(a) | the board of directors of a bank or controlling company— |
(A) | they understand the implications of the bank or controlling company’s relevant risk strategies, including the potential linkages with and impact on, for example, credit risk, market risk, operational risk, liquidity risk and interest-rate risk in the banking book; |
(B) | a sufficient number of the members of the board of directors have sufficient technical knowledge to adequately question and challenge the risk information and reports submitted by the senior management of the bank or controlling company to the board; |
(C) | the senior management of the bank or controlling company individually possesses the relevant required skills in their functional areas, and collectively have the capacity, capability and the relevant required skills to understand all the bank or controlling company's relevant material exposures to risk; |
(D) | adequate resources are devoted to the management of the bank or controlling company’s relevant material exposures to risk; |
(ii) | shall approve and regularly review the strategy, policies and limits related to the bank's material exposures to risk, including the material exposures to risk or categories of exposure to risk specified in subregulation (3), and to oversee and monitor through regular reporting their implementation by management; |
[Regulation 39(6)(a) inserted by section 11(a) of Notice No. 724, GG44003, dated 18 December 2020 - effective 1 January 2021 - subsequent paragraphs have been renumbered]
(b) | shall ensure that the bank has in place management information systems— |
(i) | that facilitate the proactive management of risk; |
(ii) | shall have sufficient expertise to understand the nature of the various instruments, markets and activities in which the bank conducts business, including capital market activities such as securitisation and the related off-balance sheet-activities, and the nature and extent of the associated risks; |
[Regulation 39(6)(b)(ii) substituted by section 10(h) of Notice No. 1427, GG44048, dated 31 December 2020 - effective 1 January 2021]
(iii) | able to provide regular, accurate and timely information regarding matters such as the bank's aggregate risk profile, as well as the main assumptions used for risk aggregation; |
(iv) | adaptable and responsive to changes in the bank's underlying risk assumptions; |
(v) | sufficiently flexible to generate relevant forward-looking scenario analyses that capture the board and senior management's interpretation of evolving market conditions and stressed conditions; |
(vi) | capable of capturing and bringing to the attention of senior management and the board of directors any breach in a specified internal, regulatory or other statutory limit; |
(vii) | that make provision for any relevant initial and ongoing validation; |
(viii) | shall ensure that the monitoring and the reporting of individual and aggregate exposure(s) to related persons are subject to an independent credit review process; |
(ix) | shall remain informed about the aforesaid risks and changes thereto as financial markets, risk management practices and the bank's activities evolve; |
(x) | shall ensure that accountability and lines of authority are clearly delineated; |
(xi) | shall ensure adequate segregation of duties to promote sound governance and effective risk management in the bank, and avoid conflict of interests; |
(xii) | shall ensure that, before embarking on new activities, investing in new instruments or introducing products new to the bank— |
(A) | the potential changes in the bank's exposure to risk arising from the aforesaid new instruments, products or activities have been duly identified, considered and reviewed; and |
(B) | the bank's infrastructure, policies, processes, procedures and internal controls necessary to manage the related risks are duly updated and in place; |
(ix) | shall duly consider the possible difficulty related to the valuation of new products, and how the products might perform in a stressed economic environment; |
(c) | the senior management of a bank— |
(i) | shall ensure that the risks to which the bank is exposed are appropriately managed; |
(ii) | shall set capital targets commensurate with the bank's risk profile and control environment; |
(iii) | shall implement robust and effective risk management and internal control processes; |
(v) | shall develop and maintain— |
(A) | an appropriate strategy that ensures that the bank maintains adequate capital based on the nature, complexity and risk inherent in the bank's on-balance sheet and off-balance sheet activities, including the bank's activities relating to risk mitigation; |
(B) | an internal capital adequacy assessment process that responds to changes in the business cycle within which the bank conducts business; |
(v) | shall, with respect to new or complex products or activities, understand the underlying assumptions regarding business models, valuation and risk management practices, and shall duly evaluate the bank's potential risk exposure should the aforesaid assumptions fail; |
(vi) | shall, on a periodic basis, conduct relevant stress tests, particularly in respect of the bank's main risk exposures, in order to identify events or changes in market conditions that may have an adverse impact on the bank. |