Internal Controls, Compliance and Internal Audit Regulation
C 161/2018 Effective from 29/8/2018
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, Banks must have strong internal control frameworks and establish permanent, independent and effective compliance and internal audit functions.
In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approaches to internal controls, compliance and internal audit are in line with leading international practices.
This Regulation and the accompanying Standards must be read in conjunction with the Central Bank Regulation and Standards on Corporate Governance in Banks, which establish the overarching prudential framework.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
Where this Regulation, or its accompanying Standards, include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements that are additional to the listing provided in the relevant Article.
Objective
The objective of this Regulation is to establish the minimum acceptable standards for Banks’ approach to internal controls, compliance and internal audit, with a view to:
- Ensuring the soundness of Banks; and
- Contributing to financial stability.
The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to internal controls, compliance and internal audit.
Scope of Application
This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and the Standards are adhered to on a solo and Group-wide basis.
Article (1): Definitions
- Affiliate: An entity owned by another entity by more than 25% and less than 50% of its capital.
- Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
- Board: The Bank’s board of directors.
- Central Bank: The Central Bank of the United Arab Emirates.
- Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
- Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the board of directors, or the decisions made by the board or by the general assembly of the entity, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence.
- Compliance function: An independent function that identifies, assesses, advises on, monitors and reports on the Bank’s compliance risk.
- Compliance risk: The risk of legal or regulatory sanctions, loss to reputation or material financial loss a Bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities.
- Group: A group of entities which includes an entity (the 'first entity') and:
- a) any Controlling Shareholder of the first entity;
- b) any Subsidiary of the first entity or of any Controlling Shareholder of the first entity; and
- c) any Affiliate.
- Internal Audit function: An independent function that provides independent assurance to the Board of directors and Senior Management on the quality and effectiveness of a Bank’s internal control, risk management and governance systems and processes, thereby helping the Board and Senior Management protect their organization and its reputation.
- Internal Control: Consists of five interrelated elements, whose effective functioning is essential to achieving a Bank’s performance, information, and compliance objectives:
- management oversight and the control culture;
- risk recognition and assessment;
- control activities and segregation of duties;
- information and communication; and
- monitoring activities and correcting deficiencies.
- Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
- Matter of Significance: A matter, or group of matters, that would have a significant impact on the activities or financial position of the Bank. Examples include failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the Bank’s operations or financial reporting process or other matters that are likely to be of significance to the function of the Central Bank as regulator.
- Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
- Subsidiary: An entity owned by another entity by more than 50% of its capital, or that is under full control of that entity regarding the appointment of the board of directors.
Article (2): Internal Control Framework
- The Board and Senior Management are responsible for ensuring that the Bank, and if applicable, Group, has an internal control framework that is adequate to establish a properly controlled operating environment for the conduct of its business, taking into account its risk profile.
- Senior Management is responsible for developing an internal control framework that identifies, measures, monitors and controls all risks faced by the Bank. Specific internal controls must deal with organizational structure, accounting and financial reporting policies and processes, checks and balances, and the safeguarding of assets and investments. It must also include measures against unauthorized trading and computer intrusion.
- Banks’ organizational structures should incorporate a “three lines of defence” approach comprising the business lines, the support and control functions and an independent internal audit function.
- Banks’ internal control frameworks must provide for a balance of the skills and resources of the back office, control functions and operational management relative to the business origination units. This includes, but is not limited to, ensuring that the staff of the back office and control functions have sufficient expertise and authority within the Bank, and in the case of control functions sufficient access to the Board, to be an effective check and balance to the business origination units.
Article (3): Compliance Function
- The Board is responsible for ensuring that the Bank, and if applicable, Group, has an independent, permanent and effective compliance function to monitor and report on observance of all applicable laws, regulations and standards and on adherence by staff and members of the Board to legal requirements, proper codes of conduct and policy on conflicts of interest.
- Banks must have a Board-approved compliance policy that is communicated to all members of staff specifying the purpose, standing and authority of the compliance function within the Bank, and if applicable Group.
- The staff within the compliance function must be sufficient, competent and collectively have the appropriate experience within the Bank to ensure that compliance risk within the Bank is managed effectively.
- The compliance function must have primary reporting obligations to the chief executive officer and a right of direct access to the Board or the Board audit committee and/or Board risk committee.
- The compliance function must prepare and regularly update a risk-based compliance programme that sets out its planned activities, subject to oversight by the head of compliance. The activities of the compliance function must be subject to periodic and independent review by the internal audit function.
- Banks, for which the Central Bank is the primary regulator, having significant Group relationships including Subsidiaries, Affiliates, or international branches must ensure a consistent compliance policy across the Group.
Article (4): Internal Audit Function
- The Board is responsible for ensuring that the Bank, and if applicable, Group, has an independent, permanent and effective internal audit function commensurate with the size, nature of operations and complexity of its organization.
- The internal audit function must provide independent assurance to the Board and Senior Management on the quality and effectiveness of the Bank’s internal controls, risk management, compliance, corporate governance, and the systems and processes created by the business units, support and control functions.
- The internal audit function must report to the Board or the Board audit committee.
- The internal audit function must be independent of the audited activities and have a sufficient standing and authority within the Bank, thereby enabling the internal auditors to carry out their assignments with objectivity.
- The internal audit function must have full access to and communication with any member of staff as well as full access to records, files or data of the Bank, and if applicable Group and Affiliates, whenever relevant to the performance of its duties.
- The staff within the internal audit function must be sufficient, competent and collectively have the appropriate experience to understand and evaluate all of the business activities, support and control functions of the Bank, and if applicable, Group.
- The head of internal audit must ensure that the function complies with the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing.
- Banks must have an internal audit charter approved by the Board audit committee, that articulates the purpose, standing and authority of the internal audit function within the Bank, and if applicable, Group.
- The internal audit function must have an annual internal audit plan approved by the Board audit committee that allocates resources based on its own risk-based assessment employing a methodology that identifies the material risks run by the Bank, and if applicable Group.
- Senior Management must inform the internal audit function on a timely basis of any changes to the Bank’s, or if applicable, Group’s, risk governance framework.
- Senior Management must ensure that timely and appropriate actions be taken on all internal audit findings and recommendations.
- Banks, for which the Central Bank is the primary regulator, having significant Group relationships including Subsidiaries, Affiliates, or international branches, must ensure a consistent approach to internal audit across the Group.
Article (5): Compensation
- Compensation of employees in the compliance and internal audit functions must be determined independently of the performance of the Bank.
Article (6): Duty to Report to the Central Bank
- Heads of compliance and/or internal audit functions must promptly report to the Central Bank violations of the Central Bank Law, regulations, instructions and any Matters of Significance. Heads of compliance and internal audit making such reports in good faith shall not be considered to have breached any of their obligations.
- Banks must promptly notify the Central Bank in case of resignation of their heads of compliance or internal audit and the reasons thereof, as well as obtain the no-objection of the Central Bank before their replacement or dismissal.
- Banks must also promptly notify the Central Bank when they become aware of a significant deviation from their Board-approved compliance policies and internal audit charters.
Article (7): Islamic Banking
- Banks offering Islamic financial services must have compliance and internal audit functions that ensure Shari’a compliance.
Article (8): Enforcement and Sanctions
- Violation of any provision of this Regulation and the accompanying Standards may be subject to regulatory action and sanctions as deemed appropriate by the Central Bank. These may include withdrawing, replacing or restricting the powers of Senior Management or members of the Board, providing for the interim management of the Bank, or barring individuals from the UAE banking sector.
Article (9): Interpretation of Regulation
- The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (10): Cancellation of Previous Notices
- This Regulation replaces Article A3 of the previous Central Bank Circular No 23/00 dated 22 July 2000, Required Administrative Structure in Banks.
Article (11): Publication and Application
- This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.