HC-6 Management Structure
HC-6.1 Principle
HC-6.1.1
The Board must establish a clear and efficient management structure.
October 2010
HC-6.2 Establishment of Management Structure
HC-6.2.1
The Board must appoint senior management whose authority must include management and operation of current activities of the Islamic bank licensee under the direction and oversight of the Board. The senior management must include at a minimum:
(a) A CEO;
(b) A chief financial officer;
(c) A corporate secretary; and
(d) An internal auditor,
and must also include such other approved persons as the Board considers appropriate.
Amended: April 2020
Amended: October 2011
Added: October 2010
HC-6.3 Titles, Authorities, Duties and Reporting Responsibilities
HC-6.3.1
The Board must adopt by-laws prescribing each senior manager's title, authorities, duties, accountabilities and internal reporting responsibilities. This must be done with the advice of the Nominating Committee and in consultation with the CEO, to whom the other senior managers should normally report.
Amended: January 2012
October 2010
HC-6.3.2
These provisions must include but should not be limited to the following:
(a) The CEO must have authority to act generally in the Islamic bank licensee's name, representing the Islamic bank licensee's interests in concluding transactions on the Islamic bank licensee's behalf and giving instructions to other senior managers and Islamic bank licensee employees;
(b) The chief financial officer must be responsible and accountable for:
(i) The complete, timely, reliable and accurate preparation of the Islamic bank licensee's financial statements, in accordance with the accounting standards and policies of the Islamic bank licensee (see also HC-3.4.1); and
(ii) Presenting the Board with a balanced and understandable assessment of the Islamic bank licensee's financial situation;
(c) The corporate secretary's duties must include arranging, recording and following up on the actions, decisions and meetings of the Board and of the shareholders (both at annual and extraordinary meetings) in books to be kept for that purpose; and
(d) The internal auditor's duties must include providing an independent and objective review of the efficiency of the Islamic bank licensee's operations. This would include a review of the accuracy and reliability of the Islamic bank licensee's accounting records and financial reports as well as a review of the adequacy and effectiveness of the Islamic bank licensee's risk management, control, and governance processes.
October 2010
HC-6.3.3
The Board should also specify any limits which it wishes to set on the authority of the CEO or other senior managers, such as monetary maximums for transactions which they may authorise without separate Board approval.
October 2010
HC-6.3.4
The corporate secretary should be given general responsibility for reviewing the Islamic bank licensee's procedures and advising the Board directly on such matters (see Rule HC-6.3.2(c)). Whenever practical, the corporate secretary should be a person with legal or similar professional experience and training.
October 2010
HC-6.3.5
At least annually the Board shall review and concur in a succession plan addressing the policies and principles for selecting a successor to the CEO, both in emergencies and in the normal course of business. The succession plan should include an assessment of the experience, performance, skills and planned career paths for possible successors to the CEO.
October 2010
HC-6.4 Compliance
HC-6.4.1
Compliance starts at the top. It will be most effective in a corporate culture that emphasises standards of honesty and integrity and in which the board of directors and senior management lead by example. It concerns everyone within the bank and should be viewed as an integral part of the bank's business activities. A bank should hold itself to high standards when carrying on business, and at all times strive to observe the spirit as well as the letter of the law. Failure to consider the impact of its actions on its shareholders, customers, employees and the markets may result in significant adverse publicity and reputational damage, even if no law has been broken.
Amended: January 2019
October 2010
HC-6.4.2
Islamic bank licensees must establish an effective compliance framework, which is appropriate for the size and complexity of their operations, for managing their compliance risks.
Amended: January 2019
October 2010
HC-6.4.3
The term "Compliance risk" refers to the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, directives, directions, reporting requirements and codes of conduct, including internal code of conduct.
Amended: January 2019
Amended: October 2014
October 2010
HC-6.4.4
Compliance laws, rules and standards generally cover matters such as observing proper prudential standards, standards of market conduct, managing conflicts of interest, treating customers fairly and ensuring suitability of customer advice, as well as matters specified in HC-6.4.3 above. They typically include specific areas such as the prevention of money laundering and terrorist financing, and may extend to tax laws that are relevant to the structuring of banking products or customer advice.
Added: January 2019
HC-6.4.5
It is important that banks do not consider the compliance function a cost center; rather, it is an activity that enhances the reputation of the bank and promotes the right environment for better financial performance.
Added: January 2019
HC-6.4.6
The relationship between a bank's business units, the support functions and the compliance function can be explained using the three lines of defence model.
a) The business units are the first line of defence. They undertake the management of risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business.
b) The second line of defence includes the support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support functions work closely to help define strategy, implement bank policies and procedures, and collect information to create a bank-wide view of risks.
c) The third line of defence is the internal audit function that independently assesses the effectiveness of the controls over the processes created in the first and second lines of defence and provides assurance on these processes. The responsibility for internal control does not transfer from one line of defence to the next line.
Added: January 2019
Responsibilities of the Board of Directors
HC-6.4.7
The board of directors of an Islamic bank licensee is responsible for overseeing the management of the bank's compliance risk. The board must establish a permanent and effective compliance function and approve the bank's compliance policies for identifying, assessing, monitoring, reporting and advising on compliance risk. At least once a year, the board or a designated board committee must assess the extent to which the bank is managing its compliance risk effectively. The board must also ensure that the agenda for the meetings of the board or the designated board committee include compliance as a topic at least every quarter.
Amended: January 2020
Added: January 2019
HC-6.4.8
The board designated committee referred to in HC-6.4.7 may be the audit committee, the governance committee, the risk committee, or other committee which does not have a role in the business or executive roles, such as those relevant to executive committees and investment committees. For branches of foreign bank licensees, all references in this Section to the Board/the designated board committee should be interpreted as the Group Compliance Officer or a sufficiently senior level Regional Compliance Committee or Officer.
Added: January 2019
Responsibilities of the Senior Management
HC-6.4.9
Senior management is responsible for effective management of the bank's compliance risk.
Added: January 2019
HC-6.4.10
Senior management is responsible for establishing the operating framework and the processes to support a permanent and an effective compliance function. It is responsible for establishing and communicating a written compliance policy through all levels of the organisation for ensuring that it is adhered to in practice. It is responsible also for approving the bank's compliance procedures for identifying, assessing, monitoring, reporting and advising on compliance risk.
Amended: January 2020
Added: January 2019
HC-6.4.11
The compliance policy must be approved by the Board/the designated board committee and must address the following:
(a) The role and responsibilities of the compliance function;
(b) Measures to ensure its independence;
(c) Its relationship with other risk management functions within the bank and with the internal audit function;
(d) In cases where compliance responsibilities are carried out by staff in different departments, how these responsibilities are to be allocated among the departments;
(e) Its right to obtain access to information necessary to carry out its responsibilities, and the corresponding duty of bank staff to cooperate in supplying this information;
(f) Its right to conduct investigations of possible breaches of the relevant laws and regulations and the compliance policy and to appoint outside experts to perform this task if appropriate;
(g) Its right to be able freely to express and disclose its findings to the board of directors or to the designated board committee, e.g. the audit committee or the governance committee of the board; and
(h) The basic principles to be followed by management and staff describing the main processes by which compliance risks are to be identified and managed through all levels of the organization.
Added: January 2019
HC-6.4.12
The Board and the designated Board committee must ensure that all compliance findings and recommendations are resolved within six months for high risk/critical issues and 9 months for any other issues from the issue date of the subject compliance report unless otherwise agreed with the CBB taking into consideration time required for specific issues that may require substantive changes to technology, systems and/or processes.
Added: January 2019
HC-6.4.13
Senior management must assess the training needs of staff taking into account the existing skills and competencies, the nature of changes to laws and regulations in developing a training plan for compliance across all levels throughout the organisation. Training must be provided by competent and skilled personnel, whether available internally or externally. Training that is provided must reflect the seniority, role and responsibilities of the individuals for whom it is intended.
Added: January 2019
Compliance Function
HC-6.4.14
Islamic bank licensees must organise their compliance function and set priorities for the management of their compliance risk in a way that is consistent with their own risk management strategy and structures.
Added: January 2019
HC-6.4.15
The compliance function must be independent and effective. It must be headed by an executive or senior staff member with overall responsibility for co-ordinating the identification and management of the bank's compliance risk and for supervising the activities of other compliance function staff.
Added: January 2019
HC-6.4.16
The Head of Compliance, with the assistance of senior management, must:
(a) report to the board of directors or the designated committee of the board on a quarterly basis, even if there are no issues to highlight;
(b) report to the board or the designated committee of the board on the bank's management of its compliance risk, in such a manner as to assist board members to make an informed judgment on whether the bank is managing its compliance risk effectively;
(c) report promptly to the board or the designated committee of the board on any material compliance failures as they arise (e.g. failures that may attract a significant risk of legal or regulatory sanctions, material financial loss, or loss to reputation); and
(d) ensure that senior management develop remedial action plans to address compliance breaches.
Added: January 2019
HC-6.4.17
The role of head of compliance may be combined with those of the head of risk if the size and nature of the bank justifies a single function for both roles. Banks which carry out limited operations or are small branches of foreign banks would qualify for such a practice.
Added: January 2019
HC-6.4.18
The compliance function should assist senior management, the board and the designated committee of the board in their compliance obligations and help promote the right culture within the bank. While the board and management are accountable for the bank's compliance, the compliance function has an important role in supporting corporate values, policies and processes that help ensure that the bank acts responsibly and fulfils all applicable obligations.
Added: January 2019
HC-6.4.19
The independence and effectiveness of the function must be based on the following related elements:
(a) The compliance function must have a formal status with sufficient authority within the bank;
(b) There must be a group compliance officer or head of compliance with overall responsibility for co-ordinating the management of the bank's compliance risk;
(c) Compliance function staff, and in particular, the head of compliance, must not be placed in a position where there is a possible conflict of interest between their compliance responsibilities and any other responsibilities they have;
(d) Compliance function staff must have access to the information and personnel necessary to carry out their responsibilities;
(e) The compliance function must directly report to the board or a designated board committee (in the case of Bahraini Islamic bank licensees) and administratively to the CEO; and
(f) In the case of branches of foreign bank licensees, the reporting must be to the Group Compliance Officer or Regional Compliance Officer and may report administratively to the CEO/GM.
Added: January 2019
HC-6.4.20
The concept of independence does not mean that the compliance function cannot work closely with management and staff in the various business units. Indeed, a co-operative working relationship between compliance function and business units should help to identify and manage compliance risks at an early stage. Rather, the various elements described above should be viewed as safeguards to help ensure the effectiveness of the compliance function, notwithstanding the close working relationship between the compliance function and the business units. The way in which the safeguards are implemented will depend to some extent on the specific responsibilities of individual compliance function staff.
Added: January 2019
HC-6.4.21
The compliance function should be free to highlight to senior management any irregularities or possible breaches disclosed by its investigations, without fear of retaliation or disfavour from management or other staff members.
Added: January 2019
HC-6.4.22
Appointment, dismissal and other changes to the head of compliance must be approved by the board or the designated board committee. Appointments of head of compliance must be approved by the CBB in accordance with paragraph LR-1A.1.17. If the head of compliance is removed from his or her position for any reason, this must be notified to the CBB, describing fully the reasons as required under paragraph LR-1A.1.22.
Added: January 2019
HC-6.4.23
Islamic bank licensees must ensure that the compliance risk management framework is subject to an independent review by a third party consultant, other than the external auditor, every three years and when there are material changes to the business. The results of the independent review and action must be provided to the CBB by 30th September of the relevant year.
Added: January 2019
HC-6.4.24
The responsibilities of the compliance function must be carried out under a compliance programme that sets out its planned activities, such as the implementation and review of specific policies and procedures, compliance risk assessment, compliance testing, and educating staff on compliance matters. The compliance programme must be risk based and subject to oversight by the head of compliance to ensure appropriate coverage across businesses and co-ordination among risk management functions.
Added: January 2019
HC-6.4.25
The Compliance function must, on a pro-active basis, identify, measure, document and assess the compliance risks associated with the bank's business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships. If the bank has a new products committee, the compliance function staff should be represented on the committee.
Added: January 2019
HC-6.4.26
While the Compliance function is responsible for oversight and compliance checks across the full spectrum of compliance risk areas, it is recognised that many areas of compliance require specialist skills which can be found in different parts of the organisation; for example, the skill sets for compliance with ICAAP can be found either with financial control or with risk management, while for compliance with labour laws the specialist skills are with human resources departments, etc. In such cases, the compliance function ensures that the right levels of checks and balances and compliance reporting are available to get comfort that the licensee has adhered to the relevant requirements. In certain instances, it may use external experts with the approval of the relevant authority within the bank.
Added: January 2019
HC-6.4.27
The compliance function should consider ways to measure compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessment.
Added: January 2019
HC-6.4.28
In case of new regulations, the compliance function must assess the appropriateness of the bank's compliance procedures and guidelines, promptly follow up any identified deficiencies, and, where necessary, formulate proposals for amendments.
Added: January 2019
Monitoring, testing and reporting
HC-6.4.29
The compliance function must monitor and test compliance by performing sufficient and representative compliance testing. The results of the compliance testing must be reported to the board or designated committee of the board.
Added: January 2019
HC-6.4.30
The compliance function must advise senior management and the designated committee of the board on all relevant laws, rules and standards, in all jurisdictions in which the bank conducts its business, and inform them on developments in the subject.
Added: January 2019
Guidance and education
HC-6.4.31
The compliance function must assist senior management in:
a) Educating staff on compliance issues, and acting as a contact point within the bank for compliance queries from staff members; and
b) Establishing written guidance to staff on the appropriate implementation of laws, rules and standards through policies and procedures and other documents such as manuals, internal codes of conduct and practice guidelines.
Added: January 2019
Statutory responsibilities and liaison
HC-6.4.32
The compliance function must have specific statutory responsibilities (e.g. fulfilling the role of anti-money laundering officer). It may also liaise with relevant external bodies, including regulators, standard setters and external experts.
Added: January 2019
Right of access
HC-6.4.33
The compliance function must have access across the entire organisation to carry out its responsibilities on its own initiative where compliance risk exists. It must, additionally, have the right to communicate with any staff member and to obtain access to any records or files necessary to conduct its responsibilities, to conduct investigations of possible breaches of the compliance policy, and to request assistance from specialists within the bank (e.g. legal or internal audit) or engage outside specialists, subject to appropriate internal approval, to perform this task if appropriate.
Added: January 2019
Competent Resources
HC-6.4.34
The compliance function must have adequate resources to carry out its functions effectively commensurate with the size and complexity of the organisation. The resources to be provided for the compliance function must be both sufficient and appropriate to ensure that compliance risk within the bank is managed effectively.
Added: January 2019
HC-6.4.35
The compliance function staff must have the necessary qualifications, experience and professional and personal qualities to enable them to carry out their specific duties. Compliance function staff must have a sound understanding of laws, rules and standards and their practical impact on the bank's operations.
Added: January 2019
HC-6.4.36
The professional skills of compliance function staff, especially with respect to keeping up-to-date with developments in compliance laws, rules and standards, must be maintained through regular and systematic education and training.
Added: January 2019
Relationship with Internal Audit
HC-6.4.37
The scope and breadth of the activities of the compliance function must be subject to periodic review by the internal audit function.
Added: January 2019
HC-6.4.38
Compliance risk must be included in the risk assessment methodology of the internal audit function, and an audit programme that covers the adequacy and effectiveness of the bank's compliance function should be established, including testing of controls commensurate with the perceived level of risk.
Added: January 2019
HC-6.4.39
The compliance function and the internal audit function must be separate, to ensure that the activities of the compliance function are subject to independent review. It is important, therefore, that there is a clear understanding within the bank as to how risk assessment and testing activities are divided between the two functions, and that this is documented (e.g. in the bank's compliance policy or in a related document such as a protocol). The internal audit function must, of course, keep the head of compliance informed of any audit findings relating to compliance.
Added: January 2019
Cross-border Issues
HC-6.4.40
Islamic bank licensees that conduct business through a branch or subsidiary in other jurisdictions must through the Group Compliance Function:
(a) comply with local laws and regulations;
(b) have Group Compliance policy and procedures; and
(c) conduct annual compliance testing on overseas operations whose total revenue represents 20% or more of the Group's total revenue and on every two years' basis for other overseas operations.
Added: January 2019
HC-6.4.41
Islamic bank licensees must have procedures in place to identify and assess the possible increased reputational risk to the bank if it offers products or carries out activities in certain jurisdictions.
Added: January 2019
HC-6.4.42
Islamic bank licensees with overseas operations must establish a Group Compliance Function which must oversee the compliance activities on a group-wide basis. The Group Compliance Officer must ensure that compliance reviews and checks are carried out at branches and subsidiaries. As legal and regulatory requirements may differ from jurisdiction to jurisdiction, compliance issues specific to each jurisdiction must be coordinated within the structure of the bank's group-wide compliance policy.
Added: January 2019
HC-6.4.43
The senior management, with the assistance of the Group Compliance Officer, must ensure that adequate resources, commensurate with the scale and complexity of the operations, are assigned for compliance activities at the head office, branches and subsidiaries.
Added: January 2019
HC-6.4.44
The Group Compliance Officer must ensure that adequate reports and information are received from overseas branches and subsidiaries on compliance related issues.
Added: January 2019
Outsourcing
HC-6.4.45
Compliance function or its activities must not be outsourced.
Added: January 2019
Other requirements
HC-6.4.46
Every application/request for approval to the CBB must be accompanied by a compliance assessment report confirming that all related requirements pertaining to the request have been thoroughly checked by the compliance function including the impact of such a request on the licensee's financial position and compliance status. In addition, reference must be made to any previously approved arrangements by the CBB.
Added: January 2019
HC-6.4.47
In cases where the requests have a potential financial impact on the licensee, a report from the financial control function in consultation with external auditors must also be submitted as part of the compliance assessment report, whereas in case of any legal implication of such a request a legal opinion on the matter must be submitted.
Added: January 2019
HC-6.4.48
Where breaches or deficiencies have occurred due to failures by approved persons, the CBB may consider re-assessing the fitness and propriety of such persons.
Added: January 2019
HC-6.5 Internal Audit
Introduction
Added: April 2018
HC-6.5.1
Islamic bank licensees must establish and implement an effective internal audit function which provides an independent and objective assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, to protect the bank and its reputation.
Added: April 2018
HC-6.5.2
The internal audit function must develop an independent and informed view of the risks faced by the bank based on its access to all bank records and data, its enquiries, and its professional competence. The internal audit function must discuss its views, findings and conclusions directly with the audit committee and, if necessary, with the board of directors at their routine quarterly meetings, thereby helping the board to oversee senior management.
Added: April 2018
HC-6.5.3
In this Section, all references to the board of directors may also be taken as referring to the bank's audit committee where the audit committee is mandated to carry out such functions on the board's behalf.
Added: April 2018
HC-6.5.4
For branches of foreign bank licensees, and where no local board of directors exists, all references in this Module to the board of directors should be interpreted as the Head Office/Regional Office.
Added: April 2018
HC-6.5.5
This Section applies in its entirety to all locally incorporated banks, including those within a banking group, and to holding companies whose subsidiaries are predominantly banks. While Module LR requires that all banks including branches must have an internal auditor as a controlled function in the Kingdom, only Paragraphs HC-6.5.7 to HC-6.5.23, HC-6.5.28 to HC-6.5.42 and HC-6.5.69 to HC-6.5.70 would be directly applicable to branches of foreign bank licensees in Bahrain in terms of the internal audit function located here. Branches should ensure that equivalent arrangements are in place at the parent level for other requirements in this Section and that these arrangements provide for an effective internal audit function over activities conducted under the Bahrain license.
Added: April 2018
HC-6.5.6
The extent of application of this Section must be commensurate with the significance, complexity and international presence of the bank (principle of proportionality).
Added: April 2018
HC-6.5.7
The key features for the effective operation of an internal audit function are:
(a) Independence and objectivity;
(b) Professional competence and due professional care; and
(c) Professional ethics.
Added: April 2018
Independence and Objectivity
HC-6.5.8
Islamic bank licensees' internal audit function must be independent of the audited activities. This means that the internal audit is independent of all functions including compliance, risk management and financial control functions. The internal audit function must also have sufficient standing and authority within the bank and must operate according to sound principles.
Added: April 2018
HC-6.5.9
The internal audit function must report directly to the audit committee and administratively to the CEO, thereby providing a framework for internal auditors to carry out their assignments with objectivity.
Added: April 2018
HC-6.5.10
The internal audit function must be able to perform its assignments on its own initiative in all areas and functions of the bank based on the audit plan established by the head of the internal audit function and approved by the board of directors or audit committee. It must be free to report its findings and assessments internally through clear reporting lines. The head of internal audit must demonstrate appropriate leadership and have the necessary personal characteristics and professional skills to fulfill his or her responsibility for maintaining the function's independence and objectivity.
Added: April 2018
HC-6.5.11
The internal audit function must not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the internal audit function must not prevent senior management from requesting input from internal audit on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.
Added: April 2018
HC-6.5.12
Islamic bank licensees should, whenever practicable and without jeopardising competence and expertise, periodically rotate internal audit staff within the internal audit function.
Added: April 2018
Professional Competence and Due Professional Care
HC-6.5.13
The head of internal audit must have the responsibility for acquiring human resources with sufficient qualifications and skills to effectively deliver on the mandate for professional competence and to audit to the required level. He/she must continually assess and monitor the skills necessary to do so. The skills required for senior internal auditors must include the abilities to judge outcomes and make an impact at the highest level of the organisation.
Added: April 2018
HC-6.5.14
For purposes of Paragraph HC-6.5.13, professional competence depends on the auditor's capacity to collect and understand information, to examine and evaluate audit evidence and to communicate with the stakeholders of the internal audit function.
Added: April 2018
HC-6.5.15
The head of internal audit must ensure that internal audit staff acquire appropriate ongoing training in order to meet the growing technical complexity of the Islamic Bank licensee's activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes within the Islamic Bank licensee and other developments in the financial sector.
Added: April 2018
HC-6.5.16
The internal audit function collectively must be competent to examine all areas in which the bank operates. When internal audit is outsourced, the head of internal audit/coordinator must ensure that the use of those experts does not compromise the independence and objectivity of the internal audit function.
Added: April 2018
HC-6.5.17
For purposes of Paragraph HC-6.5.16, the coordinator must be an approved person within the Islamic Bank licensee.
Added: April 2018
HC-6.5.18
The head of internal audit/coordinator should ensure that, whenever practical, the relevant knowledge input from an expert is assimilated into the organisation. This may be possible by having one or more members of the bank's internal audit staff participate in the external expert's work.
Added: April 2018HC-6.5.19
Internal auditors must apply the care and skills expected of a reasonably prudent and competent professional. Due professional care does not imply infallibility; however, internal auditors having limited competence and experience in a particular area must be appropriately supervised by more experienced internal auditors.
Added: April 2018Professional Ethics
HC-6.5.20
Internal auditors must act with integrity. Integrity includes being straightforward, honest and truthful.
Added: April 2018
HC-6.5.21
Internal auditors must respect the confidentiality of information acquired in the course of their duties. They must not use that information (particularly 'confidential information' as defined in Article 116 of the CBB Law) for personal gain or malicious action and must be diligent in the protection of information acquired.
Added: April 2018
HC-6.5.22
The head of the internal audit function and all internal auditors must avoid conflicts of interest (see Section HC-2.3). Internally recruited internal auditors must not engage in auditing activities for which they have had previous responsibility before a one year "cooling off" period has elapsed.
Added: April 2018
HC-6.5.23
Internal auditors must adhere to the code of ethics of both the bank and The Institute of Internal Auditors (see Section HC-2.2).
Added: April 2018
Internal Audit Charter
HC-6.5.24
All Bahraini Islamic bank licensees must have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in Paragraph HC-6.5.1.
Added: April 2018
HC-6.5.25
The charter must be drawn up and reviewed annually by the head of internal audit and approved by the board of directors or audit committee. It must be available to all internal stakeholders and, in certain circumstances, such as listed entities, to external stakeholders.
Added: April 2018
HC-6.5.26
At a minimum, the internal audit charter must establish:
(a) The internal audit function's standing within the bank, its authority, its responsibilities and its relations with other control functions in a manner that promotes the effectiveness of the function as described in Paragraphs HC-6.5.1 and HC-6.5.2;
(b) The purpose and scope of the internal audit function;
(d) The obligation of the internal auditors to communicate the results of their engagements and a description of how and to whom this must be done (reporting line);
(e) The criteria for when and how the internal audit function may outsource some of its engagements to external experts;
(f) The terms and conditions according to which the internal audit function can be called upon to provide consulting or advisory services or to carry out other special tasks;
(g) The responsibility and accountability of the head of internal audit;
(h) A requirement to comply with sound internal auditing standards; and
(i) Procedures for the coordination of the internal audit function with the external auditor.
Added: April 2018
HC-6.5.27
The charter must empower the internal audit function, whenever relevant to the performance of its assignments and discharge of its duties, to initiate direct communication with any member of staff, to examine any activity or entity of the bank, and to have full and unconditional access to any records, files, data and physical properties of the bank. This includes access to management information systems and records and the minutes of board and sub-board committee meetings and all consultative and decision-making committees.
Added: April 2018
Scope of Activity
HC-6.5.28
The scope of internal audit activities must include the examination and evaluation of the effectiveness of the internal control, risk management and governance systems and processes of the entire bank, including the bank's outsourced activities and its subsidiaries (including SPVs) and branches.
Added: April 2018
HC-6.5.29
The internal audit function must independently evaluate the:
(a) Effectiveness and efficiency of internal control, risk management and governance systems and processes created by the business units and support functions in the context of both current and potential or actual emerging risks and provide assurance on these systems and processes;
(b) Reliability, effectiveness and integrity of management information systems and processes (including relevance, accuracy, completeness, availability, confidentiality and comprehensiveness of data);
(c) Monitoring of compliance with laws and regulations, including any requirements from the CBB; and
(d) Safeguarding of assets.
Added: April 2018
HC-6.5.30
The head of internal audit must establish, prior to year-end, an annual internal audit plan. It must be based on a robust risk assessment (including direct or indirect input from senior management and the board).
Added: April 2018
HC-6.5.31
The audit committee's approval of the audit plan also requires that an appropriate budget will be available to support the internal audit function's activities.
Added: April 2018
HC-6.5.32
The scope of the internal audit function's activities must ensure adequate coverage of matters of regulatory interest within the audit plan.
Added: April 2018
Risk Management
HC-6.5.33
Internal audit must include in its scope the following aspects of risk management:
(a) The organisation and mandates of the risk management function including market, credit, liquidity, interest rate and operational risks;
(b) Evaluation of risk appetite, escalation and reporting of issues and decisions taken by the risk management function;
(c) The adequacy of risk management systems and processes for identifying, measuring, assessing, controlling, responding to, and reporting on all the risks resulting from the bank's activities;
(d) The integrity of the risk management information systems, including the accuracy, reliability and completeness of the data used;
(e) The approval and maintenance of risk models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
(f) Information technology and information security;
(g) The bank's system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources in relation to the bank's risk exposures and established minimum ratios; and
(h) The review of management's process for stress testing its capital levels, taking into account the frequency of such exercises, their purpose (e.g., internal monitoring vs. regulator imposed), the reasonableness of scenarios and the underlying assumptions employed, and the reliability of the processes used.
Added: April 2018
HC-6.5.34
When the risk management function has not informed the board of directors about the existence of a significant divergence of views between senior management and the risk management function regarding the level of risk faced by the bank, the head of internal audit must inform the audit committee about this divergence.
Added: April 2018
Capital Adequacy and Liquidity
HC-6.5.35
The internal audit function must review the bank's system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources in relation to the bank's risk exposures and established minimum ratios.
Added: April 2018
HC-6.5.36
Internal audit must review management's process for stress testing its capital levels.
Added: April 2018
HC-6.5.37
Internal audit must review the effectiveness of the bank's systems and processes for measuring and monitoring its liquidity positions in relation to its risk profile, external environment, and minimum regulatory requirements including the requirement set out in Paragraph CA-1.3.4.
Added: April 2018
Regulatory and Internal Reporting
HC-6.5.38
The internal audit function must regularly evaluate the effectiveness of the process by which the risk and reporting functions interact to produce timely, accurate, reliable and relevant reports for both internal management and the CBB. Such reports include, but are not limited to, the PIR and the public disclosure requirements included in the CBB Rulebook, Module PD.
Added: April 2018
Compliance
HC-6.5.39
The internal audit function must periodically review the scope of the activities of the compliance function using the risk-based approach. The audit of the compliance function must include an assessment of how effectively it fulfils its responsibilities.
Added: April 2018
Finance
HC-6.5.40
The internal audit function must periodically review the controls over the bank's finance function using the risk-based approach.
Added: April 2018
HC-6.5.41
The internal audit function must devote sufficient resources to evaluate the valuation control environment, the availability and reliability of information or evidence used in the valuation process and the reliability of estimated fair values. This is achieved through reviewing the independent price verification processes and testing valuations of significant transactions.
Added: April 2018
HC-6.5.42
The internal audit function must, as a minimum, also include the following aspects in its scope:
(a) The organisation and mandate of the finance function;
(b) The adequacy and integrity of underlying financial data and finance systems and processes for completely identifying, capturing, measuring and reporting key data such as profit or loss, valuations of financial instruments and impairment allowances;
(c) The approval and maintenance of pricing models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
(d) Controls in place to prevent and detect trading irregularities; and
(e) Balance sheet controls including key reconciliations performed and actions taken (e.g. adjustments).
Added: April 2018
Permanency of the Internal Audit Function
HC-6.5.43
The internal audit function must be structured consistently with Paragraphs HC-6.5.61 to HC-6.5.65. Senior management and the board must ensure that the internal audit function is permanent and commensurate with the size, the nature and complexity of the bank's operations.
Added: April 2018
HC-6.5.44
Where the head of the internal audit function ceases to act in this capacity, the CBB will meet with him/her to discuss the reasons.
Added: April 2018
Responsibilities of the Board of Directors and Senior Management
HC-6.5.45
Islamic bank licensees' board of directors must ensure that senior management establishes and maintains an adequate, effective and efficient internal control system (see HC-1.2.3(c)) and, accordingly, the board must support the internal audit function in discharging its duties effectively.
Added: April 2018
HC-6.5.46
The board of directors must review, at least annually, the effectiveness and efficiency of the internal control system based, in part, on information provided by the internal audit function (see HC-1.2.10).
Added: April 2018
HC-6.5.47
The board of directors, its audit committee and senior management must promote a strong internal control environment supported and assessed by a sound internal audit function.
Added: April 2018
HC-6.5.48
As part of its oversight responsibilities, the audit committee must review the performance of the internal audit function.
Added: April 2018
HC-6.5.49
Every five years, the audit committee must commission an independent external quality assurance review of the internal audit function.
Added: April 2018
HC-6.5.50
Senior management must inform the internal audit function of new developments, initiatives, projects, products and operational changes.
Added: April 2018
HC-6.5.51
Senior management must ensure that all internal audit findings and recommendations are resolved, counting from the issue date of the relevant internal audit report, within six months for high risk/critical issues and within 12 months for any other issues.
Added: April 2018
HC-6.5.52
Senior management must ensure that the head of internal audit has the necessary resources, financial and otherwise, available to carry out his or her duties commensurate with the annual internal audit plan, scope and budget approved by the audit committee.
Added: April 2018
Responsibilities of the Audit Committee in relation to the Internal Audit Function
HC-6.5.53
The audit committee must oversee the bank's internal audit function (see also Paragraph HC-3.2.3).
Added: April 2018
HC-6.5.54
The bank's audit committee and the internal audit function must develop and maintain their own tools to assess the quality of the internal audit function.
Added: April 2018
HC-6.5.55
The audit committee must ensure that the internal audit function is able to discharge its responsibilities in an independent manner, consistent with Paragraph HC-6.5.8. It must review and approve the audit plan, its scope, and the budget of the internal audit function. It must also review audit reports and ensure that senior management is taking necessary and timely corrective actions to address control weaknesses, compliance issues with policies, laws and regulations, and other concerns identified and reported by the internal audit function.
Added: April 2018
Management of the Internal Audit Function
HC-6.5.56
The head of the internal audit function must ensure that the function complies with The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.
Added: April 2018
HC-6.5.57
The audit committee must ensure that the head of the internal audit function is a person of integrity. This means that he or she will be able to perform his or her work with honesty, diligence and responsibility. It also implies that this person observes the law and has not been a party to any illegal activity. The head of internal audit must also ensure that the members of internal audit staff are persons of integrity.
Added: April 2018
Reporting Lines of the Internal Audit Function
HC-6.5.58
The internal audit function must be accountable to the audit committee on all matters related to the performance of its mandate as described in the internal audit charter. It must also promptly inform the CEO and other related Heads of Functions about its findings.
Added: April 2018
HC-6.5.59
The internal audit function must inform senior management of all significant findings so that timely corrective actions can be taken. Subsequently, the internal audit function must follow up with senior management on the outcome of these corrective measures. The head of the internal audit function must report quarterly to the audit committee on the status of pending findings.
Added: April 2018
The Relationship between the Internal Audit, Compliance and Risk Management Functions
HC-6.5.60
The relationship between a bank's business units, the support functions and the internal audit function can be explained using the three lines of defence model. The business units are the first line of defence. They undertake the management of risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business. The second line of defence includes the support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support functions work closely to help define strategy, implement bank policies and procedures, and collect information to create a bank-wide view of risks. The third line of defence is the internal audit function, which independently assesses the effectiveness of the controls over the processes created in the first and second lines of defence and provides assurance on these processes. The responsibility for internal control does not transfer from one line of defence to the next line.
Added: April 2018
Internal Audit within a Group or Holding Company Structure
HC-6.5.61
The internal auditors who perform the internal audit work at the bank must report to the bank's audit committee, or its equivalent, and to the group or holding company's head of internal audit.
Added: April 2018
HC-6.5.62
To facilitate a consistent approach to internal audit across all the banks within a banking organisation, the board of directors of each bank within a banking group or holding company structure should ensure that either:
(a) The bank has its own internal audit function, which should be accountable to the bank's board and should report to the banking group or holding company's head of internal audit; or
(b) The banking group or holding company's internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.
Added: April 2018
HC-6.5.63
The board of directors and senior management of the parent bank in a banking group must ensure that an adequate and effective internal audit function is established across the banking organisation and must ensure that internal audit policies and practices are appropriate to the structure, business activities and risks of all of the components of the group or holding company.
Added: April 2018
HC-6.5.64
The head of internal audit at the level of the parent bank must define the group or holding company's internal audit strategy, determine the organisation of the internal audit function both at the parent and subsidiary bank levels (in consultation with these entities' respective audit committees and in accordance with local laws) and formulate the internal audit principles, which include the audit methodology and quality assurance measures.
Added: April 2018
HC-6.5.65
The group or holding company's internal audit function must determine the audit scope for the banking organisation. In doing so, it must comply with local legal and regulatory provisions and incorporate local knowledge and experience.
Added: April 2018
Outsourcing of Internal Audit Activities
HC-6.5.66
Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.
Added: April 2018
HC-6.5.67
The head of internal audit/coordinator must maintain adequate oversight and ensure that any outsourcing providers comply with the principles of the bank's internal audit charter.
Added: April 2018
HC-6.5.68
To preserve independence, the head of internal audit/coordinator must ensure that the outsourcing provider has not been previously engaged in a consulting engagement in the same area within the bank unless a one year "cooling-off" period has elapsed. Subsequently, those experts who participated in an internal audit engagement must not provide consulting services to a function of the bank they have audited within the previous 12 months. Additionally, banks must not outsource internal audit activities to their own external audit firm (see OM-3).
Added: April 2018
Communication between the CBB and the Internal Audit Function
HC-6.5.69
The bank's internal auditor must have formal regular communication with the CBB to (i) discuss the risk areas identified, (ii) understand the risk mitigation measures taken by the bank, and (iii) monitor the bank's response to weaknesses identified.
Added: April 2018
HC-6.5.70
At least two weeks prior to the prudential meeting date, all internal audit reports issued since the last prudential meeting must be submitted to the CBB supervisory point of contact.
Added: April 2018
HC-6.6 Risk Management
Bank-wide Risk Management Framework
HC-6.6.1
Islamic bank licensees must establish a sound risk management framework commensurate with the bank's size, complexity and risk profile. A risk management framework must have the following key features:
(a) active Board and senior management oversight;
(b) independent risk management function;
(c) a Board driven sound risk management culture that is established throughout the bank;
(d) appropriate policy, procedures and limits;
(e) comprehensive and timely identification, measurement, mitigation, controlling, monitoring and reporting of risks;
(f) appropriate management information systems ('MIS') at a business and bank-wide level; and
(g) comprehensive internal controls.
Added: July 2018
HC-6.6.2AA
Further to the requirement in Paragraph HC-B.1.2, branches of foreign bank licensees must demonstrate that the activities of the Bahrain branch are subject to appropriate risk management oversight commensurate with the size, complexity, nature and the risk profile of the branch.
Added: October 2019
HC-6.6.2
More specifically, the risk management framework generally encompasses the process of:
(a) developing and implementing the enterprise-wide risk governance framework, subject to the review and approval of the board, which includes the bank's risk culture, risk appetite and risk limits;
(b) identifying key risks to the bank including material individual, aggregate and emerging risks;
(c) assessing the key risks and measuring the bank's exposures to them;
(d) ongoing monitoring and assessing of the risk taking activities, decisions and risk exposures in line with the board-approved risk strategy, risk appetite, risk limits and determining the corresponding capital or liquidity needs (i.e. capital planning) on an ongoing basis;
(e) reporting to senior management, and the board or risk committee as appropriate, on all the items noted in this Paragraph including but not limited to proposing appropriate risk-mitigating actions;
(f) establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; and
(g) influencing and, when necessary, challenging decisions that give rise to material risk.
Added: July 2018
HC-6.6.3
Senior management must establish a risk management process that is not limited to credit, market, rate of return risk in the banking book (RRRBB), liquidity and operational risks, but which incorporates all material risks. This includes reputational and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks, could lead to material losses.
Added: July 2018
Independent Risk Management Function and Chief Risk Officer
HC-6.6.4
All Islamic bank licensees must establish an independent Risk Management function and appoint a head of the risk management function, referred to as Chief Risk Officer ('CRO') or any equivalent title. The function must be independent of the individual business lines and report directly to the Board of Directors or its Audit or Risk Committees and administratively to the Chief Executive Officer ('CEO'). The role of the CRO must be independent and distinct from other executive functions and business line responsibilities, and there must be no 'dual hatting' (i.e. the chief operating officer, CFO, chief auditor or other senior management personnel must not also serve as the CRO).
Added: July 2018
HC-6.6.5
For branches of foreign bank licensees, and where no local board of directors exists, all references in this Module to the board of directors should be interpreted as the Head Office/Regional Office.
Added: July 2018
HC-6.6.6
[This Paragraph was deleted in October 2019].
Deleted: October 2019
Added: July 2018
HC-6.6.7
Branches of foreign bank licensees operating in Bahrain have the choice of having an in-house risk management function in Bahrain or of outsourcing such a role to their regional or Head offices.
Amended: October 2019
Added: July 2018
HC-6.6.8
The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. The CRO should also not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the board should occur regularly and be documented adequately. Non-executive board members should have the right to meet regularly — in the absence of senior management — with the CRO.
Added: July 2018
HC-6.6.9
The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management framework. This includes the ongoing strengthening of risk management staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board and the Risk Committee, as appropriate, in its engagement with and oversight of the development of the bank's risk strategy and risk appetite statement ('RAS'), and for translating the risk appetite into a risk limits structure.
Added: July 2018
HC-6.6.10
The risk management function must have access to all business lines that have the potential to generate material risk to the Islamic bank licensee as well as to relevant risk-bearing subsidiaries.
Added: July 2018
HC-6.6.11
The CRO, together with management, must be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include participating in key decision-making processes (e.g. strategic planning, capital and liquidity planning, new products and services development and compensation design and operation).
Added: July 2018
HC-6.6.12
The CRO must have sufficient organisational stature, authority, seniority within the organisation and the necessary skills to oversee the bank's risk management activities.
Added: July 2018
HC-6.6.13
Appointment, dismissal and other changes to the CRO position must be approved by the board or its Risk/Audit Committee. If the CRO is removed from his or her position for any reason, this must be disclosed publicly. The bank must also discuss the reasons for such removal with the CBB. The CRO's performance, compensation and budget must be reviewed and approved by the board Remuneration Committee.
Added: July 2018
Board Risk Committee
HC-6.6.14
Further to HC-1.8.1, all Bahraini Islamic bank licensees must establish a board risk committee composed of at least three independent directors. Such board risk committee must be responsible for supporting the board in its oversight and decisions related to the bank's risk management framework.
Added: July 2018
HC-6.6.15
The risk committee must meet the following requirements:
(a) must be chaired by an independent director;
(b) include a majority of members who are independent of day to day risk taking activities;
(c) include members who have experience in risk management issues and practices;
(d) develop a committee charter which, among other matters, includes its role in the discussion of risk strategies, both on an aggregated basis and by type of risk, and in making recommendations to the board thereon and on the risk appetite and risk limits;
(e) review and revise, as may be required, the bank's policies from a risk management perspective, at least every three years, unless there are material changes in the relevant Rulebook requirements or to the business conducted by the bank and/or its risk profile;
(f) review and recommend the appointment or removal of the Chief Risk Officer; and
(g) oversee that the bank has in place processes to promote the bank's adherence to the approved risk policies.
Added: July 2018
Role of Board and Senior Management
HC-6.6.16
The Board must define the
Islamic bank licensee's risk appetite and ensure that the bank's risk management framework is aligned with the bank's strategic, capital strategies and financial plans and compensation practices and includes detailed policy that sets specific bank-wide prudential limits on the bank's activities. The bank's risk appetite must be clearly conveyed through an RAS that can be easily understood by all relevant parties, the board itself,senior management and bank employees.Added: July 2018HC-6.6.17
The
Islamic bank licensee's RAS must:(a) include both quantitative and qualitative considerations;(b) establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity;(c) define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and(d) be communicated effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank.Added: July 2018HC-6.6.18
Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification.
Added: July 2018HC-6.6.19
The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO).
Added: July 2018HC-6.6.20
The Board must ensure that:
(a) a sound risk management culture is established throughout the bank;(b) appropriate limits are established that are consistent with the bank's risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff;(c) policy and processes are developed for risk-taking, that are consistent with the Risk Management Strategy and the established risk appetite;(d) uncertainties attached to risk measurement are recognised; and(e)senior management is taking all necessary steps to monitor and control all material risks consistent with the approved strategies and risk appetite.Added: July 2018HC-6.6.21
The Board of Directors and
senior management must possess sufficient knowledge of all major business lines to ensure that appropriate policy, controls and risk monitoring systems are implemented effectively. They must have the necessary expertise to understand the activities in which the bank is involved — such as securitisation and off-balance sheet activities — and the associated risks. The Board andsenior management must remain informed, on an on-going basis, about these risks as financial markets, risk management practices and the bank's activities evolve. In addition, the Board andsenior management must ensure that accountability and lines of authority are clearly delineated.Added: July 2018HC-6.6.22
Before embarking on new lines of business or activities, the Board and
senior management must identify and review the changes in risk profile arising from these potential new activities and ensure that the infrastructure and the internal controls necessary to manage any related risks, are in place.Added: July 2018HC-6.6.23
Before embarking on new or complex products,
senior management must identify and review the changes in risk profile arising from these potential new products and ensure that the infrastructure and internal controls necessary to manage any related risks, are in place.Added: July 2018HC-6.6.24
For purposes of paragraphs HC-6.6.22 and HC-6.6.23,
senior management must understand the underlying assumptions regarding accounting treatment, business models, valuation and risk management practices. In addition,senior management must evaluate the potential risk exposure if those assumptions fail.Added: July 2018HC-6.6.25
As part of the Board members annual training program,
Islamic bank licensees must include training to enable Board members to better analyse risk and question strategic decisions, policy and transactions. Banks must also provide adequate training for all staff across the business units on risk management related matters.Added: July 2018Policy, Procedures, Limits and Controls
HC-6.6.26
An Islamic bank licensee's policy and procedures must provide specific guidance for the implementation of broad risk management strategies and must establish, where appropriate, internal limits for the various types of risk to which the bank may be exposed. These limits must consider the bank's role in the financial system and be defined in relation to the bank's capital, total assets, earnings or, where adequate measures exist, its overall risk level.
Added: July 2018
HC-6.6.27
An Islamic bank licensee's policy, procedures and limits must:
(a) Provide for adequate and timely identification, measurement, monitoring, control and mitigation of all risks, including the risks posed by its lending, investing, trading, securitisation, off-balance sheet, fiduciary and other significant activities at the business line and bank-wide levels;
(b) Ensure that the economic substance of a bank's risk exposures, including reputational risk and valuation uncertainty, is fully recognised and incorporated into the bank's risk management processes;
(c) Be consistent with the bank's stated goals and objectives, as well as its overall financial strength;
(d) Clearly delineate accountability and lines of authority across the bank's various business activities, and ensure there is a clear separation between business lines and the Risk Management function;
(e) Escalate and address breaches of internal position limits;
(f) Provide for the review of new businesses and products by bringing together all relevant risk management, control and business lines, to ensure that the bank is able to manage and control the activity prior to it being initiated; and
(g) Include a schedule and process for reviewing the policy, procedures and limits, and for updating them as appropriate.
Added: July 2018
Monitoring and Reporting of Risk
HC-6.6.28
An Islamic bank licensee's MIS must provide the Board and senior management with timely and relevant information concerning their risk profile, in a clear and concise manner. This information must include all risk exposures, including those that are off-balance sheet. Senior management must understand the assumptions behind, and limitations inherent in, specific risk measures.
Added: July 2018
HC-6.6.29
Islamic bank licensees must establish appropriate risk management methodologies, tools, models and systems commensurate with the nature and complexity of their business.
Added: July 2018
HC-6.6.30
Where Islamic bank licensees use models to measure components of risk, they must establish model governance frameworks including regulatory validation and testing.
Added: July 2018
HC-6.6.31
Islamic bank licensees must have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products, countries, regions, etc. and counterparties. These reports must reflect the bank's risk profile, capital and liquidity needs, and must be provided on a timely basis to the bank's Board and senior management. A bank's MIS must be capable of capturing limit breaches, and there must be procedures in place to promptly report such breaches to senior management, as well as to ensure that the appropriate follow-up actions are taken.
Added: July 2018
HC-6.6.32
The CRO must consistently remind staff, through a regular process under the sponsorship of the CEO, of the risk management requirements and enhance a common understanding of these requirements across the bank in order to create a culture of risk awareness.
Added: July 2018
Independent Review
HC-6.6.33
Islamic bank licensees must ensure that their risk management frameworks are subject to a comprehensive independent review by a third-party consultant, other than their external auditors:
(a) Upon first implementation of a new or revised module on specific risk management requirements;
(b) When there are material changes to certain Rulebook requirements and the CBB requires such a review;
(c) When there are material changes to the business conducted by the bank or its risk profile and the CBB requires such a review; or
(d) In case of a major failure of controls or major adverse changes in the relevant business environment and the CBB requires such a review.
Amended: January 2022
Added: July 2018
HC-6.6.34
With regard to HC-6.6.33(a), the relevant modules are the following:
(a) Module IC;
(b) Module CA;
(c) Module DS;
(d) Module CM;
(e) Module OM;
(f) Module ST;
(g) Module LM; and
(h) Module RR.
Amended: January 2022
Added: July 2018
HC-6.6.35
Resources involved in the independent third-party review must be competent and appropriately trained. The independent third party must not have been previously involved in the development, implementation or operation of the bank's risk management framework.
Added: January 2022
HC-6.6.36
The independent review reports must be presented to the Board or a designated committee of the Board. The agreed action planning steps to remedy any material weaknesses must be documented. The independent report, together with the action plan, must be provided to the CBB within one month of the date of the report.
Added: January 2022