GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS



Similar documents
SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

GUIDANCE NOTE ON OUTSOURCING

PROPERTY OF THE SECURITIES COMMISSION OF THE BAHAMAS

SUPERVISION GUIDELINE

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

GUIDELINES ON OUTSOURCING

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Operational Risk Management Policy

Financial Services Guidance Note Outsourcing

6/8/2016 OVERVIEW. Page 1 of 9

RISK MANAGEMENT AND COMPLIANCE

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Board Risk & Compliance Committee Charter

Credit Union Liability with Third-Party Processors

Prudential Practice Guide

Operational Risk Publication Date: May Operational Risk... 3

BERMUDA MONETARY AUTHORITY

EASTERN CARIBBEAN CENTRAL BANK

Risk Management of Outsourced Technology Services. November 28, 2000

Vendor Management. Outsourcing Technology Services

Statement of Guidance

Audit and Risk Committee Charter. 1. Membership of the Committee. 2. Administrative matters

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

REGULATION 9 ON OPERATIONAL RISK MANAGEMENT. Article 1 Purpose and Scope

Mapping of outsourcing requirements

Statement of Guidance: Outsourcing All Regulated Entities

RESERVE BANK OF VANUATU OPERATIONAL RISK MANAGEMENT

Advisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities

Outsourcing Risk Guidance Note for Banks

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

Authorisation Requirements and Standards for Debt Management Firms

Clearing and Settlement Procedures. New Zealand Clearing Limited. Clearing and Settlement Procedures

Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS IN FIJI

Decision on outsourcing. Article 1

Annex 7 referred to in Chapter 7. Financial Services. Article 1 Scope of Application

OUTSOURCING POLICY

Capital Market Services UK Limited Pillar 3 Disclosure

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

Sound Practices for the Management of Operational Risk

Solvency II Detailed guidance notes

Audit, Risk Management and Compliance Committee Charter

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

Standards for the Professional Practice of Internal Auditing

Federal Home Loan Bank Membership Version 1.0 March 2013

Third Party Relationships

Guidance Note on Outsourcing/Delegation of Functions

FMCF certification checklist (incorporating the detailed procedures) certification period. Updated May 2015

Credit Card Related Merchant Activities

FRAMEWORK FOR INTRODUCTION OF NEW PRODUCTS...5 SUPERVISORY EXPECTATIONS ON PRODUCT RISK MANAGEMENT AND FAIR TREATMENT OF CONSUMERS...

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

MISSION VALUES. The guide has been printed by:

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

Vendor Management Best Practices

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

ugust, 2010 RISK MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2010

The principal purposes of the Audit Committee ( Committee ) of the Board of Directors ( Board ) of CSRA Inc. (the Company ) are to:

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

Central Bank of The Bahamas Consultation Paper PU Draft Guidelines for the Management of Interest Rate Risk

POLICY STATEMENT AND GUIDANCE NOTES ON: (1) OUTSOURCING; AND

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

NCUA LETTER TO CREDIT UNIONS

S t a n d a r d 4. 4 a. M a n a g e m e n t o f c r e d i t r i s k. Regulations and guidelines

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

Best practice guidelines for depositary banks in relation to the safekeeping of assets from UCITS funds held through the traditional custody network

Risk Management Guidelines For Co-operative Financial Institutions

Objective and key requirements of this Prudential Standard

Supervisory Letter. Current Risks in Business Lending and Sound Risk Management Practices

Are You Ready for the New Foreclosure Processing Regulations?

Guidelines. ADI Authorisation Guidelines. Australian Prudential Regulation Authority. April 2008

OCC 98-3 OCC BULLETIN

Managing Outsourcing Arrangements

Charities & Not for Profit Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

How To Set Up A Committee To Check On Cit

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

AMTRUST FINANCIAL SERVICES, INC. AUDIT COMMITTEE CHARTER

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)

Table of Contents. 1 P a g e

#24 TEMPORARY MORTGAGE PURCHASE PROGRAMS (Risk Focused)

Guidance Note on Credit and Credit Control for Credit Unions. October Office of the Registrar of Credit Unions

FUND MANAGER CODE OF CONDUCT

Transcription:

SUPERVISORY AND REGULATORY GUIDELINES Guidelines Issued: 22 December 2015 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the Central Bank ) is responsible for the registration, regulation and supervision of all credit unions operating in and from within The Bahamas, pursuant to the Bahamas Co-Operative Credit Unions Act, 2015 ( the Credit Unions Act) and the Central Bank of The Bahamas (Amendment) Act, 2015 ( the CBA ). Additionally, the Central Bank has the duty, in collaboration with financial institutions, to promote and maintain high standards of conduct and management in the provision of credit union services. 1.2 The Central Bank recognizes that credit unions are not-for-profit organizations, and in this respect are different from other deposit-taking financial institutions. The Central Bank is aware that credit unions work as a co-operative, valuing volunteerism, co-operation and member participation. Therefore, the Central Bank is committed to ensuring the unique characteristics of credit unions are maintained, while still fulfilling its obligations to protect the interests of credit union members. 1.3 All registrants are expected to adhere to the Central Bank s registration and prudential requirements, ongoing supervisory programmes and regulatory reporting requirements, and are subject to periodic on-site examinations. Credit Unions are expected to conduct their affairs in conformity with all other Bahamian legal requirements. 2. PURPOSE 2.1 These Guidelines provide guidance to credit unions in relation to operational risk management. Credit Unions are expected to develop and implement an operational risk management framework in line with these Guidelines, taking into account the nature, size, complexity and risk profile of its activities. Credit Unions are expected to continuously improve their approaches to operational risk management as operational risk continues to evolve. BANK SUPERVISION DEPARTMENT 1

2.2 The Central Bank endorses the principles and best practices of the World Council of Credit Unions (WOCCU). Credit Unions are encouraged to refer to these principles and best practices on the WOCCU s website at http://www.woccu.org. 3. APPLICABILITY 3.1 These Guidelines apply to all credit unions which are registered under the Credit Unions Act or deemed, by virtue of section 126(1) to be registered under this Act. 4. DEFINITION 4.1 Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk, but excludes other risks like strategic and reputational risk. 4.2 Operational risk is potentially inherent in all of a credit union s products, activities, processes and systems and the effective management of operational risk is important. The most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interest of the credit union to be compromised in some other way (e.g., lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner). Other aspects of operational risk include major failure of information technology systems or events such as major fires or other natural disasters. 5. OPERATIONAL RISK MANAGEMENT FRAMEWORK 5.1. The Board of Directors (the Board) of credit unions are expected to develop an operational risk management policy that sets out requirements, purpose and scope of related internal controls. Senior Management is required to document the internal controls within the credit union s operational procedures. The operational risk management policy and procedures should address the following: 5.1.1 Defined levels of authority to make corporate decisions; 5.1.2 Safeguards to protect the premises and assets of the credit union; 5.1.3 An operational and secure management information system (MIS) which accurately records transactions; 5.1.4 A framework for technology development; 5.1.5 Business continuity and disaster recovery; 5.1.6 A process for outsourcing services; and BANK SUPERVISION DEPARTMENT 2

5.1.7 Staffing and monitoring controls appropriate to the size of the credit union. Decision Making Authority and Approval 5.2. Credit unions should establish and implement an approval framework which ensures that responsibilities and approvals for transactions are assigned to the proper and appropriate individuals within the organization. The framework should outline the following: 5.2.1 Defined levels of authority for corporate decisions in all areas of the operations; 5.2.2 Appropriate delegation of authority defined and documented; 5.2.3 The skills and experience of staff are commensurate with the defined levels of authority; and 5.2.4 Establishment of lines of reporting, responsibility and authority. Safeguarding of Premises, Assets and Records 5.3. Credit unions should establish internal controls to ensure: 5.3.1 Premises of the credit union are safeguarded, including protection of members and staff from exposure to crime or injury; 5.3.2 Safety and protection of assets of the credit union and assets of other parties held in its care, control and custody; and 5.3.3 Safety of financial records and other key information. 5.4. Insurance coverage should be utilized to reduce the risk of monetary loss from accidents. Management Information Systems 5.5. Credit Unions should establish a policy approved by the Board that will address the operation and security of a management information system (MIS). The policy should require the following: 5.5.1 Transactions are recorded on an accurate, complete and timely basis; 5.5.2 Accounting for all on and off balance sheet activities to enable management to monitor and analyze the financial condition and performance of the credit union; 5.5.3 Protection of integrity of the system hardware, software and data through appropriate access and process controls; 5.5.4 Provisions of an audit trail for all transactions; and BANK SUPERVISION DEPARTMENT 3

5.5.5 Back up. Technology Development and Maintenance 5.6. Credit unions should establish an appropriate framework for technology development and maintenance and include processes for: 5.6.1 Planning for technology requirements consistent with strategic and business plans; 5.6.2 Identifying and evaluating technology solutions appropriate for the business activities of the credit union; 5.6.3 Development and/or acquisition of software; 5.6.4 Documentation, testing and implementation of the software; and 5.6.5 Delivery and support for the software, including identification and solution of problems. Business Continuity and Disaster Recovery 5.7. Credit unions should establish the appropriate business continuity and disaster recovery plans, including: 5.7.1 Processes to deal with short term and longer term business disruption; and 5.7.2 Nature, frequency and extent of testing backup, recovery and contingency plans. 5.8. Credit Unions should confirm to the Central Bank that it has a Business Continuity Plan in place (see Appendix B for the minimum standards for business continuity plans). Outsourcing of Services 5.9. Outsourcing involves contracting out a business function to a service provider instead of performing that function internally (see Appendix A) for possible material outsourced functions). Before outsourcing services, credit unions should identify: 5.9.1 The process for selecting capable and reliable service providers to ensure transparency; 5.9.2 Standards for outsourced services, including accuracy, security, privacy and confidentiality; 5.9.3 Process for monitoring the performance and risks related to outsourced services and service providers; and 5.9.4 Schedules for periodic reviews of outstanding contracts. BANK SUPERVISION DEPARTMENT 4

5.10. Sufficient analysis should be undertaken to confirm that the service provider has the necessary expertise, capacity and viability to perform the functions or activities to be outsourced. Appropriate due diligence and impact analysis of nonperformance by a service provider should also be undertaken. 5.11. The Board should approve the outsourcing of business functions. The Board and Senior Management maintain responsibility for oversight of outsourced functions. 5.12. Credit Unions should notify the Central Bank of all outsourcing arrangements they have in place. The service level agreements for these arrangements should be reviewed by the credit union s internal or external legal counsel. Staffing and Monitoring Controls 5.13. Credit Unions should establish staffing and monitoring controls which protect against fraud, theft and misappropriation. These controls should be specified in policy approved by the Board and documented into procedures. Staffing Controls 5.14. Credit unions should ensure there is the appropriate independence/segregation of duties as a control to avoid staff error, fraud or theft. Monitoring controls 5.15. Appropriate controls should be established to monitor adherence to the operational risk policy, including: 5.15.1 routines for transaction verification and validation for error detection and fraud prevention; and 5.15.2 establishment of an independent internal audit function. 5.16. Internal audits regarding the operations should be carried out by the internal auditor, or an independent senior officer not involved in the business origination and/or approval process of the credit union or alternatively an external chartered accountant. This individual should be approved by the Board. Internal audit should report to the Board on the internal controls of the credit union and any other matters as the Board may direct. 5.17. The internal auditor of a credit union should report to the supervisory committee on the following areas: 5.17.1. the adequacy of internal controls; 5.17.2. compliance with the internal control procedures; 5.17.3. instances of non-compliance with the system of internal controls; BANK SUPERVISION DEPARTMENT 5

5.17.4. any material weaknesses in the system of internal controls; 5.17.5. recommended procedures to eliminate any material weaknesses with the system of internal controls; 5.17.6. other matters determined by the Board. 6. SUPERVISION BY THE CENTRAL BANK 6.1. The Central Bank, as part of its ongoing supervisory responsibilities, intends to assess the degree of credit unions compliance with the principles set forth in these Guidelines. Consequently, the Central Bank will examine the effectiveness of the operational risk management policies and procedures during the course of its on-site examination of credit unions. BANK SUPERVISION DEPARTMENT 6

Appendix A Examples of Services that may be Regarded as Outsourcing Information system management and maintenance (e.g. data entry and processing, data centres, facilities management, end-user support, local area networks, help desks); Document processing (e.g., cheques, credit card slips, bill payments, bank statements, other corporate payments); Application processing (e.g. loan originations, credit cards); Loan administration (e.g., loan negotiations, loan processing, collateral management, lending analysis, collection of bad loans); Investment management (e.g., portfolio management, cash management); Marketing and research (e.g., product development, data warehousing and mining, advertising, media relations, call centres, telemarketing); Back office management (e.g., electronic funds transfer, payroll processing, custody operations, quality control, purchasing); Professional services related to the business activities of the registrant (e.g., accounting, internal audit, actuarial); Human resources (e.g., benefits administration, recruiting); Records management; and Business continuity and disaster recovery capacity and capabilities. The following are arrangements that would not be considered outsourcing for the purposes of these Guidelines: Courier services, regular mail, utilities, telephone; Procurement of specialized training; Discrete advisory services (e.g., legal opinions, certain investment advisory services that do not result directly in investment decisions, independent appraisals, trustees in bankruptcy); Purchase of goods, wares, commercially available software and other commodities; Independent audit reviews; Credit background and background investigation and information services; Market information services (e.g., Bloomberg, Moody s, Standard & Poor s, Fitch); Independent consulting; Services the registrant is not legally able to provide; Printing services; Repair and maintenance of fixed assets; Supply and service of leased telecommunication equipment; Travel agency and transportation services; Correspondent banking services; Maintenance and support of licensed software; BANK SUPERVISION DEPARTMENT 7

Temporary help and contract personnel; Fleet leasing services; Specialized recruitment; External conferences; Clearing and settlement arrangements between members or participants of recognized clearing and settlement systems; Sales of insurance policies by agents or brokers; Ceded insurance and reinsurance ceded; and Syndication of loans. BANK SUPERVISION DEPARTMENT 8

Appendix B Minimum Standards for a Business Continuity Plan Identification of who is responsible for approving the plan; Stating how often the plan should be reviewed; Stating who is responsible for implementing the plan or identifying alternative individual(s) should the primary person(s) be unavailable; Establishment of the duties and responsibilities of the group of employees that will be responsible for assessing the situation, providing information and establishing member service as quickly as possible; Identification of alternative credit union locations should the credit union office be destroyed; Identification of the most essential information needed to operate the credit union; and Stating how often the plan will be tested. END BANK SUPERVISION DEPARTMENT 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information