2014-07-01

Update No. 15 of Circular No. 263 of 27 December 2006: Internal Controls, Information Systems, and Operational Continuity

The Bank of Italy issued the 15th update to Circular No. 263, introducing comprehensive new rules for internal controls, information systems, and operational continuity for banks. The regulation mandates enhanced governance structures, strict oversight of outsourcing activities, and specific security standards for internet payments, while establishing clear timelines for compliance. Banks are required to submit a gap analysis and details of existing outsourcing contracts by December 31, 2013, with full implementation deadlines ranging from July 2014 to July 2016.


General measures of credit authorities
Section II - Bank of Italy Supervisory Bulletin No. 7, July 2013
II.1 Circular No. 263 of 27 December 2006 (Folder "New prudential supervision provisions for banks") - 15th update of 2 July 2013 (1)

With this update, Chapter 7 "The internal control system", Chapter 8 "The information system", and Chapter 9 "Operational continuity" are inserted into Title V of Circular No. 263 of 27 December 2006 "New prudential supervision provisions for banks".

Chapter 7 defines a coherent framework of principles and rules that must inspire the internal control system, without however exhausting the organizational provisions applicable to banks. The provisions contained therein constitute the reference framework within which the rules on controls laid down in specific regulatory areas (e.g., the organizational rules on the management of individual risk profiles, the internal risk measurement systems used to calculate capital requirements, the ICAAP process, and the prevention of money laundering risk) are placed (the so-called "hub and spokes" model).

The provisions introduce some significant novelties compared with the regulatory framework in force until now, so as to equip banks with a complete, adequate, functional, and reliable internal control system.

In particular, the new rules emphasize the role of the body with a strategic supervision function in defining the business model and the Risk Appetite Framework; this body is also required to promote the spread of a control culture through the approval of a code of ethics to which the members of corporate bodies and employees are bound to conform.

The body with a management function, on the other hand, is required to have an in-depth understanding of all corporate risks and, within the framework of integrated risk management, of their interrelations with one another and with the evolution of the external context (including macroeconomic risk).

The provisions require the top management of banks to pay particular attention to the definition of the most significant corporate policies and processes, such as those concerning: the management of risks; the evaluation of corporate assets; the approval of new products/services or the launch of new activities as well as entry into new markets; the development and validation of internal risk measurement models not used for regulatory purposes.

The regulation of corporate control functions (internal audit, compliance, and risk management) has been thoroughly revised; in particular:

  • The appointment and dismissal of the heads of corporate control functions are the exclusive competence of the body with a strategic supervision function, after consulting the body with a control function;
  • The heads of the risk control function (the so-called Chief Risk Officer) and of the compliance function report, at a minimum, to the body with a management function, while retaining the prerogative of direct access to the body with a strategic supervision function and to the body with a control function. The head of the internal audit function, on the other hand, always reports hierarchically to the body with a strategic supervision function;
  • The three corporate control functions are independent from business areas and separate from each other. If consistent with the principle of proportionality, banks are allowed to establish a single compliance and risk control function, while maintaining the internal audit function separate in any case to ensure the impartiality of audit controls on other control functions;
  • The powers of the risk management function have been strengthened. The function, in addition to collaborating in the definition of the RAF, is called, among other things, to provide prior opinions on the consistency of the most significant operations with the RAF itself. In case of a negative opinion, the decision on the operation is referred to the body with a management function;
  • Within the regulation on compliance, it is made clear that the oversight of non-compliance risk carried out by the compliance function extends to all provisions applicable to banks, including those of a fiscal nature. The involvement of the function is nonetheless graded according both to the significance that the individual provisions have for the activity carried out and to the consequences of their violation, and to whether the bank already has other forms of specialized oversight of the non-compliance risk arising from specific regulations.

To ensure coordination and interaction between the various functions and bodies with control tasks (provided for by corporate, accounting, or supervisory legislation), the body with a strategic supervision function approves a specific document in which the tasks, responsibilities, and methods of coordination/collaboration between the various control functions involved are specified.

A comprehensive set of rules on outsourcing has also been introduced. Banks are required to monitor carefully the risks arising from outsourcing, retaining the capacity to control, and the responsibility for, the outsourced activities as well as the competencies essential to bring them back in-house if necessary. Specific provisions set out the conditions for outsourcing important operational or control functions. Less stringent requirements apply to outsourcing within a banking group. Two specific administrative procedures have been defined through which the Bank of Italy may prohibit the outsourcing of important operational or control functions, outside or inside the banking group respectively (see Sections IV and V); these procedures supplement the Measure of 25 June 2008 identifying the time limits and the organizational units responsible for the administrative procedures falling within the competence of the Bank of Italy.

Chapter 8 contains the regulation of the information system, which has been completely revised, also to incorporate the main developments that have emerged internationally. Among other things, the following are regulated: the governance and organization of the information system; the management of cyber risk; the requirements for ensuring information security; and the data management system. The provisions also establish that, in defining the security measures for access to critical systems and services via the internet channel, the ECB Recommendations on the security of internet payments apply.

Chapter 9 regulates operational continuity, reorganizing the provisions previously scattered across different sources. Among the most significant novelties is the formalization of the role of CODISE, the structure for coordinating the management of operational crises in the Italian financial market, chaired by the Bank of Italy. In addition, a rapid escalation process from incident to emergency has been defined, so that a state of crisis is declared as soon as possible after the incident is detected. The total recovery time must not exceed four hours, including the time taken for the analysis, decision-making, technical intervention, and verification phases.

These provisions have been submitted to public consultation and regulatory impact analysis. On the Bank of Italy's website, the report of the consultation, the impact analysis report, and the observations received during the consultation phase are published.

(1) The text of the update is available on the Bank of Italy's website at the address http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/vigprud.

This update enters into force on the day of publication on the Bank of Italy's website.

Banks comply with the provisions contained in Chapter 7 (The internal control system) by 1 July 2014 (date of effectiveness), subject to the following:

  • with reference to second-level corporate control functions (risk management and compliance), banks comply by 1 July 2015 (date of effectiveness) with what is provided for in Section III, para. 1, letter b), second paragraph, second sentence ("reporting lines of the heads of such functions");
  • with reference to the outsourcing of corporate functions (Sections IV and V), banks bring the outsourcing contracts in force on the date of entry into force of these provisions into line with them by the first contractual expiry date and in any case within three years of entry into force (1 July 2016).

Banks comply with the provisions contained in Chapter 8 (The information system), including the ECB recommendations on the security of internet payments, by 1 February 2015 (date of effectiveness). Banks bring the information system outsourcing contracts (Section VI) in force on the date of entry into force of these provisions into line with them by the first contractual expiry date and in any case within three years of entry into force (1 July 2016).

Banks comply with the provisions contained in Chapter 9 (Operational continuity) by 1 July 2014 (date of effectiveness).

By 31 December 2013, the recipients of this regulation send the Bank of Italy a report containing a self-assessment of their corporate situation against the provisions of the new regulation (gap analysis). The report also indicates the measures to be adopted, and their timeline, to ensure full compliance with these provisions. By the same date, banks notify the Bank of Italy of the outsourcing contracts in force on the date of entry into force of these provisions and of their duration.

From the date of effectiveness of the provisions contained in Chapters 7 (The internal control system), 8 (The information system), and 9 (Operational continuity), the following provisions are repealed:

  • Internal control system, tasks of the statutory auditors' board, contained in the "Supervision instructions for banks", Circular No. 229 of 21 April 1999, Title IV, Chapter 11, with the exception of Section V (Issuance and management of bank and postal checks);
  • Operational continuity in emergency cases (Communication of July 2004, see Supervisory Bulletin No. 7 – July 2004);
  • Risk management and control. Role of corporate bodies, contained in the "New prudential supervision provisions for banks", Circular No. 263 of 27 December 2006, Title I, Chapter I, Fourth Part;
  • Supervision provisions – Particular requirements for the operational continuity of processes of systemic relevance (Communication of March 2007, see Supervisory Bulletin No. 3 – March 2007);
  • Supervision provisions – Outsourcing of cash handling (Communication of 7 May 2007), limited to aspects concerning banks and parent companies of banking groups;
  • Supervision provisions - The compliance function (Communication of July 2007, see Supervisory Bulletin No. 7 – July 2007);

  • Communication of 30 December 2008 – Creditworthiness assessment (see Supervisory Bulletin No. 12 – December 2008), limited to aspects concerning banks and parent companies of banking groups.