Appendix
to Resolution No. 51/5 of the
National Bank of the
Kyrgyz Republic Board
as of December 28, 2009
Regulation on Minimum Requirements for Risk Management in the Banks Operating Under the
Principles of Islamic Banking and Finance
(amendments and additions approved by Resolution No.21/10 of the National Bank Board
as of May 31, 2017)
1. General Provisions
1. (Became invalid as per Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
2. The purpose of this Regulation is to define minimum requirements for the formation of an adequate risk management system and requirements for organization of internal control in commercial banks that operate under the principles of Islamic banking and finance, including banks that have an “Islamic window” (hereinafter referred to as – banks).
3. (Became invalid as per Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
4. For the purposes of the present Regulation, investment accounts are the accounts of the customers, which reflect the funds attracted by the bank under the Mudaraba agreement. Depending on the type of the Mudaraba agreement, the investment account may be unlimited or limited.
2. Risk Management Organization
5. In order to minimize the risks inherent in the bank’s activities, the bank shall have a risk management concept and policies approved by the Board of Directors that correspond to its scale, needs and complexity of the operations.
Bank’s risk management concept shall provide one of the following approaches:
1) development and adoption of separate policies for each kind of risk;
2) availability of a bank’s common risk management policy providing the issues of risk management in other internal policies (asset and liability management policy, liquidity policy and other policies).
6. The risk management concept shall include consideration and assessment of risks taken by the bank, as a whole, i.e. reflect the mutual impact of risks in all transactions conducted by the bank.
The bank concept shall specify the following:
1) risks shall be defined on an ongoing basis and be guided by identification of current risks and risks arising from the expansion of activities and development of new banking products and services, including their compliance with the Sharia’h standards;
2) risk measurement shall be carried out taking into account external and internal conditions affecting the bank’s activities. The risk measurement tools used by the bank should reflect the complexity and level of risk assumed by the bank. The Bank shall need to evaluate the instruments of risk measurement that are used by it on a periodic basis;
3) risk control should be carried out by establishing limits that define the rights and responsibilities of bank employees in the policies, rules and procedures. The policies shall determine the order of decision-making when exceeding these limits. The control mechanisms used by the bank shall comply with the Sharia’h rules and standards, the requirements of the legislation, as well as the internal policies and procedures of the bank and ensure the integrity of the risk management process;
4) risk monitoring should be conducted to ensure timely review of the bank’s risk level. Risk monitoring reports should be periodic, relevant, timely and shall be submitted to the responsible persons of the bank for taking the necessary measures.
7. Risk management of the bank shall be carried out comprehensively and simultaneously at all levels of the bank. Wherein:
1) the activities of the Board of Directors and the Management of the Bank should be aimed at defining the concept and procedures for risk management, establishing an acceptable level of risk and creating relevant control systems;
2) the activities of the risk management committee are to review the main strategic issues of risk management, assess its current status, ensure control over the activities of the Management of the bank, and establish and assess risks when introducing new banking technologies;
3) risk management at the level of structural units shall cover the activities of middle managers and functional units associated with the review of risks;
4) risk management at the level of persons who take risks on behalf of the bank shall be limited to compliance with operational procedures, internal control procedures and other requirements established by the management of the bank.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
8. Risk management shall be carried out on a consolidated basis and applied to subsidiaries, both located in the territory of the Kyrgyz Republic, and acting outside its borders.
9. The adequacy of the bank’s risk management system shall be assessed by internal and external audit and the National Bank of the Kyrgyz Republic (hereinafter - the National Bank) in accordance with the legislation of the Kyrgyz Republic.
2-1. Risk Management Committee
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
9-1. The purpose of the Risk Management Committee (hereinafter referred to as the “Risk Committee”) is to assist the Board of Directors of the bank in determining priority areas of the bank’s activities in the field of banking risks and assist in creating conditions for proper risk management.
9-2. The competence of the Risk Committee shall include at least:
1) Evaluation of the current risk management system effectiveness:
- analysis of internal documents of the bank regulating the risk management process;
- analysis of the adequacy of management reporting on risks;
- analysis of the adequacy of information support for the risk management process.
2) Consideration:
- policies and regulations for the banking risks management introduced by the executive body for approval by the Board of Directors;
- regular reports on significant (important) types of risks, the status of bank limits, the results of stress testing.
3) Interaction with the structural units responsible for the building and implementation of the risk management system with internal and external audit on risk management in the bank.
4) Development/preparation of recommendations for the Board of Directors of the bank:
- on improving the effectiveness of existing risk management systems;
- on the risk-restriction policy for all banking operations and other bank transactions;
- on other significant issues in the field of risk management.
5) Communication of the information about all significant banking risks for the bank, including issues of special importance to the Board of Directors of the bank.
3. Responsibility of the Senior Members of the Bank for Risk Management
10. The Board of Directors and the Management of the bank shall be responsible for functioning of an effective risk management system in the bank, including the definition, measurement, control, monitoring of risks and assessment of the bank’s exposure to various types of risks taken by the bank.
11. The Board of Directors of the bank shall be responsible for determining the concept of a risk management system.
12. The Board of Directors shall periodically assess the effectiveness of the risk management system and, if necessary, make appropriate changes on the basis of information submitted by the Risk Committee, the Management and the Risk Manager.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
13. The Board shall manage the risks of the bank in accordance with the concept and policies of the bank approved by the Board of Directors and determine authorities of the bank’s employees responsible for definition, measurement, control and monitoring of risks. The Board shall ensure the independence of structural units and officials whose activities are related to risk management from structural units that take risks on behalf of the bank.
14. The bank shall develop a policy on diversification (distribution) of risks by the types of its operations, procedures and rules for risk management. The Board shall ensure compliance with the overall limits set by the Board of Directors. If necessary, the Board shall review the procedures and rules for risk management of the bank (at least once a year).
15. The Board shall be responsible for identifying and measuring risks on a consolidated basis assessing the significance of identified risks and providing periodic reports and recommendations to the Board of Directors on risk management that will ensure the effectiveness and adequacy of an ongoing risk management process.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
16. The responsibilities of the Board shall also include timely submission of recommendations to the Board of Directors on the need for changes in the concept and policies for risk management.
17. The Board of Directors shall appoint a risk manager who is responsible for implementation of the bank’s risk management policy and shall continuously assess the risks inherent in the bank’s activities for prompt independent monitoring of the risks of the bank.
18. The Board of Directors shall determine the rights, responsibilities of the risk manager and the procedure for its interaction with the Management of the bank.
19. The risk manager shall provide reports to the Board of Directors at least on a monthly basis. The risk manager shall cooperate with the representative of the bank’s executive body responsible for risk management in the conduct of current activities and for prompt decision-making.
20. The activities of the risk manager shall be subject to inspections by the internal audit service of the bank in accordance with the frequency of inspections established by the Board of Directors.
21. The functioning of the independent Sharia’h Council is mandatory in the bank that carries out operations on the principles of Islamic banking and finance. The Sharia’h Council of the bank shall carry out its activities independently of the Board of Directors, the Management and structural divisions of the bank and shall be responsible for managing the risks associated with the compliance of the bank’s agreements or amendments to them with the Sharia’h standards.
4. Basic Types of Risks
§1. Credit Risk
22. Credit risk is the risk of loss as a result of a failure or improper performance of the obligations by a customer under the terms of the agreement.
23. In order to manage credit risk, the bank shall:
1) assess the customer’s risk for performance of obligations, as well as the risk associated with the delay or failure to make scheduled payments, delay in preparation and delivery of the subject matter of the agreement (salam, parallel istisna’a) acting as a financing party when concluding agreements (mudaraba, musharaka);
2) assess and measure credit risk separately for each agreement due to the fact that the moment of occurrence of a credit risk depends on the type and nature of the agreement;
3) consider the impact of other risks that increase credit risk. Evaluate credit risk in a complex and take credit risk as part of an integrated approach to managing all types of risks inherent in the bank’s activities.
24. Credit risk management policy of the bank shall provide:
1) acceptable risk level (limits) established by the Board of Directors;
2) authorities of the committees/departments responsible for managing credit risk. It shall be provided the limits for the bank’s specialists responsible for the allocation of assets, as well as the parameters which require approval for the placement of assets. It should be provided a division of responsibilities between the employees engaged in marketing, analysis and approval of transactions (agreements) for the placement of assets that carry credit risk;
3) the process of approving transactions (agreements) that includes a list of minimum requirements subject to fulfillment before the decision on the transaction is made and an analysis method to determine the solvency of a potential customer. The criteria for decision making and other tools that are acceptable for the customer’s evaluation should be indicated;
4) a list of types of transactions (agreements) for the placement of assets, including instructions that are to be observed when implementing them and a list of operations that are prohibited by the Sharia’h standards. This list should be periodically updated and communicated to the staff performing asset placement operations;
5) reasonable maturity of the assets placed. The maturity planning should be related to the expected source of repayment, the purpose of the asset, the useful life of collateral and the source of financing for the bank;
6) indications on the pricing of the asset, including, among other factors, the cost of the funds raised, the cost of servicing the asset, overhead costs and exposure to potential losses, as well as the planned profit for the bank;
7) the ratio of the asset to the estimated value of the collateral established to determine the amount and type of collateral permitted by the Sharia’h standards required and acceptable for the issued asset. The policy shall determine the responsibility for the assessment, the standard parameters that should be observed in the assessment, including procedures for possible re-assessments in case of asset restructuring. Also, limits on the amounts and type of pledges taken as collateral should be determined. The bank shall provide for possible legal problems that may arise when dealing with collateral in the event of the need to exercise the rights of the creditor;
8) provisions for proper verification of potential customers, assessment of their creditworthiness, business objectives, the economic nature of the project, operational capabilities, including an assessment of actual projections of future cash flows. Such procedures may include stress testing, sensitivity analysis and other methods of analysis. It is necessary to assess customers using various types of financing to ensure that their activities comply with the Sharia’h standards, as well as the legislation of the Kyrgyz Republic;
9) requirements for provision and periodic updating of the financial statements of the customer. Requirements for financial reporting should be provided for both legal entities and individuals and include provisions on the need for confirmation by their auditors. Requirements for the provision of annual, interim reports, including balance sheet, statement of comprehensive income, statement of cash flows, etc., should be established. The requirements should be clearly defined, should contain possible (justified) exceptions specifying the authority to approve them;
10) requirements for conducting an analysis of the asset on the basis of the customer’s submitted documents, including an analysis of the economic sector and the requirements for scheduling a customer visit on the site;
11) the procedure of the bank’s actions in the event of cancellation of an application for the purchase of property or goods by the customer. The following should be described:
a) the procedure for monitoring and controlling the exposure of the bank to the risk of the supplier, which may occur at various stages of implementation of agreements (including the risk of default under salam and istisna’a agreements), in particular, during the delivery of an asset in the event that the customer of the bank acts as an agent;
b) the procedure for taking the risk associated with the asset between the bank, the customer and the supplier.
12) restrictions on total current (overdue) assets bearing a credit risk;
13) restrictions on the assets issued to insiders and affiliated persons and authorities to approve such transactions;
14) restrictions on the concentration of assets bearing credit risk (geographically, by industry, by currency or other factors). It should be provided a diversification within the portfolios based on acceptable levels of the risk established by the Board of Directors. The bank’s policy shall provide for periodic analysis of information on the concentration and presentation of the analysis results to the Management and the Board of Directors. Limits can be set at the discretion of the bank, but should not exceed the level set by the National Bank;
15) periodicity of analysis of the bank’s assets portfolio in order to assess its compliance with the policies and objectives of the bank;
16) asset management system from the moment of applying for an asset and until it is fully repaid;
17) minimum requirements for dealing with customers, including the type, frequency of analysis and updating of information that should be contained in them;
18) a system of internal classification of assets and off-balance items, creation of reserves to cover current or potential losses. There should be clear policies and procedures for classifying assets, taking into account the credit risk for creating reserves to cover current or potential losses, and requirements for providing results of the internal classification process to the Board of Directors and the Management of the bank;
19) measures to be taken with regard to overdue assets. The requirements for reporting on overdue assets should be clearly defined, including the frequency of submitting a list of all overdue and written-off assets to the Board of Directors;
20) a distressed assets/off-balance sheet items management system that provides for the procedure of early health measures, which should be regularly reviewed and provide at least the following:
a) monitoring the customer’s financial situation by maintaining frequent negotiations, field visits;
b) review of the payment schedule, increase in maturity, restructuring (without increasing the total amount of debt);
c) insurance of the asset in accordance with the Sharia’h standards;
d) the application of penalties in accordance with the Sharia’h standards.
21) a monitoring system for each asset separately. The assets provided for a period exceeding the established one should be considered separately. Periodicity of examination of distressed assets should be determined. Consideration of assets should be carried out regardless of the analysis and marketing of services. If some weaknesses in the procedures or methodology were identified during the monitoring, it is necessary to make appropriate changes to the policies and procedures of the bank;
22) procedures for managing risks arising from the participation of the bank in parallel transactions (parallel istisna’a, parallel salam);
23) types of reporting, as well as to whom and how often it should be provided in order to determine the level of a credit risk;
24) procedure of insurance coverage of the cost of the asset that is sufficient and corresponding to the Sharia’h standards. If necessary, the bank should be able to attract insurance experts to assess the alleged insured events;
25) additional policies and procedures necessary to ensure the proper management of a credit risk developed by the decision of the bank.
§2. Risk of Investments in Equity
25. Risk of investments in equity is the risk arising from investing the bank’s funds in the shareholders’ equity of companies in accordance with the agreements of mudaraba, musharaka.
26. The bank shall have a risk of investments in equity management policy that shall provide for:
1) the purposes and criteria of investment appraisal, including the mechanism of profit distribution;
2) limits on the acceptable level of risk arising from the investments in equity, which should be established by the Board of Directors;
3) a list of activities, which are forbidden to be invested by the Sharia’h standards. Such a list should be periodically updated and communicated to the staff performing investment placement operations. Decision-making on the placement of investments should be based on the experience (expert knowledge) of specialists, including members of the Sharia’h Council reviewing and monitoring the compliance of bank agreements with the Sharia’h standards. Investments that led the bank to losses in the past should be controlled within the framework of this policy;
4) the procedure for assessing partners, including such criteria as the results of cooperation in the past, the business plan for the proposed transaction and the qualifications of specialists involved in the investment project;
5) the most reasonable time for the investment placement. Planning of the terms of placement should be related to the expected source of profit and the purpose of investment, it is also necessary to provide for the maturity parameters;
6) the procedure and the appropriate risk management structure arising from the acquisition, ownership and transfer of authorities for instrument management with the mechanism for allocating income that should be periodically reviewed;
7) procedure for continuous monitoring of transactions and economic results of the entity, which is invested by the bank acting as a partner. The procedure shall include an assessment of the adequacy of the partner’s financial statements, an assessment of the partner’s activities in accordance with the Sharia’h standards, holding periodic meetings with the partner along with the mandatory record-keeping of such meetings;
8) procedure for identification and monitoring of risk changes at various stages of the investment project implementation;
9) the procedure for analyzing and determining possible factors affecting the expected volumes and timing of cash flows from income and capital gains from investing in shareholders’ equity;
10) methods for minimizing risks associated with the deterioration of the value of the invested funds. At the same time, it is possible to use the surety from the partner under the Sharia’h standards;
11) the methodology for assessing the cost of investment and the frequency of profits distribution, which should be agreed between the bank and the partner. If necessary, the bank can agree with the partner on involving independent persons to conduct an audit and assess the cost of investments. These measures will contribute to the transparency and objectivity of the assessment and profits distribution, as well as determination of amounts due;
12) Risk management procedures arising from insufficiently reliable information related to an inadequate financial control system or potential distortion of the results of reporting leading to an inadequate assessment of partnership income and investment quality. To reduce such risks, the bank shall provide for the possibility of active participation in monitoring investments or using mechanisms to reduce risks;
13) the criteria for withdrawing from the investment project, including the conditions for renewal or repayment of investment agreements. Such criteria shall include conditions for the possible repurchase of investments or their sale, as well as alternative methods and deadlines for withdrawing from the project;
14) types of reporting, to whom and how often it should be provided in order to determine the risk of investments in equity.
§3. Market Risk
27. Market risk is the probability of losses associated with an adverse change in the cost of assets and liabilities of the bank as a result of changes in prices for raw materials, commodities, changes in exchange rates, and the cost of shares. Market risk can arise at various stages of the implementation of agreements or be present permanently during the entire period of their validity. Market risk shall include a price risk and a currency risk.
28. The bank shall establish a market risk management process and a management information system, including:
1) a conceptual general scheme for determining market risks;
2) instructions on risk operations for various portfolios and limits on them;
3) approaches to determine pricing, assessment and revenue recognition;
4) developed system of management information for control, monitoring and reporting on market risk management.
29. The bank shall determine the exposure to market risk in quantitative form and assess the likelihood of future losses.
30. The bank shall have a comprehensive policy to manage market risk that shall provide for various methods depending on the size and complexity of the bank’s activities.
31. Price risk is the risk of loss the bank is exposed to in the event of adverse changes in the value of financial instruments and other investments or assets owned by the bank or any of its subsidiaries (on balance or off balance sheet). The risk arises from the activities in the market, dealer activities and positions held in the capital markets, foreign exchange and commodity markets.
32. Integrated market risk management policy shall determine and control price risk, as well as provide for the size and types of transactions conducted by the bank.
33. An integrated market risk management policy shall contain:
1) limits on the acceptable level of risk arising from exposure to price risk. Limits should be established by the Board of Directors and take into account possible negative changes in the market value of assets and liabilities;
2) the levels of authorities and responsibility that should be clearly defined to distinguish responsibility for determining, assessing and controlling the price risk in the bank. Levels of authorities on decision-making to approve price risks should be included in the policy;
3) forecast of the quality of assets and liabilities and profitability;
4) a list of qualified dealers and other parties whom the bank intends to enter into transactions with;
5) systems for measuring price risk. Effective methods, such as stress testing, should be provided to assess the nature, quality and size of the bank’s market risks, and to assess the degree of price risk the bank is exposed or will be exposed to in accordance with the current and projected trends;
6) frequency of reporting.
34. Currency risk is the risk of incurring costs (losses) associated with the changes in currency rates when the bank performs its activities. The probability of expenses (losses) arises from the re-assessment of the bank’s positions by currency in value terms.
35. Market risk management policies shall provide for definition and monitoring of currency risk and include the following:
1) limits on the acceptable level of risk arising from the imbalance of a net open position in one currency and across all currencies as a body;
2) levels of authorities of committees/departments responsible for currency risk management;
3) internal risk measurement systems to be identified and to be used to assess the compliance of the bank’s risk level with the level set by the Board of Directors;
4) structure of foreign currency assets, both on-balance and off-balance sheet;
5) acceptable instruments used by the bank to assess currency risk. Risks arising from changes in exchange rates can be insured in accordance with the methods permitted by the Sharia’h standards;
6) frequency of reporting and conducting stress testing to determine the level of currency risk and loss in the event of significant changes in the market.
§4. Rate of Return Risk
36. Rate of Return Risk is the risk of losses the bank is exposed to when the assets and liabilities of the bank do not coincide with the final dates of maturity or as a result of changes in rates of return in the market.
The bank shall assess the factors that may be the cause of the rate of return risk, first of all, the possible growth of long-term rates of return in the market. The bank shall also assess the consequences of the degree of dependence on the funds on current accounts. Despite the fact that the holders of current accounts do not expect to receive a profit, an unexpected withdrawal of funds may negatively affect the overall potential rate of return for the bank.
36-1. A displaced commercial risk may arise as a result of the rate of return risk. The bank may waive its rights for part or all of the profits attributable under the mudaraba agreement to satisfy and preserve sources of funding and conviction not to withdraw its funds. The displaced commercial risk arises from the competitive pressure on the bank to attract and keep investors (sources of financing).
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
36-2. The bank’s decision on waiver of its rights to all owing share of profits under the Mudaraba agreement in favour of the investment account holders is a commercial decision, the basis for which should be clear policies and procedures approved by the Bank’s Board of Directors.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
37. The bank shall have a rate of return management policy, which shall include at least the following:
1) limits on the acceptable level of the rate of return risk. When determining risk limits, the Board of Directors and the Management shall take into account the nature of banking strategies and operations, the previous results of its operations, and an acceptable level of profitability. Limits shall take into account possible negative changes in the rates of return in the market, as well as their projected fluctuations;
2) levels of authorities and responsibility that should be clearly defined to distinguish responsibility for definition, assessment and control of the of the rate of return risk in the bank;
3) the rate of return risk, which should be measured at different time periods according to maturity or re-appraisal dates, whichever occurs first. Risk measurement systems can provide for both relatively simple methods and such complex ones as stress testing that determine the impact of a potential risk on the income or equity of a bank at certain rates of return. It is important to predict the occurrence of cash flows, including the impact of premature debt repayment to assess the rate of return risk;
4) internal control procedures related to informing the Board of Directors and the Management;
5) acceptable tools for their use by the bank to control the rate of return risk and are stipulated by the Sharia’h standards, as well as clearly defined internal restrictions on the use of such instruments;
6) recommended structure of repayment of the bank’s assets and liabilities;
7) types and frequency of reports provided to both the Board of Directors and the Management. Reports shall contain a detailed assessment of the rate of return risk to determine the potential impact of market factors on the rate of return on assets relative to the return expected by the investment account holders. Reports shall contain an assessment of the rate of return risk accepted by the bank, compliance with its established limits and risk management strategy;
8) procedures for the profits distribution in cases where the returns obtained from the bank’s assets is lower than the returns obtained by competitors. The procedures may include cases where the bank makes a decision to waive the rights to a part or all of its share of returns in favor of the investment account holders, change the future return margin in accordance with the market situation, calculation of the amounts directed to the reserves created to maintain the level of returns of customers.
§5. Sovereign Risk
38. Sovereign risk is the risk of incurring costs (losses) due to insolvency or unwillingness of a non-resident partner of the Kyrgyz Republic to repay its obligations to the bank for reasons not related to financial risks.
39. The bank shall have a sovereign risk management policy providing for different methods depending on the size and complexity of the bank’s operations and contains the following:
1) an acceptable level of risk established by the Board of Directors the bank is ready to bear. The limits for an acceptable level of a sovereign risk should be clearly defined by a single country or by a group of countries;
2) levels of authorities of the committees/departments responsible for management of the sovereign risk of the bank;
3) types of permitted financial instruments;
4) restrictions on the type of currencies with the allowed amount of risk by countries;
5) requirements for setting the prices of financial instruments for the bank customers from other countries taking into account additional risk. It is necessary to determine the necessary increase in return on investment from contributions in the assets in other countries;
6) the need to use internal or external credit rating systems. Acceptable ratings should be established at the request of the Board of Directors.
7) the procedure for assessing the sovereign risk in creating a reserve to cover potential losses and damages;
8) the frequency of reporting on the control of the level of a sovereign risk to the management.
§6. Operational Risk
40. Operational risk is the risk of direct or indirect losses the bank is exposed to as a result of failures in the operations of the bank or its subsidiaries caused by external events, staff errors, and as a result of inadequate or disruptive processes, procedures or control systems. Operational risk is present in all products and activities of the bank. The bank shall consider possible causes of operational risk due to non-compliance with the Sharia’h standards and improper fulfillment of obligations by the bank to manage the resources of investment account holders. Operational risk includes, but is not limited to, the risk of non-compliance with the Sharia’h standards, the risk of non-compliance with the fiduciary responsibility of the bank.
Islamic financial instruments are not a single contract or agreement, but the totality of written documents and agreements concluded in a certain order and representing an integral structure, and the bank shall need to ensure the control of risks at each stage of the transaction and the processing of documents on them in order to minimize risks.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
41. The bank shall have an operational risk management policy that provides methods for determining the causes of this type of risk, as well as internal and external trends that may affect the level of operational risk.
42. The bank shall have mechanisms to control operational risk arising from the failure of internal control systems and information systems, non-compliance with safety regulations, the procedure for dealing with customers and providing banking products, as well as in violation of laws, rules and regulations that have been established by the National Bank.
43. The risk of non-compliance with the Sharia’h standards arises from non-compliance of bank products, the bank’s agreements with the rules of banking operations established by the Sharia’h standards, which could adversely affect the bank’s reputation. To manage the risk of non-compliance with the Sharia’h standards, the bank shall ensure:
1) observance of Sharia’h rules and standards on a permanent basis. The issue of compliance with the Sharia’h standards should be considered on an ongoing basis in conducting the activities of the bank;
2) compliance of the conditions of the products and services of the bank, standard agreements, terminology and elements that may affect performance of agreements with the Sharia’h standards;
3) monitoring of income received by the bank as a result of a transaction that is not in compliance with the Sharia’h standards and, as a result, unrecognized by the bank. The bank shall assess the likelihood of a recurrence of such cases in the future. Taking into account the historical data and potential areas of non-compliance with the Sharia’h standards, the bank shall need to assess the amount of revenue that may not be recognized by the bank due to the failure of the bank’s operations to comply with the Sharia’h standards.
44. The bank shall at least once a year to carry out audit of the bank’s activity within the frames of the existing internal and external audit system by the experts having relevant knowledge in the field of Islamic banking and finance in order to ensure compliance of operations with the Sharia’h standards and proper performance of the agreements.
45. The risk of non-compliance with the fiduciary responsibility of the bank arises from improper management of the customers' funds of the bank and the failure to comply with the terms stipulated in the investment agreements. In the cases where the funds of investment account holders are mixed with the bank’s funds, mechanisms for the allocation of assets, losses and profits should be determined. In order to manage the risk of non-compliance with the fiduciary responsibility, the bank shall need to define a policy to protect the interests of investment account holders, including:
1) determination of the investment activity of the bank in accordance with the fiduciary responsibility of the bank and the terms of investment agreements;
2) determination of the mechanism of profits and losses distribution between the bank and the investment account holders depending on the term of investment agreements and in accordance with the fiduciary obligations of the bank;
3) setting the size of the required reserves at a level that does not limit the right of investors to receive higher profits;
4) limiting the risks associated with current and investment accounts;
5) procedure and obligation to provide full information on possible investments in investment projects to potential investors;
6) maintaining separate accounts for the bank’s operations related to the funds of holders of limited investment accounts;
7) procedure for the formation of reserves to compensate for the possible shortage of the amount in the future to ensure a rate of return for the investment account holders;
8) the requirement to ensure monitoring and reporting on the risks of subsidiaries for risk management on a consolidated basis;
9) the requirement to ensure the compliance of investment accounts with certain requirements, such as the size, duration and level of risk of the investment project in the event that the bank attracts funds for a separate investment project.
46. (Became invalid as per Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
47. (Became invalid as per Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
48. In defining the operational risk management policy, the Board of Directors to-gather with the Management shall:
1) provide an effective operational risk management system, which shall include a clearly defined operating structure with the establishment of rights and responsibilities for all levels of management and monitoring of operational risk, as well as relevant tools that allow to identify, assess and monitor significant risks;
2) recognize the consequences and determine all categories of operational risk inherent in the bank.
49. Operational risk management policies and procedures shall provide for the division of responsibilities between the front and back offices of the bank.
50. Policies and procedures for operational risk management should be approved in accordance with the established procedure and communicated to all employees of the bank.
51. The bank shall identify and assess the operational risk inherent in the activities, processes and systems, and determine sensitivity to such risks. The bank shall provide an estimate of the potential size of the operational risk before the introduction of any new banking products, activities, processes and systems.
52. Reports on operational risk should be timely provided to the bank’s management and include at least:
1) a list of types of operational risks the bank faces or may face, including its subsidiaries;
2) events that carry operational risk and possible problems, as well as the measures taken to correct them;
3) assessment of the effectiveness of the measures taken to reduce operational risks;
4) developed measures to identify operational risks inherent in the bank’s activities;
5) areas of activity or areas where the occurrence of operational risk is most likely;
6) the results of measures taken by the bank aimed at preventing operational risk.
53. To prevent operational risks, banks shall need to prepare contingency plans and plans for continuous operations aimed at ensuring continued operation and minimizing losses. Plans shall include, but not be limited to, backup of key information, as well as reliable storage of backup information.
§7. Liquidity Risk
54. Liquidity risk is the risk connected with the failure of the bank to perform its obligations in due time.
55. The bank shall have a liquidity risk management policy, which shall include at least the following:
1) an acceptable liquidity risk level established by the Board of Directors;
2) levels of authorities and responsibility to define, assess and control the liquidity risk of the bank, as well as to determine the bank’s liquidity needs;
3) planning for unforeseen circumstances related to non-compliance of liquidity with the levels established by the Board of Directors, including the possibility of applying to sources of funding;
4) a list of approved investors to establish sources of funding;
5) preferred sources of funding consistent with the bank’s activities and not inconsistent with the Sharia’h standards, taking into account the restrictions established by the Board of Directors. Also, diversification of the sources of funding should be provided;
6) the optimal ratio of assets and liabilities, including on maturity dates in order to maintain sufficient liquidity;
7) methods of forecasting future cash flows of the bank to assess the degree of liquidity risk the bank is exposed to under current and projected negative trends;
8) the type, frequency of liquidity risk management reporting provided to responsible persons.
56. The bank shall need to determine the possible liquidity shortage in the future by plotting the maturity dates of assets and liabilities for the relevant period of time. The bank can independently determine the criteria for estimating cash flows or use the following cash flows:
1) known - repayment dates and amounts are known in advance (receivables under transactions of murabaha, ijarah, ijarah muntahiya bittamlik and sharika/musharaka);
2) conditional but anticipated (salam and istisna’a transactions) - conditionality is determined by the type of agreement or performance of work on pre-agreed conditions and within the agreed timeframe;
3) conditioned and unpredictable - agreements with an open maturity date (investments under the sharika/musharaka agreement), as well as repayment of invested funds and receipt of income from investments conditioned by the results of the activity under the agreement.
57. The bank shall periodically analyze cash flows under various changes in market conditions that can be based on a “normal” business environment or taking into account various negative situations.
58. The bank shall assess the need and the possibility of access to sources of funding.
59. The bank shall have an action plan for liquidation of a possible liquidity crisis. The bank can independently determine the criteria for assessing the stages of the liquidity crisis or use other approaches including:
1) detection of a liquidity gap or a situation that could lead to an unpredictable outflow of funds;
2) determination of the need to liquidate assets or investments in a certain order to close the liquidity gap;
3) emergency measures should be taken if the conducted activities did not lead to the closure of the liquidity gap.
60. The bank shall consider the following factors in the action plan:
1) holding of highly liquid assets, which can be sold in significant volumes, taking into account the probability of sale at a price below the book value;
2) characteristics of other assets and the degree of their liquidity;
3) assessment of available sources of funding that meet the requirements of the Sharia’h, among which may be the agreements of cooperation with other banks or other financial institutions on an interest-free basis, sale of fixed assets or sale with reverse leasing for longer-term financing;
4) the possibility of providing liquidity by the National Bank;
5) the appointment of an anti-crisis management or personnel responsible for taking measures at various stages of the liquidity crisis;
6) procedures for notifying the head bank, if the bank is a subsidiary.
§8. Reputational Risk
61. Reputational risk is the risk of losses the bank is exposed to as a result of a negative public opinion of the bank or its subsidiaries. This risk shall influence on the capability of the bank to cooperate and maintain the existing inter-relations. Reputational risk may arise as a result of involving the bank into legal proceedings, availability of negative information in Mass Media and other negative events, which can result in financial losses, outflow of deposits or loss of bank’s reputation.
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
62. The reputational risk of a bank operating under the principles of Islamic banking and finance may also be caused by the discrepancy of banking products and services with the Sharia’h standards.
63. In order to manage reputational risk, it is necessary not only to have a separate policy, but also to have effective corporate governance, internal control, internal audit, and use of the benefits of management information. In addition, it is necessary to ensure the bank’s ability to meet the needs of customers and the public without violating the bank’s strategy, goals and objectives.
64. The bank shall consider and take into account the impact of the services provided, operations and/or decisions on the general public and the clientele using its services.
65. The Board of Directors of the bank shall ensure implementation of the following:
1) risk assessment by conducting an objective assessment of internal and external sources of reputational risk. The definition of risk should be based on future plans and current activities. The main operations conducted by the bank require a special assessment of the reputational risk;
2) quantitative and qualitative assessment of the risks identified to determine the material impact on the main areas of the bank;
3) monitoring of the risk through periodic reports to the Board of Directors to inform about potential threats to the reputation of the bank. The reporting shall include information about customer complaints, if any, legal analysis of any pending or threatening legal proceedings, non-compliance issues and any other potential sources of reputational risk for the bank;
4) risk control to reduce the likelihood of damage to the bank’s reputation by:
a) effective functioning of the public relations department;
b) fulfillment of the requirements for the examination (legal department or public relations department, the Sharia’h Council) of press releases and advertisements before their placement for the general public;
c) determining approaches to work with lawsuits initiated against the bank;
d) monitoring the completeness and reliability of the information provided by the bank to customers;
f) adopting a code of conduct for bank employees (preferably with the participation and taking into account the opinion of the Sharia’h Council) and conducting trainings for bank employees;
g) taking other measures acceptable to the bank.
§ 8-1. Compliance Risk
(As amended by Resolution No. 21/10 of the National Bank of the Kyrgyz Republic Board as of May 31, 2017)
65-1. The bank shall analyze the current market situation, consider the bank’s strategy, assess the size, complexity of banking operations and develop internal documents covering the components of the compliance risk management system in the organization of the compliance risk management system.
65-2. Compliance risk can lead to the reputational damage, imposition of fines or other money sanctions, reduction of the value of the bank’s assets, the restriction of business opportunities, reduction of the potential for expansion of activities, and the failure to comply with the terms of the agreements, contracts concluded.
65-3. Banks shall approve policies, procedures and/or processes to manage compliance risk in order to reduce compliance risk
65-4. The Board of Directors of the bank shall be responsible for the development of compliance policies that contain the basic principles on the basis of which compliance risks are identified and managed at all levels of the bank’s structure.
65-5. The Board of Directors of the bank shall ensure implementation of the following processes:
1) Definition of risk - an objective assessment and determination of significance of the violations (events, transactions) that can lead to the compliance risk should be conducted. The definition should be based on future plans and current activities of the bank.
2) Risk assessment - quantitative and qualitative assessment of the risks identified to determine the material impact on the main areas of the bank.
3) Monitoring/OUI - the Compliance Controller shall submit reports to the Board of Directors for information on compliance risk as required, but at least once a year. Information on any violations of the law or regulations, all correspondence with the National Bank related to compliance risk should be provided to the Board of Directors. The Board of Directors shall ensure that remedial actions are taken to address compliance issues and introduce necessary changes in internal control policies and processes to prevent the re-emergence of such deficiencies.
4) Risk control - the bank shall exercise control to reduce compliance risk. This shall at least include:
a) the need to identify, measure and monitor compliance risk;
b) introduction of a corporate culture that contributes to the limitation of compliance risk;
c) a clear definition of accountability and responsibility for compliance with legislation, policies and procedures of the bank;
d) development of an integrated structure (plan), including procedures that ensure consistent compliance with all laws and regulations;
e) the requirement to conduct an analysis of any new banking products or activities for potential compliance risk;
e) requirement that the internal audit program includes periodic checks on compliance with laws, rules and regulations;
g) training for the bank’s staff on compliance issues so that all employees of the bank know the requirements of legislation, rules and regulations that influence on the bank’s activities;
h) any other policies, procedures, or processes that, in the opinion of the Board of Directors, are necessary to reduce the level of compliance risk in the bank.
§9. Other Spheres of Risk
66. If the bank’s activity has other types of risk, the Board of Directors of the bank shall define them in its concept and approve the policies to manage these types of risks. The Management shall take procedures and processes with respect to them. Minimum requirements, such as definition, measurement, monitoring and control over the risks shall cover the other types of risks arisen in the course of the bank’s activity.