(17) Matters related to corporate governance, risk management and internal controls
Without derogating from the provisions contained in regulation 39 and in subregulations (3) to (16) above, in order to promote and maintain sound standards in respect of corporate governance, risk management and internal controls, every bank and every controlling company shall have in place board-approved policies and comprehensive risk-management processes and procedures, which policies, processes and procedures—
(a) shall include comprehensive and robust know-your-customer standards that—
(i) include robust customer identification, verification and acceptance requirements throughout the banking group;
(ii) assist the bank or controlling company in its processes to prudently manage any related or interconnected risk exposure;
(iii) contribute to the safety and soundness of the reporting bank or controlling company;
(iv) prevent the bank or controlling company from being used for any money laundering or other unlawful activity;
(b) shall be sufficiently robust to ensure that—
(i) the relevant bank or controlling company—
(A) continuously—
(i) achieves the objectives relating to sound corporate governance and effective risk management, and complies with the relevant minimum requirements specified in regulation 39;
(ii) monitors account activity for potential suspicious transactions;
(iii) shares all relevant information relating to risk exposure and customer identification with relevant entities within the banking group;
(iv) receives relevant information relating to risk exposure incurred by any foreign operation;
(v) assesses the bank or controlling company's aggregate exposure to risk, including any risk incurred as a result of the bank or controlling company's cross-border electronic banking business;
(vi) assesses the banking group's overall capital adequacy in relation to its risk profile;
(vii) maintains adequate levels of capital and reserve funds;
(B) has in place—
(i) an independent internal audit function;
(ii) an independent compliance function;
(iii) a centralised process in order to—
(aa) coordinate and issue appropriate risk and customer identification policies and procedures on a groupwide basis;
(bb) coordinate the sharing of all relevant information;
(C) does not enter into or continue a correspondent banking relationship with a shell bank located in a foreign jurisdiction, that is, a bank—
(i) with no physical presence in the country in which the bank is authorised to conduct banking business;
(ii) not subject to adequate solo or consolidated supervision;
(D) duly documents and maintains all relevant information, including information relating to—
(i) risks incurred by the entities included in the banking group;
(ii) the nature and extent of banking business and other financial services conducted within the banking group;
(iii) the ownership structure;
(E) is able to provide such information or submit such returns as may be—
(i) specified in writing by the Registrar; or
(ii) prescribed in these Regulations;
(F) publishes timely, reliable and sufficiently detailed information in respect of—
(i) any concentration risk, including the bank or controlling company's approach to the management of concentration risk;
(ii) any intragroup transactions or exposure, including the bank or controlling company's approach to the management of intragroup transactions or exposure;
(G) complies with any prescribed disclosure requirements;
(ii) every relevant foreign branch, subsidiary or operation of the bank or controlling company implements and applies—
(A) Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) measures consistent with the relevant Financial Action Task Force (FATF) Recommendations issued from time to time;
(B) the higher of the AML/CFT standards issued in the Republic of South Africa or the relevant host country,
Provided that when the relevant foreign branch, subsidiary or operation is unable to implement and apply the aforesaid measures or standards, the relevant bank or controlling company shall in writing inform the Registrar accordingly;
(iii) in relation to any cross-border correspondent banking or other similar relationship, the bank or controlling company—
(A) has in place robust due diligence procedures and measures;
(B) gathers sufficient information about a respondent institution, inter alia—
(i) to fully understand the nature of the respondent's business;
(ii) to determine the reputation of the relevant institution;
(iii) to determine the quality of supervision, including whether it has been subject to any money laundering or terrorist financing investigation or regulatory action;
(iv) to ensure that the respondent institution does not permit its accounts to be used by a shell bank;
(C) assesses the respondent institution's anti-money laundering and terrorist financing controls;
(D) obtains the required approval from its senior management before it establishes any new correspondent relationship;
(E) duly documents the respective responsibilities of each relevant institution;
(F) with respect to any "payable-through account", is satisfied that the respondent bank has duly verified the identity of, and performed ongoing due diligence on, any customer that has direct access to accounts of the correspondent, and that it is able to provide relevant customer identification data upon request to the correspondent bank;
(iv) all relevant policies, processes and procedures are subject to regular and robust processes of independent review;
(c) shall ensure an appropriate segregation of duties, that is, for example, an entity or person responsible for the origination of a transaction or position shall not be responsible for the subsequent evaluation and performance measurement of the said transaction or position;
(d) shall promote the principles of an integrated approach to risk management, that is, as a minimum, the said policies, processes and procedures—
(i) shall create an awareness of and accountability for the risks incurred in the banking group to which the bank or controlling company belongs;
(ii) shall ensure appropriate oversight by the board of directors and senior management of the relevant bank or controlling company;
(iii) shall promote the development of—
(A) standardised definitions relating to material risk exposure;
(B) appropriate risk reports for use by the board of directors and senior management of the bank or controlling company;
(C) adequate integrated risk systems that promote an appropriate balance between—
(i) any potential benefits derived from diversification; and
(ii) any correlation between risk factors;
(iv) shall ensure that—
(A) an appropriate set of common risk factors is specified within the banking group;
(B) appropriate risk management committees or structures are established;
(v) shall ensure the appropriate assessment of—
(A) any potential losses associated with the bank or controlling company's various risk exposures;
(B) any potential risk concentration;
(vi) shall duly capture all relevant matters relating to the bank or controlling company's cross-border electronic business, such as internet banking, including—
(A) requirements to conduct appropriate due diligence and risk assessments prior to the bank or controlling company engaging in cross-border electronic business;
(B) appropriate consultation and information sharing with all relevant regulatory and supervisory authorities;
(C) a requirement to obtain all relevant regulatory or supervisory approval;
(D) matters relating to legal requirements such as—
(iii) consumer protection;
(iv) disclosure requirements;
(v) reporting requirements;
(E) matters relating to strategic risk, reputational risk or operational risk;
(vii) shall ensure—
(i) proper oversight by the management and board of directors of the relevant bank or controlling company of any foreign operation, including any foreign branch of a bank, joint venture or subsidiary;
(ii) that the senior management and board of directors of any foreign operation adhere to all relevant fit and proper standards issued from time to time.