(16) | Based on and without derogating from the requirements specified in subregulations (1) to (15) above, a bank’s policies, processes and procedures relating to governance, effective risk management, adequate capital and liquidity, and adequate internal controls shall contain the key features specified below: |
[Words preceding regulation 39(16)(a) substituted by section 11(b) of Notice No. 724, GG44003, dated 18 December 2020 - effective 1 January 2021]
(a) | Board and senior management oversight |
Since sound governance and risk management processes provide the basis for ensuring, among other things, that a bank continuously maintains adequate capital and liquidity, the board of directors of a bank—
[Heading and words preceding regulation 39(16)(a)(i) substituted by section 10(j) of Notice No. 1427, GG44048, dated 31 December 2020 - effective 1 January 2021]
(i) | shall set the bank's tolerance for risk, that is, the board of directors shall, among other things, duly define and approve the bank's risk appetite; |
(ii) | shall approve the bank’s broad business strategies and its relevant policies in respect of the bank’s respective material exposures to risk; |
[Regulation 39(16)(a)(ii) inserted by section 11(c) of Notice No. 724, GG44003, dated 18 December 2020 - effective 1 January 2021 - subsequent subparagraphs have been renumbered]
(iii) | shall ensure that clear policies and/or guidance is in place regarding the acceptable level of the bank’s respective material exposures to risk, given the bank’s relevant business strategy and tolerance for risk; |
[Regulation 39(16)(a)(iii) inserted by section 11(d) of Notice No. 724, GG44003, dated 18 December 2020 - effective 1 January 2021 - subsequent subparagraphs have been renumbered]
(iv) | shall ensure that effective governance is in place in respect of the bank's compensation or remuneration policies, processes, practices and procedures, and in particular the board of directors— |
(A) | shall actively oversee the design and operation of the bank's compensation or remuneration policies, processes, practices and procedures; |
(B) | shall duly monitor and review the bank's policies, processes, practices and procedures in order to ensure that the said policies, processes, practices and procedures operate as intended; |
(C) | shall ensure that staff engaged in financial and risk control— |
(ii) | have appropriate authority; and |
(iii) | are compensated in a manner that is independent of the relevant business areas they oversee, and commensurate with the key function that they fulfil; |
(v) | shall ensure that the bank's compensation or remuneration policies, processes, practices and procedures are duly aligned with the board approved tolerance for risk or risk appetite, and in particular the board of directors shall ensure that— |
(A) | compensation in the bank is duly adjusted for all relevant and material types of risk; |
(B) | all compensation outcomes are symmetric with the relevant and related risk outcome; |
(C) | all relevant compensation payout schedules are duly sensitive to the relevant and related time horizon of risk; |
(D) | the relevant mix or composition of cash payment, equity or other form of compensation is consistent with the relevant and related risk exposure; |
(E) | the aforesaid policies, processes, practices, procedures and compensation outcomes duly consider the risk and reward related to all relevant transactions concluded by executive directors or executive officers; |
(F) | the aforesaid policies, processes, practices and procedures support and promote the bank's other policies, processes, practices and procedures related to sound corporate governance and effective risk management; |
(G) | the aforesaid policies, processes, practices and procedures protect and promote the long-term safety and soundness of the bank; |
(H) | the aforesaid policies, processes, practices and procedures include adequate controls and are subject to appropriate audit; |
(I) | the bank's policies, processes, practices and procedures comply with such further requirements as may be specified in writing by the Registrar; |
(vi) | shall ensure that, based on, among other things, the bank's capital needs, the bank's anticipated capital expenditure and the bank's desired level of capital, the annually approved variable component of compensation does not unduly limit or restrict the ability of the bank to appropriately strengthen the capital base; |
(vii) | shall ensure that the senior management of the bank— |
(A) | establishes a risk framework in order to assess and appropriately manage the various risk exposures of the bank; |
(B) | develops a system to relate the bank's risk exposures to the bank's capital and reserve funds, that is, every bank shall have in place a robust internal capital adequacy assessment process (ICAAP), as part of the bank's overall risk management framework and processes, which ICAAP— |
(i) | shall in addition to the relevant requirements specified in this sub-item (B), continuously comply with the requirements specified in paragraph (b) below; |
(ii) | shall ensure that the bank maintains qualifying capital and reserve funds adequate to continuously support the nature and extent of the bank's relevant risk exposures; |
(iii) | shall in the case of the bank’s exposure to interest-rate risk in the banking book comply with the relevant requirements specified in regulation 30 and such further requirements as may be specified in writing by the Authority; |
[Regulation 39(16)(a)(vii)(B)(iii) inserted by section 10(k) of Notice No. 1427, GG44048, dated 31 December 2020 - effective 1 January 2021 - subsequent subparagraphs have been renumbered by section 10(l)]
(iv) | shall incorporate sufficiently robust stress-testing to complement and validate the bank's quantitative and qualitative measures related to its risk management framework, policies, processes or practices, and shall provide the board of directors and senior management with sufficiently robust information to better understand the bank's various exposures to risk and the potential interrelatedness of the said risks under stressed conditions, including the potential interrelatedness between liquidity risk and capital adequacy; |
(v) | shall incorporate measures to ensure that the bank builds and maintains sufficient capital buffers during benign periods to ensure that the bank will be able to subsequently withstand severe and prolonged market downturns; |
(vi) | shall be sufficiently robust— |
(aa) | to examine future capital resources and capital requirements under adverse scenarios; |
(bb) | to ensure that the bank maintains an appropriate amount of capital for concentration risk; |
(cc) | to continuously analyse the bank's issued capital instruments and their potential performance during periods of stress, including their ability to absorb losses and support the bank's ongoing business operations; |
(dd) | to accommodate changes in the bank's strategy or risk appetite, and volatility in market conditions over time; |
(vii) | shall incorporate such further requirements as may be specified in writing by the Registrar; |
(C) | develops a system to relate the bank’s relevant— |
(i) | available amount of unencumbered level one and level two high-quality liquid assets to the bank’s relevant expected total net cash outflows and/or any related liquidity needs during a 30 calendar day time horizon under a significantly severe liquidity stress scenario, as envisaged in regulation 26(12); |
(ii) | available amount of stable funding to the bank’s relevant required amount of stable funding, as envisaged in regulation 26(14), |
that is, every bank shall have in place a robust internal liquidity adequacy assessment process (ILAAP), as part of the bank’s overall risk management framework and processes;
[Regulation 39(16)(a)(vii)(C) inserted by section 10(m) of Notice No. 1427, GG44048, dated 31 December 2020 - effective 1 January 2021 - subsequent paragraphs have been renumbered by section 10(n)]
(D) | establishes a method to monitor the bank's compliance with internal policies; |
(E) | effectively communicates all relevant policies and procedures throughout the bank; |
(F) | duly defines the bank's stress testing objectives and scenarios— |
(i) | the results of which stress tests shall be duly considered during the bank's strategic decision making process and when the board of directors specifies the bank's risk tolerance or appetite levels; |
(ii) | which stress testing shall in relevant cases duly consider— |
(aa) | the potential risks and exposures associated with pipeline and warehoused exposures that may emerge when the bank is unable to access the securitisation market due to either bank specific or market stresses; |
(bb) | reputational risk scenarios; |
(cc) | scenarios in respect of which the bank, for example, assesses the size and the soundness of securitisation vehicles relative to the bank's own financial, liquidity and capital positions, including an assessment of all relevant covenants and triggers; |
(G) | duly discusses and understands the results of the bank's stress tests and scenario analysis; |
(viii) | shall adopt and support strong internal controls; |
(ix) | shall ensure that the bank has in place appropriate written policies and procedures; |
(x) | shall ensure that the bank has in place an appropriate strategic plan, which strategic plan, as a minimum, shall duly outline— |
(A) | the bank's capital needs; |
(B) | the bank's anticipated capital expenditure; |
(C) | the bank's desired level of capital. |
(xi) | shall ensure that the bank has in place an appropriate policy relating to public disclosure, which policy, as a minimum, shall ensure the bank's continued compliance with the requirements specified in regulation 43. |
[Regulation 39(16)(a)(iv) to (xi) renumbered by section 11(c) and (d) of Notice No. 724, GG44003, dated 18 December 2020]
(b) | Sound capital assessment |
Without derogating from the relevant requirements specified in paragraph (a) above, as a minimum, a bank shall have in place a sound capital assessment process, which capital assessment process—
(i) | shall include board approved policies and procedures designed to ensure that the bank identifies, measures, and reports all material risk exposures; |
(ii) | shall include all material risk exposures incurred by the bank, including the risks specifically referred to in subregulation (3); |
Although a bank may not be able to accurately measure all risk exposures, the bank shall develop and implement an appropriate framework and process to estimate the key elements of the bank's material risk exposures.
(iii) | shall relate the bank's capital and reserve funds to the level of risk incurred by the bank; |
(iv) | based on the bank's strategic focus and business plan, shall clearly state the bank's objectives in respect of capital adequacy and risk exposure; |
(v) | shall incorporate rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the bank, the results of which stress testing shall be considered when the bank evaluates the adequacy of its capital buffer; |
(vi) | shall promote the integrity of the bank's overall risk-management process by way of internal controls and appropriate internal and external reviews and audit. |
(c) | Monitoring and reporting |
(i) | As a minimum, a bank shall establish and maintain an adequate system— |
(A) | to monitor, communicate and report the bank's exposures to risk in a timely manner and at an appropriate level; |
(B) | to assess the impact of the bank's changing risk profile on the bank's capital position. |
(ii) | The board of directors of a bank or a board-appointed committee shall receive regular reports, which reports shall be sufficiently detailed to allow the said board of directors or board-appointed committee— |
(A) | to evaluate and understand the level and trend of material risk exposures and the impact of the risk exposures on the bank's capital adequacy; |
(B) | to determine whether the bank maintains sufficient capital against the various risk exposures and complies with the bank's established objectives relating to capital adequacy; |
(C) | to make timely adjustments to the bank's strategic plan. |
(iii) | The senior management of a bank shall receive regular reports, which reports shall be sufficiently detailed to allow the senior management of the bank— |
(A) | to consider the matters specified in subparagraph (ii) above; |
(B) | to evaluate and understand the sensitivity and reasonableness of key assumptions used in the capital measurement system; |
(C) | to assess the bank's future capital requirements based on the bank's reported risk profile. |
(d) | Internal control review |
(i) | A bank shall establish and maintain an appropriate internal control structure in order to monitor the bank's continued compliance with internal policies and procedures. |
(ii) | As a minimum, a bank shall conduct periodic reviews of its risk management processes, which periodic reviews— |
(A) | shall be adequate to ensure— |
(i) | the integrity, accuracy, and reasonableness of the processes; |
(ii) | the appropriateness of the bank's capital assessment process based on the nature, scope and complexity of the bank's activities; |
(iii) | the timely identification of any concentration risk; |
(iv) | the accuracy and completeness of any data inputs into the bank's capital assessment process; |
(v) | the reasonableness and validity of any scenarios used in the capital assessment process; |
(vi) | that the bank conducts appropriate stress testing; |
(B) | shall ensure the appropriate involvement of internal and external audit. |