2025-01-01

Prudential Standard No. 02-2025/BSSFS: Corporate Governance

The Bank Supervision, Surveillance and Financial Stability Division has issued Prudential Standard No. 02-2025/BSSFS to establish minimum corporate governance requirements for all banking and non-bank financial institutions in Zimbabwe. The standard requires boards to actively oversee strategy, integrate sustainability and environmental, social and governance (ESG) priorities into risk management, enforce strict conflict of interest controls, and maintain robust and independent risk management, compliance and internal audit functions. By clarifying directors’ statutory duties and standardising board committee structures, the revised framework strengthens accountability, supports prudent decision-making, and aligns domestic institutions with the Basel Committee, OECD and ISO 37000 governance principles.

Reserve Bank of Zimbabwe

BANK SUPERVISION, SURVEILLANCE & FINANCIAL STABILITY DIVISION

PRUDENTIAL STANDARD NO. 02-2025/BSSFS: CORPORATE GOVERNANCE

Document No.: 02-2025/BSSFS
First Issue Date: 30 September 2004
First Issue Title: Guideline No. 01-2004/BSD: Corporate Governance
Version: 2
Revised Version Title: Prudential Standard No. 02-2025/BSSFS: Corporate Governance
Date: June 2025

TABLE OF CONTENTS

  1. INTERPRETATION
  2. INTRODUCTION
  3. AUTHORITY AND SCOPE OF APPLICATION
  4. RESPONSIBILITIES OF THE BOARD & DIRECTORS’ DUTIES
    • GENERAL OVERSIGHT
    • SETTING AND OVERSEEING THE INSTITUTION’S STRATEGY
    • POLICIES AND PROCEDURES
    • SETTING CORPORATE VALUES AND STANDARDS
    • SETTING AND OVERSEEING AN INTEGRATED GOVERNANCE FRAMEWORK
    • APPOINTMENT AND OVERSIGHT OF SENIOR MANAGEMENT
    • OVERSEEING THE COMPENSATION POLICY
    • DISCLOSURE AND TRANSPARENCY
  5. APPOINTMENT OF DIRECTORS
    • BOARD QUALIFICATIONS AND COMPOSITION
    • SELECTION OF DIRECTORS AND PRINCIPAL OFFICERS
    • STATUTORY DUTIES OF DIRECTORS
  6. ORGANISATION AND FUNCTIONING OF THE BOARD
    • ROLE OF THE BOARD CHAIR
    • BOARD COMMITTEES
    • BOARD CREDIT COMMITTEE
    • LOANS REVIEW COMMITTEE
    • NOMINATION COMMITTEE
    • AUDIT COMMITTEE
    • RISK COMMITTEE
    • COMPENSATION COMMITTEE
    • COMPANY SECRETARY
  7. RISK MANAGEMENT FUNCTION
  8. COMPLIANCE FUNCTION
  9. INTERNAL AUDIT FUNCTION
  10. BOARD & DIRECTOR EVALUATION
  11. OUTSOURCING
  12. GOVERNANCE OF GROUP STRUCTURES
    • GROUP CONTROLLING COMPANY
    • BANKING SUBSIDIARY
    • SHARED SERVICES
  13. EFFECTIVE DATE
  14. FEEDBACK AND CLARIFICATIONS
  ANNEXURE ‘A’
  REFERENCES

Page 2 of 40


1. INTERPRETATION

Unless otherwise specified, terms used and defined in the Banking Act [Chapter 24:20] (“the Banking Act”) or the Microfinance Act [Chapter 24:30] (“the Microfinance Act”) shall have the meanings ascribed in the said laws. In addition, for the purposes of this Prudential Standard, the following definitions apply:

“Assurance function” or “Control function”, used interchangeably in this document, refers to those functions that have a responsibility to provide objective assessment, reporting and/or assurance, independent from business units. This includes the risk management function, the compliance function, and the internal audit function¹.

“Board” refers to the governing body of a regulated institution, made up of executive and non-executive directors (including independent non-executive directors), which has oversight over senior management and the operations of a regulated institution.

“Duty of care” refers to the duty of board members to decide and act on an informed and prudent basis with respect to the regulated institution, that is, requiring board members to approach the affairs of the regulated institution the same way that a “prudent person” would approach his or her own affairs.

“Duty of loyalty” refers to the duty of board members to act in good faith in the interest of the regulated institution. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the regulated institution and/or shareholders.

“Executive director” refers to a director who has management responsibilities within a regulated institution, in addition to their roles as members of the board.

“Independent non-executive director” shall have a meaning as defined in section 2 (4) of the Banking Act [Chapter 24:20].

“Internal control system” refers to a set of rules and controls governing the regulated institution's organisational and operational structure, including reporting processes, and functions for risk management, compliance, and internal audit.

“Non-executive director” refers to a member of the board who is not an employee of the regulated institution and who does not hold any other office in the regulated institution.

“Principal officer” refers to the chief executive officer, chief accounting officer, compliance officer, internal auditor, company secretary and other officers of a regulated institution whose appointment requires regulatory approval in terms of the Banking Act [Chapter 24:20] or Microfinance Act [Chapter 24:30].

¹ See BCBS, Corporate Governance Principles for Banks, July 2015.


“Risk appetite” refers to the aggregate level and types of risk a regulated institution is willing to assume, decided in advance and within its risk limits, to achieve its strategic objectives and business plan.²

“Risk appetite framework” refers to the overall approach, including policies, processes, controls, and systems, through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the risk appetite framework. The risk appetite framework should consider material risks to the regulated institution, as well as to its reputation vis-à-vis depositors, investors, and customers. The risk appetite framework aligns with the regulated institution's strategy.

“Risk limits” refers to the maximum amount of risk a regulated institution can assume given its capital base, risk management and control capabilities as well as regulatory constraints.

“Risk culture” is a system of shared values and norms that define appropriate attitudes and behaviours for organisational members in relation to the way the organisation assumes and manages risk. In this regard, risk culture is not separate to organisational culture but reflects the influence of organisational culture on how risks are managed.³

“Risk governance framework” refers to the overall framework through which the board and senior management establish and make decisions about the regulated institution's strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the regulated institution's strategy; and identify, measure, manage and control risks.

“Senior management” refers to the principal officers of a regulated institution and those officers who, at the highest level of management, are responsible for the day-to-day management of the institution, including officers who report directly to the Chief Executive Officer.

² See FSB, Principles for an Effective Risk Appetite Framework, November 2013.
³ See Prudential Standard No. 01-2024/BSD: Risk Management.


2. INTRODUCTION

2.1. Corporate governance refers to the processes and structures used to oversee, direct and manage the business and affairs of an institution with the objective of ensuring its safety and soundness and enhancing shareholder value.

2.2. These processes and structures clearly separate and define the specific roles, responsibilities and division of power among the board of directors, senior management and shareholders, and establish mechanisms for achieving accountability and transparency, while protecting the interests of depositors and considering the effects on other stakeholders such as creditors, employees, customers and the community. Corporate governance concerns the way the business and affairs of individual institutions are governed.

2.3. The importance of effective corporate governance is amplified in the case of deposit-taking institutions. As custodians of public funds, these institutions have a fiduciary duty to protect and manage public funds with integrity and transparency.

2.4. For their sustainability, financial institutions must exhibit impeccable integrity and professionalism in the management and conduct of their officials, in order to engender public confidence in the safety of depositors’ funds.

2.5. This Prudential Standard sets out the minimum requirements for sound corporate governance of regulated institutions. The primary objective is to ensure that these institutions are managed in a sound and prudent manner, by a competent board and senior management, exercising impartial business judgments in the best interests of the institution or group, balancing between interests of various stakeholders.

2.6. This Prudential Standard is a revision of the Corporate Governance Guideline No. 01-2004/BSD and takes into account best practice guidance on corporate governance issued by standard setting bodies such as the Basel Committee on Banking Supervision⁴, the Organisation for Economic Co-operation and Development (OECD)⁵ and the International Organization for Standardization⁶.

2.7. The Basel Committee’s widely accepted and long-established Corporate Governance Principles for Banks (2015), the OECD Principles of Corporate Governance (2023) and ISO 37000:2021 Governance of Organisations seek to assist bank supervisors in their efforts to evaluate and improve their frameworks for corporate governance, and to provide guidance for participants in governance. Annexure ‘A’ to this Prudential Standard sets out these principles of corporate governance.

2.8. This Prudential Standard takes into account amendments that have been incorporated into the Zimbabwean banking and non-banking legal framework to date.

⁴ The revised Corporate Governance Principles for Banks can be found at http://www.bis.org/bcbs/publ/d328.htm.
⁵ The OECD principles can be found at http://www.oecd.org/corporate/principles-corporate-governance.htm.
⁶ The International Organization for Standardization issued ISO 37000:2021 Governance of organisations – Guidelines.


3. AUTHORITY AND SCOPE OF APPLICATION

3.1. This Prudential Standard is issued in terms of section 4C of the Banking Act [Chapter 24:20] and section 5 of the Microfinance Act [Chapter 24:30]. It applies to all banking institutions, non-bank financial institutions and controlling companies, herein referred to as “regulated institutions”.

3.2. All regulated institutions are expected to maintain a level of corporate governance reflective of the standards set out in this Prudential Standard in a manner commensurate with the nature, size, and complexity of their operations.

4. RESPONSIBILITIES OF THE BOARD & DIRECTORS’ DUTIES

General oversight

4.1. The board of every regulated institution shall establish and maintain adequate and effective procedures of corporate governance consistent with the legal and regulatory framework and with the nature, complexity and risks inherent in the activities and business of the institution⁷.

4.2. The board should understand its oversight and corporate governance role and be able to exercise sound, objective judgment on the affairs of the institution.

4.3. An effective corporate governance framework should cover the following areas:
a) governance structure, with role clarity for the board, board committees and senior management;
b) policies and procedures;
c) compliance with the legal and regulatory framework;
d) compensation policy;
e) conduct and ethics management, including management of conflicts of interest;
f) internal controls; and
g) transparency and accountability.

4.4. The corporate governance framework should promote:
a) corporate behaviour that is universally recognised and accepted as sound and ethical;
b) board and management accountability;
c) a balance of stakeholder interests;
d) gender balance, diversity and inclusion;
e) effective management of conflicts of interest;
f) responsible conduct by the directors and principal officers of the institution;
g) an acceptable risk appetite that balances risks and opportunities;
h) the timely, accurate and meaningful disclosure of material matters;
i) board control over the strategic direction of the institution, whilst enabling its principal officers to manage its business and activities; and
j) compliance with the legal and regulatory framework.

⁷ See section 28A of the Banking Act [Chapter 24:20] and section 20B of the Microfinance Act [Chapter 24:30].

4.5. The board of a regulated institution has overall responsibility for:
a) approving and overseeing the implementation of strategy;
b) policies and procedures commensurate with the size and complexity of the business;
c) setting corporate values and ethical standards;
d) setting and overseeing an integrated governance framework;
e) the appointment and oversight of senior management;
f) overseeing the compensation policy;
g) disclosure and transparency; and
h) oversight of the assurance functions⁸.

4.6. When setting, approving and overseeing the implementation of the aspects listed above, the board should ensure that the business model and governance arrangements, including the risk management framework, take account of all risk factors, including sustainability and environmental, social and governance (ESG) risk factors.

Setting and Overseeing the Institution’s Strategy

4.7. Senior management shall be responsible for formulating the business objectives and overall strategy of a regulated institution, within the applicable legal and regulatory framework, considering its internal resources, capabilities and developments in the operating environment, as well as its exposures to risk, and ability to manage risk effectively.

4.8. The board shall oversee the implementation of the strategy to ensure that it meets the strategic objectives and expectations of the institution, as well as its ethical and compliance obligations, as approved by the board.

Policies and Procedures

4.9. The board shall ensure that there are adequate policies in place that are aimed at compliance with legal and regulatory requirements and ensuring fulfilment of the regulated institution's strategic plans.

4.10. Every regulated institution should have policies that include enterprise-wide risk management, lending and credit administration, operations and internal controls, investments or asset and liability management, treasury and foreign exchange operations, legal and corporate governance.

4.11. The corporate governance policies should cover corporate culture and values, group and organisational structure, the internal control environment, the suitability assessment procedures, the responsibilities of the institution’s board and senior management, and compensation practices⁹.

⁸ This is elaborated further in the sections of this Prudential Standard covering the Risk Management Function, Compliance Function and Internal Audit Function.

4.12. The board should ensure that these policies and processes remain commensurate with the risk profile and systemic importance of the regulated institution.

Setting Corporate Values and Standards

4.13. The board should set, adhere to and oversee the implementation of professional standards and corporate values that promote ethical and responsible professional behaviour amongst a regulated institution’s staff (including senior management and members of the board).

4.14. Every regulated institution should take all reasonable steps to demonstrate its commitment to organisational integrity by codifying its standards, acceptable conduct and ethical behaviour.

4.15. A board approved code of conduct and ethics should clearly disallow behaviour that could result in the regulated institution engaging in any improper or illegal activity and require that business be conducted in accordance with applicable laws, regulations, standards, and guidelines issued by the Reserve Bank and other relevant regulatory authorities.

4.16. Staff recruitment and appraisal systems should include ethics, professionalism, and integrity as key assessment factors.

4.17. Ethical and corporate values as well as professional behaviour should form part of on-going board and staff training programs.

4.18. Every regulated institution should have a well communicated policy setting out procedures for staff to communicate, in confidence and without the risk of reprisal, material and bona fide concerns or observations of any violations.

4.19. The board should establish and oversee the implementation and operation of effective policies to identify actual and potential conflicts of interest for the board and for the regulated institution as a whole.

4.20. The conflicts of interest policy should cover:
a) a member’s duty to avoid activities that could create conflicts of interest or the appearance of conflicts of interest;
b) a rigorous review or approval process for members to follow before they engage in certain activities (such as serving on another board), to ensure that such activity will not create a conflict of interest;
c) a board member or staff member’s duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest;
d) a board member or staff member’s responsibility to abstain from voting on any matter where the member may have a conflict of interest, or where the member’s objectivity or ability to properly fulfil their duties to the regulated institution may be otherwise compromised; and
e) the board’s approach to dealing with any non-compliance with the policy.

⁹ Bank for International Settlements, Core Principles for Effective Banking Supervision (2024), available at https://www.bis.org/bcbs/publ/d573.pdf.

4.21. The board should ensure that the institution has put in place adequate measures to prevent or manage conflicts of interest throughout the institution. Such measures may include:
a) adequate segregation of duties for staff and board committees;
b) establishing information barriers, such as the physical separation of certain departments; and
c) preventing directors, senior management and other staff members of a regulated institution who are also active outside the institution (e.g. acting as a director of another institution) from having inappropriate influence within the institution in respect of matters which have some connection with, or touch upon, their outside activities.

4.22. The board and senior management should put in place controls to prevent directors and employees from benefiting from the improper use of confidential information or otherwise from advantages offered to them which may lead to unfair, improper, or illegal behaviour.

4.23. Every regulated institution shall adopt a policy on insider trading and should have adequate procedures and systems in place to ensure compliance and report any deviations that are identified.

4.24. The board of every regulated institution should ensure that the regulated institution establishes a policy on connected or related party lending including intra-group exposures and this must comply with the prudential limits imposed from time to time¹⁰.

4.25. Board and director evaluation should consider the director’s time commitment to the business of the regulated institution and any potential conflicts of interest and where there are concerns about the ongoing suitability of a director, the board should take appropriate action.

4.26. The board of every regulated institution shall be responsible for ensuring that there is understanding and alignment of sustainability and ESG priorities throughout the institution. Sustainability and ESG must be incorporated into the institution’s purpose, governance, strategy, risk management, reporting and decision-making processes¹¹.

¹⁰ Refer to section 35 of the Banking Act [Chapter 24:20] as read with section 16 of the Banking Regulations, S.I. 205 of 2000.
¹¹ International Organization for Standardization, Governance of organisations – Guidelines (ISO 37000:2021).


Setting and overseeing an integrated governance framework

4.27. The board and senior management of a regulated institution should ensure that the institution’s structure does not hinder effective control of the institution’s or the group’s activities and corporate strategy or the ability of the Reserve Bank to effectively supervise the regulated institution(s).

4.28. The board should establish a governance structure that will ensure promotion and maintenance of effective and prudent management of the institution on a solo and, for group companies, on a consolidated basis.

4.29. Prior to setting up new structures or initiating new activities, a regulated institution should assess the structures or activities, including:
a) a full vetting of the purpose of the structures or activities;
b) identifying and assessing the risks associated with setting up the structures or activities; and
c) assessing the regulated institution’s ability to manage those risks once the structures or activities are established.

4.30. Where a regulated institution is part of a group and uses group policies or group centralised functions, the board of the regulated institution must consider all proposed group policies and centralised functions and must ensure that these give appropriate regard to the regulated institution's business and applicable specific requirements as set out in the Banking Act and Banking Regulations or Microfinance Act or other prudential standards or guidelines issued from time to time.

4.31. The board shall be responsible for the establishment of assurance functions (risk management, compliance and internal audit) that meet the following characteristics:
a) appointment and performance evaluation is done by the board or at the instance of the board;
b) independence from risk-taking functions;
c) provision of assurance to the board on compliance with board-approved policies and with the legal and regulatory framework; and
d) functional reporting to the board and administrative reporting to senior management.

4.32. The board is ultimately responsible for the institution’s risk governance framework and should ensure that the regulated institution’s risk management framework aligns with the provisions of Prudential Standard No. 01-2024/BSD: Risk Management.

4.33. The board should ensure that the institution’s risk appetite is calibrated on a periodic basis to be responsive to new business strategies and a changing market environment.

4.34. The board should set clear strategies and approve policies for the establishment of new units, branches, subsidiaries, or other legal entities within the regulated institution’s or the group’s organisational structure and should ensure that they are consistent with the policies and interests of the institution and the group.



4.35. The board should assess whether there are effective systems in place to facilitate the exchange of information among the various units within the regulated institution to effectively manage risks, and to ensure effective group oversight.

4.36. The board should ensure that it keeps itself informed on the risks posed by the group structure.

4.37. The board has the ultimate responsibility for ensuring the effectiveness of the internal control systems and procedures in place, having regard to the size, nature, and complexity of the regulated institution’s business activities¹².

4.38. The ultimate responsibility and accountability for ensuring adequate policies and procedures that are consistent with the nature, complexity and scale of the institution’s activities, and for compliance with AML/CFT/CPF laws, regulations, guidelines and directives, rests with the regulated institution’s board of directors and senior management¹³.

4.39. The board should establish and maintain a robust finance function responsible for accounting and financial data to ensure that the regulated institution’s business performance is accurately recorded and reported to the regulatory authorities, board, senior management, business lines and other stakeholders.

4.40. The Board should periodically review the effectiveness of the regulated institution’s internal control systems and procedures.

Appointment and Oversight over Senior Management

4.41. The board of a regulated institution is ultimately responsible for the appointment and removal of senior management.

4.42. In particular, the board should:
a) appoint a chief executive officer with the integrity, technical competence and experience in the business for which the institution is registered to enable him or her to administer the regulated institution’s affairs prudently and in compliance with the legal and regulatory framework;
b) oversee the appointment of other senior management and ensure that they are fit and proper to manage and supervise the regulated institution’s key business; and
c) ensure that appropriate succession plans are in place for senior management.

4.43. Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision, and their appointment must comply with the fitness and probity assessment criteria set out under the Banking Act and Prudential Standard No. 07-2014/BSD: Fitness & Probity Assessment Criteria.

¹² Refer to Guideline No. 2-2004/BSD: Minimum Internal Audit Standards in Banking Institutions.
¹³ Refer to the Guidance to Reporting Institutions on AML/CFT/CPF Obligations, Document No. 01-2025/BSSFS.


4.44. The board should ensure that there is formal documentation setting out clearly the role, responsibilities, accountability, and reporting lines of senior management.

4.45. Consistent with the direction given by the board, senior management should implement the business strategies, risk management systems, risk culture, processes and controls for managing the risks to which the institution is exposed, and is responsible for ensuring compliance with laws, regulations and board-approved policies.

4.46. Senior management should provide the board with the information necessary for the discharge of the board’s functions. In this regard, senior management should keep the board regularly and adequately informed of material matters, including:
a) changes in business strategy, risk strategy or risk appetite;
b) the institution’s performance and financial condition;
c) breaches of risk limits or compliance rules;
d) internal control failures;
e) legal or regulatory concerns; and
f) issues raised as a result of the institution’s whistleblowing procedures.

4.47. Senior management is responsible for the implementation and maintenance of effective systems of internal control as approved by the board.

4.48. In this regard, senior management should, among other things:
a) maintain an organisational structure that clearly assigns responsibility, authority and reporting relationships, and ensure that delegated responsibilities are effectively carried out;
b) develop processes and procedures at a sufficiently detailed level to identify, measure, monitor and control the risks inherent in the regulated institution’s business activities, including those arising from any new products, initiatives and operational changes;
c) set appropriate internal control policies and monitor the effectiveness of the regulated institution’s internal control systems; and
d) report to the board on the scope and performance of the regulated institution’s internal control systems.

4.49. Senior management is responsible for ensuring that the recommendations of the assurance functions are properly implemented and that the assurance functions are kept informed of any new products, developments or initiatives affecting the regulated institution to ensure that any associated risks can be identified at an early stage.

4.50. To effectively oversee the discharge of senior management’s responsibilities, the board must:
a) receive timely and accurate reports;
b) ensure that an internal control system is implemented;
c) ensure that the regulated institution takes appropriate remedial action on issues raised through the risk governance processes;
d) receive assurance on the accuracy of reports and figures, and on the effectiveness of the internal control system, risk management and compliance risk management;
e) review and approve performance objectives for senior management;
f) review and approve written standards governing the compensation of key members of senior management;
g) put in place effective systems of control to monitor senior management’s performance against the performance objectives and the assessment criteria within the compensation standards on a continuing basis;
h) oversee senior management’s implementation of the overall risk governance arrangements of the regulated institution;
i) monitor the consistency of senior management’s actions with the strategy and policies approved by the board;
j) question, and review critically, explanations and information provided by senior management, and assess whether senior management’s collective knowledge and expertise remain appropriate given the nature of the business and the regulated institution’s risk profile; and
k) ensure that senior management has access to regular training to maintain and enhance their competencies and to keep themselves updated on industry and regulatory developments relevant to their areas of responsibility.

Overseeing the Compensation Policy

4.51. The board of every institution should establish and maintain a written compensation policy and must ensure that the policy supports the risk management framework.

4.52. The board-approved compensation policy must outline the compensation objectives and the structure of the compensation arrangements, including, but not limited to, the performance-based components of compensation.

4.53. The board (or its committee) should oversee management’s implementation of the regulated institution's compensation system, including monitoring and reviewing the compensation of senior management and assessing whether the regulated institution's overall compensation policy is in line with its risk appetite, risk culture and long-term interests.

4.54. The board should also ensure that compensation and performance measures for staff in the assurance or control functions are determined independently from the performance of business overseen so that the independence of these staff members is not compromised.

4.55. All performance-based components of compensation arrangements must include:
  a) assessment of financial and non-financial risks that could materially impact the institution’s risk profile, sustainable performance and long-term soundness;
  b) payout schedules that are commensurate with the possible range of risk and performance outcomes and that are sensitive to the time horizon of risk; and
  c) appropriate variable remuneration adjustment tools, including the ability of the Board to override compensation decisions, in-period adjustments and possible clawback.

4.56. The compensation policy’s performance-based components must be designed to encourage behaviour that supports the institution’s long-term financial soundness and the risk governance framework of the institution.

4.57. The performance-based components of compensation must be designed to align compensation with prudent risk-taking.

4.58. The compensation policy must form part of an institution’s risk governance framework.

Disclosure and Transparency

4.59. The board of every regulated institution should ensure that the governance framework facilitates adequate disclosures to the institution’s shareholders, depositors, other relevant stakeholders and market participants.

4.60. Every regulated institution shall establish and maintain a board-approved disclosure policy addressing the institution’s approach for determining the content, appropriateness and frequency of the disclosure required and the internal controls over the disclosure process.

4.61. At a minimum, regulated institutions should comply with disclosure requirements spelt out under the Banking Regulations S. I. 205 of 2000 under Guideline No. 01-2008/BSD: Minimum Disclosure Requirements for Financial Institutions.



5. APPOINTMENT OF DIRECTORS

Board Qualifications and Composition

5.1. The qualifications and disqualifications for board members outlined under the Banking Act [Chapter 24:20] and Microfinance Act [Chapter 24:30] as read with the Prudential Standard No. 07-2014/BSD Fitness & Probity Assessment Criteria, shall apply for all proposed appointments to the boards of regulated institutions.

5.2. The board of every regulated institution shall consist of directors¹⁴ with:
  a) the requisite range of competence (relevant knowledge and understanding, skills, experience and approach);
  b) diversity of perspectives and inclusion. This should encompass a broad range of dimensions, including knowledge, professional experience, gender, age, disability and ethnicity;
  c) independence;
  d) probity; and
  e) commitment.

5.3. A board member shall have a minimum qualification of a relevant diploma/degree or experience and general understanding of the business and economic environment.

5.4. All members of the board must be fit and proper persons¹⁵ with the necessary skill and experience to discharge their function in the best interest of the regulated institution and to maintain oversight of the issues of strategy, performance and resources, including standards of conduct within the regulated institution.

5.5. Not fewer than two (at least Chief Executive Officer and Chief Accounting Officer) and not more than two-fifths of the directors of a regulated institution shall be officers or employees of the institution or company and, of the remainder, the majority shall be non-executive and independent.

5.6. The board shall put in place a documented policy with a description of the necessary competencies and skills required to ensure required expertise, having regard to the fitness and probity criteria in the legal and regulatory framework prescribed from time to time.

5.7. The board shall include a statement in the regulated institution's half-year and year-end financial statements regarding the assessment of the independence of the non-executive directors.

5.8. The board shall have an adequate number and appropriate composition of members in line with requirements of the Banking Act and Microfinance Act to ensure sufficient independence, and collective expertise for effective, objective decision-making, in view of the size, complexity and risk profile of the regulated institution and the nature and scope of its activities.

¹⁴ The Banking Act [Chapter 24:20] and the Microfinance Act [Chapter 24:30] prescribe the minimum number of directors for banking institutions and microfinance institutions.
¹⁵ Appointments must follow prior regulatory approval in terms of the Banking Act or Microfinance Act and the Prudential Standard No. 07-2014/BSD Fitness & Probity Assessment.

Selection of Directors and Principal Officers

5.9. The board, or its nomination committee, should identify, assess, and select qualified and experienced candidates for appointment as members of the board.

5.10. The board should satisfy itself that a candidate for appointment is a fit and proper person for such appointment¹⁶, taking into account their experience, competence, skills, track record and independence of mind (particularly in the case of non-executive directors and independent non-executive directors).

5.11. Board candidates should not have any conflict of interest that may impede their ability to perform their duties independently and objectively or subject them to undue influence from:
  a) personal, professional or other economic relationships with other members of the board or senior management (or with other entities within the group), or with other persons including shareholders; or
  b) relationships arising from or connected to past or present positions held.

5.12. No person may be appointed as a director of a regulated institution if:
  a) the person is disqualified in terms of the Banking Act or Microfinance Act or prudential standards issued by the Reserve Bank from time to time; or
  b) the person was, or is, a director of the audit company or a member or partner of the audit firm from which an external auditor is responsible for the audit of the regulated institution in the previous three (3) years; and
  c) there is already another person employed as a director or principal officer of the regulated institution who was a director of the audit company or a member of the audit firm, at a time when an external auditor from the audit company or audit firm undertook an audit of the regulated institution at any time during the previous two years.

5.13. Other factors which must be considered in assessing the time commitment and potential conflicts of interest of a candidate for appointment as director or principal officer include, but are not limited to, the following:
  a) the number of directorships (maximum of 4 for non-executive directors, maximum of 3 for executive directors) and other appointments held outside the regulated institution;
  b) the size and nature of the entities to which the outside mandates relate (e.g. whether it is a regulated/listed/private company, public body, charity or non-profit organisation, and whether it has active, sizable and complex business operations or is purely for holding assets);
  c) the nature of the outside mandates held (e.g. executive/non-executive, and full-time/part-time employment);
  d) the time commitment required of the outside mandates held (e.g. chairing a board or board committee); and
  e) the business nature of the entities to which the outside mandates relate and the relationship between the entities and the regulated institution.

¹⁶ The Prudential Standard No. 07-2014/BSD Fitness & Probity Assessment Criteria sets out the fitness and probity assessment criteria providing guidance in the board member selection process.

5.14. All alternate directors should obtain regulatory approval prior to appointment.

Statutory Duties of Directors

5.15. Each director and principal officer of a regulated institution owes a fiduciary duty and a duty of care and skill to the institution or company and owes a duty¹⁷ to:
  a) act bona fide for the benefit of the institution and for the benefit of its depositors and shareholders and other stakeholders and on an informed and prudent basis, in accordance with applicable laws, regulations and supervisory standards;
  b) avoid any conflict between one’s personal interests and the interests of the institution or company and its depositors and shareholders;
  c) possess and maintain the knowledge and skill that may reasonably be expected of a person holding a similar appointment and carrying out similar functions as those that he or she carries out; and
  d) exercise such care in the carrying out of one’s functions as may reasonably be expected of a diligent person who holds the same appointment under similar circumstances, and who possesses both the knowledge and skill mentioned in paragraph (c) and any additional knowledge and skill that one may have.

5.16. No executive director or principal officer of a regulated institution shall hold any executive position in another regulated institution.

5.17. A director who fails, without just cause, to attend at least three-quarters of the meetings of the board that are convened during any period of a year shall be regarded as not having exercised the degree of diligence required of him or her under the Banking Act and the Microfinance Act.

5.18. In addition to anything contained under the Companies & Other Business Entities Act [Chapter 24:31], where a regulated institution has been placed under curatorship or judicial management or has been wound up, and it is established that the business of the institution or company has been carried on without regard for the prudential norms and standards and other requirements provided for under the Banking Act, personal civil and criminal liability shall attach to responsible directors and principal officers.

¹⁷ Section 20A of the Banking Act [Chapter 24:20] and section 20A of the Microfinance Act [Chapter 24:30] set out the prescribed responsibilities and conduct of directors and principal officers of regulated institutions.


5.19. The members of the board shall exercise their “duty of care” and “duty of loyalty” to the regulated institution under laws and supervisory standards and uphold high ethical standards.

5.20. When considering an appointment/re-appointment, the board should satisfy itself that the candidate is able to commit sufficient time, and attention to fulfil their responsibilities effectively, particularly if the candidate has a seat on other boards or undertakes other professional or commercial activities.

5.21. Given the important role and responsibility of the chair of the board, a greater time commitment should be expected of the person appointed to be the chair.

6. ORGANISATION AND FUNCTIONING OF THE BOARD

6.1. The board shall be led by a chair appointed in terms of the regulated institution’s constitutive documents and in compliance with the legal framework governing the institution.

6.2. The board of every regulated institution shall discharge its functions through decisions of the board and through committees of the board to whom it may delegate its authority.

6.3. The board may delegate authority to senior management to act on its behalf with respect to certain matters, as decided by the board. This delegation of authority must be set out clearly in a formal delegation document.

6.4. The board must have an effective process in place for monitoring how any delegated authority is used in practice. The delegation of any authority or responsibility of the board shall in no way abrogate the board’s oversight responsibility.

6.5. The board must have a formal charter that sets out the roles and responsibilities of the board, including the board’s organisation, committees, mandate and key activities, and the working procedures of meetings.

6.6. The Board should also put in place a formal policy on board renewal as part of the risk governance framework. This policy must provide details of how the Board will renew itself to remain open to new ideas and independent thinking, albeit retaining adequate expertise. The policy must consider whether directors have served for a period that could, or could reasonably be perceived to, materially interfere with their ability to maintain independence of thought.

6.7. These practices and procedures should support the efficacy of the board’s work, particularly in facilitating and ensuring a sufficient in-depth review of the matters to be considered, and robust, critical challenge and discussion of issues.

6.8. The board should periodically review its governance procedures and practices, determine where improvements may be needed, and make any necessary changes.



Role of the Board Chair

6.9. The chair of the board shall provide leadership to the board and be responsible for the overall effective functioning of the board.

6.10. The chair of every regulated institution shall be an independent non-executive director.

6.11. The chair shall possess the requisite experience, competencies, and personal qualities to fulfil the responsibilities of a board chair.

6.12. The responsibilities of the chair of every regulated institution shall include:
  a) ensuring that board decisions are taken on a sound and well-informed basis and in the best interest of the regulated institution;
  b) setting the agenda for board meetings and ensuring that all directors are given an opportunity to include matters on the agenda;
  c) ensuring that directors receive accurate, timely, complete and clear information sufficiently in advance of board meetings;
  d) encouraging and promoting open and critical discussion in board meetings;
  e) ensuring that any concerns and dissenting views can be freely expressed and discussed within the decision-making process;
  f) encouraging constructive relations and effective communication between the board and senior management, and among executive directors, non-executive directors and independent non-executive directors;
  g) ensuring that directors have access to independent professional advice at the institution's expense where they deem it necessary to discharge their responsibilities;
  h) dedicating sufficient time to the exercise of one’s responsibilities; and
  i) ensuring that the board chair and directors are available to meet with the Reserve Bank prudential supervisors upon request.

Board Committees

6.13. While the board is ultimately responsible for the conduct of a regulated institution’s affairs, it may delegate oversight of certain major functional areas, including sustainability and ESG related matters, to dedicated committees of the board.

6.14. To ensure the effectiveness of delegation (which promotes trust, accountability and transparency), the following conditions must be fulfilled:
  a) each committee must have terms of reference outlining its mandate, responsibilities, membership, meeting frequency and working procedures (including how the committee will report to the board and the tenure limit for members serving on the committee);
  b) required resources must be made available;
  c) authority must match the level of responsibility; and
  d) the charter should be regularly reviewed and updated appropriately.

6.15. The board should appoint members to such dedicated committees with the goal of achieving an optimal mix of skills and experience that, in combination, allows the committees to fully understand, and objectively evaluate the relevant issues which they will need to consider and address.

6.16. To achieve the required objectivity, the committees should have in their membership enough independent non-executive directors and be chaired by an independent non-executive director.

6.17. To ensure effective operation of the board as a whole, there must be regular, transparent and robust communication and information sharing between the board and its committees, and between committees where appropriate.

6.18. For credit-only microfinance institutions, non-executive directors may be appointed in the absence of a sufficient number of independent non-executive directors.

6.19. To avoid undue concentration of power, the board should ensure rotation of members and of the chairpersons of board committees.

6.20. Each committee should maintain appropriate records of its deliberations and decisions and report regularly to the board on its decisions and recommendations.

6.21. Every regulated institution is required to establish the following board committees:
  a) Loans Review Committee;
  b) Credit Committee;
  c) Audit Committee;
  d) Risk Committee;
  e) Nominations Committee; and
  f) Compensation Committee.

6.22. The committees responsible for loans review, risk, credit or audit should be standalone and not combined with any other.

6.23. In line with the principle of segregation of duties, directors that are members of risk-taking function committees (Credit, Assets and Liabilities Committee (ALCO), Executive Committee (EXCO)) should not be part of risk oversight function committees (Audit, Loans Review, Risk, Compliance).

6.24. In addition, the board of a regulated institution should establish other committees as necessary to manage different areas of a regulated institution's business operations and risk management.

6.25. For a credit-only microfinance institution with a relatively small and simple business operation and low risk profile, approval of the Registrar may be granted for its board:
  a) to rely on the audit committee of the controlling company; and
  b) to rely on other committees of the controlling company; or
  c) not to establish such committees as long as the board can dedicate sufficient time and resources to carry out its responsibilities in the relevant specific area(s).



6.26. Board committees should be free to seek independent external professional advice as and when necessary.

Board Credit Committee

6.27. A credit committee assumes credit risk-taking responsibilities of the board and may include executive directors.

6.28. The primary responsibilities of the Board Credit Committee shall be to:
  a) review and oversee the credit policy of the regulated institution;
  b) deliberate on and consider loan applications beyond the discretionary limits of the executive credit committee;
  c) review lending by the senior management or executive credit committee;
  d) ensure that there are adequate procedures and resources available to the credit risk management function of the regulated institution to identify and manage irregular problem credits, minimise credit loss and maximise recoveries;
  e) provide oversight of all issues that may materially impact on the present and future quality of the institution's credit risk management; and
  f) delegate and review lending limits to the sanctioning arms of the regulated institution.

Loans Review Committee

6.29. The Loans Review Committee should be composed of non-executive board members who are not responsible for credit sanctioning.

6.30. The primary responsibilities of the Loans Review Committee shall be to assist the board with discharging its responsibility to review the quality of the regulated institution's loan portfolio and credit risk management.

6.31. The responsibility of the Loans Review Committee falls into the following main areas, namely:
  a) to ensure the conformity of the loan portfolio and credit function to a sound credit policy which is documented, approved and adopted by the board;
  b) to ensure the conformity of the loan portfolio and/or assumed credit risk to risk limits and approvals by the board;
  c) to ensure that the credit policy and risk lending limits are reviewed at least on an annual basis and as and when the environment so dictates; and
  d) to ensure that the regulated institution's potential and specific bad debts are adequately provided for.



Nomination Committee

6.32. The majority of Nomination Committee members (including the chair) should be independent non-executive directors.

6.33. Members of a governance or nomination committee should have, collectively and individually, appropriate knowledge, skills and expertise about the selection process and the fitness and probity requirements applicable to appointment of board members and principal officers of regulated institutions.

6.34. The key objectives of the Nomination Committee include the following:
  a) identifying individuals suitably qualified to become members of the board or of senior management, and selecting, or making recommendations to the board on the selection of, individuals nominated for directorships and senior management positions (based on the role and its responsibilities and the knowledge, experience, skills and competence which the role requires); and
  b) making recommendations to the board on the appointment or re-appointment of directors and succession planning for directors, the chair and executive directors.

6.35. The Nomination Committee should also undertake board performance evaluation to assist the board in reviewing the efficiency and effectiveness of the functioning of the board.

6.36. The Nomination Committee should ensure objectivity and independence in the selection process for board members and senior management.

Audit Committee

6.37. The Audit Committee should be composed of non-executive board members¹⁸, the majority of whom should be independent non-executive directors.

6.38. The Audit Committee members should have adequate collective experience in audit practices, financial reporting and accounting and should possess a collective balance of skills and expertise which is commensurate with the complexity of the regulated institution, its business and risk profile, to ensure it is able to discharge its responsibilities effectively.

6.39. To ensure independence, the chair of the Audit Committee should not be the chair of the board or of any other committee.

6.40. Where necessary, the Audit Committee should have access to external expert advice at the institution’s expense.

6.41. The Audit Committee’s primary responsibilities are detailed in section 40 of the Banking Act [Chapter 24:20].

6.42. The external and internal auditors of a regulated institution should have free access to the Audit Committee. The auditors should be allowed to attend and be heard at any meeting of the Audit Committee. Upon the request of the auditors, the chair of the Audit Committee should convene a meeting to consider any matter that the auditors believe should be brought to the attention of directors or shareholders.

¹⁸ Section 40 of the Banking Act [Chapter 24:20].

6.43. The Audit Committee is required to provide prior endorsement for the appointment or removal of the institution's external auditor and internal auditor.

6.44. Where the external auditor or internal auditor is removed from their position, the reasons for removal must be communicated to the Reserve Bank as soon as practicable, and no more than 10 business days, after the committee’s endorsement of the termination of engagement.

6.45. The Audit Committee shall review the engagement of the external auditor at least annually, including assessing whether the external auditor meets the audit independence tests.

6.46. As part of the process of ascertaining the independence of the external auditor, a regulated institution must obtain a declaration from the external auditor to the effect that:
  a) the auditor is independent, both in appearance and in fact;
  b) the auditor has no conflict-of-interest situation; and
  c) there is nothing to the auditor's knowledge (either in relation to the individual auditor or any audit firm or audit company of which the auditor is a member or director) that could compromise that independence.

6.47. For the purposes of this Prudential Standard, a conflict-of-interest situation exists in relation to a regulated institution at a particular time if, because of circumstances that exist at that time:
  a) the external auditor is not capable of exercising objective and impartial judgement in relation to the conduct of the work that is undertaken for the institution; or
  b) a reasonable person, with full knowledge of all relevant facts and circumstances, would conclude that the auditor is not capable of exercising objective and impartial judgement in relation to undertaking the work for the institution.

Risk Committee

6.48. The majority of the members of the Risk Committee shall be independent non-executive directors. They should individually and collectively possess relevant technical expertise and experience in risk management and control practices that are adequate to enable them to discharge their responsibilities effectively.

6.49. The Risk Committee should be chaired by an independent non-executive director with expertise in risk management, accounting, banking or another relevant area of the financial industry.

6.50. The chair of the Risk Committee should not be the chair of the board.



6.51. The Risk Committee’s primary responsibilities are detailed in the Banking Act and Microfinance Act as read with Prudential Standard No. 01-2024/BSD: Risk Management.

6.52. Where the Chief Risk Officer is removed from their position, the reasons for removal must be communicated to the Reserve Bank as soon as practicable, and no more than ten (10) business days, after the committee’s endorsement or consideration of the matter.

6.53. The committee shall have access to any information it may require in fulfilling its responsibilities. It must have free and unfettered access to senior management and assurance function personnel.

6.54. The Risk Committee should collaborate with other board committees whose activities may have an impact on the institution’s risk strategy (e.g. audit and remuneration committees) and regularly communicate with the institution’s internal control functions.

Compensation Committee

6.55. The Compensation Committee shall be composed of at least three non-executive directors and chaired by an independent non-executive director.

6.56. The Compensation Committee shall assist the board in the design and operation of the institution’s compensation system, and make recommendations to the board in respect of compensation policy and related corporate practices, including:
  a) the compensation packages for the regulated institution’s senior management and principal officers in cases where the approval authority for such compensation packages rests solely with the board;
  b) ensuring that compensation is appropriate and consistent with the institution’s culture, long-term business and risk appetite, performance and control environment, as well as with any legal or regulatory requirements;
  c) reviewing and approving performance objectives for senior management;
  d) working closely with other relevant committees of the institution’s board, such as the risk committee and the audit committee, and consulting with the institution’s compliance function in evaluating incentives created by the compensation system; and
  e) conducting regular reviews of, and making recommendations to the Board on, the Compensation Policy.



Company Secretary

6.57. The company secretary shall be a principal officer whose appointment requires regulatory approval in terms of the Banking Act [Chapter 24:20] or Microfinance Act [Chapter 24:30].

6.58. The company secretary may be a registered legal practitioner, chartered/public accountant, chartered secretary or as may be prescribed. The company secretary must have knowledge of the statutory requirements of companies and be suitably qualified.

6.59. The board should be cognisant of the statutory duties imposed upon the company secretary and should empower the company secretary accordingly to enable him/her to fulfil those duties.

6.60. The duties of the company secretary shall be as spelt out under the Companies & Other Business Entities Act [Chapter 24:31].

Board Meetings

6.61. Meetings of the board of every regulated institution must be held as and when necessary to discharge the board’s responsibilities but, in any event, no less than once every quarter.

6.62. The board should ensure that it receives timely and accurate reports from senior management, board committees including assurance on the accuracy of reports and figures, effectiveness of the internal control system, risk management and compliance risk management to enable its members to effectively fulfil board and director responsibilities.

6.63. Written minutes of the board and its committee meetings, covering matters reviewed, discussions on key deliberations, decisions taken and dissenting opinions, must be taken and copies, including any papers or submissions put to the board or board committee, must likewise be kept, and made available to the Reserve Bank on request.



7. RISK MANAGEMENT FUNCTION

7.1. The board of every regulated institution shall establish a risk management function with sufficient authority, stature, independence, resources, and access to the board.

7.2. In particular, the regulated institution should have an independent risk management function, under the direction of a Chief Risk Officer (CRO), to oversee risk-taking activities and the institution’s adherence to the Banking Act [Chapter 24:20] or the Microfinance Act [Chapter 24:30] and other specific minimum risk management guidelines or prudential standards issued by the Reserve Bank from time to time.

7.3. The risk management function is a key component of a regulated institution’s second line of defence for managing risks.

7.4. The CRO’s primary responsibilities are detailed under the Prudential Standard No. 01-2024/BSD: Risk Management.

7.5. The risk management function is responsible for assisting the Board and senior management of the regulated institution to maintain a sound risk management framework.

7.6. The risk management function must:
a) be appropriate to the size, business mix and complexity of the institution;
b) be operationally independent from revenue generation or risk-taking activities;
c) have the necessary authority and reporting lines to the Board and senior management of the regulated institution to conduct its risk management activities in an effective and independent manner;
d) have a sufficient number of employees who possess the requisite experience and qualifications, including:
(i) market and product knowledge as well as command of risk disciplines; and
(ii) the ability and willingness to effectively challenge business operations regarding any aspects of risk arising from the regulated institution’s activities;
e) have access to all areas of the regulated institution that have the potential to generate material risk or present opportunities; and
f) notify the board of any significant breaches or material deviation from the risk management framework.



8. COMPLIANCE FUNCTION

8.1. Every regulated institution must have an independent and adequately resourced compliance function headed by an executive or member of senior management (the Chief Compliance Officer), with overall responsibility for coordinating the identification and management of the regulated institution’s compliance risk.

8.2. The overall role of the compliance function is to ensure that a regulated institution operates with integrity and complies with applicable laws, regulations, and internal policies.

8.3. The Chief Compliance Officer may be designated as the Compliance Officer required to be appointed in terms of the Money Laundering & Proceeds of Crime Act [Chapter 09:24] as read with the Guidelines and Directives issued in terms of the Money Laundering & Proceeds of Crime Act.

8.4. The Banking Act [Chapter 24:20] and the Microfinance Act [Chapter 24:30] prescribe the statutory duties of compliance officers as identifying, assessing, monitoring, and advising the board on compliance risk; and advising the board on ways to comply with all applicable laws, codes of conduct and standards of good practice, and assisting the board in complying with them.

8.5. The appointment, performance evaluation and termination of employment of a Chief Compliance Officer shall vest in the board or a committee of the board, to whom the Chief Compliance Officer shall report functionally on a periodic basis.

8.6. The compliance function should be independent¹⁹, that is, it should:
a) have a formal status that gives it the appropriate authority, standing and independence within the regulated institution;
b) be bestowed with overall responsibility for coordinating the management of the regulated institution’s compliance risk;
c) not be placed in a position where there is a possible conflict of interest between compliance responsibilities and any other responsibilities its staff may have;
d) have staff with access to the information and personnel necessary to carry out their responsibilities; and
e) have the resources to carry out its responsibilities effectively.

8.7. Where the Chief Compliance Officer is removed from their position, the reasons for removal must be communicated to the Reserve Bank as soon as practicable, and in any event no more than ten (10) business days after the board’s or board committee’s endorsement or consideration of the matter.

8.8. The compliance function should have the necessary qualifications, experience, and professional qualities to enable discharge of its duties.

8.9. The operation of the compliance function must be governed by a board approved compliance policy that at a minimum addresses the following:
a) responsibilities of the compliance function;
b) measures to ensure independence of the compliance function;
c) the relationship between the compliance function and other control functions within the regulated institution;
d) the right of the compliance function to obtain access to information necessary to carry out its responsibilities, and the corresponding duty of business units to co-operate in supplying requested information;
e) the right of the compliance function to conduct investigations of possible breaches of the compliance policy; and
f) the obligation of the compliance function to disclose its findings to senior management, and its right of direct access to the board or a committee of the board without fear of retaliation or disfavour from senior management.

¹⁹ See also BCBS Compliance and the compliance function, April 2005.

8.10. Senior management must:
a) ensure day-to-day effective management of a regulated institution’s compliance risk;
b) establish and communicate a compliance policy, ensure that it is observed, and report to the board of directors on the management of the regulated institution’s compliance risk; and
c) take the necessary measures to ensure that the regulated institution can rely on a permanent and effective compliance function.

8.11. A risk-based compliance programme should be put in place setting out planned activities to ensure appropriate coverage across businesses and co-ordination among risk management functions.

8.12. The compliance programmes should consider the money laundering, terrorist financing and proliferation financing risks and size of the regulated institution as required under the AML/CFT/CPF Guideline No. 01-2025/BSSFS.

8.13. The scope and breadth of the activities of the compliance function should be subject to periodic review by other control functions.

9. INTERNAL AUDIT FUNCTION

9.1. Every regulated institution must have an independent and adequately resourced internal audit function, headed by a Chief Internal Auditor.

9.2. The Chief Internal Auditor should be independent of the audited activities, with sufficient standing and authority within the regulated institution.

9.3. The Chief Internal Auditor shall be responsible for coordinating internal audit function operations, ensuring that the function complies with sound internal auditing standards and that personnel of the internal audit function receive appropriate ongoing training.

9.4. The responsibilities of the internal audit function should include an independent review of the following:
a) the appropriateness of the institution’s governance framework;
b) whether existing policies and procedures remain adequate and comply with legal and regulatory requirements and with the risk strategy and risk appetite of the institution;
c) whether the procedures are correctly and effectively implemented (e.g. compliance of transactions, the level of risk effectively incurred, etc.);
d) the adequacy, quality and effectiveness of the controls performed, and the reporting done by the risk management and compliance functions;
e) the integrity, accuracy, comprehensiveness and timeliness of financial and management information (including information for regulatory reporting);
f) the integrity and reliability of all management information systems for internal and regulatory reporting;
g) the accuracy of accounting records and financial reports; and
h) the efficiency of operations and the effectiveness of the systems and processes for risk management and control throughout the regulated institution.

9.5. The appointment, performance evaluation and termination of employment of a Chief Internal Auditor shall vest in the board or the Audit Committee, to whom the Chief Internal Auditor shall report functionally on a periodic basis. Where the Chief Internal Auditor is removed from their position, the reasons for removal must be communicated to the Reserve Bank as soon as practicable, and in any event no more than ten (10) business days after the committee’s endorsement or consideration of the matter.

9.6. Internal audit personnel should possess professional competence, including relevant knowledge and experience pertinent to the discharge of the internal audit function’s responsibilities.

9.7. Internal auditors, collectively, should be competent to examine all areas in which the regulated institution operates.

9.8. Internal audit function personnel should be free from conditions that threaten the ability to carry out internal audit responsibilities in an unbiased manner. They must be able to maintain an unbiased mental attitude that allows them to discharge their duties without compromise. The requirement for objectivity demands that internal auditors do not subordinate their judgement on audit matters to others.

9.9. To fulfil its functions, the internal audit function must at all times have unfettered access to the institution’s business lines and support functions.

9.10. The Reserve Bank may approve alternative arrangements for microfinance institutions where it is satisfied that, having regard to the size of the regulated institution, the nature of its activities and alternative arrangements put in place, the internal audit function would be discharged effectively.

9.11. When outsourcing arrangements are in place with the Reserve Bank’s prior approval, it is the responsibility of the board to maintain adequate oversight and to ensure that the use of experts does not compromise the independence and objectivity of the internal audit function.



10. BOARD & DIRECTOR EVALUATION

10.1. The board of every regulated institution must develop and competently use appropriate criteria for performance reviews that will indicate effectiveness of the board and governance arrangements, as well as progress towards fulfilment of the institution’s purpose within set targets and limits in line with the Reserve Bank Board and Director Evaluation Framework.

10.2. The board may delegate the board and director evaluation process to a committee that is responsible for governance.

10.3. Procedures for assessing, regularly and at least annually, the board, board members and board committees’ performance relative to respective objectives must be in place. Such review shall be by means of peer review and self-evaluation of the board, its committees, and the contribution of each director, including the chair.

10.4. The board should:
a) periodically review its structure, size, and composition, as well as that of its specialised committees and the coordination between them;
b) determine if the board or its committees collectively lack any skills or expertise to discharge their responsibilities effectively, and put in place measures for enhancing effectiveness; and
c) review the effectiveness of its governance practices and procedures, determine any improvements that may be needed, and make any necessary changes.

10.5. At a minimum, the evaluation should assess effectiveness of the board relative to its responsibilities, board strategy and effectiveness (including against objectives related to socially responsible behaviour), board structure and committees, chairpersons, and individual directors’ performance.

10.6. The ongoing suitability of each board member should be assessed by the board at least annually, considering the member’s performance during meetings of the board and, where relevant, its specialised committees.

10.7. To enhance the objectivity of the evaluation process, the board may draw on independent professionals to assess the adequacy of its effectiveness and efficiency.

10.8. Where the performance of individual board members does not meet expectations or there is serious concern on a member’s integrity, the board should take timely and appropriate action, including seeking the resignation of the director concerned and the appointment of new members.

10.9. More importantly, the board should continuously improve its collective competencies regarding the institution’s activities, legal and regulatory requirements, and the institution’s context, thereby ensuring a continually improving governance environment.

10.10. The chair of the board shall submit a report to the Reserve Bank, ninety days after the year end, on the board and director evaluations and effectiveness.



11. OUTSOURCING

11.1. The board should ensure that arrangements for any outsourcing of material business activities by the regulated institution are made within a board approved policy, that the policy is regularly reviewed and updated to comply with legal and regulatory requirements, and that appropriate changes are implemented in a timely manner.

11.2. A ‘material business activity’ is one that has the potential, if disrupted, to have a significant impact on the regulated institution’s business operations or its ability to manage risks effectively. The internal audit function and the risk management function are material business activities.

11.3. The outsourcing policy should consider the impact of outsourcing on an institution’s business and the associated risks, such as operational, legal, reputational and concentration risk, and, in relation to the assessment of potential outsourcing activities, have regard to:
a) the financial and operational impact of a failure of the service provider to perform over a given period of time;
b) the cost of the outsourcing arrangement as a share of total costs;
c) the degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house;
d) the ability of the regulated institution to meet regulatory requirements if there are problems with the service provider;
e) potential losses to the regulated institution’s customers and other affected parties in the event of a service provider failure; and
f) affiliation or other relationship between the regulated institution or group and the service provider.

11.4. An outsourcing policy should include the reporting and monitoring arrangements to be implemented.

11.5. A regulated institution remains fully responsible for all outsourced services and activities and management decisions arising from them and as such, the outsourcing policy should make it clear that outsourcing does not relieve the institution of its regulatory obligations and its responsibilities to its customers.

11.6. The board should ensure that outsourcing arrangements do not hinder effective supervision of the regulated institution and do not contravene any supervisory restrictions on services and activities.



12. GOVERNANCE OF GROUP STRUCTURES

12.1. The board of directors of a regulated institution and its controlling company shall be distinctly separate, with separate chairpersons. For the avoidance of doubt, the board of the holding company must not be the same as that of the bank or subsidiary.

Group Controlling Company

12.2. Where a regulated institution is part of a group, the controlling company’s board should ensure that there are governance strategies and governance policies and procedures in place, commensurate with the structure, business and risks of the group and its subsidiaries or affiliates.

12.3. Shareholders of regulated institutions shall jointly and severally protect, preserve, and actively exercise the authority of the institution in general meetings. They have a duty, jointly and severally, to exercise that authority in line with the laws that govern regulated institutions to:
a) ensure that only competent and reliable persons who can add value to the regulated institution are elected or appointed to the board of directors; and
b) ensure that the board of directors is constantly held accountable and responsible for the efficient and effective governance of the regulated institution.

12.4. The regulated institution’s capital adequacy, liquidity and risk exposures should be overseen by the board, and the board should be aware of the material risks and issues that may affect the institution and its subsidiaries.

12.5. The board should therefore exercise adequate oversight over the activities of the subsidiaries while respecting the independent legal and governance responsibilities that apply to subsidiary boards.

12.6. The board of the regulated institution should ensure that enough resources are available for each subsidiary to meet group standards and its entity specific corporate governance requirements.

12.7. To fulfil its corporate governance responsibilities, the board of every regulated institution should, among other things:
a) establish a group structure and a corporate governance framework with clearly defined roles and responsibilities, including at the parent company level and at the subsidiary level as appropriate based on the complexity and significance of the subsidiary and considering applicable legal or regulatory requirements;
b) define an appropriate subsidiary board and senior management structure which considers the material risks to which the group, its businesses and its subsidiaries are exposed and applicable legal or regulatory requirements;
c) assess whether the group’s corporate governance framework includes adequate policies, processes, and controls and whether it sufficiently addresses risk management across the businesses and legal entity structures within the group;
d) ensure the group’s corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest;
e) put in place a policy on intra-group exposures;
f) have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements;
g) maintain an effective relationship with both the home regulator and, through the subsidiary board or direct contact, with the regulators of all subsidiaries; and
h) establish effective internal audit, compliance, and risk functions that ensure independent reviews are being performed at the subsidiary level (either within the subsidiary or for the subsidiary), and for parts of the group (where necessary), as well as at the group level.

12.8. The controlling company should ensure that the different group entities (including the controlling company itself) receive adequate information to get a clear perception of the general objectives, strategies, and risk profile of the group and how the institutions are embedded in the group’s structure and operational functioning.

12.9. The board of the controlling company should keep itself informed about the risks the group’s structure faces, and should receive: a) information on major