CHAPTER 1 GENERAL PROVISIONS

Transcription

1 APPROVED Resolution of the Board of the National Bank of the Republic of Belarus No. 625 dated November 30, 2012 INSTRUCTIONS on the organization of the internal control system in banks, non-bank financial institutions, banking groups, and bank holding companies CHAPTER 1 GENERAL PROVISIONS 1. These Instructions set out requirements for the organization of the internal control system in banks, non-bank financial institutions (hereinafter banks ), banking groups, and bank holding companies. 2. For the purposes of these Instructions the terms that are listed below shall have the following meanings: - internal control the bank s process for ensuring that activities are carried out in an orderly and efficient manner in compliance with the requirements set out in Belarusian legislation and the bank s local regulatory legal acts; - the internal control system the totality of internal control, internal audit, organizational structure, local regulatory legal acts that formulate the internal control strategy, policy, methodologies, and procedures as well as powers and responsibilities of the bank s governing bodies and officials; - information security a multi-tiered complex of arrangements and hardware, software, and technical tools which provide protection against accidental and intentional threats that may, in the event of their

2 2 materialization, impair characteristics of accessibility, integrity, authenticity, or confidentiality of processed, stored, or transmitted information; - information accessibility an automated system s ability to provide required information in a timely and trustworthy fashion in compliance with established access rules and rights; - information integrity and authenticity an automated system s ability to keep unchanged information and attributes that establish authorship or find out the fact of their unauthorized modification; and - information confidentiality an automated system s ability to ensure that unauthorized users are denied access to information. 3. The parent organization of the banking group and/or the bank holding company shall organize the system of internal control on a consolidated basis within the banking group and/or the bank holding company so as to allow for possibility of receiving, in a timely fashion, information about activities of the members of the banking group and/or the bank holding company for the purpose of evaluating the efficiency of such participants and their compliance with the requirements set out in legislation and local regulatory legal acts. 4. Based on the results of the evaluation of the bank s internal control system, the National Bank of the Republic of Belarus (hereinafter the National Bank ) may adopt, relying on the motivated judgment about the internal control system s compliance (failure to comply) with the requirements set down by the National Bank, the following decisions on: - the state registration of the bank set up as a result of the reorganization and granting it, at the same time, special banking permission (license); - the state registration of changes and/or modifications to the bank statute (during reorganization of the bank); - granting (refusing) the bank special banking permission (license) and making (refusing to make) changes and/or modifications to the list of banking operations in special banking permission (license) which the bank has been granted; and - taking supervisory response measures.

3 3 CHAPTER 2 REQUIREMENTS FOR THE BANK S INTERNAL CONTROL BODIES AND THE ORGANIZATIONAL STRUCTURE OF INTERNAL CONTROL 5. The bank s governing bodies shall establish an efficient internal control which ensures an appropriate level of financial reliability and information security that corresponds to the nature and volume of conducted banking and other operations (transactions) and other activities. The bank shall ensure that the governing bodies are involved, on an ongoing basis, in the organization and operation of the internal control system as well as the internal control powers and responsibilities are clearly distributed among the board of directors (the supervisory board), the audit committee, the executive body, other collegial bodies, divisions, and employees at all levels, including an official with responsibility for internal control in the bank, the bank s division having internal control functions (if any), special AML/CFT division, and the internal audit service and all abovementioned participants in the internal control system are interacting. 6. The board of directors (the supervisory board) of the bank shall ensure that the internal control system is set up, the conflict of interest and conditions for the emergence thereof in the internal control process are prevented from happening, and the local regulatory legal act formulating the bank s strategy on the organization and the implementation of internal control is approved. The board of directors (the supervisory board) shall: - impose limits on operations and other activities decisions on which are made by the executive body of the bank and/or the head of the bank; - review, on a regular basis, the results of the efficiency evaluation of the internal control system and its adequacy for the nature, the scale, and conditions of the bank s activities and give the executive body of the bank instructions on the organization of internal control and the implementation of measures to enhance its efficiency; - review management statements on the operation of the internal control system; - review information from the audit committee about the results of inspections of the internal audit service; - take measures which ensure that violations of Belarusian legislation, misuse, and deficiencies identified in the course of inspections of the internal audit service, the audit firm, the auditor-independent

4 4 entrepreneur, the National Bank, and other government (regulatory) agencies are eliminated by the executive body of the bank in a timely fashion as well as recommendations are carried out; and - adopt strategic decisions on improvements in the internal control system. 7. The audit committee shall: - exert internal monitoring of compliance with decisions on the internal control system and the internal audit service made by the board of directors (the supervisory board); - evaluate the efficiency of the internal control system and activities of the internal audit service in the bank; - provide, on a regular basis, the board of directors (the supervisory board) with management statements about the state of the internal control system and activities of the internal audit service; - review the results of inspections of the internal audit service, the audit firm, the auditor-independent entrepreneur, the National Bank, and other government (regulatory) agencies and provide the board of directors (the supervisory board) with information about significant problems, misuse, and deficiencies identified in the bank s activities which may lead to adverse consequences; - submit its recommendations on internal control and internal audit issues and proposals to improve the internal control system to the board of directors (the supervisory board), including based on the review of the results of inspections of the internal audit service, the audit firm, the auditorindependent entrepreneur, the National Bank, and other government (regulatory) agencies; - exert internal monitoring of the procedure for compiling financial, accounting, prudential, and other statements; - make decisions on internal control and internal audit in the name of the board of directors (the supervisory board); - choose the audit firm and the auditor-independent entrepreneur and organize required interaction with them; and - perform other functions in compliance with the procedures established by the bank. The composition of and the frequency of providing the board of directors (the supervisory board) with information shall ensure that it is sufficient and provided in a timely fashion to make management decisions. 8. The executive body of the bank shall organize the internal control system and the internal audit service s activities and ensure that objectives

5 5 are attained by the bank and tasks set by the board of directors (the supervisory board) in this area are accomplished. The executive body of the bank shall approve local regulatory legal acts which formulate policy of and methods and procedures for conducting banking and other operations (transactions) and controlling them, setting limits and other restrictions (if the bank statute does not stipulate that the approval of such local regulatory legal acts comes within the competence of the board of directors (the supervisory board)) as well as procedures for making decisions, interacting among divisions, and distributing and delegating powers in the course of conducting operations (transactions), managing risks, and exerting internal control and ensure their effective practical implementation. The executive body of the bank shall: - ensure compliance with the decisions made by the board of directors (the supervisory board) and the implementation of the bank s strategy and policy, including on the organization and the execution of internal control; - control whether limits and powers of the officials are complied with, including at a time of conducting significant transactions; - control whether measures to reduce (contain) risks are taken; - exert internal monitoring of the efficiency of the internal control system and control the elimination of the identified violations and deficiencies in internal control; - review management statements containing the results of and materials on periodic evaluations of the efficiency of the system for internal control and its individual areas and types; - organize efficient system for information transfer and exchange which shall ensure that required information is supplied to the users who are interested therein; and - veto the approval of the bank s local regulatory legal acts and/or actions which may create conditions for violation of Belarusian laws and/or hinder the execution of internal control and take measures to improve the internal control system. 9. The bank shall appoint an official with responsibility for internal control in the bank who is on the staff of the bank and may be at the helm of the division with responsibility for internal control in the bank. The official with responsibility for internal control in the bank shall coordinate and control activities of the divisions and/or the officials exercising internal control in individual divisions of the bank and/or individual areas of activities (business lines and business processes) (if any),

6 6 organize the development of local regulatory legal acts formulating policy, methods, and procedures for exerting internal control, and ensure that management statements on the internal control system are compiled and submitted to the bank s governing bodies and the audit committee. The official with responsibility for internal control in the bank is on the audit committee. The status, job duties, powers, and responsibilities of the above-mentioned official shall be enshrined in the bank s local regulatory legal acts. In order to avoid the conflict of interest, functions of the official with responsibility for internal control in the bank shall not include management of the bank s divisions (business lines and business processes) and officials which generate risks and manage them as well as the internal audit service. 10. At a time of carrying out their job duties the bank employees shall: - control the accuracy and the legitimacy of conducted operations as well as prevent the conflict of interest from happening; - ensure that operations (transactions) registered in accounting books, financial, accounting, prudential, and other statements and management and other information are accurate; - inform managers and other officials of divisions, in a timely fashion and in full, about violations and errors which may lead to adverse consequences for the bank; and - put forward proposals to enhance the efficiency of the bank s activities and the internal control system. 11. The bank shall evaluate compliance with qualification requirements and requirements for business reputation set down thereby for the official with responsibility for internal control in the bank and the head of the internal audit service with frequency that is sufficient to ensure that their qualification and business reputation are maintained at appropriate level. 12. The organizational structure of the internal control system shall be adequate for the organizational and functional structure of the bank, the nature and the volume of banking operations and other operations (transactions) conducted thereby, and other activities. 13. The internal control system shall be staffed with qualified experts and equipped with required information systems and hardware and software tools which make it possible to collect, process, analyze, transfer, and protect information used for internal control. The bank shall analyze, on an ongoing basis, existing information systems for the purpose of identifying their ability to ensure that the internal control system is operating in compliance with the requirements set out in

7 7 these Instructions and refine (update), as required, these systems or introduce the new ones in a timely manner. 14. The organizational structure of the internal control system, information flows generated thereby, the distribution of areas of responsibilities and powers assumed by the officials, procedures for carrying them out, procedures for interacting between divisions and employees of the bank, the reporting lines and accountability of the officials and the divisions exercising internal control, procedures for providing officials and divisions responsible for internal control with information, and procedures for making decisions shall be organized in such way that the conflict of interest is prevented from happening, including among the divisions (the officials) exercising internal control and the divisions (the officials) that are subject to internal control. CHAPTER 3 REQUIREMENTS FOR INTERNAL CONTROL PROCEDURES 15. The bank shall draft and approve local regulatory legal acts formulating the internal control policy, methodologies, and procedures which shall be consistent, have a degree of detail adequate for the scale and complexity of the bank s activities, and be applied in a uniform manner throughout all its divisions. It is necessary to evaluate the above-mentioned local regulatory legal acts for adequacy at least once a year, including having regard to significant changes in its activities, and make appropriate adjustments based on the results of the evaluation. 16. The internal control system shall be organized in the following areas: - controlling the attainment of the stated strategic objectives; - controlling that the efficiency and the effectiveness of the bank s financial and business activities are ensured at a time of conducting banking and other operations (transactions); - controlling the efficiency of asset and liability management; - controlling safety of assets and investments of the bank; - controlling trustworthiness, completeness, objectivity, and expediency of bookkeeping and compiling and submitting financial, accounting, prudential, and other statements (to external and internal users);

8 8 - controlling that powers and responsibilities are distributed; - controlling that the bank and its employees comply with the requirements set down in Belarusian legislation and local regulatory legal acts; - internal control of the organization of the AML/CFT (anti-money laundering/combating the financing of terrorism) work; - controlling the operation efficiency of the risk management system; - controlling the operation of information systems, the management of information flows (receiving and transmitting information), and the provision of information security; - controlling the work with applications lodged by citizens and legal persons; - controlling compliance with Belarusian legislation on bank, commercial, and other legally protected secretes and requirements for information disclosure set by the National Bank; and - controlling that the conflict of interest is excluded from the bank s activities. The bank may define additional areas of internal control in its regulatory legal acts. 17. At a time of exerting internal control the bank shall use such forms (methods) as: - internal control exerted by the board of directors (the supervisory board) and the executive body by dint of receiving, on a regular basis, management statements and asking for other statements and information about the results of activities performed by divisions and explanations from the heads of corresponding divisions with a view to identifying deficiencies, violations, and errors; - internal control of the distribution of powers at a time of conducting banking and other operations (transactions) and other activities which is exerted on the basis of the bank s local regulatory legal acts defining functional powers of divisions and powers of employees at a time of conducting banking and other operations (transactions); - accounting control aimed at generating complete and reliable information about the conduct of banking and other operations (transactions) and other activities for the purpose of ensuring that assets and property of the bank are safe which is exerted by dint of verifying whether assets and liabilities are evaluated accurately, payments are made in full and in due time, and expenses are justified; - the material (physical) control exerted by dint of verifying that access to tangible assets is restricted, tangible assets are recalculated,

9 9 responsibility for the storage and the use of tangible assets is shared, and the protection of the storage room for tangible assets is ensured; - controlling compliance with the limits imposed on the conduct of banking and other operations (transactions) and other activities by dint of receiving relevant statements and reconciling with data in the source documents; - controlling compliance with the procedure for making decisions on the conduct of banking and other operations (transactions) and other activities and the distribution of powers at a time of conducting banking and other operations (transactions) and other activities exceeding imposed limits which stipulates that information about such operations and other activities or current situation is made available for relevant managers of the bank (its divisions) in a timely fashion and is adequately registered in accounting books and statements; - verifying whether the bank s activities are in conformity with Belarusian legislation and the bank s local regulatory acts; - verifying whether procedures (processes) for conducting banking and other operations (transactions) and other activities are complied with, reconciling accounts, and providing relevant managers of the bank (its divisions) with information about identified violations, errors, and deficiencies; - legal control exerted by dint of expert evaluation of contractual relations under conducted banking and other operations (transactions) and other activities; - process control exerted in the course of preparing and conducting banking and other operations (transactions) and other activities in an automated way by dint of verifying compliance with relevant technical codes and standards in the field of information systems; - controlling activities of the service provider organization under the outsourcing contract; and - other forms (methods) of internal control defined by the bank s local regulatory legal acts. The bank s local regulatory legal acts establish procedures for identifying the conflict of interest and spheres and conditions of its emergence as well as controlling the completeness and the efficiency of measures taken by the bank with a view to identifying and excluding them. 18. Requirements for exerting internal control of preventing and identifying financial operations associated with AML/CFT as well as control of compliance with regulations and requirements set out in foreign exchange

10 10 legislation of the Republic of Belarus are imposed in accordance with individual regulatory legal acts of the Republic of Belarus. 19. Procedures for controlling the operation of information systems, the managing information flows (receiving and transmitting information), and providing information security shall be established in the bank s local regulatory legal acts taking into account the requirements set out in these Instructions, technical codes and standards in the field of information systems and their internal control and audit and shall apply to all divisions, business lines, and business processes of the bank. With a view to ensuring smooth and continuous functioning of the automated information systems and technical tools the bank shall run: - total check which comprises the bank s procedures for making backup copies of data and recovering functions of the automated information systems and providing support throughout the life cycle of the automated information systems, including setting rules for purchasing, developing, and servicing (maintaining) the software and procedures for controlling safety of the physical access; and - program check which is carried out with the help of automated procedures that are built into applications as well as manual procedures which control the processing of banking and other operations (transactions), such as edit check, logical access check, internal back-up and data recovery procedures, etc. The bank shall ensure expediency, reliability, accessibility, integrity, authenticity, confidentiality, and accurate registration of information on the basis of which the operation of information systems, the management of information flows, and the provision of information security are controlled. Information shall contain details about the bank s activities and their results, data on compliance with the requirements set down in regulatory legal acts, the bank statute, and other local regulatory legal acts, as well as details about events and conditions relating to decision-making, and other required information. The form of information presentation shall be defined taking into account needs of a particular user (the board of directors (the supervisory board), the audit committee, the executive body of the bank, divisions, and employees). 20. Control of the operation of the risk management system shall include: - the bank employees compliance with the procedures for controlling risks that have been established by the bank s regulatory legal acts;

11 11 - verification of compliance with the bank s local regulatory legal acts formulating risk management strategy, policy, methodologies, and procedures and legislation of the Republic of Belarus and verification of accuracy of compiling prudential and other statements, such as management statements which are carried out by the officials (divisions) exercising internal control and/or internal audit in the bank; and - the evaluation of the efficiency of the bank s risk management system by the internal audit service. 21. The bank shall exercise the following types of internal control such as preliminary, ongoing, and follow-up controls. Preliminary control is exerted prior to actual conduct of banking and other operations (transactions) and is used in the sphere of: - recruitment by making a careful analysis of business and professional knowledge and skills that are required to perform a specific job (job duties) and choosing from candidates the most trained and qualified specialists who have appropriate business reputation; - attraction and placement of monetary funds by making a preliminary analysis of the efficiency of the bank s operations by dint of determining optimal tools and methods for their conduct in order to avoid or limit potential losses; - material resources by providing the bank with required technical means, equipment, up-to-date automated information systems, and technologies relying on the financial capacity of the bank and in compliance with the bank s local regulatory legal acts; - delineation of responsibilities and powers by developing and approving uniform local regulatory legal acts which define methods, processes, and procedures for conducting banking and other operations (transactions) and tasks, functions, and responsibilities of divisions (business lines and business processes) and their managers, job descriptions of employees, as well as by imposing and revising, on a regular basis, limits and other restrictions; and - in other spheres defined in the bank s local regulatory legal acts. Ongoing control of conducted banking and other operations (transactions) and other activities and compliance with the prescribed procedures for making decisions on carrying out banking and other operations (transactions) and with the established flow of documents is exerted during the banking day in the process of performing duties assigned to the employee. Ongoing control is exerted for the purpose of preventing the rejection of the requirements set down in legislation of the Republic of Belarus and the bank s local regulatory legal acts, registering banking and

12 12 other operations (transactions) in accounting books in a timely and trustworthy fashion, and ensuring that funds are used properly and the bank s property is safe. Follow-up control is exerted after conducting banking and other operations (transactions). In the course of follow-up control the reasonableness and accuracy of conducting operations (transactions), the documents compliance with the prescribed forms and requirements for their execution, conformity of the duties performed by employees to their job descriptions, compliance with the prescribed verification procedures, and negotiating and initialing documents are checked; the efficiency of ensuring information security is evaluated; the distribution of duties between employees is analyzed; cause-and-effect relations between violations and deficiencies are identified and the remedial measures are defined; and planned and projected indicators are adjusted. The bank s local regulatory legal acts shall establish procedures for exerting preliminary, ongoing, and follow-up controls in accordance with the specifics of the tasks to be performed. 22. The bank shall exert an ongoing internal monitoring of the internal control system by dint of monitoring the operation of the internal control system at all levels of management for the purpose of evaluating the extent of its adequacy to the scale and the nature of the bank s activities, identifying deficiencies, developing proposals to improve the bank s internal control system, and controlling the implementation of the adopted decisions. The bank s local regulatory legal acts shall establish procedures for exerting internal monitoring of the internal control system (methods, rules, frequency, and procedures for reviewing the results) for the purpose of taking required measures to improve the internal control system taking into consideration the change in internal and external factors having an impact on the bank s activities. 23. Local regulatory legal acts shall set procedures for and composition, levels, and frequency of providing the bank s governing bodies, the audit committee, and the officials with management statements on internal control issues, including the results of internal monitoring of the internal control system, information about its state, and an evaluation of the operation efficiency of the internal control system which make it possible to ensure that information is sufficient and is provided to the bank s governing bodies in a timely fashion for making management decisions.

13 13 CHAPTER 4 REQUIREMENTS FOR THE ORGANIZATION OF OPERATION OF THE INTERNAL AUDIT SERVICE 24. The internal audit service directly reports to the head of the bank. The head of the internal audit service shall be on the audit committee. The internal audit service shall inspect the bank s activities, including the internal control system, the risk management system, and the evaluation of the efficiency of the organization of business processes. The internal audit service shall not be involved in conducting banking and other operations (transactions) and other bank s activities which are subject to internal audit and drafting (preparing) the bank s local regulatory legal acts (excluding those that govern activities of the internal audit service), as well as involved in implementing day-to-day internal control procedures. The head and employees of the internal audit service are not allowed to sign payment instructions and/or cash, accounting, and other documents on behalf of the bank in accordance with which the bank will assume banking risks or to initial such documents. 25. The bank s local regulatory legal act shall govern activities of the internal audit service and shall define: - the objective and the scope of activities of the internal audit service; - principles (standards) and methods of operation of the internal audit service; - tasks, powers, and duties of the internal audit service; - powers and duties of the head of the internal audit service; - conditions of and procedures for providing by the internal audit service the board of directors (the supervisory board), the audit committee, their managers, the head of the bank, as well as the manager of the bank s division where internal audit has been exerted with information about the results of inspections of the internal audit service; - conditions of and procedures for providing by the internal audit service the board of directors (the supervisory board), the audit committee, and the head of the bank with information about the events that prevent the internal audit service from performing its functions; - conditions of and procedures for involving the internal audit service in consulting at a time of carrying out current activities of the bank; - responsibility of the head of the internal audit service for failure to perform (improper performance of) duties assigned thereto; - procedures for interacting between the internal audit service and divisions and employees of the bank and powers of the internal audit service

14 14 to have access to the bank s premises and documents as well as receive information and explanations from employees of the bank which may be required by the internal audit service to perform its functions; - procedures for providing the internal audit service with information about conducted and planned banking and other operations (transactions) and other activities of the bank, decisions made, and the bank s local regulatory legal acts as well as other issues concerning the bank s activities which are required by the internal audit service to perform its functions; and - conditions of and procedures for making decisions to involve outside organization in exerting internal audit (internal audit outsourcing) of individual operations and areas of activities (business lines and business processes) in the bank if such decision is made by the bank s governing body. 26. Activities of the internal audit service in the bank shall be performed in compliance with the following principles: - independence of the internal audit service from activities performed by other divisions of the bank; - objectivity in presenting materials, making decisions, and putting forward proposals aimed at the elimination of identified deficiencies and violations in the bank s activities; - consistency and comprehensiveness of coverage by the internal audit service s inspections of all areas of the bank s activities; - professionalism and competence of the employees of the internal audit service; - confidentiality; and - operation efficiency of the internal audit service. 27. The internal audit service shall: - develop the bank s local regulatory legal act governing activities of the internal audit service; - develop an action plan of the internal audit service, submit it for approval of the board of directors (the supervisory board), as well as provide the board of directors (the supervisory board) and the audit committee with information about the implementation thereof; - define operations and areas of activities (business lines and business processes) that are exposed to the highest risk in order to develop an action plan of the internal audit service; - evaluate, in the course of inspections, the efficiency of the internal control system, including the verification of the internal control procedures for areas of activities (business lines and business processes);

15 15 - evaluate, in the course of inspections, the efficiency of operation of the risk management system, including the verification of completeness of application and accuracy of the method for evaluating banking risks and procedures for managing banking risks; - verify the organization of activities performed by information systems, the management of information flows (receiving and transmitting information), and the provision of information security, including control of data bases integrity and their protection against unauthorized access and/or use and availability of contingency plans; - verify the organization of AML/CFT work; - verify compliance with legislation of the Republic of Belarus and the bank s local regulatory legal acts at a time of carrying out the bank s activities; - verify trustworthiness, completeness, objectivity, and expediency of providing the National Bank and other government agencies with the statements and other information in compliance with legislation of the Republic of Belarus; - verify trustworthiness, completeness, objectivity, and expediency of providing the bank s governing bodies with management statements and other information in compliance with the bank s local regulatory legal acts; - verify safety of assets and investments, including actual availability and registration in accounting books; - verify organization of the work with applications lodged by citizens and legal persons; - verify compliance with Belarusian legislation on bank, commercial, and other legally protected secretes; - verify compliance with the requirements for disclosure of information set down by the National Bank; - identify the conflict of interest in the bank and spheres and conditions of its emergence and evaluate the efficiency of the bank s remedial actions; - verify the efficiency of measures taken with a view to remedying identified violations and deficiencies in the operation of the bank, including in the organization of business processes, internal control and risk management and compliance with the recommendations to improve them; - verify other issues stipulated by the bank s local regulatory legal acts; - inform the audit committee and the head of the bank about the results of inspections carried out by the internal audit service;

16 16 - inform the audit committee and the head of the bank about the state of the internal control system, ensuring compliance with laws, and the efficiency of the bank s activities; and - submit its proposals to enhance the efficiency of the bank s activities, including internal control, risk management and organization of business processes.