary to the corporate culture and values of the DTI. KEY TAKEAWAY To reinforce how important the DTI’s values and ethics are to the board, the board must ensure that every job description includes explicit ethical expectations of all employees across the organization and the requirement to report instances of misconduct and non-adherence to company values.
4. The compensation policies approved by the board must prioritise the long-term interest of the DTI and should be consistent with the DTI’s risk appetite. The board must ensure that the compensation policies and compensation packages do not incentivise excessive risk￾taking and imprudent practices. Additionally, in relation, to the control functions it is important that the board routinely reviews their compensation packages to ensure that they are aligned with their effectiveness in exercising their duties and achieving their objectives, and not dependent on the performance of any business line. This approach will promote independence in the roles played by control functions and guard against conflict of interest.
5. Furthermore, when approving the compensation policies and packages for senior management and other officers, the Board must satisfy itself that appropriate measures are in place to ensure that during periods of stress or crisis, senior managers and other officers will not be receiving significant pay￾outs or bonuses.

11

1. Boards are required to periodically perform meaningful self-assessments to evaluate their effectiveness and functionality, the effectiveness of their sub-committees and directors’ skills and expertise. By acknowledging that the board holds itself responsible for its performance, self-assessments help affirm a positive tone at the top, which emphasizes accountability and integrity.
2. These self-assessments must not only be applied at the overall board level but at the sub-committee levels, as well as the individual director level.
3. It is the Bank’s expectation that after any self￾assessment of the board, there will be follow￾up on action items identified to improve performance and incorporate relevant training where necessary.

12 ESTABLISHING A STRONG RISK MANAGEMENT FRAMEWORK • Approves the mandate and budget for the risk management function and establish a compensation structure, which is not tied to revenues or profits. • Installs an independent risk management function headed by a chief risk officer, who is ascribed an appropriate senior stature and authority. • Approves the risk appetite statement and tolerance (both normal and stressed) limits. Periodic reviews are to be executed, having regard for factors such as the institution’s strategic direction, risk profile, products, and operating environment. • Reviews and approves the policy framework which guides the operations of the institution, at appropriate intervals, which is commensurate with the nature of the operating environment and risk profile of the entity. • Establishes a risk management framework that requires the routine and dynamic identification, assessment, measurement and monitoring of the key and emerging risks of the organization. This includes mandating the execution of frequent stress testing and scenario analyses, to determine the likely crystallization of these risks and their potential impact on the capital and liquidity positions of an institution. • Ensures that appropriate systems are in place to enable the risk management function’s ability to independently access information to facilitate the execution of its responsibilities. • Reviews the output of the risk management function, which should include recommended risk management strategy (e.g. manage, mitigate, or eliminate). • Deliberates on the adequacy of the reporting content and makes recommendations for improvements, having regard for the entity’s size, complexity, risk profile and strategic direction and changes in the operating environment. • Ensures the risk management function is adequately resourced (staff complement, skillset, qualifications, and experience). • Convenes frequent, scheduled and unscheduled meetings with the chief risk officer without undue influence from executive and senior management.

13 ESTABLISHING A STRONG INTERNAL AUDIT FUNCTION TO SUPPORT THE BOARD’S OVERSIGHT • Approves the appointment and removal of the chief internal auditor. • Delegates enterprise-wide responsibility for the execution of independent reviews of all aspects of an institution’s operations to the internal audit function. • Approves the function’s mandate/charter and budget and establishes a compensation structure for the audit function, which is not tied to revenues or profits. • Reviews the output of the internal audit function to inform its assessment of the quality and effectiveness of the bank’s internal control, risk management, compliance, and governance systems and processes. This should include assessments on: o effectiveness of risk management and compliance functions; o quality of reporting to the board and senior management; and o the effectiveness of the bank’s system of internal controls. • Deliberates on matters such as audit completion rate and issue resolution rate relative to established benchmarks to determine the root causes of unfavourable variances and the development of strategies to ameliorate concerns. • Approves annual audit plans which are risk￾focused and consider the risk profile of the institution and other factors such as the entity’s strategic direction and changes in the operating environment. • Establishes a tiered audit cycle that aligns the frequency of audit reviews with the assessed level of risk assigned to each auditable area/ process. • Approves the internal audit procedural document, which should prescribe guidelines for key areas such as the execution of audits (covering areas such as planning and fieldwork expectations, audit processes and methodology, reporting, and communication protocols), the rating of audit issues and issue follow-up and monitoring procedures. • Ensures the internal audit function is adequately resourced (staff complement, skillset, qualifications and experience). In determining the adequacy of resources, the audit committee should consider factors such as the audit universe and the entity’s business model. • Ensures an appropriate succession management programme is in place for the head of the function. • Convenes frequent, scheduled and unscheduled meetings with the chief internal auditor. • Requires the execution of periodic external and self-assessment of the internal audit function’s activities and practices, which should identify areas for improvement. This will, among other things, provide the board with an independent evaluation of the performance of the internal audit function.

14