Operational Risk Regulation
C 163/2018 Effective from 29/8/2018
Introduction
The Central Bank seeks to promote the effective and efficient development and functioning of the banking system. To this end, Banks must have appropriate policies, processes, procedures, systems and controls to identify, monitor and mitigate operational risks.
In introducing this Regulation and the accompanying Standards, the Central Bank intends to ensure that Banks’ approaches to operational risk are in line with leading international practices.
This Regulation and the accompanying Standards are issued pursuant to the powers vested in the Central Bank under the Central Bank Law.
Where this Regulation or its accompanying Standards include a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements which are additional to the list provided in the relevant article.
Objective
The objective of this Regulation is to establish minimum acceptable standards for Banks’ approach to managing operational risks, with a view to:
i Ensuring the soundness of Banks; and
ii Enhancing financial stability.
The accompanying Standards supplement the Regulation to elaborate on the supervisory expectations of the Central Bank with respect to operational risk management.
Application
This Regulation and the accompanying Standards apply to all Banks. Banks established in the UAE with significant Group relationships, including Subsidiaries, Affiliates, or international branches, must ensure that the Regulation and Standards are adhered to on a solo and Group-wide basis.
This Regulation and Standards must be read in conjunction with the Risk Management Regulation and Standards, which establish the requirements for Banks’ overarching approach to risk management.
Article 1: Definitions
- Affiliate: An entity that, directly or indirectly, controls, is controlled by or is under common control with another entity. The term control as used herein shall mean the holding, directly or indirectly, of voting rights in another entity, or of the power to direct or cause the direction of the management of another entity.
- Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a Bank.
- Board: The Bank’s Board of Directors.
- Central Bank: The Central Bank of the United Arab Emirates.
- Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
- Central Bank regulations: Any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
- Group: A group of entities that includes an entity (the 'first entity') and:
- a) any Parent of the first entity;
- b) any Subsidiary of the first entity or of any Parent of the first entity; and
- c) any Affiliate.
- Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
- Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.
- Parent: An entity (the 'first entity') which:
- a) holds a majority of the voting rights in another entity (the 'second entity');
- b) is a shareholder of the second entity and has the right to appoint or remove a majority of the Board of directors or managers of the second entity; or
- c) is a shareholder of the second entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the second entity; or
- d) the second entity is a subsidiary of another entity which is itself a subsidiary of the first entity.
- Risk appetite: The aggregate level and types of risk a Bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
- Risk limits: Specific quantitative measures that must not be exceeded based on, for example, forward looking assumptions that allocate the Bank’s aggregate risk appetite to business lines, legal entities or management units within the Bank or Group in the form of specific risk categories, concentrations or other measures as appropriate.
- Risk profile: Point in time assessment of the Bank’s gross (before the application of any mitigants) or net (after taking into account mitigants) risk exposures aggregated within and across each relevant risk category based on current or forward-looking assumptions.
- Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
- Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
- Subsidiary: An entity (the 'first entity') is a subsidiary of another entity (the 'second entity') if the second entity:
- a) holds a majority of the voting rights in the first entity;
- b) is a shareholder of the first entity and has the right to appoint or remove a majority of the Board of directors or managers of the first entity; or
- c) is a shareholder of the first entity and controls alone, pursuant to an agreement with other shareholders, a majority of the voting rights in the first entity; or
- d) the first entity is a subsidiary of another entity which is itself a subsidiary of the second entity.
Article 2: Operational Risk Governance Framework
- A Bank must have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk on a timely basis.
- The members of the Board bear ultimate responsibility for ensuring that a Bank has an adequate operational risk governance framework, which must be fully integrated into the Bank’s overall risk governance framework.
- A Bank must ensure that its operational risk strategy, policies and processes are consistent with its risk profile, systemic importance, risk appetite and capital strength and take account of market and macroeconomic conditions.
- A Bank must address all major aspects of operational risk prevalent in the business of the Bank on a bank-wide and if applicable Group-wide basis.
Article 3: Board of Directors
- The Board must approve and thereafter review at least annually, the Bank’s operational risk strategies, policies and processes, including disaster recovery and business continuity plans.
- The Board must establish a formal process to oversee Senior Management and ensure that the strategies, policies and processes are implemented effectively at all decision levels.
Article 4: Senior Management
- Senior Management must ensure that the Board-approved operational risk management strategy and significant policies and processes are implemented effectively and fully integrated into the Bank’s overall risk management process.
Article 5: Identification and Assessment
- The Board-approved operational risk management strategy must provide for the identification and assessment of the operational risks inherent in all material products, activities, processes and systems.
Article 6: Control and Mitigation
- The Board-approved operational risk management strategy must foster a strong control environment that utilizes policies, processes and systems, appropriate internal controls and appropriate risk mitigation and transfer.
Article 7: Disaster Recovery and Business Continuity Management
- A Bank must have disaster recovery and business continuity plans in place to ensure its ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. Such plans must be commensurate with the risk profile, nature, size and complexity of the Bank’s business and structure and take into account different scenarios to which the Bank may be vulnerable.
- Disaster recovery and business continuity plans must ensure that critical business functions can be maintained or recovered in a timely manner to minimize the financial, legal, regulatory, reputational and other risks that may arise from a disruption.
- The Board must ensure there is a periodic independent review of the Bank’s disaster recovery and business continuity plans to ensure adequacy and consistency with current operations, risks and threats, recovery levels and priorities.
Article 8: Information Technology
- A Bank must establish appropriate information technology policies and processes to identify, assess, monitor and manage technology risks.
- A Bank must have appropriate information technology infrastructure to meet its current and projected business requirements under normal circumstances and in periods of stress. This infrastructure must ensure data and system integrity, security and availability and support integrated and comprehensive risk management.
Article 9: Systems and Internal Reporting
- A Bank must have appropriate and effective information systems to:
- a) Monitor operational risk;
- b) Compile and analyze operational risk data; and
- c) Facilitate appropriate reporting mechanisms at the Bank’s Board, Senior Management and business line levels that support proactive management of operational risk.
Article 10: Reporting Requirements and Disclosure
- A Bank must promptly notify the Central Bank when it becomes aware of a significant deviation from its Board-approved operational risk appetite statement, policies or procedures, or becomes aware that a material operational risk has not been adequately addressed.
- A Bank must provide, upon request, any specific information with respect to operational risk that the Central Bank may require.
- A Bank’s publicly disclosed information must be appropriate to permit stakeholders to assess the Bank’s approach to operational risk management in the context of the Bank’s size, risk profile, complexity of operations and evolving industry practice.
- A Bank must promptly notify the Central Bank of any operational risk event that triggers, or is likely to trigger disaster recovery or business continuity plans, or has, or is likely to have, a material impact on the Bank’s operations, profitability or capital.
Article 11: New Businesses, Products and Systems
- The approval procedures for new businesses, products or systems or material modification of existing businesses, products or systems required by the Risk Management Regulation and Standards must explicitly address operational risk.
Article 12: Islamic Banking
- A Bank offering Islamic financial services must ensure that its operational risk management framework addresses any operational risks arising from potential non-compliance with Shari’a rules and principles.
Article 13: Enforcement
- Violation of any provision of this Regulation and the accompanying Standards shall be subject to supervisory action as deemed appropriate by the Central Bank.
Article 14: Interpretation of Regulations
- The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article 15: Cancellation of Previous Notices
- This Regulation and the accompanying Standards replace all previous Central Bank regulations with respect to operational risk.
Article 16: Publication and Application
- This Regulation and the accompanying Standards shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.