• Calling days and hours of the governing body of the National Bank of Moldova for citizens.

  • Sergiu Cioclea, Governor of the National Bank of Moldova

    1st Monday of the month: 14.00-17.00;
    Appointment: +373 22 822 606;

  • Ion Sturzu, Deputy Governor of the National Bank of Moldova

    4th Monday of the month: 14.00-17.00;
    Appointment: +373 22 822 607.

Please, note the requirements for receiving and examining petitions to the National Bank of Moldova !

Details

 

Main navigation BNM

Expand Hide
23.06.2017

Decision no. 146 of 7 June 2017 approving the Regulation on Internal Governance and Risk Management in Banks

Note: The translation is unofficial, for information purpose only

Published in the Official Monitor of the Republic of Moldova no. 201-213 Article 1183 of 23.06.17

Registered
at Ministry of Justice
of the Republic of Moldova
no.1229 of 14 June 2017

EXECUTIVE BOARD
OF THE NATIONAL BANK OF MOLDOVA


DECISION No.146
of 7 June, 2017

Approving and Repealing Certain Regulatory Acts of the National Bank of Moldova

Pursuant to Articles 5, 11(1), 27(1) letter c) and 44 letter a) of the Law no. 548-XIII of 21 July 1995 on the National Bank of Moldova (republished in the Official Monitor of the Republic of Moldova, 2015, no. 297-300, Article 544), with further amendments and addenda, and Articles 17, 25, 28, 29 and 40 of the Law on financial institutions no. 550-XIII of 21 July 1995 (republished in the Official Monitor of the Republic of Moldova, 2011, no. 78-81, Article 199), with further amendments and addenda, the Executive Board of the National Bank of Moldova

DECIDES:

1. To approve the Regulation on Internal Governance and Risk Management in Banks, according to Annex no.1.

2. To repeal certain regulatory acts of the National Bank of Moldova, according to Annex no.2.

3. Banks shall have in place internal governance and risk management arrangements and in compliance with the Regulation stipulated in item 1 hereto on the enforcement day of this Decision.

4. This Decision enters in force on 1 July 2017.

 

Chairman
Of the Executive Board

Sergiu CIOCLEA

Annex no.1
to the Decision of the Executive Board
of the National Bank of Moldova
no.146 of 7 June 2017

Regulation
On Internal Governance and Risk Management in Banks

 

Title I. GENERAL PROVISIONS

Chapter I. Scope

1. This Regulation applies to banks of the Republic of Moldova and foreign bank’s branches operating on the territory of the Republic of Moldova and establishes their internal governance and risk management arrangements.

2. A foreign bank’s branch may follow the policies of the parent company’s on internal governance and risk management, provided that requirements set by the national legislation and this Regulation are observed. Otherwise, the management of a foreign bank’s branch shall set its own policies and shall assess any decision or practice at group level, to ensure that these do not entail the branch office to violate the provisions of the regulation framework or the prudential rules applicable on the territory of the Republic of Moldova.

 

Chapter II. Definitions

3. Terms and expressions used herein have the meanings provided in the Law on Financial Institutions no. 550-XIII of 21 July 1995 (republished in the Official Monitor of the Republic of Moldova, 2011, no. 78-81, Article 199), Law on the National Bank of Moldova no. 548-XIII of 21 July 1995, Law on Preventing and Combating Money Laundering and Terrorism Financing no. 190-XVI of 26 July 2007 and in the regulatory acts of the National Bank issued to be enforced.

4. For the purpose of this Regulation, the terms and expressions below shall have the following meaning:
risk appetite – an absolute level of risks that a bank is willing to take within its risk capacity according to its business model to ensure that its strategic objectives are being achieved;
internal control – a system that ensures carrying out efficient and effective operations, proper control of risks, prudential performance of activities, reliability of financial and non-financial reported information, reported both internally and externally, and compliance with the legal and regulatory frameworks, supervisory requirements and internal bank decisions;
corporate governance – a set of relations between the bank’s management, shareholders and other stakeholders. Corporate governance also includes structures (internal organization) that contribute to setting the bank’s objectives and their achievement means and to monitor performances;
business model – all activities carried out according to a strategy aiming at achieving financial performance;
bank’s management bodies – board and executive body;
risk profile – amount of exposures of banks to actual and potential risks;
primary internal regulations – strategies, codes, regulations and other internal regulatory acts designated to manage the bank’s activity and risks it is exposed to so that it complies with the legal framework, including Article 17 of the Law on Financial Institutions no.550-XIII of 21 July 1995 (republished in the Official Monitor of the Republic of Moldova, 2011, no.78-81, Article 199), that are approved by the bank’s board, or, as appropriate, by the General Meeting of Shareholders;
secondary internal regulations – instructions, procedures, guidelines, handbooks or other documents approved by the bank’s executive body designated to implement the provisions of the primary internal regulations;
ICT (information and communications technology) risk – operational risk subcategory that refers to risk of loss/negative impact due to compromised information confidentiality, information systems’ data integrity, unavailability of information systems and/or data and incapacity to change (upgrade) ICT in a short time and a cost-effective way. These losses/negative impact can result from external or internal factors, such as: undue organization, faulty or poorly secured information systems and network infrastructures, and shortage of staff or unqualified staff that is in charge for bank’s information systems’ administration;
concentration risk – a risk resulting from exposures to each counterparty and/or groups of related parties, and/or groups of persons acting in the same economic sector, performing the same activity and owning a joint venture;
compliance risk – operational risk subcategory that refers to current or future risk of profits and capital which may result in fines, damages and/or contracts termination, or which may affect the bank’s reputation due to violations of or non-compliance with the legal framework, regulatory acts, agreements, recommended practices or ethical standards;
credit risk – current or future risk that affects profits and capital due to failure to fulfill by the counterparty of its contractual obligations or any of its set obligations;
counterparty credit risk – risk that a counterparty to a transaction could default before final cash settlement related to the transaction is made;
settlement risk – risk of loss arising from the difference between the agreed settlement price and the current market value for transactions for which the debt instrument, equity securities or currency remain unsettled after the due delivery date;
liquidity risk – current or future risk that may affect profits or capital, arising due to bank’s incapacity to meet its obligations when they fall due;
operational risk – current or future risk that may affect profits and capital, arising from inadequate or failed internal processes and systems and/or as a result of certain external persons or events;
market risk – risk to record losses in terms of on-balance and off-balance items due to unfavorable fluctuations of prices for financial instruments and other equity securities held for trading, of interest and foreign exchange rates on the market;
price risk (position risk)- risk that may cause inconsistency of the price in time, i.e. the time between the date when the contract was concluded and the date when the payment was made and the sum provided in the contract was received;
residual risk – risk that may arise due to the fact that techniques used to mitigate credit risk are less efficient than expected as they generate new risks (such as liquidity or compliance risks) that may undermine the efficiency of mitigation techniques;
interest rate risk – current or future risk that affects profits and capital due to some adverse changes in interest rates;
reputational risk – current or future risk that may affect profits and capital or liquidity, due to unfavorable perception of counterparties, shareholders, investors or supervisory authorities regarding the image of a bank;
transfer risk – risk arising from a counterparty’s impossibility to convert national currency to foreign currency needed to pay some financial obligations due to lack or unavailability of such a currency as a result of some restrictions imposed by the country on the respective counterparty;
country risk – risk of exposure to losses due to economic, social and/or political events from a foreign country, affecting the bank’s activity;
currency risk – risk of exposure to losses arising from commercial contracts or other economic relations due to exchange rate fluctuations on the market from the date of signing the contract to its expiry;
information system – information management system of the bank and its related organization resources, such as information, human resources and organizational structures;
stress testing – risk management technique used to assess potential effects of some events or future changes in economic conditions, that may have impact the bank’s financial situation;
risk tolerance – maximum level of risk accepted by a bank that fits into the actual limits of the appetite risk taken by a bank.

 

Title II. ORGANIZATIONAL STRUCTURE AND ACTIVITY ORGANIZATION

Chapter I. Organizational Structure

5. The bank shall have a transparent organizational structure appropriate to the activity it carries out to promote effectiveness and secure necessary prudence for the bank management.

6. Reporting and responsibility lines and competencies in the bank shall be clearly marked, defined, coherent and effectively implemented.

7. Organizational structure of the bank shall be assessed as to identify whether its diverse elements complement each other and interact mutually, shall be improved depending on the bank’s development, shall comply with the approved business model and risk profile and shall avoid an excessive or inadequate level of complexity.

8.  Organizational structure of the bank shall not affect the capacity of the management bodies to efficiently supervise and manage its activity and encountered risks.

 

Chapter II. Activity Organization

9. The bank shall perform its activity, including carry out operations and provide services in strict conformity with its internal governance and risk management arrangements.

10. The bank shall organize its activity in a way that the decision made by the management and/or practices used do not impede the healthy and prudent management, bank’s financial soundness or stakeholders’ legal interests (depositors, creditors).

11. The bank shall accept to carry out and to conduct only those activities, operations, and services that provide the security that the related risks shall be managed appropriately.

12. The bank shall maintain an appropriate set of basic operational competencies related to the outsourced activities, so that it has the capacity to resume, if necessary, the direct control over outsourced activities and it possesses outsourcing policies, under the Regulation no. 241 of 3 November 2011 on Outsourcing Bank’s Activities and Operations.

 

Title III. MANAGEMENT BODIES OF THE BANK, DUTIES, RESPONSIBILITIES, COMPOSITION AND OPERATION.
INTERNAL GOVERNANCE

Chapter I. Management Bodies of the Bank, Their Composition and Operation

13. The bank shall establish the size and composition of its management bodies based on the scale, complexity, nature and scope of its activities.

14. Numerical strength, operation manner and duties of the management bodies shall be established in the bank’s internal regulations, in compliance with the Law on Financial Institutions no. 550-XIII of 21 July 1995, other regulatory acts of the National Bank of Moldova issued to implement it and the Law no. 1134-XIII of 02.04.1997 on Joint Stock Companies.

15. The meetings of the bank’s board, including the number of attendees and the frequency of meetings shall be thus organized as to ensure an in-depth examination of the bank’s issues and critical debate of matters in order to maintain the activity at an efficient level.

16. Members of the board and executive body, according to the assigned duties, shall be responsible to monitor the bank’s compliance with the legal framework, including the Law on Financial Institutions no. 550-XIII of 21 July 1995 and other regulatory acts issued by the National Bank of Moldova.

 

Chapter II. Duties and Responsibilities of the Bank’s Board

17. The board is the bank’s management body in charge of supervising the bank’s business environment and the way the bank regulates and organizes its activity. Thus, the board defines internal governance and risk management arrangements of the bank’s activity by ensuring the development, approval and review (no less than once per year) of internal regulations covering all bank’s activities.

18. The board shall:
1) Approve an appropriate and transparent organizational structure that is in line with the risk volume, complexity, and profile of the bank;
2) Approve and supervise the implementation of strategies and policies in all bank’s areas of activity, considering the bank’s long-term financial interests, risk appetite, profile and tolerance of the bank;
3) Ensure the development and supervision of implementation of corporate governance code;
4) Approve and supervise the implementation of a code of conduct that clearly states the acceptable and unacceptable conduct of the staff, including illegal activities and excessive risks taken by the bank;
5) Approve and supervise the implementation of the bank’s staff remuneration policy;
6) Approve and supervise the implementation of the policy on appointment of administrators;
7) Approve and supervise the implementation of the policy on conflicts of interest and make sure that the bank’s staff is trained in preventing the occurrence and monitoring how to address conflicts of interest in the bank;
8) Approve and supervise the implementation of risk management policies and ensure the training of the bank’s staff engaged in this activity;
9) Supervise and secure the effective operation of compliance, internal audit, and risk management functions, reporting directly to the board, in order to maintain their independent activity status.

19. The board shall make sure that the experience and knowledge of the members of the executive body is in line with the bank’s nature of activity and risk profile, shall establish performance standards for the executive body according to the bank’s strategies and policies and shall monitor the compliance off such performances with the standards.

20. The board shall supervise the activity of the executive body, shall oversee its actions to ensure that they are in line with the bank’s strategy and policies by examining the information provided by the executive body and by the compliance, internal audit and risk management functions, reporting directly to the executive board, and by convening meetings with the Executive Board and these functions on a regular basis.

21. The board shall define and update from time to time the standards for its own activity, considering the laws and the regulations establishing the board’s organization, rights, responsibilities and activities and shall maintain its performance and integrity by conducting assessments of each member and of the entire board on a regular basis.

22. The board, depending on the nature, complexity and volume of the bank’s activity, may establish one or more committees to assist it in performing its risk management duties. The bank’s board can define the number and structure of the committees to ease its own activities, but shall not be entitled to delegate its duties to these committees.

23.  The board members shall exercise their duties with due diligence and loyalty and according to the legal provisions and applicable regulatory framework, considering, at the same time, the primary internal regulations that are used to carry out the supervision function.

24. The board members shall always have access to any information related to the bank and the executive body’s activity, to internal and external audit reports, to strengthen the implementation of internal policies and procedures and to secure the compliance of the bank’s risk profile with its strategy and the ability to manage and absorb risks.

25. The board members shall actively participate in the bank’s activities and shall make solid, objective, and independent decisions and judgements.

26. The bank shall provide appropriate human and financial resources to integrate and train the board members.

 

Chapter III. Responsibilities of the Executive Body of the Bank

27.  The executive body is responsible for the management of the bank’s current activity and is accountable to the board for the bank’s financial performance. For this, the executive body shall ensure appropriate implementation of the internal governance and risk management arrangements of the bank, shall develop and approve, as needed, internal documents subject to internal regulations approved by the bank’s board.

28. The executive body shall know and understand the bank’s organizational structure, the risks it generates to ensure that the bank’s activities are carried out according to its strategy, risk appetite and policies.

29. To promote and ensure an efficient bank activity, the executive body shall be responsible for:
1) The bank’s compliance with the legal framework, including the Law on Financial Institutions no. 550-XIII of 21 July 1995 and regulatory acts issued by the National Bank of Moldova;
2) Implementation of all internal regulations approved by the bank’s board and the bank’s codes of corporate governance and of conduct;
3) Ensuring and monitoring the adequate performance of the subordinated staff’s duties, so that the bank’s activity be consistent with its strategic objectives;
4) Distribution of bank’s staff duties and responsibilities and set-up of a management structure promoting a responsible and transparent activity in the bank;
5) Integrity of bookkeeping and financial reporting systems and delivery of accurate and truthful information to the bank’s board;
6) Appropriate implementation of the internal control mechanism and risk management systems;
7) Implementation of risk management systems, risk culture, risk management processes and control that the bank is exposed to in accordance with the primary internal regulations;
8) Delivery to the bank’s board of regular and proper information on: changes in the bank’s activities that fall outside the business strategy, risk strategy and their related policies, bank’s performance and financial situation.

30. The executive body shall contribute to a healthy corporate governance within the bank, including by its own behavior. For this, executive body members may act in jointly or independently, as it is provided in the primary internal regulations of the bank.

 

Chapter IV. Internal Governance

31. The bank shall carry out its activity under the legal framework provisions, including under the Law on Financial Institutions no. 550-XIII of 21 July 1995 and the regulatory acts issued by the National Bank of Moldova, the Articles of Association and internal regulations of the bank.

32. The bank shall have in place internal regulations on internal governance and risk management, adjusted to the nature, scale, and complexity of risks inherent to the bank’s business model and activities.

33. The bank shall inform through its secondary internal regulations and shall update clearly and consistently the staff concerned on primary internal regulations of the bank, its strategies and policies, so that the staff has the necessary knowledge to at least fulfill their duties.

34. The bank shall have:
1) a management structure that shall contribute to the efficient and practical supervision over the bank, including over its subsidiaries and/or structural subdivisions, depending on the risks they are exposed to;
2) internal documents related to the activities carried out at all bank’s levels, including at bank’s branch and/or structural subdivision level, to meet all applicable organization/conduct of activity requirements;
3) resources sufficient for the bank, including for each branch and/or structural subdivision of the bank, to conform to internal governance and risk management arrangements, both at bank and each branch/structural subdivision level.

35. The bank shall develop and promote standards of conduct to secure a professional conduct of the staff knowing and observing the code of conduct at all bank’s levels, shall have appropriate programs and training for staff on their responsibilities, shall set clear integrity and ethical values expectations for the staff, so that they understand their role and the responsibilities.

36. The bank shall develop and promote a conflict-of-interest policy to identify current or potential relations, services, activities or transactions that could generate conflicts of interest. For this, the bank shall ensure that the conflict-of-interest policy is read and understood by the bank’s staff and is complied with.

37. Conflict-of-interest policy shall at least set requirements for:
1) procedures on prevention of conflicts of interest, their management and monitoring when being identified;
2) bank administrators’ commitment to avoid conflict of interests or their emergence;
3) bank administrators’ commitment to disclose any legal issue of conflict of interest and to abstain from voting in case of a conflict of interest;
4) proper procedures for transactions with related parties;
5) identification of areas of activity that may be affected by conflict of interest and independent monitoring carried out by persons that are not directly involved in such activities, and who are informed based on a properly set reporting line;
6) conflict of interest management and measures to be taken by the bank’s board in case of failure to observe the policy on conflicts of interest.

38. The bank shall have in place internal warning procedure that shall be used to outline the legitimate and valid concerns related to their internal governance and risk management.

39. The internal warning procedures shall ensure that the person raising a certain issue remains anonymous. These concerns shall be raised by the compliance or internal audit functions or by an internal warning procedure, but outside the reporting lines, in order to avoid conflicts of interest.

40. The warning procedures shall be available to the entire staff of the bank. Information provided by the staff via a warning procedure shall, if relevant, be presented to the bank’s board.

41. In addition to the internal warning procedures, the bank’s staff may inform the National Bank of Moldova on the legitimate and valid concerns related to their internal governance and risk management arrangements.

 

Title IV. ADMINISTRATORS APPOINTMENT POLICY

42. The bank must have in place a policy on the appointment of administrators, which shall be in compliance with the requirements of the National Bank on exigencies to administrators and adjusted to the nature, scale and complexity of the bank’s activity.

43. The policy on appointment of administrators shall regulate the selection and assessment of the candidates’ suitability for the role of administrators, and shall at least establish requirements for:
1) position in charge for the assessment of adequacy of administrators;
2) internal procedure applicable to assessing the adequacy of a candidate for administrator, as well as to registering the assessment and its results;
3) required competencies and qualifications for a candidate for administrator and the information that need to be provided to the bank for assessment;
4) measures to make sure that shareholders are informed about the requirements for the administrators if the candidate is appointed by shareholders;
5) situations of reassessing the adequacy and measures taken to identify such situations;
6) obligation of the candidate for administrator to notify the bank about any major change endangering the compliance with the set requirements;
7) ways the bank shall provide vocational training opportunities, should training/refresher courses be necessary for the candidate for administrator.

44. The position in charge of assessing the adequacy of administrators shall:
1) identify and inform the board or the executive body, as appropriate, on the vacant positions of administrator in the bank;
2) assess the knowledge, competencies and experience for the positions of administrator and prepare a description of the roles and capacities in order to appoint to a certain position;
3) assess constantly, at least once a year, the structure, size, composition and performance of the management bodies and make some recommendations to the bank’s board on any changes;
4) review periodically, at least once a year, the bank policy on the appointment of administrators and make some recommendations to the board, if required.

 

Title V. REMUNERATION POLICY

45. The bank shall have in place a remuneration policy that shall contribute to prudent management of risks and shall not favor assuming risks that exceed the bank’s accepted risk level.

46. The remuneration policy shall correspond to the strategies, objectives, and long-term interests of the bank and shall avoid any conflict of interest.

47. The remuneration policy shall consist of the following:
1) explanations on the relative importance of remuneration components;
2) remuneration schemes that discourage imprudent risk-taking or seeking higher short-term profits.

48. The staff involved in the internal control mechanism shall be rewarded in accordance with the achievement of objectives related to the exercise of functions. Their remuneration shall not depend on the performance of activities monitored or controlled by the internal control mechanism, but on the qualifications and role of the involved staff.

49. Staff remuneration shall reflect individual performance, such as knowledge/qualifications obtained, personal development, compliance with the systems and recommendations related to the bank controls, involvement in business strategies and bank policies and contribution to the team’s performance.

50. The structure and operation of the remuneration policy shall be monitored and supervised by the bank’s board and shall be applied to its entire staff.

51. The remuneration policy shall be evaluated by the bank’s board no less than once per year, paying particular attention to preventing compensation for excessive risks-taking and to ensuring a reasonable balance between basic and additional remuneration.

 

Title VI. RISK MANAGEMENT

Chapter I. General Provisions

52. The bank shall develop a risk culture, integrated for the whole bank, on the basis of a full understanding of the risks encountered by the bank and of their management, considering the bank’s risk tolerance/appetite.

53. Each person in the bank shall be fully aware of its risk management-related responsibilities. Risk management responsibility shall not be limited to risk-related, compliance, internal audit, risk management professionals. The bank’s units, under the supervision of management bodies, are mainly responsible for the daily risk management, taking into account the risk tolerance/appetite of the bank, in compliance with the policies, procedures and results of controls carried out by the bank.

54. The management bodies shall spend enough time to examine risk-related issues.

55. The bank shall have some comprehensive risk management arrangements for all units, including the support and control functions, fully recognizing the economic substance of risk exposure and covering all risks relevant for this bank. The risk management shall cover at least the credit risk, market risk, liquidity risk, operational risk, concentration risk, reputational risk, compliance risk.

56. The bank shall ensure that the risk management policies are in compliance with the bank’s business model, capital and risk management experience, shall make sure that the management bodies properly perform their duties, shall maintain the bank’s capacity to exercise its duties to depositors and creditors, shall establish the risk level that is ready to take and shall manage all risks related to its activity, including risks related to outsourced activities.

57. Risk management policies shall be translated into internal regulations, with a distinction between general rules applicable to the entire staff and the specific rules applicable to some of the staff members, and shall at least set requirements for:
1) risk management procedures, adjusted to the bank activity’s scale and nature shall include the identification and permanent assessment of risk-taken positions, risk monitoring and control, including the risks related to outsourced activity and off-balance transactions;
2) adjustment of risk management procedures according to the risk profile and market development;
3) risk exposure limits provided for all the activities and for every separate major activity and/or branch that outlines the chosen risk profile, in the light of the relation between the accrued risks and obtained profit that the bank deems acceptable under an efficient and prudent ongoing activity. The limits set for activity and/or branch level shall be linked with those set for the level of the entire bank;
4) procedures of operations’ authorization that may be affected by risks, considering the risk management responsibilities of the management bodies and the bank’s staff;
5) required measures to minimize and limit risk exposures that interfere with the achievement of objectives and/or stability of the bank;
6) enough bank resources (including technical and human resources) to manage the risks.

58. The bank shall identify the risk profile, determining the objectives for each risk, shall ensure a systematic monitoring of activity’s compliance with the risk management policies and procedures, and shall report about found violations, if required, to the relevant board, and shall ensure their resolution.

59. The bank shall have an adequate information exchange system to identify, assess, monitor and systemically document the risks both at the level of the bank, and its units and/or branches, and to report risk exposures to the relevant management bodies to take decisions on the risks assumed by the bank.

60. The bank shall thoroughly analyze new products, markets or activities and shall make sure that the authorized body approves the new products, major current product feature changes and risk management initiatives, shall have internal instruments and relevantly experienced staff to understand, manage and monitor the related risks.

61. In the event of a high risk exposure and/or use of inappropriate risk management methods, the bank shall take corrective measures, which will aim at least the following:
1) improve information and risk exposure assessment systems;
2) reduce risk level;
3) other measures or a combination of measure depending on the concrete situation, state and conditions existing in the bank.

 

Chapter II. Risk Management

Section 1. Credit Risk, Including the Counterparty Credit Risk and the Settlement Risk

62. The bank shall have an adequate credit risk management, taking into account the bank’s risk appetite and profile, and the market and macroeconomic conditions. It includes credit risk management policies and procedures to identify, assess, monitor and control timely the credit risk, including the counterparty credit and settlement risks.

63. The credit risk policy shall cover the bank’s lending activities and shall consider both individual credits, including the credit currency, and the entire portfolio. For this, the credit risk policy shall at least provide requirements for:
1) Lending procedure, including based on a contractual framework determined according to the specifics of the credit, counterparty and guarantees offered by it, arrangements for assuming the risk, including by establishing more restrictive requirements to the counterparties subjected to the currency risk (related to the guarantee, debt and large debtor concentration indicators), credit risk monitoring and control;
2) credit categories that the bank shall promote, economic sector, ownership, counterparty categories (individual/legal entity etc.), residence, geographical area, currency, initial life, estimate profitability;
3) procedures used to identify the market that the bank intends to operate on, determining credit portfolio characteristics (including diversification and concentration degree) and assessing the new business opportunities for the lending activities;
4) procedures to determine the eligible counterparties, conditions that they must meet to enter in business relations with the bank and guarantees accepted by the bank;
5) effective loan management procedures, including the ongoing analysis of the debtor’s contractual payment ability, considering the currency rate risk value that it is exposed to and the debtor’s level of indebtedness; ongoing examination of the credit documentation (credit contract, collateral contract and other guarantees, documents confirming the counterparty’s financial situation etc.); assessment of the classification system based more on the transaction’s economic substance and less on its legal form, so that it corresponds with the nature, scale, and complexity of the bank’s activity;
6) procedures to identify, manage and monitor the assets and nonperforming conditional commitments in order to maintain healthy lending standards and observe the credit risk-taking limits;
7) criteria to define the new assets and conditional commitments and the ways to approve them, as well as the assets with an extended and renegotiated time limit;
8) conduct stress tests to identify the potential weaknesses or vulnerabilities of the credit risk positions, on the basis of different stress scenarios;
9) internal reporting process providing the bank’s management bodies adequate information to measure, estimate and report in due time the size and the quality of the credit risk;
10) assurance that lending-related decisions are taken independently, without any pressure or conflicts of interest.

64. In order to prevent business relationships with individuals involved in fraudulent activities, the bank shall have in place procedures that shall include at least the following:
1) Receiving information from persons in the bank, authorized to carry out required investigations;
2) consulting the information obtained by the bank from external structures, organized under the law, aiming directly to collect and provide information on the situation of the counterparty as the credit beneficiary and/or other financial information;
3) knowing the participants in the legal entity’s capital and checking their references and those of the persons in charge of managing it.

65. The bank shall carry out the lending activity based on prudent and well-defined criteria. When assessing the credit risk to a counterparty, the bank shall consider at least the following:
1) purpose of the credit, credit currency, credit life and repayment;
2) the current risk profile of the counterparty and guarantees, as well as guarantees’ sensitive reaction to market developments;
3) debt history of the counterparty and the current and future capacity to repay it based on the historical financial evolutions and future cash flow predictions that shall be critically analyzed as to the likelihood of being achieved;
4) the economic sector where the counterparty operates and its position in this sector;
5) concentration of bank exposures to the counterparty and the way it repays credit and interest rates;
6) the likelihood of failing to meet contractual conditions set based on an internal counterparty evaluation system and the capacity to implement, from legal view-point, the contractual commitments, including the likelihood to exercise the guarantees under market conditions.

66. The bank shall have in place counterparty risk assessment procedures with clear provisions of risk classification and establishment of allowances for credit risk losses based on updated credit file information, as well as procedures for the ongoing assessment of guarantees that shall be taken into account during the classification process.

67. The bank shall have large credit identification and potential changes registration procedures, as well as monitoring mechanisms. The bank’s board shall approve the credits that exceed a certain bank capital share (set in internal policies, but do not exceed the regulatory limits) and/or assume a high credit risk or those that don’t fall into the lending policy.

68. The bank’s internal information system shall allow to assess the credit risk related to on-balance and off-balance items. The information process shall provide proper information on the credit portfolio composition, with emphasis on standard, supervised and non-performing credits breakdown and/or identification of non-compliance with the set exposure limits, as well as the information allowing to identify any risk concentrations, so that the problematic credits are found and corrective actions are taken in due time.

69. The bank shall have a system to timely solve the situation of worsening credit quality, as well as a system to manage the non-performing credits.

 

Section 2. Country Risk/Transfer Risk

70. The bank that has cross-border and foreign currency exposures, including in cash, deposits, NOSTRO correspondent accounts, investments, loans and other on-balance and off-balance assets, and external funding sources, shall develop and implement the country risk and transfer risk policy that shall at least set requirements for:
1) procedures to determine the acceptable risk level for a certain region, currency, country and exposure limits depending on activities;
2) procedures to determine criteria on the country’s political, economic and financial situation assessment and the types of instruments and activities allowed for the bank to properly manage country risk and transfer risk exposure;
3) reporting procedures for the dissemination of information on the bank’s cross-border exposures at each organizational level, having a structure, content, and frequency appropriate to the operations performed;
4) control processes that shall ensure that the information is accurate, complete and of high quality, setting control means and ensuring integrity of the system used to identify, monitor and control the country risk and the transfer risks;
5) procedures to authorize and processes to notify the exceptions from the policy on the country risk and transfer risk, if exceptions are to be allowed, as well as to justify their necessity and acceptability;
6) procedures to assess and establish the allowances for losses on assets and commitments subject to the country risk and transfer risk.

71. The assessment procedures shall determine the possibility to relocate the risk, i.e. the final location of the risk in the guarantor’s country where the risk is transferred, to aggregate exposures and to allow the management bodies to monitor the overall exposures to countries and individual foreign currencies in the bank.

72. The bank’s exposure to an individual country/foreign currency shall comprise all on-balance and off-balance accounts of counterparties that are residents of the country concerned. They shall be monitored according to the following aspects: on-balance and off-balance values; residual maturity; contractual maturity; type of the counterparty (country, bank, non-banking legal entity, individual).

73. The bank shall have country risk analysis and country rating processes that would reveal the real risk profile of the country concerned. The rating shall be used as basis to determine the exposure limits. Banks can use various sources to assign the rating, such as international agencies’ evaluations and ratings (Standard & Poor’s, Moody’s and Fitch-IBCA), official publications of the International Monetary Fund or of the World Bank and/or internationally acknowledged publications. These sources can be used for the bank’s self-assessment.

74. The bank shall have in place information systems to report aspects related to the country risk and transfer risk in due time, with a focus on the level and the trend of the bank’s country risk and transfer risk, including at least information on the on-balance and off-balance accounts, maturity, type of the debtor/creditor, effect of the position of the country risk and transfer risk on the capita.

 

Section 3. Market Risk

75.  For market risk management, the bank shall take into consideration at least the following subcategories:
1) Interest rate risk;
2) Price risk (position risk);
3) Foreign exchange risk.

76. The bank shall have proper policies that shall clearly describe the market risk identification, assessment, monitoring and control roles and responsibilities.

77. The bank policies on the interest rate risk, price risk, and foreign exchange risk shall at least set requirements for:
1) procedures to determine acceptable levels for all risks, especially for the price risk, considering the type of investments allowed, acceptable quantity and quality per each type of investment, while for foreign exchange risk it shall take into account all foreign currencies, profitability level, needs of liquidity for each currency the bank operates with, assets and liabilities maturity structure, and off-balance exposures;
2) procedures to identify, assess, and monitor the risks, and to establish the types of instruments and activities allowed so that the bank can manage its interest rate and foreign exchange risk exposures, including their features and use;
3) control processes specifying and performing daily operational controls to ensure accurate and full information, which is needed for managing the interest rate, price and foreign exchange risks in compliance with the internal regulations of the bank;
4) authorization procedures and warning processes for exceptions from the policies on interest rate, price and foreign exchange risks, as well as their rationale and acceptability;
5) stress test methodologies based on information on the bank’s operations and the level laid down for the interest rate, price and foreign exchange risks, in order to establish the impact of the hypothetical fluctuation of interest rates, prices, and exchange rates on the bank’s income and capital.

78. The bank shall establish limits for the market risk, approved by the bank’s board, which shall comply with its absorption capacity, size and complexity of the bank’s activity and/or operations, reflecting all major market risks.

79. The bank shall have management processes able to secure that all transactions are registered in due time and that market positions are re-assessed sufficiently frequent, using credible market information or, in the absence of market prices, internal models or models accepted in the banking sector.

80. The bank shall use the stress test results to perform analyses, shall have plans for unpredictable situations, as may be required, and shall validate or test periodically the systems used to quantify the market risks. Approaches used by the bank shall be integrated in the risk management policies, and their results shall be considered in the bank’s risk-taking strategy.

81. The bank shall ensure an independent verification of the market information used to assess the trading portfolio items by members of staff that are not involved in this activity.

82. The bank shall manage the interest rate and foreign exchange risks for all assets and liabilities in the national and foreign currencies, including those attached to the foreign currency’s exchange rate, from the on-balance and off-balance accounts.

83. The bank shall consider the identification, assessment, monitoring and control of the potential price volatility of the on-balance and off-balance financial instruments, while managing the price risk. Limits for exposures to price risk shall include limits for the exposure to a company, to a sector and the limit for losses. Limits for securities and other more volatile and less liquid investments shall be examined in terms of the feasibility for maintaining lower limits for losses than those established for securities and other more liquid and less volatile investments.

84. The bank shall ensure information systems to report aspects related to country and transfer risks in due time, with a focus on the level and the trend of these risks, including at least:
1) for the interest rate risk - an analysis of maturity differences between the interest generating assets, interest-bearing liabilities and off-balance exposures, change in the value of assets, liabilities and off-balance positions following the interest rates change, the effect of the interest rate risk positions on the profit and capital;
2) for the price risk - an analysis of the total value of investments and of the current market values, the aggregated limits for investments and information on their observance, the change in the value of assets, liabilities and off-balance positions, the effect of the price risk position on the profit and capital;
3) for the foreign exchange risk - a periodical analysis (monthly, daily) of the open currency positions and the analysis of cash flow for each foreign currency and aggregated (inflows and outflows) for the nearest future period, the maturity of short and long positions, the change in the value of assets, liabilities and off-balance positions following the change in the exchange rates, the effect of the currency risk position on the capital.

 

Section 4. Liquidity Risk

85. The bank shall manage the liquidity risk for all assets and liabilities in national and foreign currencies, including those attached to the foreign currency’s exchange rate, from the on-balance and off-balance accounts and taking into account all the complementary risks.

86. The bank shall make sure that it has enough liquidity reserves and alternative financing plans. For this purpose, it shall have policies and procedures to identify, measure, manage and monitor the liquidity risk developed for certain periods, including during the day - intraday.

87. The bank’s policy on the liquidity risk shall include at least requirements for:
1) procedures of establishing acceptable limits of the liquidity risk, based on parameters that can be identified clearly and that should be in compliance with the short- and long-term objectives regarding the bank’s liquidity;
2) procedures to identify, assess and monitor the liquidity positions, including considering the limits established for the need to monitor the liquidity on a daily basis. This process shall include a robust framework to forecast the cash flows from assets, liabilities and off-balance elements for adequate periods of time, both in normal and crisis conditions;
3) procedures to determine the structure of assets and liabilities to maintain a sufficient liquidity level, diversification of deposits and other sources of funds in order to avoid liquidity volatility and to determine limits for counterparty transactions, to develop a list with instruments and activities allowed for the bank to manage liquidity risk exposure, including their characteristics and frequency;
4) reporting procedures needed for the dissemination of information at each level and reporting frequency;
5) control procedures to make sure that the information is accurate, complete and of a good quality allowing the bank’s management bodies to perform their duties;
6) procedures to authorize and notify the exceptions from the policy on liquidity risk, if exceptions are to be allowed, as well as their rationale and acceptability;
7) stress test procedures securing periodical stress tests and containing a variety of short, medium and long-term scenarios, taking into account the bank-specific and market situations, on the basis of which the vulnerabilities of the bank are analyzed in terms of liquidity positions and the potential negative impacts and their possible solutions are determined. These scenarios should be permanently updated, considering both the internal (bank-specific) and external (market) factors;
8)  liquidity management procedures in crisis situation, which shall envisage the identification of weaknesses or potential vulnerabilities related to the liquidity level of the bank in unpredictable conditions and development of liquidity management plans for such situations.

88. The bank shall assess the cash inflows, comparing them with the cash outflows, and shall determine the liquid value of assets in order to identify the potential deficit of the future net financing. For this purpose, the bank shall identify, assess and monitor the liquidity risk positions for:
1) future asset and debt cash flows;
2) sources of unforeseen demand of liquidity and the triggering factors related to off-balance positions;
3) foreign currencies in which the bank performs significant transactions;
4) activities on the correspondent, custody and settlement accounts.

89. To identify, assess, and monitor the liquidity risk positions for the future asset and debt cash flows, the bank shall:
1) have a robust liquidity risk management providing dynamic projections of cash flows that take into account hypotheses on the important counterparties’ behavior if their conditions change;
2) build realistic hypothesis on the short and long-term liquidity needs, reflecting the complexity of activities performed, of products offered and of market it operates on;
3) analyze the quality of assets that can be used as a financial guarantee to assess their potential to secure financing in crisis conditions;
4) manage, depending on the maturity, the registered cash inflows compared to cash outflows in order to see the distribution of sources available for use by their maturity.

90. To identify, assess, monitor and control liquidity risk positions for unforeseen liquidity demands and the factors that trigger off-balance positions, the bank shall identify, assess, and monitor off-balance commitment cash flows and other unforeseen obligations, shall monitor liquidity risk management in relation with certain entities to minimize derivate financial instrument, guarantees and other commitment risks of the bank.

91. To identify, assess, and monitor the liquidity risk positions for foreign currencies associated with major transactions, the bank shall:
1) assess its aggregated foreign currency liquidity needs;
2) analyze separately the strategy for each foreign currency in which it carries out major activity, considering crisis restrictions;
3) assess the likelihood of losing the access to currency markets and the degree of convertibility of the currencies in which it carries out its activity.

92. To identify, assess, and monitor liquidity risk positions for correspondent, custody, and settlement accounts, the bank shall understand and have the capacity to manage the way the correspondent, custody and settlement services can affect its cash flows.

93. The bank shall determine an asset’s liquidity based on its capacity to generate liquidities, regardless of its classification as a trading/non-trading portfolio item or the applicable accounting treatment.

94. The bank shall have in place information systems through which legal issues related to the liquidity risk to be promptly reported to the management, outlining the level and trend of the risk concerned, and which shall at least include an analysis of the cash flow for each currency (inflows/outflows) broken down by periods, the change in the main value of assets, liabilities and off-balance positions due to the market changes, and the effect of the liquidity risk position on the profit and capital.

95. The bank shall have procedures on the identification of various timely warning signs that signal a potential liquidity issue, such as:
1) concentrations in assets or liabilities;
2) worsening quality of assets that may generate a lower cash inflow;
3) fast increase of assets from volatile financing resources;
4) early withdrawal of deposits by customers (term deposits) or acceleration of deposits outflow;
5) the bank’s creditors increase the interest rates or decrease the amount of credit lines;
6) a higher loan-to-deposit ratio, indicating the need to borrow from other sources;
7) high off-balance exposures;
8) increasing number of cases requiring early payment/cross-default clause imposed to the bank by creditors, including the external ones;
9) any other factors deemed as important by the risk management function, executive body or the bank’s board.

96. During the planning for unpredictable situations, the bank management shall take into account the stress tests results. Plans for unpredictable situations shall contain:
1) different options of stress scenarios to create a clear image of the necessary measures to manage the liquidity in crisis conditions;
2) well-established communication lines allowing the bank management to take appropriate and well-funded decisions and apply promptly and efficiently the relevant measures in unpredictable situations.

 

Section 5. Operational Risk

97. The bank shall have in place operational risk management policies to consider (individual and corporate) competencies and behavior that trigger the bank’s operational risk-related management commitment and style.

98. For operational risk management, the bank shall at least consider its following subcategories:
1) compliance risk;
2) information and communications technology risk (ICT risk).

99. The bank shall establish in the code of conduct for its staff the expectations for integrity and ethical values at the highest level and shall identify specific responsibilities, so that the staff understand their role and responsibilities related to the operational risk management and their authority to act.

100. The bank’s operational risk management policies shall provide at least requirements for:
1) procedures to establish the operational risk indicators, on the basis of which the bank’s exposure to that risk could be determined. The procedures shall contain, but not be limited to, the number of failed transactions, frequency and/or seriousness of errors and omissions, staff fluctuation rate, fast increase in the volume of some activities, periodical review of their level and establishment of warning limits;
2) procedures to identify and assess the exposure to operational risk by assessing products, activities, processes and systems in order to determine the ones subject to operational risks, collect and analyze data on internal losses, contributing to identifying the areas that need additional verifications;
3) adequate and efficient information systems for operational risk monitoring by collecting and analyzing data on the operational risk, as well as by facilitating adequate reporting to the management bodies, as well as at the level of activity line;
4) control processes specifying daily operational controls to ensure accurate and full information for operational risk management in compliance with the internal regulations of the bank;
5) procedures to identify the critical operational processes, including those that depend on external suppliers or third parties, for which it would be important to resume fast the activity;
6) review of policies whenever a considerable change in the operational risk profile of the bank is noticed, but also in other cases that require such reviews, including when introducing new products, new business areas, changes in the organizational and management structure.

101. For operational risk management, the bank shall at least consider the following categories of events:
1) internal and/or external fraud or internal and/or external attempted fraud;
2) employment and occupational safety practices;
3) trading practices related to customers and products;
4) existence of damages to tangible assets;
5) termination of the activity and inadequate functioning of systems;
6) performance, delivery and management of processes.

102. The bank shall have in place information systems through which operational risk matters shall be timely reported, outlining the risk level and trend, change of the main value of assets, liabilities, and off-balance positions and operational risk effect on the profit and capital.

103. The bank shall review any activity outsourced to a third party in order to assure that the operational and other risks do not increase due to inadequate control methods or other deficiencies of third parties that take over these activities.

104. To reduce the operational risk in some areas, which can be caused by fraud or natural disasters, the bank’s board shall decide whether the insurance against these dangers is feasible and shall document why the insurance was refused for the areas where it is available, using the cost/benefits analysis, where possible.

105. The management bodies are in charge of creating a compliance culture protecting the bank against the risk related to the failure to observe the laws, subordinated regulations, rules and codes applicable to the banking activity.

106. The bank shall not participate in transactions by which the customers intend to avoid the financial reporting requirements, the tax obligations or to facilitate unlawful behavior.

107. The staff responsible for the compliance function shall identify, assess, monitor and control the compliance risk and test periodically the bank’s compliance with the regulatory framework.

108. The bank shall have a policy on the compliance risk containing at least:
1) the main principles followed by all the staff members, including by the management bodies, and the processes for managing the compliance risks at all levels in the bank;
2) requirements for the procedures of identifying and assessing issues with the compliance risk, encountered by the bank, and plans to solve them. These plans shall also overcome the deficiencies in policies and procedures, and prevent similar or related situations in the future;
3) description of the roles, rights and responsibilities of the compliance function and establishment of measures securing its independence;
4) requirements for the allocation of resources to fulfill the responsibilities related to the compliance function;
5) requirements for the procedures of establishing relations with the bank’s risk management and internal audit functions.

109. The management bodies are in charge of assuring the immediate reporting, by the compliance function staff, of any significant failure to comply with the legal framework, regulatory acts, agreements, recommended practices or ethical standards that may trigger a considerable risk of sanctions, financial losses or reputation damage.

110. The bank shall have adequate IT processes and infrastructure by which to manage the information system risks and support the current and future activity requirements, both in normal and in crisis conditions, as well as to secure the integrity of data and systems, their security and availability.

111. The bank shall inform, in due time, the National Bank of Moldova about the changes that have a significant impact on the operational risk that it is exposed to.

 

Section 6. Reputational Risk

112. The bank shall identify, assess and monitor the reputational risk at all business levels, including by its main components:
1) corporate reputational risk relating to the performance, strategy, exercise and delivery of services by a bank, that can be real or perceived;
2) operational reputational risk, when an activity, action or position of the bank, administrators and/or persons affiliated to the bank jeopardize the bank’s image, affecting at the same time the bank’s profile and capital.

113. When identifying the reputational risk, the bank shall consider its sources of origin, including the incapacity to secure the confidentiality of the information that is not intended for the general public (either internally or by outsourcing), the high number of complaints made by the customers, sanctions imposed by duly empowered institutions, real or perceived association with persons or companies with a negative reputation, or the incapacity to meet the assumed contractual obligations.

114. When assessing the reputational risk, the bank shall consider the regulatory framework, including in the social area, and other elements that can affect its activity. Such elements can include at least the following:
1) information, either compliant or not with the reality, perceived unfavorably with regard to its image or business practices;
2) loss of confidence in the bank’s soundness due to the serious damage of its security following some internal or external attacks on the information system;
3) difficulties encountered by customers when using some products without having sufficient information about them and without knowing the procedures of overcoming the emerged problem.

115. The bank shall adopt a policy on the reputational risk management, which should at least:
1) establish procedures allowing the bank to perform it activity in a safe and efficient manner, to build a reputational capital and avoid conflicts of interest and other potential issues that may harm the bank;
2) manage the risk by using a process to anticipate, analyze and decrease it, and, subsequently, via internal and external expectations;
3) measure the trends for the bank reputation by feasible means, such as the number of complaints made by customers, articles and trends in the banking sector on topics that could harm the bank’s reputation;
4) identify risky events as being specific to the bank or to the whole banking sector to determine the necessary remedial action;
5) ensure transparency so that the bank’s clients could take informed decisions on the bank’s reputation;
6) report to the management bodies any significant event that may harm the bank’s reputation;
7) set clearly defined procedures to approve the press releases;
8) appoint persons that can provide information to the public, especially during crises;
9) train the staff in order to avoid incorrect and inappropriate information flows to the customers.

116. To mitigate the reputational risk, the bank shall develop programs intended to educate customers how use the new products and services, to know their costs and to identify the eventual issues and ways to solve them.

 

Section 7. Concentration risk

117. The bank shall have policies on the exposure to concentration risk. The policies on concentration risk must be reviewed so as to consider any changes regarding the risk appetite and the bank’s operating environment and shall provide at least for the following:
1) procedures to establish and use the internal limits to mitigate the concentration risk in line with the general framework on risk management and measurement;
2) procedures to identify, assess and monitor the concentration risk;
3) procedures to authorize and notify the exceptions from the policy on concentration risk, if exceptions are to be allowed, as well as their rationale and acceptability.

118. The bank shall have adequate internal processes in line with the nature, size and complexity of the activity conducted to report the concentration risk resulting from:
1) individual exposures to customers or groups of connected customers;
2) exposures to the counterparties from the same economic sector or geographical region;
3) indirect credit exposures, resulted from applying credit risk mitigation techniques.

119. The bank shall analyze the credits and other assets, including estimates of their trends and will consider the results of these analyses when establishing and verifying the adequacy of procedures and limits, of thresholds and of other similar concepts for concentration risk management.

120. The concentration risk monitoring will be incorporated in the bank’s systems of risk management and reporting, and will be carried out with an appropriate frequency reflecting the nature of the activities conducted by the bank.

121. If the monitoring activity identifies components that are likely to cause breakdowns, the management bodies of the bank shall undertake at least one of the following measures:
1) review in details the risk environment in a specific sector;
2) conduct additional crisis simulations and analyses on the basis of additional scenarios;
3) review deeply the economic performance of counterparties;
4) review the approval levels for new activities; or
5) review periodically the risk mitigation techniques, their value and the possibilities for their implementation.

 

Title VII. INTERNAL CONTROL MECHANISM AND ORGANISATION OF THE CONTROL FUNCTIONS

Chapter I. Requirements for the Internal Control Mechanism

122. The bank shall have in place its own internal control mechanism that shall comply with the legal framework, regulatory acts of the National Bank of Moldova and with the generally accepted practice in the field, to ensure efficient bank management, performance of financial activities in a safe and prudent manner, compliance with laws in force and protection of depositors’ interests.

123. The main objectives of bank internal control include identification, proper monitoring and mitigation of financial activity risks, control over the observance of the legislation in force, ensuring information security, transparency of ownership and control structures over the bank, settlement of conflicts of interests, maintenance of an adequate security level to comply with the essence, character and volume of transactions performed.

124. While developing, organizing and implementing the internal control mechanism, the bank shall consider the amount, number, type and variety of transactions, the level of associated risk in every field of activity, the volume of control by management bodies over the bank daily activity, the degree of bank centralization and/or decentralization, and the level of IT resource usage.

125. While developing, organizing and implementing the internal control mechanism, the bank shall determine the field of application and the type of procedures of internal control to be implemented and shall consider the cost for its establishment and maintenance in relation with the benefits/risks of the bank. The cost factor shall not serve as ground to justify non-implementation of adequate and efficient internal control procedures.

126.  The bank’s internal control mechanism shall involve the bank management bodies and the bank staff, irrespective of the position held, shall contribute to increasing the revenue and minimizing expenses, and shall make sure that expenses are authorized and performed as intended, assets are adequately protected, liabilities are correctly registered, and risks are limited and/or mitigated.

127. The internal control mechanism must ensure at least that:
1) activities are planned and conducted in a correct, prudent, and efficient manner;
2) transactions and operations are conducted, and obligations are fulfilled according to the competence of the bank’s administrators and staff;
3) management bodies are able to protect assets and control transactions with liabilities, to ensure existence of measures to mitigate the risk of losses, violations, fraud, and errors, as well as of measures to identify such risks, to manage the level of capital adequacy, liquidity, profitability and the quality of bank’s assets; and to determine the risk of losses while conducting transactions and the adequate reserves to cover eventual losses on credits and other assets, as well as on off-balance commitments;
4) management bodies are able to ensure the development of complete and correct reports, in compliance with regulatory acts, and reflect accurate, complete and timely information in financial and other records;
5) corporate governance allows management bodies to follow the objectives that are in the bank’s interest and facilitates efficient monitoring of bank’s activity;
6) management bodies are able to regularly organize, supervise and verify the physical integrity of bank’s property and security means.

 

Chapter II. Requirements for Internal Control Activities and Procedures

128. Internal control activities shall be adapted to the specifics of Bank’s activity and shall comply with the structure, organization and management of bank’s activity and to the type, amount, number and complexity of bank’s transactions and operations and shall include at least the following:
1) organizational and administrative controls;
2) methods of activity management;
3) segregation of functions and obligations;
4) authorizing and approving processes;
5) record-keeping processes;
6) security processes;
7) verification processes;
8) evaluation processes;
9) risk management and control processes;
10) ongoing activity processes.

129. For organizational and administrative controls, the bank shall develop and have at least:
1) explicit documents about the objectives of short and long-term policies and strategies of the bank;
2) documents describing functions and obligations of the staff, reporting and communication mode;
3) documents describing the accounting procedures, bank accounts opening/changing/closing procedures, accounting documentation procedures, including a register of changes in the system, which indicates the date and name of the persons who authorizes and implemented the changes;
4) documents containing the description of internal control procedures in all fields of activity, including daily operational, automated and manual controls;
5) a register with the signatures of authorized persons, including signature specimens, determining assigned competences (powers) for every person included in the register; the register shall be updated depending on the modification of circumstances related to subjects stipulated in register;
6) documents regulating outsourcing of certain activities, to determine, inter alia, requirements for internal control system adjustment and improvement, internal reporting system and internal audit function, in order to make sure that the outsourced activities do not affect the bank’s capacity to conduct an efficient corporate governance;
7) a register of minutes of the general meeting of shareholders specifying the discussed topics; a register of internal documents; correspondence with entities/individuals, state bodies, including law enforcement bodies as regards credits and other assets;
8) clear procedures on knowledge about direct, indirect owners, effective beneficiaries, including bank’s knowledge about eventual common activities of thereof, as well as relationship between bank’s shareholders and debtors;
9) clear procedures on knowledge about bank’s affiliated persons, including knowledge of all affiliation criteria of board members and the bank;
10) procedures on security of bank’s assets from theft, abuse, incorrect use, or any other form of destruction;
11) procedures of independent and objective collateral evaluation, which will establish the modality and criteria for the selection of collateral evaluation officers, who might be third persons (for immovable assets – licensed evaluation enterprises in line with the law) or a separate subdivision subordinated to the bank’s board, methods of collateral value monitoring, methods evaluating the opportunity and correctness of the methodology applied by the bank upon collateral value estimation.

130. For activity management methods, the bank shall make sure that relevant subdivisions perform at least the following activities:
1) monitor, based on a set frequency (regularly, daily, weekly and/or monthly) the amount of risk exposures, confronting the limits set, develop reports on risk monitoring by specifically indicating risk positions that exceed the limits set;
2) develop procedures to identify, report and liquidate violations and activity drawbacks that would ensure accurate and regular comparative evaluation of the commitments and set limits, hold written explanations for actions regarding the positions that exceed the admissible limits, and indicate positions close to exceeding the admissible limits;
3) develop procedures to ensure regular transmission of accurate and full information to the bank’s management bodies;
4) regularly verify the implementation of bank’s policy and procedures on credit and other transactions, of the credit portfolio, of transactions that include advance payments, payments between other banks and of granted warranties, etc., with the view to duly trace out any problems related to such transactions and offering to management bodies the possibility to evaluate their impact upon the bank’s activity;
5) according to the internal policies of the bank, periodically verify the gained and retained profits and losses resulted from financial assets available for sale;
6) monthly verify the reports on current results and performance analysis, both separately and on consolidated basis, in comparison with the operational budgets and results of previous accounting period;
7) obtain, hold and update, in accordance with Annexes 1 and 2 to this Regulation, relevant documents and information on the following:
a) indirect shareholders and owners, including effective beneficiaries of equity interests in the bank’s capital;
b) bank’s debtors who benefited from credits and financial leasing, including direct, indirect owners and effective beneficiaries thereof, except for:
debit banks that benefited from credits and financial lease;
debtors to whom the bank has granted credits and financial lease, and whose total balance per debtor amount to up to MDL 100 thousand inclusively – for individuals, up to MDL 300 thousand inclusive – for sole proprietor, attorney, notary, patent holder, and up to MDL 500 thousand inclusive – for legal entities;
c) existence or lack of affiliation relationship between board members and the bank, except for the affiliation determined under the board membership title;
8) verify the bank’s fiscal status and obligations based on fiscal legislation;
9) regularly verify the technical condition of bank’s physical security means and assets.

131. The bank shall ensure that the methods of activity management, the mode in which the information is gathered, evaluated and submitted, the degree of detail required will vary depending on the hierarchic level of the staff that manages this information. Similarly, the importance and methods will determine the appropriate level of staff needed to fulfill the indications.

132. The bank shall ensure segregation of functions and obligations to reduce the risk of deliberate manipulation, crimes or errors and to streamline the control over transactions and bank’s operations. The bank shall have in place procedures to segregate functions and obligations in order to ensure at least that:
1) various persons are responsible for the maintenance of registers, assets, authorization, initiation and supervision of transactions and assigned commitments;
2) the authorization/approval, execution, registration, custody (maintenance), development of registers and electronic bookkeeping systems and their application within bank’s daily operations are separated;
3) segregation is made so that no person has the possibility to (intentionally or non-intentionally) illegally assume any assets, falsify information or incorrectly register any transaction or operation.

133. For authorization and approval processes, the bank shall have in place procedures to:
1) conduct transactions and operations in line with the authorization and approval requirements that provide for setting the limits depending on the powers held and conditions in which the management of the bank granted an authorization/approval;
2) conduct transactions and operations in line with the decisions of the bank’s management bodies and according to the granted authorization and approved powers.

134. For record-keeping processes, the bank shall have in place procedures to:
1) register correctly the authorized/approved, existing and future, spot, forward transactions or any other type of derivatives in accounting records, so that such transactions can be registered in the balance sheet in the period when they are reflected and in incomes statement in the period which they refer to;
2) ban registration of fictive transactions;
3) ensure the de facto existence of assets and liabilities entered into accounting records or other types of registers;
4) ensure daily entry of transactions in the register and complete, proper and due entry of all the conducted transactions in the bank’s accounts balance, and development of the accounting balance at day-end;
5) perform a complete and efficient control over accounting records and electronic bookkeeping systems;
6) verify arithmetical correctness of entries; keep and control totals, verifications, regularization accounts and trial balances; verify documents through the bookkeeping system; report traced errors and discrepancies to the executive bodies;
7) record documents that served as basis for transaction registration and that demonstrate the entry of transaction in bookkeeping and other registers.

135. For security processes, the bank shall have in place procedures that will include requirements for protection systems and equipment, especially, physical care for portable, negotiable, exchange and on bearer assets and goods, through the use of locked card safes for unused bills of exchange, and requirements for cash safes to protect money, securities, etc. and shall, at least:
1) ensure the security and physical custody over own assets, attribution of responsibilities to authorized persons, whose functions are independent from bookkeeping related duties;
2) limit both direct physical, as well as indirect documentary access to assets and goods through giving access to only authorized persons;
3) ensure the security and custody over goods held in the name of clients or other persons either in the name of thereof or in the name of persons named instead of thereof;
4) protect accounting registers and other types of bank registers.

136. For verification processes, the bank shall have in place procedures at least to:
1) ensure that accounting records are regularly confronted with the respective assets, documents and regularization accounts. The frequency of the verification procedures shall be set in line with the volume and type of transactions passed through a certain verified account and in line with value of the account balance;
2) determine the nature and volume of discrepancies traced out following the verification; investigate the verified positions, including clearing and, as the case may be, further adjust accounting records and authorize persons who have such powers;
3) justify the discrepancies between the balances at the end and the beginning of the accounting period and report any other discrepancies to the persons who have such powers;
4) ensure rapid exchange of transaction confirmations by a third person, including manual exchange, using mail or e-mail services;
5) organize, accomplish and verify the daily primary control over conducted and canceled transactions and operations.

137. or evaluation processes, the bank shall have in place procedures to:
1) ensure that the assets held for commercial purposes are subject to regular reevaluation at independently verified prices by other persons who have tangency with the respective assets (this is the competence of the back/middle office);
2) ensure that the value of assets, liabilities, rights and off-balance commitments is regularly reviewed and evaluated, but not least than once per year (except for real estate (buildings, special constructions), the value of which changes insignificantly – assessment is determined by the bank’s accounting policy);
3) create and register reserves and other adjustments against these assets to ensure compliance with laws in force, including regulatory acts of the National Bank of Moldova, accounting standards and bank’s accounting policy.

138. For risk management and control processes, the bank shall follow the policies on risk management and shall have in place procedures that will ensure the management and control of both risks controlled by the bank (risks related to assets and liabilities, as well as to off-balance positions, contract terms, insurers) and uncontrolled risks (general economic events and conditions, competition environment, natural disasters, terrorist acts).

139. Risks management procedures, in case of controlled risks, shall help the bank to take the decision to fully or partially assume these risks and the extent in which the Bank will mitigate the risks through control procedures. In case of uncontrolled risks, these procedures shall enable the bank to decide whether to accept or not, or reduce the level of activities affected by these risks.

140. For basic ongoing concern activity, the bank shall take all the appropriate measures to ensure activity continuity any time, irrespective of circumstances, and in all the activity directions. For this purpose, the bank shall develop and implement procedures that will maintain and/or relaunch the basic activities in case of an incident causing breakdowns.

141. To ensure a complex and efficient approach to planning and ensure basic activities continuity, the bank shall examine at least the following:
1) risks that might lead to incidents causing breakdowns in the basic activities of the bank;
2) impact of incident on the basic activities;
3) strategies to relaunch the basic activities and activity continuity plans;
4) plans to test basic activity continuity plans;
5) programs for bank’s staff training;
6) programs for communication and crisis management;
7) plans and procedures to ensure continuity of outsourced and relaunched activities, as a result of force majeure situations identified in the risk analysis, that are tested periodically to ensure their compliance with the outsourcing policies and procedures.

 

Chapter III. Organizing the Control Functions

Section 1. Role and Responsibilities of the Risk Management Function

142. The Bank shall have in place the function of risk management, under the direct supervision and responsibility of the bank’s board, the independence of which will be ensured by direct reporting to the bank’s board. The risk management function shall be in line with the nature, size and complexity of the activity performed by the bank.

143. The risk management function shall have enough authority, independence, resources and shall not have management or financial responsibilities in the bank.

144. The risk management function shall not be limited in access to information and processes regarded as needed to create an opinion and make conclusions and shall not be involved in conducting and keeping records of bank’s transactions and/or operations.

145. The bank's board shall ensure conditions to actively involve the risk management staff in the development of the bank’s strategies, decision making process, to make them participate in approval of new products or of significant changes to the existing products, and of valuable individual transactions or risks.

146. The risk management function shall at least:
1) identify, evaluate and monitor risks, which the bank is exposed to, and establish the extent to which the bank is really exposed to these risks;
2) determine the position of the capital and liquidity in connection with the risks, which the bank is exposed to;
3) monitor and evaluate consequences of accepting particular risks, of measures mitigating their impact and compliance of the risks level with the margin of tolerance;
4) report to the management bodies of the bank and issue recommendations.

147. The risk management function shall always cooperate with the bank’s board with a view to taking proper decisions related to the bank’s exposure to risk. Besides the periodic reporting, the risk management function shall report, as needed, about the significant risks of the bank to the bank’s board.

148. The risk management staff shall have enough experience and qualifications, including knowledge about market, products, management of risks related to the profile of the bank, so that it will have a significant role in the risk identification, evaluation and monitoring.

149. The head of the risk management function shall report the evolutions that are contrary to the tolerance to risk set in the bank’s strategy and policies directly to the bank’s board and communicate about this fact to the executive body, and if necessary, to audit committee.

150. The head of the risk management function shall be nominated by the bank’s board decision. For a candidate to be appointed to this position, the bank shall assess the candidate’s capacities (professional competence) with a view to fulfilling properly the job tasks. In the case of appointment and/or dismissal of the head of risk management function, the bank shall notify the National Bank of Moldova about it within 2 days since such a decision is adopted by the bank’s board.
Section 2. Role and Responsibilities of Compliance Function

151. The bank shall have in place an independent compliance function that would not be involved in any business and support activities of the business lines, the independence of which is ensured by direct reporting to the bank’s board.

152. The role of the compliance function is to assist management bodies in identification, evaluation, monitoring and reporting of the risk associated to the activities developed by the bank by providing consultancy on compliance of the activity with regulatory framework, own rules and standards, code of conduct and by providing legal information about developments in this area.

153. The risk management function shall benefit from enough resources and be in line with the nature, size and complexity of the activity run by the bank. The compliance function shall not be involved directly in conducting and registering transactions and/or bank’s operations.

154. The staff of the compliance function shall make recommendations to the bank’s management bodies in terms of observing laws, rules and standards, and shall inform them about the up-to-date situation in this area and about the potential impact of any changes on the bank.

155. The responsibilities of the compliance function shall be fulfilled on the basis of a program that shall at least:
1) implement and review specific policies and procedures;
2) evaluate the compliance risk, test and inform the bank’s staff about aspects related to compliance;
3) verify whether the new products and processes comply with the regulatory framework in force and with its amendments included in the adopted regulatory acts, the provisions of which will become then applicable;
4) develop and apply compliance risk evaluation methodologies by using some performance indicators (any identified violation and/or shortcomings, as well as corrective measure recommended to avoid them shall be presumed), that will be developed by processed, aggregated or filtrated data indicating potential issues with compliance;
5) monitor and test compliance on the basis of relevant tests and communicate results according to the bank’s reporting lines, according to internal risk management processes.

156. The compliance function staff shall be entitled to:
1) communicate on own initiative with every bank employee and have access to any records, information or documents needed to fulfill their responsibilities;
2) investigate possible violations of the compliance policies and reveal freely the findings to the management bodies;
3) make recommendations to correct the cases of non-compliance.

157. The head of compliance function shall inform the executive body about planned investigations of the observance of compliance policies. If the investigations find irregularities or violations of the compliance policies, the head of the compliance function shall report immediately to the bank’s board.

158. The head of the compliance function shall report regularly to the bank’s management bodies about any aspects related to the risk of compliance, as well as activity of the compliance function.

159. The head of the compliance function shall be nominated by the bank’s board decision. For a candidate to be appointed to this position, the bank shall assess the candidate’s capacities (professional competence) with a view to fulfilling properly the job tasks. In the case of appointment and/or dismissal of the head of the compliance function, the bank shall notify the National Bank of Moldova about it within 2 days since such a decision is adopted by the bank’s board.

160. The staff of the compliance function shall have the required qualifications, experience in the area and personal and professional qualities that would enable the staff to fulfill these specific activities. In addition, the staff shall have good knowledge of the regulatory framework and professional and ethical standards.

 

Section 3. Role and Responsibilities of Internal Audit Function

161. The bank shall have an internal audit function, under the direct responsibility of the bank’s board, which is different from the primary control conducted by a unit that controls daily the transactions and operations. To ensure an efficient internal audit function, the bank management shall make sure that the internal audit function is independent of the operational management and reports directly to the bank’s board.

162. If the bank is a subsidiary of a foreign bank, as well as if it is a branch of a foreign bank, the internal audit function shall comply with the internal audit principles set by the bank from country of origin, subject to compliance with requirements set by the national legislation and this Regulation.

163. The core aim of the internal control function is to evaluate independently, impartially and objectively the sufficiency and efficiency of the internal governance in line with legal and regulatory framework, including with this Regulation, with bank’s internal regulations, and to report the results to the bank’s board and audit committee, and to inform the executive body with a view to improving the activity indicators of the bank by applying the methods to evaluate and improve bank’s internal control mechanism in a systematic and orderly manner.

164. To achieve the core aim, the internal audit function shall have:
1) the right to initiative to communicate with any employee of the bank;
2) the right to examine any activity of any unit from the bank;
3) the right to have access to information and regime of data communication, to any internal records, files and information, including to information designed for the bank management;
4) the right to have access to minutes and other similar materials of all the decision making and consulting bodies, which are relevant to fulfill its duties.

165. The internal audit function has at least the following responsibilities:
1) develop, on a risk-based approach, implement and review, at least yearly, the internal audit plan (program), approved by the bank’s board that would also provide for the evaluation of the systems used by the bank to identify, estimate, monitor and control risks that the bank is exposed to;
2) evaluate the quality and verify the compliance with the bank’s policies and processes in all the activities and units of the bank, with the methodological framework on risk analysis and management, analyze stress scenarios and control mechanisms with a view to determining whether they are sufficient and proper for the conducted activity;
3) verify the ongoing monitoring of the risks that could affect the financial activities (credit, interest rate, currency, liquidity, country, operational, transfer, reputational and other risks that can occur while performing financial activities of the bank);
4) verify accounting and other registers, analyze transactions and compare them with financial statements, verify how the current financial statement and capital analyses were made depending on the level of risks assumed by the bank;
5) organize and ensure continuous control by means of regular inspections of the bank’s units to check the compliance of their activity with the laws, regulatory acts subordinated to it and internal regulations of the bank;
6) make control recommendations with a view of eliminating and preventing occurrence of violations and shortcomings found, and streamlining and developing the activity;
7) supervise the implementation of control recommendations and monitor the elimination of the violations and shortcomings found;
8) ensure the development of control-related documents and reflect the control outcomes, i.e. the identified issues and proposals to eliminate them, and submit them to the bank’s board, audit committee, executive body and relevant units to implement the required measures;
9) in line with the bank’s internal regulations, inform the bank’s board in due time about the:
a) significant risks and the ones found repeatedly, that may harm the reputation of the bank or its activity;
b) shortcomings in internal regulations or in the operation of the units and/or cases when bank officers violated the laws and internal regulations and may harm the activity of the bank;
c) measures taken by the heads of the controlled units in order to identify if they eliminated the committed violations and their results;
e) aggregated results of the internal control that include an analysis of the achievement level of annual internal audit plan, opinion on bank’s exposure to significant risks and efficiency of bank’s internal control mechanism at interval of at least one year;
10) evaluate the efficiency of outsourcing bank activities and identify risks that can hinder bank’s activity and compliance with the laws in force;
11) coordinate proper information with the bank’s external audit community with a view to discuss identified risk sectors and measures taken in this regard.

166. The bank shall organize the internal audit function in accordance with this Regulation, taking into account at least the following principles:
1) the internal audit function shall operate based on the internal regulation on internal audit, which shall be approved by the bank board and shall include information on internal audit unit organization, the rights and responsibilities, cooperation with other bank subdivisions, etc. The Regulation shall be brought to the notice of all bank employees;
2) in its operational activity the internal audit function shall use as guidance the Internal Audit Manual that includes instructions on the conduct of controls by activity areas, where the sectors exposed to higher risks are a priority. Each internal audit mission shall be conducted on the basis of a risk-centered plan;
3) the structure and number of internal audit function employees shall be determined by the bank board. The staff number shall be sufficient to carry out internal audit targets and objectives and to solve all issues related to internal audit and shall not be involved in any direct performance of bank transactions and/or operations;
4) the head of internal audit function shall be nominated by the bank’s board decision. For a candidate to be appointed to this position, the bank’s board shall evaluate the candidate’s capacities (professional competence) with a view to fulfilling properly the job tasks. In the case of appointment and/or dismissal of the head of the internal audit function, the bank shall notify the National Bank of Moldova about it within 2 days since such a decision is adopted by the bank’s board;
5) the staff of the internal audit function shall have the required qualifications, experience in the area and personal and professional qualities that would enable the staff to engage in internal audit activities. The ongoing professional training of internal auditors shall be ensured based on an annual training plan.

167. The procedure of current reporting by internal audit, as provided in the bank internal regulation on internal audit, shall include reporting significant findings to the bank’s board and executive body as soon as possible following the internal audit controls, so that the bank will be able to take corrective actions in due time. Along with the current reporting, the Regulation shall require internal audit function to report once in three months to the bank’s board and audit committee about the results of internal audit.

 

Chapter IV. Other Requirements

168. For activities with derivatives, the bank must establish policies and procedures to assess the positions and check the compliance with them, the frequency of evaluation and independence and quality of sources for fixing the evaluation prices, especially for the securities issued and traded on the markets with low liquidity.

169. Before engaging in activities with derivatives, the executive body and/or the bank’s council shall make sure that has obtained all the approvals set out in the internal regulatory frameworks and that has in place appropriate operational procedures and risks control systems. The decision on engaging bank in activities with derivatives shall fall within the competence of the management bodies and shall be based at least on the following:
1) description of relevant derivatives, markets and proposed strategies;
2) resources needed to establish sound and efficient risk management systems, as well as to attract and maintain experienced staff in trading with derivatives;
3) analysis of the proposed activities depending on the bank’s general financial situation and capital;
4) analysis of the risks that the bank can face after conducting these activities;
5) procedures that the bank will use to quantify, monitor and control risks;
6) relevant accounting treatment;
7) analysis of any restriction to conduct the above activities.

170. For the provision of payment and digital currency issuance services, including the conduct of activities of remote banking service systems, the bank shall develop internal policies and processes in compliance with the legislation, in-field regulations and recommendations issued by the National Bank of Moldova, that will ensure the integrity, authenticity and confidentiality of data, contribute to mitigating the risk of loss or decrease of funds by fraud, abuse, neglect and maladministration and will ensure the security of operation.

171. The policies on providing payment and digital currency issuance services shall at least:
1) define the responsibilities for the development and implementation of some data security processes by ensuring confidentiality, integrity and availability of information, irrespective of its medium (electronic, on paper) and by protecting resources involved in its management, as well as of other features as: authenticity, responsibility, non-repudiation, reliability;
2) include requirements for the needed security framework (to prevent fraud and abuse among both staff and persons outside the bank by, at least, controlling and monitoring the access to confidential data, ensuring the security of storage and transmission of confidential data, training clients on prevention measure that they shall take);
3) include requirements for the staff competence by describing explicitly at least the obligations and responsibilities of the staff, their regular training as their tasks change with time/the information technologies upgrade, control over the proper fulfillment of job tasks;
4) include requirements for establishment of some processes to evaluate the compliance with policies, implement some remedial measures and report cases of failure to comply with the security measures, which is a mean of mitigating the risk related to information technologies, including policies, standards, procedures, organizational procedures, ICT solutions;
5)  requirement for the development and implementation of internal procedures to identify, manage, monitor and report risks that the bank is or could be exposed to while providing payment/digital currency issuance services.

 

Title VIII. STRESS TESTS (RISK MANAGEMENT
TECHNIQUES)

Chapter I. Requirements for the Stress Tests

172. The bank shall have stress test policies and procedures that shall include at least the following:
1) the types of stress tests and the main purpose of each component of the program;
2) the frequency of stress testing exercises, which is likely to vary depending on type and purpose;
3) the methodological details of each component, including the definition of relevant scenarios and the role of bank experts’ notification in determining these methodologies;
4) the range of business assumptions and remedial actions envisaged, based on the purpose, type and result of the stress testing, including an evaluation of the feasibility of corrective actions in stress situations.

173. For each round of stress tests, the bank shall document the assumptions and fundamental components of the exercise. They will include rationales and decisions underpinning the chosen scenarios and sensitivity of the results depending on the type and severity of scenarios. The bank shall carry out such an evaluation on a regular basis or depending on the evolution of external conditions.

174. The bank shall use stress tests as a means of diagnostic control to understand the bank risk profile and as an anticipatory tool to evaluate internally the adequacy of the capital to the risks (evaluate how profiles and/or capital are affected by the crisis situations, evaluate risks in an anticipatory manner). The stress tests shall be combined with other risk management and control tools, and the results shall be taken in consideration when making decisions of proper management level, including business strategic decisions of the bank’s board and executive body.

175. The stress tests methodology shall cover all the activity areas subject to risks and the related risks, and shall include a broader range of scenarios, including anticipatory scenarios (of the events that might take place), with the view to considering the interactions at the bank and system levels. In this context, the stress tests will be developed to identify risks related to system, including massive outflow of deposits, exposures to particular groups of persons acting in concert, economic sector, interbank exposures etc.

176. The bank shall determine all the risks that can be subject to stress tests, by analyzing the nature and composition of bank portfolios and environment in which it operates. Based on the identified risks, the bank shall establish the risk factors that will be used in stress tests. In this context, the stress testing program shall contain at least the following:
1) analysis of business areas, types of risk and separate components of portfolios and business lines;
2) interdependence between risks;
3) a flexible mechanism that will allow building a variety of stress tests for every field of activity or type of risk;
4) data on bank’s activity, to obtain a complex image of the bank’s resistance to potential shocks.

177. The bank shall identify vulnerabilities to test in crisis situations the risk factors, as well as macro-economic, credit, financial risks in the case of some external events that might affect the profitability, solvency, unidentified risk concentrations, potential interactions between types of risks that could threaten the bank’s viability or compliance with the regulatory framework.

178. The bank shall be able to justify the choice of risk factors for stress tests, and the results shall be used to determine the bank’s risk tolerance and establish some limits to exposures with a view to substantiating the strategic options related to long-term business planning, including capital and liquidity planning.

179. The stress tests shall be based on exceptional, but plausible events. The stress tests shall allow for the simulation of shocks which have not previously occurred and shall be used to assess the robustness of models to possible changes in the economic and financial environment. When selecting the stress tests, the bank shall take into account that:
1) stress tests shall be done by portfolios and risk types depending on the changes and correlation between the risks identified for a particular portfolio;
2) stress tests shall be done at various levels of severity and probability of being materialized;
3) stress scenarios shall be dynamic and incorporate the simultaneous occurrence of events across the bank. A hypothetical scenario portfolio shall be developed so that to include a scenario based on relevant historical evolutions of risk parameters;
4) in case of historical scenarios, stress tests shall be based on exceptional, but plausible scenarios during a given period, using, where possible, data recorded over an entire economic cycle;
5) the bank shall understand how severely the capital can be affected by the future profitability or lack of profitability, and how it will face a similar crisis situation in real life.

180. Stress tests shall be performed at intervals set by the bank that are proportionate with the risk areas, but not less frequently than once a year. When determining the intervals of stress tests, the bank shall consider at least the following:
1) nature of risk factors considered in stress tests, particularly volatility;
2) complexity of techniques used by the bank to conduct stress tests;
3) significant changes in the bank environment or in its risk profile;
4) availability of external data required to conduct stress tests.

181. The bank shall conduct stress tests according to the maturity and liquidity of the stressed positions, where appropriate.

182. The bank shall use proper and representative data in order to conduct stress tests, and the IT resources shall be in line with the complexity of used techniques and degree of stress tests coverage.

183. The bank shall check at least once a year whether the stress tests are appropriate, updated and especially whether the risk profile assumptions and environment remain valid over the time. The bank shall check the relevance of the following elements:
1) scope of exposures that are subject to stress tests;
2) opportunity of assumptions;
3) adequacy of information management system;
4) integration in the bank management process, including clarity of reporting lines;
5) policy approving the stress tests, including in case of changes;
6) relevance, accuracy and integrity of data incorporated in the stress tests;
7) quality of formalizing stress tests.

184. The bank’s management bodies shall bear final responsibility for the institutional framework of the stress tests. The bank’s board shall approve the general framework of the stress tests, and the executive body shall approve the method of planning analyses and stress tests on the basis of identified scenarios, participate in reviewing and identifying potential stress scenarios, and help implement risk mitigation strategies.

185. Both the bank’s board and executive body shall take into consideration stress tests and shall understand the implications resulting from stress tests, from the perspective of the bank’s risk appetite.

186. The bank shall include the stress tests related process as an integral part of the risk management and shall have in place clear reporting and communication lines, in an easy understandable format. The reporting of the stress tests results shall include at least the following:
1) results of the stress tests shall be reported to the management bodies in due time and at proper intervals;
2) reports on the stress tests results shall present to the management bodies an overview image of risks that the bank is or could be exposed to;
3) reports on stress tests results shall draw attention to the potential risks, present the main assumptions of scenarios and make recommendations for remedial measures or actions.

187. If applicable, the bank’s management bodies shall take measures depending on the level of exposure to the risk identified in stress tests, as well as depending on the objectives and risk tolerance set by the management body. The bank, as may be required, may take the following measures:
1) review the set of limits;
2) use the risk mitigation techniques;
3) reduce exposures or business in specific sectors, countries, regions or portfolios;
4) review the funding policy;
5) review adequacy of the regulated capital;
6) implement the recovery plans.

188. The decisions on the measures taken, according to point 187, by the management bodies shall be formalized.

189. The bank shall formalize information related to the stress tests, that will include, at least, the scope of exposure, support-assumptions, responsibilities, reporting lines and types of measures that will be taken.

 

Chapter II. Stress Tests by Risk Type

190. The bank shall conduct the stress tests for all types of significant risks that it is exposed to, including to the market, credit, liquidity and operational risks.

191. The bank shall implement the policies and processes to measure and manage all the sources and effects of market risk, shall evaluate the exposures to interest rate risk, including to the ones resulting from non-commercial activities and exposures to foreign exchange risk. If the sudden and unexpected changes in interest rates and/or in market fluctuations of the currency exchange rate have a significant impact on the bank’s capital, the bank’s management bodies shall take emergency measures to correct the situation.

192. The bank shall simulate the change of credits’ quality between the classification categories in order to evaluate potential losses resulting from the materialization of the credit risk and their impact on capital and prudential indicators. When developing stress tests, the bank shall consider the value of the collateral and the possibility to reduce it, particularly in crisis situations, the possibility to reduce the level of its liquidity, which can lead to partial recovery of the non-performing assets and to the additional losses that will affect the capital.

193. The bank shall use stress tests as a key tool to identify concentration risk, which enables the bank to identify the interdependence between exposures that can be obvious only in crisis conditions, even if the probability of such scenarios is considerably low. The stress tests shall be conducted both on a solo basis for legal entities (in order to take account of potential risk concentrations specific to local markets), as well as on the type of concentrations that can materialize at the group level. The results of concentration risk stress tests shall be communicated to the bank’s management and used in decision making processes and in setting the limits as part of risk management.

194. The bank shall forecast the liquidity requirement for each time period in each scenario at each stress level, for which is determined the amount by which the foreseen cash inflows exceed the foreseen cash outflows (or vice-versa), based on the two dimensions of the liquidity risk: financing and market.

195. Each bank shall manage its individual funding liquidity risk, taking into account the possible impact of market liquidity risk. If the liquidity risk can derive from other risk sources, the “alternative liquidity scenarios” shall be performed in line with these risks.

196. When making assumptions in operational risk stress tests, the bank shall rely on external events (e.g. damage to tangible assets due to a natural disaster) and on internal ones (such as new products, systems, business areas and outsourced activities). The analysis of the stress test events could involve expert opinion and include the macro-economic environment (e.g. to reflect increasing fraud risk in an economic downturn) and external risks and other factors. The historical and hypothetical events used by the bank in stress tests shall have the nature of low frequency and high severity, and shall be plausible to operational risk.

 

Title IX. INFORMATION SYSTEMS AND CONTINUITY OF THE ACTIVITY

Chapter I. Information System and Communication

197. The bank shall have in place efficient and trustful information and communication systems that will cover all significant activities.

198. The bank shall have information systems in harmony with the generally accepted standards in this area.

199. The information systems, including the ones that store and use electronic data, shall be safe, independently monitored and supported by appropriate contingency plans.

 

Chapter II. Business Continuity Management

200. The bank shall have in place a sound business continuity management to ensure its ongoing operation and to limit losses in case of a severe downturn.

201. To establish a sound business continuity management, the bank shall analyze its exposure to severe downturns and shall evaluate both quantitatively and qualitatively their potential impact by using some internal and/or external data and some scenario analyses.

202. Based on the analysis set out in point 201, the bank shall have the following:
1) contingency and business continuity plans in order to ensure that it reacts accordingly to the emergency situations and that is able to maintain the most important activities, in case of a downturn;
2) recovery plans for critical resources to enable it to return to the normal works processes within a reasonable period of time. Any residual risk resulting from potential downturns shall be in line with the bank’s risk tolerance/appetite.

 

Title X. FINAL PROVISIONS

203. The National Bank shall verify the adequacy (efficiency) of internal control systems of every bank:
1) during on site controls;
2) during off site controls;
3) by participating in the general meetings of shareholders, board and executive body, and, if necessary, of other bank’s committees;
4) by meeting and discussing with the members of management bodies and bank’s external auditors.

204. The bank shall immediately notify the National Bank of Moldova about the identified frauds, if they may affect the bank’s safety, soundness and reputation. The information shall describe the identified fraud/frauds, value of damages sustained by the bank as a result of the fraud. If the value of the sustained damage was not yet exactly established, the bank shall estimate the value of damage when reporting.

205. The bank shall submit information about the results of conducted stress tests and measures taken by the management bodies to the National Bank of Moldova annually, within 6 months after the end of the reporting year and upon its request.

206. The banks shall prepare a report on the conditions under which the bank's internal control is carried out, treating the distinct aspects related the risk management function, compliance function and internal audit function, signed by the chairperson of the bank’s board and submit it annually, within 6 months after the end of the reporting year, to the National Bank of Moldova. The report shall include at least:
1) an inventory of main shortcomings identified in each functions of the internal control and measures taken to solve them;
2) a description of significant changes made in those 3 functions: compliance, internal audit and risk management, during the reporting period;
3) a description of the conditions for implementing control procedures relating to new activities;
4) information of the internal control conducted in separate subdivisions, including in bank’s subdivisions from abroad;
5) information on audit work performed during the reporting period, showing the internal audit findings and recommendations and the implementation status of the recommendations by the executive body of the bank;
6) level of bank compliance with the prudential requirements set by the legal framework.

 

Attachments:       _______doc       _______pdf