Introduction

International Monetary Fund. Monetary and Capital Markets Department

doi:10.5089/9781484309773.002.A001

Introduction

Author:

International Monetary Fund. Monetary and Capital Markets Department

International Monetary Fund. Monetary and Capital Markets Department
Search for other papers by International Monetary Fund. Monetary and Capital Markets Department in
Current site
Google Scholar

Publication Date:: 03 Mar 2015

eISBN:: 9781484309773

Language:: English

Keywords:: ISCR; CR; risk management; banking group; senior management; board of directors; risk profile; internal audit; External audit; Market risk; Credit risk; Internal audit; Auditing; Africa; Global; Southern Africa; BSD staff; audit committee

Download PDF (1.3 MB)

This paper discusses key findings of the Detailed Assessment of Compliance on the Basel Core Principles for Effective Banking Supervision in South Africa. The South African banking system is highly concentrated with more than 90 percent of banking assets being controlled by the five largest banks. A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws, and undertake timely corrective actions to address safety and soundness concerns. The responsibilities and objectives of each of the authorities involved in banking supervision are clearly defined in legislation and publicly disclosed.

Abstract

1. South Africa has a high level of compliance with the Basel Core Principles for Effective Banking Supervision (BCPs). The current supervisory regime is based on strong relationships with bank Boards and senior management, as well as with banks’ internal and external auditors, supported by intensive qualitative and quantitative analysis. The Registrar of Banks (the head of banking supervision) and his staff in the Bank Supervision Department (BSD) of the South African Reserve Bank (SARB) hold banks to a very high standard of corporate governance and risk management.

2. The South African banking system is highly concentrated with more than 90 percent of banking assets being controlled by the five largest banks. The same laws, regulations and supervisory processes apply to all banking institutions, irrespective of their size. However, under a risk-based system, a much larger percentage of supervisory focus and resources centers quite naturally on the largest institutions.

3. The SARB, as a member of the Basel Committee on Banking Supervision (BCBS), is committed to the adoption of international standards and sound practices promulgated by the BCBS, as well as other relevant international standard-setting bodies. The SARB has implemented, or is in the process of implementing, all of the BCBS standards, most notably those related to capital adequacy and liquidity. The SARB is to be commended for its ongoing commitment to adhering to the highest standards for supervision and regulation, and also for encouraging and supporting its supervisory counterparts in neighboring countries in implementing key standards, as appropriate, which should also help to ensure the adequate oversight of South African banks’ cross-border operations as they expand.

4. Since the previous assessment conducted in 2010, the BSD has made several significant improvements to its supervisory framework. Most notably, the department has increased supervisory staff by almost 50 percent, and it now includes a corps of risk specialists to complement the analysis teams, and additional on-site inspectors, thereby enabling the BSD to have more direct interaction with the banks and place less reliance on external auditors. In addition, several shortcomings in bank regulations have been addressed since 2010. Cooperation with relevant domestic and foreign supervisors has also been strengthened.

5. There are a few areas in relation to the legal and regulatory frameworks as well as powers that still warrant improvement. These include, among others, legal provisions related to objectives of the supervisory institution and appointment and dismissal of its head, the power to suspend or limit a bank’s registration expeditiously, and supervisory techniques to address risks stemming from the non-banking activities of a financial group. While the BSD has been able, for the most part, to work around these weaknesses, amendments to the appropriate laws and regulations should be made as soon as possible. In addition, supervisory techniques to monitor the risk of an entire financial group should be further improved. The SARB anticipates that the laws and regulations will be further strengthened in the next round of amendments expected to take place as part of the restructuring of the financial regulatory system in South Africa.

6. As the country’s financial sector oversight is going through a substantial transition, efforts should be made to maximize the benefit of the new twin peaks structure. In 2011, the National Treasury announced its intention to adopt the twin peaks model of financial regulation. The new Prudential Authority will be a department within the SARB and the current BSD staff will become part of the new Authority, merging with prudential supervisors of insurers and several other categories of financial institutions currently within the Financial Services Board (FSB). This move has the potential to contribute to safeguarding the stability of the banking system, given the unique situation of the banking sector in South Africa, which is also substantially involved in insurance and other financial activities as groups. But the new prudential supervisor needs to establish an appropriate framework and improve tools to supervise these diversified entities without undermining the current high quality oversight of banks.

Background Information and Methodology

7. This assessment of the current state of the implementation of the Basel Core Principles for Effective Banking Supervision (BCPs) in South Africa has been completed as a part of a Financial Sector Assessment Program (FSAP) update undertaken by the International Monetary Fund (IMF) during 2014.¹ It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or crisis management framework, which have been addressed in the broader FSAP exercise.

8. An assessment of the effectiveness of banking supervision requires a review of the legal framework, and detailed examination of the policies and practices of the institution(s) responsible for banking regulation and supervision. In line with the BCP methodology, the assessment focused on banking supervision and regulation in South Africa and did not cover the specificities of regulation and supervision of other financial intermediaries, which are covered by other assessments conducted in this FSAP.

9. The South African authorities agreed to be assessed according to the Revised Core Principles Methodology issued by the BCBS (Basel Committee of Banking Supervision) in September 2012. This assessment was thus performed according to a significantly revised content and methodology as compared with the previous BCP assessment carried out in 2010 which was conducted under the former BCP methodology. It is important to note that this assessment cannot and should not be compared to the previous undertaking, as the revised BCPs have a heightened focus on risk management and its practice by supervised institutions and its assessment by the supervisory authority, raising the bar to measure the effectiveness of a supervisory framework (see box for more information on the Revised BCPs).

10. The South African authorities also chose to be assessed against both the Essential and Additional Criteria but rated against only the Essential Criteria. In order to assess compliance, the BCP Methodology uses a set of essential and additional assessment criteria for each principle. Only the essential criteria (EC) were used to gauge full compliance with a CP. The additional criteria (AC) are recommended best practices against which the South African authorities have agreed to be assessed but not rated. A four-part grading system is used: compliant; largely compliant; materially noncompliant; and noncompliant. This is explained below in the detailed assessment section. The assessment of compliance with each CP is made on a qualitative basis to allow a judgment on whether the criteria are fulfilled in practice. Effective application of relevant laws and regulations is essential to provide indication that the criteria are met.

Box 1.

The 2012 Revised Core Principles

The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learnt from the financial crisis in 2008/2009. These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and Financial Stability Board, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the microprudential supervision of banks to assist in identifying, analyzing and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure and transparency.

The revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and the financial systems. In addition, supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risk inside and outside the banking sector may affect the risk to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention.

The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria. In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria.

While raising the bar for banking supervision, the Core Principles must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems.

11. The assessors reviewed the framework of laws, rules, and other materials provided and held extensive meetings with officials of the South African Reserve Bank (SARB) Banking Supervision Department, and additional meetings with the National Treasury, auditing firms, and banking sector participants. The authorities provided a self-assessment of the CPs, as well as responses to additional questionnaires, and provided access to supervisory documents and files, staff and systems.

12. The assessors appreciated the cooperation received from the authorities. The team extends its thanks to staff of the authorities who provided cooperation, including provision of documentation and access, at a time when staff was burdened by many initiatives related to global regulatory changes and reforms in the financial sector oversight structure in South Africa.

13. The standards were evaluated in the context of the South Africa’s financial system’s structure and complexity. The CPs must be capable of application to a wide range of jurisdictions whose banking sectors will inevitably include a broad spectrum of banks. To accommodate this breadth of application, according to the methodology, a proportionate approach is adopted, both in terms of the expectations on supervisors for the discharge of their own functions and in terms of the standards that supervisors impose on banks. An assessment of a country against the CPs must, therefore, recognize that its supervisory practices should be commensurate with the complexity, interconnectedness, size, risk profile and cross-border operation of the banks being supervised. The assessment considers the context in which the supervisory practices are applied. The concept of proportionality underpins all assessment criteria. For these reasons, an assessment of one jurisdiction will not be directly comparable to that of another.

14. An assessment of compliance with the BCPs is not, and is not intended to be, an exact science. Reaching conclusions required judgments by the assessment team. Nevertheless, by adhering to a common, agreed methodology, the assessment should provide the South African authorities with an internationally consistent measure of the quality of its banking supervision in relation to the BCPs, which are internationally acknowledged as minimum standards.

15. To determine the compliance with each principle, the assessment has made use of five categories: compliant; largely compliant, materially noncompliant, noncompliant, and nonapplicable. An assessment of “compliant” is given when all ECs are met without any significant deficiencies, including instances where the principle has been achieved by other means. A “largely compliant” assessment is given when there are only minor shortcomings, which do not raise serious concerns about the authority’s ability to achieve the objective of the principle and there is clear intent to achieve full compliance with the principle within a prescribed period of time (for instance, the regulatory framework is agreed but has not yet been fully implemented). A principle is considered to be “materially noncompliant” in case of severe shortcomings, despite the existence of formal rules and procedures and there is evidence that supervision has clearly not been effective, the practical implementation is weak or that the shortcomings are sufficient to raise doubts about the authority’s ability to achieve compliance. A principle is assessed “noncompliant” if it is not substantially implemented, several ECs are not complied with, or supervision is manifestly ineffective. Finally, a category of “non-applicable” is reserved for those cases that the criteria would not relate to the country’s circumstances.

Institutional and Market Structure—Overview

A. Institutional Framework for Regulation and Supervision

16. The responsibility for the regulation and supervision of banks lies with the SARB. As provided by the Banks Act of 1990 (BA), its authority is exercised through the Registrar of Banks and the Office for Banks, also known as the BSD, which falls under the Registrar’s direction. Some important powers formally rest with the Minister of Finance, such as issuing regulations and formally making important supervisory actions. As an internal department of the SARB, the organizational governance of the BSD, including the Registrar, follows the rules applicable to the central bank. The Banks Act provides a comprehensive legal framework for banking regulation and supervision in the country. The SARB and the BSD also have the responsibility for the regulation and supervision of mutual banks as provided by the Mutual Banks Act of 1993. The National Credit Regulator (NCR), which reports to the Minister of Trade & Industry, has a certain regulatory power over lending activity for consumer protection. The Financial Intelligence Center (FIC) acts as the country’s Financial Intelligence Unit (FIU).

17. The regulatory framework for banks follows international standards, and the implementation of Basel III has started since 2013. The BSD attaches strong importance to adopting international standards established by the BCBS and other international bodies such as the Financial Stability Board and the International Accounting Standard Board (IASB). Its regulatory and supervisory framework on banks is continuously updated to incorporate the latest international standards. They were also one of the first jurisdictions implementing Basel II and 2.5. A shorter phase-in period for Basel III capital than that of internationally agreed is set. Also, one percent additional capital is required for all banks. The authorities also intend to introduce the Liquidity coverage ratio (LCR) and the Net stable funding ratio (NSFR) according to the internationally-agreed timeframe.

18. The FSB has broad regulatory authority over other types of financial activities. It regulates and supervises insurance companies, although some of their lending activities are also under the purview of the NCR. For securities companies, while the FSB is responsible for supervising fund managers and exchanges, the supervisory responsibility for market intermediaries is divided between the FSB and the Johannesburg Stock Exchange (JSE). The FSB does not have any role in issuer supervision, which is undertaken by the JSE for listed companies and by the Department of Trade and Industry (DTI) for unlisted companies. The FSB also regulates the JSE (including SAFCOM, its clearance and settlement subsidiary), Strate Limited, and pension funds.

19. The regulatory and supervisory framework for the financial sector is expected to go through a substantial transformation through the adoption of the Twin Peaks structure. Under the plan, the prudential regulation and supervision of financial conglomerates, banks, insurance companies, securities exchanges and central counterparties as well as money market funds would be assigned to a single statutory entity located in the SARB, which will be called the Prudential Authority. The market conduct regulation and supervision of financial conglomerates, banks, insurance companies, securities exchanges and central counterparties as well as money market funds would be assigned to a separate dedicated statutory entity to be situated in the FSB, which will be called the Market Conduct Authority. The National Treasury has published the relevant bill for public consultation early this year, which is expected to be revised further. Amendments to acts regulating financial industries, such as the Banks Act, are expected to take place following the completion of the reorganization.

B. Overview of the Banking Sector

20. The financial sector in South Africa is large and sophisticated. Total financial sector assets of about 298 percent of GDP exceed those of most other emerging market. Commercial banks make up the single largest segment of the financial system with assets of slightly more than 112 percent of GDP. But their share in total financial assets has been declining in recent years with the rapid growth of the nonbank financial sector, and currently only comprises less than 40 percent of the total. Close to 95 percent of banking assets is domestic; some of the largest banks shrank their operations in advanced economies and non-African emerging market economies, but South African banks’ exposure to other African countries has expanded rapidly in recent years.

Figure 1.

Financial Assets in South Africa

Citation: IMF Staff Country Reports 2015, 055; 10.5089/9781484309773.002.A001

Source: SARB.

21. The banking sector is comprised of only 31 banks and foreign bank branches, and highly concentrated where large banks dominate. Five large banks—ABSA Bank, FirstRand Bank, Nedbank, Standard Bank of South Africa, and Investec Bank—dominates the sector, which together account for more than 90 percent of total banking assets. Four of the five large banks are providing full-scale banking services nationwide, while Investec’s operation is focused on corporate and private banking businesses. The rest of the sector consists of 7 locally owned banks, 5 subsidiaries of foreign banks, and 14 branches of foreign banks (end-2013). Except for two relatively large local banks focusing on retail banking, other banks, both locally controlled and foreign controlled, have limited operations, and not systemically important even regionally.

22. The banking industry has strong cross-border and cross-sectoral linkages. Three of the five large banks have strong ownership links with the U.K. Barclays, a U.K. global systemically important bank, has a fully-owned bank controlling company registered in South Africa, Barclays Africa Group, which owns a majority stake of ABSA Bank. Nedbank is indirectly owned by Old Mutual in the U.K, which also owns a major insurance subsidiary in South Africa. Investec is dual-listed on the JSE and London Stock Exchange and has a parallel structure where the U.K. holding company oversees the group’s non-African operations. In addition to Nedbank, all other major banks are also affiliated with insurance companies. For example, Standard Bank Group, the controlling company of Standard Bank, has the majority of shares in the Liberty Group, one of the largest insurers in the country. These bank-affiliated insurance companies underwrite a substantial proportion of private pension fund assets, and some banks also own asset management companies that offer unit trusts. These big banks have started to expand to other Sub-Saharan African countries, with Standard Bank and Barclays Africa Group spearheading the move. Four of the top five banks have 39 subsidiaries in 17 sub-Saharan countries. Their sizes of operation in these countries are still very small compared to the entire group, however.

Figure 2.

Shares of Banking Assets

Citation: IMF Staff Country Reports 2015, 055; 10.5089/9781484309773.002.A001

Source: SARB.

23. Banks remained sound and profitable during the crisis, with good asset quality and high capital ratios. While non-performing loans (NPLs) jumped from 2 percent of total loans at the onset of the crisis to 6 percent in late 2009, the average NPL ratio declined steadily since then to 3.6 percent in 2013. The regulatory tier one ratio of 13.4 percent in 2013 also compares favorably with banks in other countries. Return on equity (ROE) of the four largest banks is staying close to 20 percent. South African banks have also accumulated a sizable net foreign asset position and there is no evidence of large-scale unreported borrowing from abroad. The SARB also applies a 1 percent systemic risk surcharge to the large banks in addition to minimum capital requirements.

24. Banks are dependent on wholesale deposits with high loan-to-deposit ratios. The average funding maturity seems to have shortened in recent years with short-term deposits (6 months in maturity) rising to 63.3 percent of total deposits from 60.3 percent in 2008. In addition, the liquid asset to short-term liabilities ratio is around 16 percent. While deposits make up the largest source of bank funding (87.5 percent), a large part (60 percent) of it is wholesale funding from non-bank financial institutions and corporations with maturities of six months or less, reflecting the structural situation in South Africa where households are investing in non-deposit products such as pensions, insurance products and unit trust, which are in turn deposited in banks by providers of those products. The average loan-to-deposit ratio is 127 percent.

Preconditions for Effective Banking Supervision

A. Macroeconomic Environment

25. The financial sector operates in a challenging economic environment. A combination of slow growth, high unemployment, low savings and relatively high household debt is sustaining large current account and fiscal deficits. The South African economy contracted by 0.6 percent of GDP in 2014Q1 and is projected to grow only by 1.4 percent this year, down from 2 percent in 2013, and a pre-crisis high of 5.6 percent in 2006. The unemployment rate, already persistently high, has risen steadily to 25 percent while inflation remained at 6 percent. Fiscal deficits averaging 4 ½ percent of GDP for the past five years has led to a sharp increase in government debt from 27 percent of GDP to 46 percent in 2014. Reflecting this macroeconomic environment, an international rating agency recently downgraded the sovereign foreign and local currency ratings. Exchange controls on capital transactions by residents are in place, which keeps rand in the system, although it has been gradually relaxed.

26. Household debt rose rapidly in the years prior to the global financial crisis (GFC) to 82.4 percent of disposable income in 2008, although declined somewhat since then. A credit boom in the years prior to the GFC and, from 2009 when interest rates dropped to record lows, fueled a sharp increase in household debt. Mortgage lending peaked at 30 percent annual growth rate in 2006, declining to single digits in 2012, before picking up again in the first quarter of 2014. Although the household-debt-to-disposal-income ratio has declined steadily from its peak, to 75.2 percent in 2013, it remains well above the historical average before the GFC. At end 2013, total bank lending to households is 56 percent of bank total loans and advances. Floating-rate mortgages account for a large proportion of household debt. Bank lending to the corporate sector is 31 percent of banking sector assets, and total corporate debt accounted for 62 percent of GDP in 2013, up from 57.6 percent in 2010. The increase reflected mostly external borrowing by public sector corporations, which doubled their external debt between 2010 and 2012.

B. Frameworks for Financial Stability Oversight, Crisis Management, and Systemic Protection

27. The SARB performs the function of promoting financial stability. This mandate was added by the Minister of Finance in 2010. The SARB has subsequently established the Financial Stability Committee to discuss issues related to financial stability. The Financial Stability Department of the SARB was recently separated from the BSD. To fulfill its macroprudential mandate, the SARB conducts a number of tasks including: assessing risks to system wide stability; sharing risk assessment with other agencies / the public; contributing to the development of macroprudential instruments and policies; and developing and implementing any discretionary policy actions to mitigate risks. The SARB publishes Financial Stability Review twice a year.

28. The framework is expected to be reorganized substantially as a part of the move to the Twin Peaks structure. The Financial Stability Oversight Committee (FSOC), chaired by the SARB Governor and includes the Prudential Authority and the Market Conduct Authority as a member and a representative from the National Treasury as an observer, will be created and become responsible for monitoring and assessing systemic risks to financial stability, and making recommendations or taking actions to reduce or eliminate these risks. The FSOC is also expected to play a central role in crisis management and resolution.

29. The current bank resolution regime in South Africa comprises powers assigned to a curator, who is appointed by the Minister based on the recommendation of the Registrar when a bank is close to insolvency. The curator has broad powers to take control of the bank and its assets, some of which require prior approval of the Minister, but they lack critical features necessary to deal with a systemic case, and minimize risks to public funds. The existing legal framework does not require mandatory recovery plans to be prepared by banks, but the BSD has announced the introduction of recovery and resolution planning in a phased-in approach through a number of Guidance Notes. As a member of the Financial Stability Board, the South African authorities are committed to reforming the resolution regime to make it compliant with the Key Attributes of Effective Resolution by end 2015.

30. Formal systemic protection is limited in South Africa, but the authorities have intervened in bank failure cases on an ad-hoc basis. The country does not have a depositor protection scheme or a framework for systemic liquidity provision, but, in the past, capital and liquidity injections were made mostly by the SARB in the interest of stemming deposit contagion and preserving financial stability. The authorities have been considering introducing a deposit insurance scheme for some time but no decision has been made yet. The SARB set up a committed liquidity facility (CLF) to support banks to meet the Basel III LCR requirement from 2015, but it does not prevent the central bank from providing emergency liquidity assistance on different terms than the CLF. While there is no formal legal framework for crisis management, the Financial Sector Contingency Forum, which is chaired by a Deputy Governor of the SARB and whose members include representatives from the National Treasury, SARB and FSB was established to coordinate efforts on contingency planning for financial crisis, among others.

C. Infrastructures for the Financial Sector

31. South Africa has a well-developed system of laws. The Companies Act was recently updated to incorporate the latest thinking. It includes provisions on bankruptcy/insolvency and related matters. The King Report III, which sets the corporate governance best practice, is applicable to all companies listed on the main board of the JSE. The contract law is also well developed and covers a wide range of matters including, among others, debt, mediation between parties, insurance, and share sales. Consumer protection is addressed in the Consumer Protection Act, which applies to the sale of goods and services, and supplemented by the National Credit Act (NCA) which covers credit agreements. Business laws can be enforced through the courts system or parties can make use of arbitration and mediation for the resolution of disputes. The independence and impartiality of the judiciary have not been questioned, but the efficiency of the courts can be sometimes hampered and efforts for improvement are ongoing.

32. Accounting and auditing in South Africa are based on international standard and a well developed system exists to ensure their consistency and quality.²

South Africa has implemented International Financial Reporting Standards (IFRS) and International Standards on Auditing since 2005. The JSE has required listed companies to use IFRS since January 1, 2005. The Companies Act, however, does not require all companies to have their financial statements audited. The Companies Act Regulations permit the use of either IFRS, the IFRS for SMEs, or South African GAAP in specific instances. The Financial Reporting Standards Council (FRSC), a governmental body formed in 2011, has responsibility as the advisor to the Minister of Trade and Industry on financial reporting standards.
The Independent Regulatory Board for Auditors (IRBA) is responsible for overseeing registered auditors and audits performed by them. The South African Institute of Chartered Accountants (SAICA) is the national professional organization of Chartered Accountants, with more than 36,000 members. It participates in a number of international accounting bodies, including the trustees of the International Financial Reporting Standards Foundation (IFRS Foundation) and the International Accounting Standards Board (IASB). The Auditing and Assurance Standards Board (AASB), consists of SAICA and other business bodies, is responsible for ensuring consistency between South African auditing pronouncements and those of the International Auditing and Assurance Standards Board (IAASB). The Consultative Advisory Group advices the IAASB on technical issues, and its members include representatives from the SARB, FSB, JSE, Strate, and Institute of Internal Auditors.

33. South Africa also has a developed financial infrastructure, including a stock exchange, a Central Securities Depository, a national payment system, and credit bureaus:

The JSE is the primary exchange in South Africa and the largest in Africa. It offers primary and secondary markets for a range of financial products, including equities, bonds and derivatives. SAFCOM, a wholly owned subsidiary of the JSE, is a licensed clearinghouse for derivatives listed on the JSE.
Strate is the central securities depository (CSD). It provides electronic settlement for securities—including equity, bond and derivative products, such as warrants, Exchange Traded Funds (ETFs), retail notes and tracker funds for the JSE, and money market securities for the South African market, as well as equities for the Namibian Stock Exchange. It also acts as a clearinghouse for some debt trading.
The South African Multiple Option Settlement (SAMOS) system, owned and operated by the SARB, is the core of the South African national payment system. SAMOS is a real-time gross settlement system, which settles, among others, the rand settlement of all the financial market transactions, interbank transactions and the settlement of foreign exchange transactions with other international banks.
South Africa has four major credit bureaus with consumer and business credit information. The NCA provides that the Minister of Trade & Industry must publish regulations on how consumer credit information held by credit bureau must be reviewed, verified, corrected and removed. The NCR provides oversight over these credit bureaus. Data contributors to the credit bureaus include banks, credit driven retailers, credit card companies, micro lenders, telecommunication and insurance companies, courts, debt counsellors, debt collectors.

Detailed Assessment

Table 1.

Supervisory Powers, Responsibilities, and Functions

Table 2.

Prudential Regulations and Requirements

Principle 14

Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,²⁹ and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.

EC1

Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance.

Description and findings re EC1

The BA clearly sets out extensive requirements related to corporate governance, including:

Section 60 - Directors and officers of a bank/controlling company
Section 60A - Compliance function
Section 60B - Corporate governance
Section 64 - Audit committee
Section 64A - Risk and capital management committee
Section 64B - Directors’ affairs committee
Section 64C - Remuneration committee

In addition, Regulation 39 (Process of corporate governance) states that:

The Board of directors of a bank is ultimately responsible for ensuring that an adequate and effective process of corporate governance, which is consistent with the nature, complexity and risk inherent in the bank’s on-balance sheet and off-balance sheet activities and that responds to changes in the bank’s environment and conditions, is established and maintained, provided that the Board of directors may appoint supporting committees to assist it with its responsibilities.

Other specific regulations related to corporate governance include:

Regulation 40 - Guidelines relating to conduct of directors
Regulation 41 - Composition of the Board of directors of a bank or controlling company
Regulation 42 - Statement relating to attributes of serving or prospective directors or executive officers
Regulation 43 - Public disclosure
Regulation 46 - Audit reports
Regulation 48 - Internal audit

In practice, the BSD continuously engages with the Boards of directors and the senior management of banks regarding various supervisory requirements related to corporate governance. This interaction includes, at a minimum, an annual meeting with a bank’s Board of directors (bilateral meeting), with its CEO, and with the Board’s Audit Committee and external auditors (trilateral meeting). In addition, an analysis of the corporate governance practices at individual banks is part of the SREP.

EC2

The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner.

Description and findings re EC2

Regulation 39(18) requires that the Board of directors of a bank or a committee appointed by the Board for such purpose:

Shall at least once a year assess and document whether the processes relating to corporate governance, internal controls, risk management, capital management and capital adequacy implemented by the bank successfully achieve the objectives specified by the Board.
Shall at the request of the Registrar of Banks provide the Registrar with a copy of the report compiled by the Board of directors or committee in respect of the adequacy of the processes relating to corporate governance, risk management, capital management and capital adequacy.

Following from the above, Regulation 39(19) requires that the external auditors of a bank shall annually review the process followed by the Board of directors in assessing the corporate governance arrangements, including the management of risk and capital, and the assessment of capital adequacy, and report to the Registrar whether any matters have come to their attention to suggest that they do not concur with the findings reported by the Board of directors, provided that when the auditors do not concur with the findings of the Board of directors, they shall provide reasons therefore.

The assessment is conducted by the bank in conjunction with its financial year-end audit. The external auditors are required to provide their assessment of the Regulation 39 report to the Registrar within 120 days of the bank’s financial year end and the report is also an agenda item for the annual trilateral discussions between the BSD, the bank’s audit committee and senior management and its external auditors. If any issues are identified, the BSD will keep the issue open until the matter is resolved to the satisfaction of the BSD.

Regulation 39(18) and (19) also apply to any controlling company.

EC3

The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members

Description and findings re EC3

BA Section 64B requires the Board of directors of a bank or controlling company to appoint a directors’ affairs committee. The functions of this committee include, among other things, assisting the Board of directors in establishing and maintaining a Board directorship continuity program entailing:

A review of performance of and planning for successors to the executive directors;
Measures to ensure continuity of non-executive directors;
A regular review of the composition of skills, experience and other qualities required for the effectiveness of the Board; and
An annual self-assessment of the Board as a whole and of the contribution of each individual director.

The BA prohibits more than 49 percent of the directors from being employees of the bank or controlling company or their subsidiaries. This requirement ensures that there are an appropriate number of non-executive members on the Boards of all banks and controlling companies.

The Act also requires the establishment of:

An audit committee;
A risk and capital management committee; and
A remuneration committee.

Regulation 41 deals with the composition of the Board of Directors of a bank or controlling company and includes prohibition of the chairperson of the Board of a bank or controlling company from being an employee of the organization or from serving on the Board’s audit committee.

The BSD provided the assessors with a recent example of a bank that they determined did not have a sufficient number of independent directors. The bank subsequently rectified the situation to the BSD’s satisfaction.

EC4

Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty.”³⁰

Description and findings re EC 4

Regulation 39(6)(a) requires that a Board of directors shall possess sufficiently detailed knowledge of all the major business lines of the bank to ensure that the policies, processes, procedures, controls and risk monitoring systems are appropriate and effective. In addition, Board members shall have sufficient expertise to understand the various instruments, markets and activities in which the bank conducts business, including capital market activities such as securitization and the related off-balance sheet activities, and the associated risks.

Regulation 40 provides guidelines relating to the conduct of directors and includes the provision that all directors and executive officers of a bank or controlling company shall perform their functions with diligence and care and with such a degree of competence as can reasonably be expected.

Regulation 42 and form BA 020 (“fit and proper” questionnaire) relate to the statement and declaration by serving (at the request of the Registrar) or prospective directors or executive officers of a bank or controlling company regarding their attributes and qualifications. BA 020 is a detailed and comprehensive report (containing 40 questions) with the final one asking directors or prospective directors if they understand their responsibilities and duties as a director of the institution.

In practice, the BSD interacts with Board members and receives minutes of Board meetings, which helps them to determine the effectiveness of individual Board members and the Board as a whole.

EC5

The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite³¹ and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment.

Description and findings re EC5

BA Section 60B(2) states that the process of corporate governance shall be established with the objective to achieve the bank’s strategic and business objectives efficiently, effectively, ethically and equitably, within acceptable risk parameters.

As part of the supervisory review cycle of the SREP, the BSD establishes that the Board approves and oversees implementation of the bank’s strategic direction. The BSD has meetings with the chairpersons of Boards of directors as well as the full Boards of directors of all banks. The discussions held with individual bank Boards are both qualitative and quantitative in order to understand the Board’s strategic initiatives. Furthermore the meetings are aimed at establishing the bank’s overall corporate culture and values and the level of the effectiveness of the bank’s control environment.

The BSD annually issues a guidance note regarding meetings to be held with the Board of directors detailing some of the key system-wide issues that will be discussed with individual banks in addition to more bank-specific issues.

As per the supervisory process established by the BSD, banks are required to provide an assessment report stating whether the bank has met successfully its objectives as specified by the Board in terms of corporate governance, internal controls, risk management, capital management and capital adequacy as set out in Regulation 39(18)(a).

The BSD also receives a regulatory report wherein a bank’s Board confirms that the bank has a strong internal control environment per Regulation 40(4).

Through interactions with the Board of directors, review of Board minutes and the regulatory reports received in terms of the requirements of Regulations 39 and 40, the BSD regularly assesses Board oversight at individual banks and controlling companies.

EC6

The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them.

Description and findings re EC6

Regulation 36(8)(b)(v) requires banks to provide each quarter the respective management structures of the significant entities included in the consolidated return and the respective main responsibilities of such senior management. This allows BSD staff to understand key reporting lines within the bank.

As with prospective Board members, Form BA020 (“fit and proper” questionnaire) needs to be filed by persons to be appointed as executive officers of a bank or controlling company. Such forms need to include a declaration by the Board chair that the chair has carefully studied the information contained in the questionnaire and, following discussions with the individual, as well as all other members of the Board, has concluded that the individual is fit and proper to take the position within the bank or controlling company.

Through various meetings with the Board of directors and Board committees of a bank, BSD staff is able to judge whether the Board is aware of the quality of the bank’s management and whether there are any weak performers. The BSD also monitors how a Board follows up with any problems at the senior management level.

As part of their meeting process with bank Boards, the BSD also ensures that banks have strong succession planning for executive management positions.

EC7

The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies.

Description and findings re EC7

The BSD subscribes to the Financial Stability Board Principles for Sound Compensation Practices and their Implementation Standards. In 2010 the banks in South Africa undertook a self-assessment on the above and in 2011 it was included in the “flavor of the year” discussions with banks’ Boards of directors where any shortcomings were discussed with the Boards and actions taken to rectify shortcomings. Any further actions are followed up through the normal supervisory process. Developments pertaining to the Principles and Standards, as well as new requirements such as those imposed by the EU CRD IV are followed closely and if necessary will be implemented in

South Africa.

EC8

The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate.

Description and findings re EC8

Regulation 39(6)(a)(i) requires that the Board of directors and senior management of a bank possess sufficiently detailed knowledge of all the major business lines of the bank to ensure that the policies, processes, procedures, controls and risk monitoring systems are appropriate and effective.

Regulation 36(8)(b) requires that, in addition to BA 600 (Consolidated return), a bank or controlling company must furnish the Registrar with qualitative information relating to:

The group structure based on business line structure and legal structure.
The respective main business activities conducted by the material entities included in the consolidated return.
The business model or strategy adopted by the relevant bank or controlling company and whether or not the financial activities conducted within the banking group cut across legal entities or are conducted autonomously within individual financial entities.
The strategy adopted by the relevant bank or controlling company in respect of intragroup transactions and transactions with related persons or entities.

The BSD holds annual meetings with the Boards of the banks where issues that affect the bank and banking group, including regulatory issues, are discussed. This interaction enables the BSD to determine the level of knowledge of the directors regarding the structure and activities of the bank.

EC9

The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria.

Description and findings re EC9

In terms of the provisions of BA section 60(6), the Registrar may object to the appointment or continued employment of a chief executive officer, director or executive officer of a bank if the Registrar reasonably believes that the chief executive officer, director or executive officer concerned is not, or is no longer a fit and proper person to hold that appointment, or if it is not in the public interest that such chief executive officer, director or executive officer holds or continues to hold such appointment.

When the Registrar wishes to terminate the appointment or the continued employment of a chief executive officer, director or executive officer of a bank, the Registrar has to notify in writing (a) the chief executive officer, director or executive officer concerned; (b) the chairperson of the Board of directors of that bank (except if the chairperson of the Board is the person whose appointment the Registrar wishes to terminate, in which case each director of the bank concerned shall be notified); (c) the chief executive officer of that bank (except if the chief executive officer is the person whose appointment the Registrar wishes to terminate, in which case the deputy chief executive officer shall be notified) of his or her intention, and of the grounds for the proposed termination.

AC1

Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management.

Description and findings re AC1

Regulation 47 requires a bank to report an offence in writing to the Registrar within 30 days after the bank becomes aware of the reportable offence. Such reportable offences include:

a breach of the fiduciary duty of a member of the Board of directors, an employee in charge of a risk-management function or an executive officer;
any act of a member of the Board of directors, an employee in charge of a risk management function or an executive officer that results in or will probably result in the reputation of the bank being adversely affected;
any act of a member of the Board of directors, an employee in charge of a risk management function or an executive officer that results in or will probably result in the bank contravening the code of conduct or ethical code of any institution of which the bank is a member or with which the bank is associated;
any reportable irregularity as envisaged in section 45 of the Auditing Profession Act, 2005 (Act 26 of 2005), as amended, which irregularity was brought to the attention of the Board of directors and/or senior management of the relevant bank.

Assessment of Principle 14

Compliant

Comments

Through regulations and practice, the SARB places strong emphasis on sound and effective corporate governance at all banks in South Africa. BSD staff is able to assess the quality of corporate governance at individual banks through regular meetings, as well as review of audit reports and Board and Board committee minutes.

Principle 15

Risk management process. The supervisor determines that banks³² have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate³³ all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.³⁴

EC1

The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:

(a) A sound risk management culture is established throughout the bank;
(b) Policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite;
(c) Uncertainties attached to risk measurement are recognized;
(d) Appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and
(e) Senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.

Description and findings re EC1

Regulation 39 (Process of corporate governance) states that the Board of directors of a bank is ultimately responsible for an adequate and effective process of corporate governance, including effective risk management. The regulation cites 27 specific types of risk that could be included in the risk management process. In particular, Regulation 39(5)(a-b) states that, at a minimum, the risk management processes, practices, procedures and policies:

Shall be adequate for the size and nature of the activities of the bank…and shall periodically be adjusted in light of the changing risk profile or financial strength of the bank, financial innovation or external market developments;
Shall be duly aligned with, and, where appropriate, provide specific guidance for the successful implementation of and the continued adherence to, the business strategy, goals and objectives, and the risk appetite or tolerance for risk, of the bank;
Shall duly specify relevant limits and allocated capital relating to the bank’s various risk exposures.

In practice, the BSD utilizes the SREP to assess a bank’s compliance with Regulation 39, including a check on whether risk management policies are Board approved. In addition, prudential meetings are held to discuss various risk areas and to establish the adequacy of the overall risk management process that includes senior management’s monitoring and control of all material risks in line with the Board-approved policies and processes. Risk management is also discussed at meetings with banks’ Boards of directors, risk committees, audit committees and external auditors.

The BSD also utilizes bi-annual graph discussions with banks. During these meetings, all risk areas are discussed with senior management to ensure correct reporting and understanding with regard to the regulations. During these meetings, financial data as reported to the BSD are discussed with banks and are benchmarked against the bank’s strategies. The BSD also uses these meetings to highlight concerns or irregularities detected. The analysis division prepares a closing summary for each risk area that contains a conclusion highlighting the positive and negative features based on that risk area. The presentation may also contain an overall summary of the main features highlighted in the risk area conclusions, if required.

EC2

The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:

(a) To provide a comprehensive “bank-wide” view of risk across all material risk types;
(b) For the risk profile and systemic importance of the bank; and
(c) To assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.

Description and findings re EC2

Regulation 39(1) to (6) establishes such requirements for the risk management process. As mentioned in EC1, the BSD utilizes a variety of techniques to determine the adequacy of the risk management policies and procedures at individual banks. For instance, prudential meetings are held to discuss various risk areas and to establish the adequacy of the overall risk management processes that includes senior management’s monitoring and control of all material risks in line with the Board-approved policies and processes. Risk management is also discussed at meetings with banks’ Boards of directors, risk committees, audit committees and external auditors.

As part of the ICAAP reviews, the BSD investigates the process followed by banks to identify all material risk exposures, as well as the mapping to risk appetite frameworks.

EC3

The supervisor determines that risk management strategies, policies, processes and limits are:

(a) Properly documented;
(b) Regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and
(c) Communicated within the bank

The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary.

Description and findings re EC3

Prudential meetings are held with banks to discuss various risk areas and to establish the adequacy of the overall risk management processes, which includes an assessment of whether exceptions to policies, processes and limits receive prompt attention and, where appropriate, senior management and/or Board authorization are obtained. In addition, the BSD may request internal audit/external audit to review specific areas for compliance with a bank’s policies, including limits.

During their on-site work, BSD staff review a bank’s risk management policies and procedures, as well as any relevant internal documentation such as “risk appetite tables.”

EC4

The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive.

Description and findings re EC4

BA Section 64 requires that a risk and capital management committee of the Board of directors be established.

Through the assessment of the bank’s ICAAP, the BSD determines whether the Board and senior management understand the risks being taken and how these risks influence capital adequacy. The annual Board discussions support this process. In addition, during the IRB application approval process, the BSD focuses on senior management understanding of risks.

Prudential meetings are held to discuss various risk areas and to establish the adequacy of the overall risk management process, which includes an assessment of whether the policies and processes are appropriate in light of the banks risk profile and business plan.

At the above meetings, an assessment is also made of the reporting of risk information to the Board and senior management. Such assessment includes the adequacy of information provided and Board and senior management understanding of the information.

EC5

The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies.

Description and findings re EC5

Through the assessment of a bank’s ICAAP (including strategies), the BSD assesses the overall capital adequacy and processes in relation to the banks risk profile. Such an assessment takes into account the bank’s size and complexity.

On-site meetings are held with banks in order to determine overall liquidity adequacy and processes in relation to risk appetite and risk profiles.

Regulation 38 (Capital adequacy) provides power to the Registrar to strengthen risk management processes if found inadequate.

EC6

Where banks use models to measure components of risk, the supervisor determines that:

(a) Banks comply with supervisory standards on their use;
(b) The banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and
(c) Banks perform regular and independent validation and testing of the models

The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.

Description and findings re EC6

Prudential meetings are held to discuss those risk areas where banks use models to measure the components of risk. During these meetings it is established whether independent validation and testing of these models and systems are performed.

With regard to credit risk, for IRB banks, the bank’s estimates and models used for that purpose are subject to specific additional review as specified by the BSD on an annual basis. Furthermore, the external auditor will produce the ‘long form report’ in that regard. The BSD also requires banks to submit their “annual validation report” on selected asset classes.

With regard to operational risk, regular meetings are held with all banks on the AMA for operational risk.

EC7

The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use.

Description and findings re EC7

Regulation 23 (Minimum requirements) requires a bank to have, among other things, sufficiently robust information systems. Information systems is a topic that BSD staff discuss with banks during numerous meetings (with the Board of directors, chief executive officer, audit committee, compliance, internal audit) and is usually also a focus area for banks wanting to implement new products and advanced model approaches. During meetings with external auditors, a bank’s management information systems, as well as systems in general, are discussed. The BSD also receives Board and risk committee packs, which are reviewed on an ad hoc basis to determine that the Board and senior management are receiving appropriate and accurate information. Certain banks, through the BSD operational risk team, receive specific information system reviews or on-site reviews.

In early 2014, the BSD issued Guidance Note 3. The note, which is based on the Basel Committee’s Principles for Effective Risk Data Aggregation and Risk Reporting (issued in January 2013), reiterates the importance of adhering to sound risk management practices, specifically with regard to risk data aggregation and risk reporting. The note includes a detailed questionnaire that banks had to submit to the Registrar so that the BSD could determine the status of banks’ implementation of the eleven principles.

EC8

The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,³⁵ material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board.

Description and findings re EC8

Regulation 39 (Process of corporate governance) has several provisions related to the required risk management procedures for the review and assessment of any potential new products or activities.

Furthermore, during operational risk on-site reviews BSD staff will assess the new product approvals process and policies that banks have in place to assess the risk of new products.

EC9

The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function.

Description and findings re EC9

BA Section 64A(2) states that the risk and capital management committee of the Board shall assist it to: establish an independent risk management function and establish and implement a process of internal controls and reviews to ensure the integrity of the overall risk and capital management process. In addition, Regulation 39 contains several provisions related to the independence of risk control units.

The BSD reviews the various risk management functions of a bank as part of the SREP. During discussions with internal audit, specific evaluation of the risk management function is covered to ensure that it is regularly reviewed. In addition, prudential meetings are held with banks’ risk management and control functions (including internal audit) to establish whether appropriate segregation of duties are in place and to confirm whether these functions report directly to senior management and the Board.

During operational risk on-site reviews, BSD staff holds meetings with a bank’s internal audit department in order to assess the work done by them on operational risk and related matters and to determine what the findings or outcomes of their work have been.

EC10

The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the f and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.

Description and findings re EC10

As mentioned in EC9, BA Section 64A(2) states that the risk and capital management committee of the Board shall assist it to: establish an independent risk management function and establish and implement a process of internal controls and reviews to ensure the integrity of the overall risk and capital management process. Assessment of this requirement is assessed as part of the SREP.

Larger and more complex banks are assessed for compliance with all standards, including the requirement to have independent and adequately resourced risk and audit functions. During discussions with internal audit, specific evaluation of the risk management function is covered to ensure that it is regularly reviewed.

EC11

The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.

Description and findings re EC11

The Regulations relating to banks have detailed requirements related to specific risk categories, as follows:

Regulations 23-25 - Credit risk

Regulation 26 - Liquidity risk

Regulation 28 - Market risk

Regulation 30 - Interest-rate risk

Regulation 31 - Equity risk in the banking book

Regulation 33 - Operational risk

These various regulations are described in further detail in subsequent CPs.

EC12

The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified.

Description and findings re EC12

Regulation 36(8) requires banks and controlling companies to submit in writing to the Registrar qualitative information relating to the strategy adopted in respect of contingency planning, including the extent to which contingency planning is centralized or managed on a business or legal entity basis.

In practice, the BSD utilizes several specific tools to ensure that banks have appropriate contingency planning processes. The SREP drives most of these.

Market risk: Stress testing, system validation and operational risk responsibilities such as business continuity planning, disaster recovery and other continuity policies are checked during IMA applications/renewals and IMA assessments and thematic reviews.

Liquidity: ALM reviews are conducted both off-site and on-site. The availability of contingency plans is assessed during the ALM review. Certain banks during the past two years were subject to a liquidity simulation exercise where the bank, BSD and external auditors were involved in testing the bank’s liquidity contingency plans and processes under a simulated stress situation.

The review of the bank’s ICAAP covers all material risks that a bank faces, which includes reputational, strategic, technological and any other risk not specifically covered in the BCPs.

During 2012 and 2013, specific focus was placed on the development of the banks’ recovery plans. Detailed discussions were held with banks and this was also a ‘flavor of the year” topic for discussion at meetings between BSD management and bank Boards.

EC13

The supervisor requires banks to have forward-looking stress testing programmes, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing programme and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing programme:

(a) Promotes risk identification and control, on a bank-wide basis
(b) Adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks;
(c) Benefits from the active involvement of the Board and senior management; and
(d) Is appropriately documented and regularly maintained and updated.

The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing programme or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process

Description and findings re EC13

Regulation 39(5) requires banks to have risk management processes, practices, procedures and policies that are sufficiently robust to ensure that the bank regularly conducts appropriate stress-testing or scenario analysis and also to ensure that the bank maintains sufficient liquidity and capital adequacy buffers to remain solvent during prolonged periods of financial market stress and illiquidity. Additional sections of Regulation 39 set out other requirements related to the various aspects of stress testing and Regulation 23 focuses on stress testing of credit risk while Regulation 28 focuses on stress testing of market risk (see CPs 17 and 22 below).

The review of a bank’s ICAAP usually includes discussions related to stress testing and scenario testing, assumptions made, stress-testing results and how they link to the capital buffer as well as management actions.

With regard to market risk, the utility of stress testing as a management tool is verified during IMA assessment, market risk thematic reviews, stress testing thematic reviews and to a certain extent in ICAAP assessments.

EC14

The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities.

Description and findings re EC14

The review of a bank’s ICAAP covers discussions based on performance measurement and EVA, pricing and return on risk adjusted capital.

AC1

The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks.

Description and findings re AC1

Regulation 39 sets out a total of 27 risk types that banks need to be aware of and manage, including reputational and strategic risk.

The BSD utilizes the SREP to assess the management of various additional risk categories by banks. The review of a bank’s ICAAP covers all material risks that a bank faces, which includes reputational, strategic, technological and any other risk not specifically covered in the BCPs.

Assessment of Principle 15

Compliant

Comments

The SARB’s SREP cycle places emphasis on verifying that banks have robust risk management policies and procedures.

A recent significant increase in supervisory staff has allowed the BSD to form specialized teams to review the major risk categories. While the skills of some of the newer members of these teams are in the process of being strengthened, primarily through on-the-job experience, the teams have enhanced the BSD’s understanding of the risks faced by South African banks, most especially at the largest institutions.

Principle 16

Capital adequacy.³⁶ The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.

EC1

Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis.

Description and findings re EC1

BA Section 70 deals with minimum capital requirements for banks and banking groups. The provisions of the Act are implemented through Regulation 38 (Capital adequacy and leverage).

The BSD has fully implemented Basel II, 2.5 and is in the process of fully implementing Basel III. Capital is calculated on a consolidated and solo basis for all South African banks, as well as foreign branches, to consistently observe prescribed capital requirements and capital buffers.

Capital is calculated and measured in the following tiers: CET 1, Tier 1 and Total Capital. BA Section 1 defines “additional tier 1 capital,” “additional tier 1 unimpaired reserve funds,” “common equity tier 1 capital,” “common equity tier 1 unimpaired reserve funds,” “tier 2 capital” and “tier 2 unimpaired reserve funds.”

BA Sections 70 and 70A prescribe minimum capital requirements based on risk-weighted assets for banks and groups respectively.

Regulation 38(8) prescribes capital requirements (base minimum, systemic capital requirements, domestically systemic important banks, conservation buffer, countercyclical buffer, idiosyncratic risk requirement and the Board buffer). Regulation 38(9)(a)(i) prescribes the minimum capital set per tier of capital.

Directive 5/2013 – prescribes the components of capital with emphasis on those that are permanently available to absorb losses.

For the plan for the phase-in of Basel III, see below.

Shading indicates transition periods - all dates are as of 1 January

	Basel III	2013	2014	2015	2016	2017	2018	2019
Common Equity Tier 1 requirements (CET1)
Minimum CET1 Ratio (per Basel III)	4,5%	3,5%	4,0%	4,5%	4,5%	4,5%	4,5%	4,5%
Pillar 2A for CET1		1,0%	1,5%	2,0%	1,75%	1,50%	1,0%	0,50%
Minimum CET1 plus Pillar 2A		4,5%	5,5%	6,5%	6,25%	6,0%	5,5%	5,0%
Phasing in of D-SIB requirements at CET1 level ¹					25%	50%	75%	100%
Capital Conservation buffer²	2,5%				0,625%	1,25%	1,875%	2,5%
Countercyclical buffer (maximum per cent, if imposed)²	2,5%				0,625%	1,25%	1,875%	2,5%
Tier 1 requirements (T1)
Minimum Tier 1 Ratio (per Basel III)	6,0%	4,5%	5,5%	6,0%	6,0%	6,0%	6,0%	6,0%
Pillar 2A for T1		1,5%	1,5%	2,0%	1,5%	1,25%	1,0%	0,75%
Minimum T1 plus Pillar 2A		6,0%	7,0%	8,0%	7,5%	7,25%	7,0%	6,75%
Phasing in of D-SIB requirements at Tier 1 level¹					25%	50%	75%	100%
Total capital requirements
Minimum Total Capital Ratio (per Basel III)	8,0%	8,0%	8,0%	8,0%	8,0%	8,0%	8,0%	8,0%
Pillar 2A for Total Capital (maximum 2.0%)		1,5%	2,0%	2,0%	1,75%	1,50%	1,25%	1,0%
Minimum Total Capital plus Pillar 2A		9,5%	10,0%	10,0%	9,75%	9,5%	9,25%	9,0%
Phasing in of specified D-SIB charge at Total Capital level¹					25%	50%	75%	100%
Capital instruments that no longer qualify as additional Tier 1 or Tier 2 capital	Phased out over 10-year horizon beginning 2013

¹ The aggregate requirement for Pillar 2A and D-SIB will not exceed 2.0 per cent for CET1, 2.5 per cent for Tier 1 and 3.5 per cent in respect of the total capital-adequacy ratio

² The capital conservation buffer together with the countercyclical buffer will be applied at CET1 level and will also be required to be met at both a Tier 1 and Total capital level.

EC2

At least for internationally active banks,³⁷ the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards.

Description and findings re EC2

Regulations 38(9)(a)(i), 38(9)(a)(ii) and 38(9)(a)(iii) prescribe the phase-in of the South African base minimum requirements that are more onerous than Basel.

Directive 5/2013 – Prescribes minimum capital requirements, and the phase-in thereof, that are higher than the Basel standards.

EC3

The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)³⁸ entered into by the bank. Both on-balance sheet and off- balance sheet risks are included in the calculation of prescribed capital requirements.

Description and findings re EC3

Regulation 38(4) empowers the Registrar to prescribe additional capital requirements in respect of any risk type or risk exposure.

Regulation 38(8)(e)(iii) prescribes a bank-specific additional capital requirement for idiosyncratic risk.

Per the Basel standards, both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements.

EC4

The prescribed capital requirements reflect the risk profile and systemic importance of banks³⁹ in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements.

Description and findings re EC4

BA Section 4(7)(ii) prescribes that the Registrar may disclose factors relating to the setting of capital adequacy ratios in excess of the minimum. These factors assist the Registrar in establishing bank-specific capital requirements for individual banks.

Regulation 38(4) empowers the Registrar to impose additional capital if the aggregated risk exposure of a bank does not reflect its risk profile (and the Registrar applies this Pillar 2 surcharge in practice).

Regulation 38(8)(e)(ii) prescribes an additional minimum capital requirement for systemic risk.

Regulation 38(8)(e)(vi) prescribes an additional capital requirement for the largest banks (systemically important).

Regulation 38(8)(e)(vii) prescribes a Board buffer that is based on stress testing and macro-economic conditions.

Regulation 38(8)(g) prescribes a countercyclical capital buffer in the event of excessive credit growth or the buildup of system-wide risks.

Regulation 38(17)(a) prescribes a leverage ratio to prevent the build-up of excessive on-and off-balance sheet leverage.

Regulation 38(17)(b)(iv) prescribes a minimum leverage ratio of 4 percent.

EC5

The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:

(a) Such assessments adhere to rigorous qualifying standards;
(b) Any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor;
(c) The supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken;
(d) The supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and
(e) If a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.

Description and findings re EC5

The Regulations relating to banks set out numerous requirements for banks utilizing the more advanced measurement approaches. These include (but are not limited to):

Regulation 23(3)(b) prescribes that prior approval is required from the Registrar to apply the IRB approach for credit risk and Regulation 23(10)(a) requires continuous compliance with the qualifying conditions.
Regulation 23(10)(b)(v11) requires banks applying internal models for equity risk in the banking book to obtain prior written approval of the Registrar and also sets out quantitative and qualitative requirements.
Regulation 28(4)(b) and (c) requires banks applying internal models to measure market risk to obtain prior written approval from the Registrar, subject to certain conditions.

The Registrar has the authority to impose additional conditions on a bank and approval for use of an internal model can be revoked if conditions cease to be met. In practice, there is an example of a bank’s approval having been revoked.

As part of the SREP, BSD staff regularly reviews banks’ internal assessment processes and internal models approaches. The BSD acknowledged that they face an ongoing challenge finding qualified staff for models validation as there is a shortage of individuals in South Africa with highly technical quantitative skills. The SARB has addressed this issue, in part, through in-house training initiatives.

EC6

The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).⁴⁰ The supervisor has the power to require banks:

(a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and
(b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.

Description and findings re EC6

Regulation 23(11(b)(ix) sets out a stress testing requirement for banks that have adopted the IRB approach for credit risk.

Regulation 39(6) requires the Board and senior management to have in place an MIS system that can generate forward looking scenario analysis that captures stressed conditions and requires senior management to conduct stress tests on a periodic basis. The BSD also issued a guidance note in 2008 on stress testing requirements.

Regulation 39(8)(h) requires the incorporation of stress testing in the ICAAP and further requires stress testing to be compared against the impact of capital.

Regulation 39(16)(a)(v)(B) requires senior management to ensure the ICAAP incorporates stress testing and measures to ensure the bank builds and maintains capital buffers that would ensure the bank could withstand severe market downturns. It also requires that the ICAAP examines future capital resources under adverse conditions and analyses capital instruments during stress.

Regulation 39(16)(b)(v) requires that the ICAAP incorporate stress testing the result of which shall be considered in evaluating the adequacy of capital buffers.

Regulation 39(5)(d) states that risk management processes shall regularly conduct stress testing or scenario analysis and should ensure the bank maintains adequate liquidity and capital during prolonged periods of market stress.

In practice, BSD staff discusses stress testing and management actions to limit the impact of stresses on banks during on-site ICAAP meetings. In addition, projected capital adequacy ratios are calculated to show the impact of stresses on banks before and after management actions on a forward-looking basis (for the upcoming three years).

AC1

For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks.

Description and findings re AC1

The BSD applies the Basel capital requirements to all banks in South Africa, irrespective of whether they are internationally active.

AC2

The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.⁴¹

Description and findings re AC2

It is up to a bank to determine how it distributes capital within different entities of the banking group; however, certain regulations apply. These include Regulation 36(8)(b)(ix) which requires banks to submit in writing to the Registrar qualitative information relating to the bank’s strategy to monitor capital in relation to risks incurred by entities and the allocation of capital amongst various entities within the banking group.

Assessment of Principle 16

Compliant

Comments

The SARB has adopted or is in the process of adopting the various components of Basel II, 2.5 and III according to or in advance of the schedule established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BSD has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BSD has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as systemic capital requirements, large bank capital add-ons and a “Board buffer” that ensures that banks do not fall below the minimum requirements. BSD staff regularly assesses banks’ capital management and planning, most intensely at the largest (IRB) banks.

Principle 17

Credit risk.⁴² The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk⁴³ (including counterparty credit risk)⁴⁴ on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.

EC1

Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring.

Description and findings re EC1

Numerous regulations exist that support the elements of EC1. Primary among these are the following:

Regulation 39(4)-(6) states that a bank shall have in place a comprehensive risk management process, practices and procedures and Board approved policies for credit risk and counterparty credit risk
Regulation 23(11)(b)(iii)(A) provides that, for IRB banks, there should be a duly documented credit policy with should be applied consistently over time for internal risk management purposes
Regulation 39(7)(a)(ii)(D) requires that an IRB bank shall bring to the attention of senior management and the Board of directors matters such as credit concentration or any violations of specific risk or appetite limits
Regulation 39(5)(b) requires that the risk management policies, processes and procedures should be aligned with business strategy goals and objectives and risk appetite or tolerance of risk of the bank

As part of its overall supervisory process, the BSD ensures that there are appropriate governance structures within all banks that address all risks, including credit risk, and their particular composition, for example: risk appetite, risk profile, systemic importance and capital strength of the bank. The ICAAP meeting that is held annually with the banks entails calculating, understanding, monitoring and managing of economic capital as it relates to credit and other risks. Stress testing is also done as part of this process using macroeconomic simulations and variables to assess the effect that credit and other risks can have on the bank and more importantly the bank’s capital adequacy ratio and ability to absorb, mitigate and manage such events should they occur.

EC2

The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,⁴⁵ identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes.

Description and findings re EC2

Regulation 39(18) requires a bank’s Board of directors to assess at least once a year whether processes relating to corporate governance, internal controls, risk management (including credit risk management) implemented by the bank successfully achieve the objectives specified by the Board. This assessment must be documented and reviewed by the external auditors, who in turn would report to the Registrar if they did not concur with the assessment conducted by a bank’s Board. The Registrar also has the authority to request a copy of the assessment directly from a bank although this is done on a very infrequent basis.

In practice, the bank’s BSD relationship team will discuss credit risk management strategies and significant policies and processes during prudential meetings focused on credit risk. Reliance will also be placed on work performed by the internal and external auditors and specific findings identified by them will be followed up during these meetings.

Peer group comparisons, trend analysis, etc. specific to credit risk are compiled based on monthly quantitative information (BA200 reporting series). This is discussed periodically with senior management and at least annually during a meeting with the bank’s Board. These meetings confirm that the bank’s quantitative information reflects the bank’s adopted strategies, policies, etc. Furthermore, BSD staff will engage specifically with the bank on significant deviations from peers, BSD’s expectations and economic trends. For IRB banks, separate on-site visits focusing specifically on the retail and wholesale portfolios are conducted.

During 2013, banks were required to complete a questionnaire for counterparty credit risk that, among other things, described the governance of counterparty credit risk, the process and frequency for review and future planned changes to policy. Counterparty credit risk on-site meetings were also held with certain banks based on the size of their counterparty credit risk book.

EC3

The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:

(a) A well documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments;
(b) Well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures;
(c) Effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system;
(d) Effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis;
(e) Prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff;
(f) Exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and
(g) Effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

Description and findings re EC3

Refer to the responses to EC 1 and EC 2 above. Also relevant to this EC are the following:

Regulation 23 requires banks to have a duly documented credit policy.
Regulation 39 requires that the Board of directors of a bank shall ensure that the bank establishes and maintains an independent credit risk control unit that shall be headed by a person who reports directly to the chief executive officer and the bank’s Board of directors or to an independent chief risk officer if one has been appointed by the bank.

The BSD places some reliance on the external auditors, with specific reference to Regulation 46 (Audit reports), to confirm the quality of the bank’s credit environment. Section 4 requires the external auditor of a bank to report to the Registrar within 120 days of the bank’s financial year-end any significant weaknesses in the system of internal controls that came to the auditor’s attention while performing the necessary auditing procedures as regards the policies, practices and procedures of the bank relating to, among other things, the granting of loans; the making of investments; and the ongoing management of the loan and investment portfolios.

The external auditor will review the quantitative information submitted to the BSD via the BA 200 series and will comment on the underlying processes, systems, etc. supporting the generation of the series. The external auditor’s report in terms of Regulation 46 is reviewed, assessed and discussed with the auditors, as well as the bank’s audit committee as part of the SREP.

For IRB banks, the bank’s estimates and models used for that purpose will be subject to specific additional review as specified by the BSD on an annual basis. The external auditor will produce the ‘long form report’ in that regard and the report will be reviewed by the BSD as part of the SREP.

In addition, the BSD has had discussions with banks to ensure a “single client view” across the bank. Where banks’ systems are unable to do so, the BSD has discussed with banks the need to upgrade their systems.

EC4

The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk.

Description and findings re EC4

Regulation 39(5)(d) requires that risk management processes, practices, procedures and policies at a bank shall be robust enough to determine and monitor the total indebtedness of entities to which the bank extends credit. Banks typically utilize credit bureaus to help in this endeavor.

BSD staff includes this issue on the agendas for prudential meetings with banks and discusses policies and procedures with senior management.

EC5

The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.

Description and findings re EC5

BA Section 60 requires directors and officers of a bank to avoid any conflicts of interest and that the process of corporate governance shall ensure that mechanisms and procedures are established and maintained to minimize or avoid potential conflicts of interest between the business interests of the bank.

There is also a requirement in Regulation 36 that, from a consolidated supervision perspective, intercompany/intergroup loans should be conducted on an arm’s-length basis and that for intragroup advances not conducted at arm’s length, banks shall provide the Registrar in writing with information regarding these transactions.

Regulation 39 sets out the requirement that the Board of Directors and senior management shall ensure adequate segregation of duties to promote sound governance and effective risk management in the bank, and avoid conflict of interests.

There are also extensive regulations related to transactions with related parties. These include the regulations cited in CP 20 - Transactions with Related Parties.

EC6

The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities.

Description and findings re EC6

There are several regulations related to the banks’ oversight and management of major credit risk exposures. These include the regulations cited in CP 19 - Concentration Risk and Large Exposure Limits. By law, a bank may not make investments or grant loans or other credit to any person in an aggregate amount exceeding 10 percent of its capital and reserves without the permission of its board of directors or a committee appointed for such purpose.

In practice, BSD staff has discussions with the management of banks to determine how loan approvals are being governed, including Board approval of larger credit risk exposures. The topic is also included in discussions with the banks’ internal auditors, especially with regard to wholesale business where larger exposures exist. In addition, BSD staff review the approval policies and processes, including the limits applied to the approval process.

EC7

The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.

Description and findings re EC7

The BA provides powers of inspection to the Registrar and stipulates that the Registrar may direct a bank to provide any information in order for the Registrar to fulfill his duties. Various regulations also support the Registrar’s ability to access information.

In practice, the BSD can request any information from banks not captured in the regulatory returns and any internal reports. For credit risk prudential meetings held with individual banks, a copy of the latest reports submitted to the Credit Risk Committee can be requested and any concerns discussed at the meeting.

The BSD also has full access to all staff and can ask to meet with specific individuals.

EC8

The supervisor requires banks to include their credit risk exposures into their stress testing programmes for risk management purposes.

Description and findings re EC8

Banks are required to incorporate credit risk exposures in their stress testing exercises and banking regulations establish numerous specific requirements for banks to stress test various aspects of their credit risk. These regulations include (but are not limited to):

Regulation 23(11)(b)(ix) - stress testing requirements for IRB banks
Regulation 23(15)(c)(iv) - assessment through scenario analysis and stress testing of whether the level of capital held against CCP exposures are adequate
Regulation 36(14)(b)(ii)(C) - policies, processes, procedures and systems should enable senior management to conduct stress testing for credit concentration risk
Regulation 39(5)(d)(vii) - risk management policies, processes, procedures and systems shall ensure that banks conduct regular stress testing or scenario analysis
Regulation 39(6)(b)(vi) - senior management shall periodically conduct stress tests on the bank’s main risk exposures
Regulation 39(16)(a)(v)(B)(iii) - Senior management of the bank shall incorporate robust stress testing to complement and validate the bank’s measures and give the Board of directors and senior management a better understanding of the bank’s exposures
Regulation 39(16)(a)(v)(E) - senior management of the bank shall define the bank’s stress testing objectives and scenarios.
Regulation 39(16)(b)(v) - a sound capital assessment program should be in place to incorporate forward-looking stress testing
Regulation 39(16)(d)(ii)(vi) - periodic reviews of the risk management process includes review of appropriate stress testing

In addition, Guidance Note 9/2008 - High level guidance for stress testing - sets out additional guidance from the BSD regarding stress testing at individual banks.

With regard to the supervisory process in place, the BSD conducts ICAAP assessments on an annual basis, and stress testing forms part of the issues covered in this process. Once the document submitted by the bank has been reviewed, an on-site meeting is held with the bank and the results of the ICAAP are discussed and any areas of concern regarding stress testing are raised.

The BSD also requests banks to perform a common scenario stress test where the factors to be stressed are provided to the banks by the BSD.

Assessment of Principle 17

Compliant

Comment

Regulation 39 clearly sets out the requirement for adequate policies and procedures related to credit risk management, approved by the Board of directors and effectively implemented by management. BSD staff, including the analyst(s), credit specialist team and on-site review team, takes an active role in assessing the quality of credit risk management at all banks, including as part of the SREP.

Principle 18

Problem assets, provisions and reserves.⁴⁶ The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.⁴⁷

EC1

Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs.

Description and findings re EC1

Regulation 39(3) identifies credit risk “and in particular risks arising from impaired or problem assets and the bank’s related impairments, provisions and reserves” as one of the types of risk that may arise from a bank’s on and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk management processes, practices, procedures related to problem assets, provisions and reserves.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including problem assets.

Regulation 39(5)(d)(xiii) states that a bank’s risk management processes, practices, procedures and policies shall be sufficiently robust to ensure that the bank’s Board of directors and senior management receive timely and appropriate information regarding the condition of the bank’s respective asset portfolios, including matters related to the relevant classification of credit exposure, the level of impairment or provisioning, and major problem assets.

Various aspects of Regulation 23 (Credit risk: monthly return), Section 22 (Credit impairment) set out the regulatory requirements for dealing with and reporting problem assets. The Section states, as a minimum, every bank:

Shall have in place a sufficiently robust system for the calculation of credit impairment in accordance with the relevant requirements specified in Financial Reporting Standards issued from time to time;
Shall have in place sufficiently robust processes and Board-approved policies, and dedicated resources to ensure -
- the early identification of assets of deteriorating credit quality;
- ongoing oversight of problem assets or credit exposure;
That the bank periodically reviews and assesses (1) all relevant problem assets at an individual level, or a portfolio level in the case of credit exposures with homogeneous characteristics, (2) the adequacy of the bank’s asset classification, provisioning and write-offs, and (3) the value, adequacy and enforceability of all relevant risk mitigation instruments or contracts, including guarantees, credit derivative instruments or other forms of collateral or credit protection;
That all relevant off-balance sheet exposures are duly considered;
That the bank’s credit impairments and write-offs reflect realistic repayment and recovery expectations;
Ongoing collection of past due loans;
That the bank’s Board of directors receives timely and appropriate information on the condition of the bank’s relevant credit portfolios, including the classification of credit exposures, the level of provisioning and major problem assets.

EC2

The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes

Description and findings re EC2

Regulation 46 (Audit reports) Section 4 requires the external auditor of a bank to report to the Registrar within 120 days of the bank’s financial year-end any significant weaknesses in the system of internal controls that came to the auditor’s attention while performing the necessary auditing procedures as regards the policies, practices and procedures of the bank relating to, among other things, the relevant credit impairments or loan loss provisions and reserves.

The external auditor is required under Regulation 46(9) to hold preliminary discussions with the BSD prior to the annual audit. Interpretive matters arising from audits performed by external auditors are also sent to BSD to obtain clarity on the interpretation of such items.

In most cases, the BSD relies on work by the external auditors to determine the adequacy of a bank’s policies and processes for grading and classifying assets and establishing appropriate and robust provisioning levels. If any significant weaknesses are identified by the external auditors, BSD staff will follow this up during the normal course of supervisory interaction with the bank.

With regard to other supervisory activities, the approval process for PD and LGD models includes an evaluation of whether the models apply the definition of default correctly.

EC3

The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.⁴⁸

Description and findings re EC3

Regulation 23 (Credit risk: monthly return), Section 22 (Credit impairment) requires banks to include all relevant off-balance sheet exposures in their consideration and reporting of credit impairment.

In this regard, the BSD relies on the work of external auditors to determine that a bank gives due consideration to off-balance sheet exposures when determining classifications and provisioning.

EC4

The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions.

Description and findings re EC4

As mentioned under EC2, Regulation 23(22) requires banks to have in place sufficiently robust processes and Board approved policies, and sufficient dedicated resources to ensure that the bank’s credit impairments and write-offs reflect realistic repayment and recovery expectations.

In practice, provisions must be determined in terms of IAS 39 (Financial Instruments: Recognition and Measurement), which requires the bank to consider at each reporting period whether there is objective evidence of impairment. Such evidence includes national or local economic conditions that correlate with defaults on the assets in the group.

With regard to supervisory oversight, it has been the policy of the BSD to place reliance on the external auditors’ assessment of a bank’s provisioning levels as part of their statutory audit. Any significant issues raised by the external auditors are addressed by the BSD during follow-up meetings with bank management. In respect of the work performed by external auditors, the BSD held extensive discussions with the South African Institute of Chartered Accountants (SAICA) to ensure the appropriateness of the Regulation 46 reports in view of the applicable audit standards and BSD requirements. In September 2013 a revised audit matrix was approved by BSD management that specifies the level of assurance to be given by external auditors.

In addition, recognizing the added risk since the start of the global financial crisis, in 2012 the BSD initiated a project to review the adequacy of impairments raised by selected banks, mostly IRB banks (the largest banks in South Africa) and banks engaged in unsecured lending. The BSD’s on-site review team has been primarily responsible for these reviews, with the assistance, where appropriate, of the credit risk and quantitative analysis teams. These reviews continue in 2014.

EC5

The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans).

Description and findings re EC5

See EC 1 above for relevant regulations pertaining to the early identification of deteriorating assets. In addition, Regulation 67 (Definitions) stipulates that an exposure that is overdue more than 90 days shall be classified as in default. Circular 2 of 2014 (Interpretation of definition of default as outlined in regulation 67 of the Regulations relating to Banks) also provides information in this regard.

Classification in terms of Regulation 24 (Credit risk - Directives and interpretations for completion of the quarterly return concerning credit risk) sets out the following classification categories for banks on the Standardised Approach to credit risk:

Overdue between 60 and 90 days - Special mention
Overdue between 91 and 180 days - Substandard (unless sufficient security is held by the bank)
Overdue between 181 and 365 days - Doubtful (unless sufficient security is held by the bank)
Overdue for more than one year - Loss

For IRB banks, the classification of loans is based on a combination of both objective (days in arrears) and subjective criteria. All loans overdue more than 90 days are classified as in default with the classification category based on the number of days in arrears. In addition, when a bank is of the opinion that an obligor is unlikely to pay its credit obligations in full, without recourse by the bank to actions such as the realization of security, the exposure shall be classified as in default.

The SREP gives due consideration to banks’ policies and procedures for the early identification of deteriorating assets, as well as for management and collection of problem assets. Credit risk prudential meetings between the BSD and bank management normally include a discussion on credit risk management processes, including the ongoing oversight of problem assets.

During 2013, the BSD’s on-site team conducted a detailed “deep dive” review of the provision, write-off and collection policy (including the application of the policy) of a bank in the unsecured lending sector. The project continues in 2014 with other unsecured lenders.

In addition, BSD staff conducted research with regard to how banks treat rescheduled/restructured transactions after the terms and conditions have been changed. It was noted that banks treat such transactions differently. Consequently, the BSD is in the process of finalizing a directive that will address the inconsistencies. This directive includes a provision that loans, once restructured, must be reported at a minimum as Special Mention so as to prohibit banks from using restructuring as a means of concealing the extent of problem loans.

EC6

The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels.

Description and findings re EC6

Form BA200 (Credit risk: monthly return) contains details of the classification of credits and assets and provisioning and is submitted to the Registrar on a monthly basis. In addition, Form BA210 (Credit risk: quarterly return) provides additional details on credit risk, including restructured credit exposures and specific impairments related to large exposures, industry sectors and for watch list clients on a quarterly basis.

Banks are required to have a duly documented credit policy that specifies the bank’s process relating to the assignment of ratings to credit exposures (i.e., grading).

The proposed directive on restructured credit exposures requires banks to keep evidence in support of whether or not a restructure is considered necessary because of financial distress of the obligor, in which case the exposure must be assessed for impairment.

In practice, information is submitted to the BSD via Oracle Financial Analyser (OFA) and validation rules are in place to ensure that all returns are received from banks by the prescribed dates.

EC7

The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures.

Description and findings re EC7

Regulation 23(22)(b) states:

When the Registrar is of the opinion that the policies and procedures applied by a bank during its assessment of asset quality, risk mitigation and related credit impairment are inadequate, the Registrar may require the relevant bank to raise a specified credit impairment amount against potential credit losses, for example, by requiring in writing the said bank to transfer a specified amount from retained earnings or distributable reserves to a non-distributable reserve.

Through the ICAAP, the supervisor can increase the minimum capital requirement (either through increasing the minimum ratio or increasing the risk weighted exposure amount). Regulation 38(4) affords the Registrar the power to increase prudential capital requirements commensurate with a bank’s risk profile. One of the factors that would be taken into consideration when considering an increase is the BSD’s view of the accuracy of asset classification and credit impairments.

The assessors were made aware of a few recent instances where the BSD had discussions with banks regarding the adequacy of their provisioning and the banks acted to address supervisory concern as a result. One such bank received formal notification of the BSD’s concerns and resolved the situation in a timely manner, obviating the need for the Registrar to amend the bank’s capital or provisions.

EC8

The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions.

Description and findings re EC8

For banks on the simplified standardized, standardized and foundation IRB approaches to credit risk, Regulation 23 requires banks to apply certain standards to credit risk mitigants, including the requirement that a reduction in the risk exposure of a bank shall be allowed only if such collateral or guarantee can be realized by the bank under normal market conditions (e.g., the value at which the collateral can be realized in the market does not materially differ from its book value…). In addition, a bank shall mark its collateral to market and revalue its collateral at regular intervals but not less frequently than once every six months. Regulation 23 also contains general and specific requirements for credit derivatives. For Foundation IRB banks, there are also unique requirements for commercial real estate and other physical collateral valuation.

For the major banks on the advanced IRB approach, Regulation 23 requires LGD ratios and EAD amounts to be based on economic and market conditions that are relevant and current, and shall be reviewed on a regular basis but not less frequently than once a year or when material new information is obtained.

EC9

Laws, regulations or the supervisor establish criteria for assets to be:

(a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and
(b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).

Description and findings re EC9

With regard to the identification of problem assets, see the details of Regulations 67 and 24 described under EC 5.

The proposed directive on restructured credit exposures requires restructured credit exposures to be classified as in default until a minimum of three full consecutive payments under the revised terms and conditions have been received before the exposure can be reclassified as performing. It is expected that the new directive will be issued no later than September 2014.

In terms of Regulation 23(11)(b)(iii)(I), banks are required to have a duly documented credit policy that shall comprehensively deal with overdue amounts, exposures that are in default and re-aging of facilities. Banks therefore need to document their policy on when to reclassify defaulted loans to performing.

EC10

The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred.

Description and findings re EC10

See the references to Regulations 23(22) and 39(5) described above.

BSD staff reviews management information (i.e., Board packs), mainly for significant portfolios, on an ad hoc basis. In addition, the BSD reviews the minutes of Board and risk committee meetings to establish the issues being discussed.

At credit risk prudential meetings between BSD staff and bank Boards, one of the agenda items is usually a discussion on corporate governance relating to credit risk, including the type and extent of reporting of credit risk information to the Board.

EC11

The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold.

Description and findings re EC11

Regulations do not specifically require banks to set a threshold for the purpose of identifying significant exposures and to regularly review the level of such threshold; however, in terms of Regulation 23(22)(a)(i), banks are required to determine any credit impairment in accordance with the relevant requirements specified in Financial Reporting Standards from time to time. Banks must therefore comply with IAS 39 for determining the provisioning for financial instruments such as loans and advances. In terms of paragraph 58 of IAS 39 an entity first assesses whether objective evidence of impairment exists individually for financial assets that are individually significant, and individually or collectively for financial assets that are not individually significant.

Furthermore, the proposed directive on restructured credit exposures will require that the assessment of distressed restructured classifications should be done on a case-by-case basis. In terms of this directive, once a restructure has been classified as distressed, it must be tested for impairment under IAS 39. In addition, on a quarterly basis, disclosure of large exposures is required per person (“person” is defined in regulation 67) in terms of Regulation 24(2)(e). The disclosure includes any specific impairment raised against a large exposure. Large exposures are determined in terms of BA Section 73 and Regulation 24(6) and (7).

The definition of default requires the assessment for wholesale exposures to be made per obligor. For the retail portfolio, the evaluation is performed at a facility level where no single exposure shall be seen as significant.

EC12

The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment.

Description and findings re EC12

Credit concentration risk is monitored by geography as well as sector (or industry). The BSD receives geographic credit information in three ways, namely, the form BA210 classifies credit by (1) continent, (2) according to the IMF Financial Soundness Indicator template, and (3) the BSD receives the PIIGS country survey (the form BA202 which is submitted by the five largest banking institutions). The banks also submit credit exposures by industry sector classification (on Form BA210). This information is monitored and published in the Financial Stability Review and the Bank Supervision Annual Report. Before publication, there is a review of trends and the draft reports are submitted to senior SARB management. Furthermore, presentations are made every second month to the Financial Stability Committee, which includes presentations on Financial Stability Indicators (both by sector classification and geographic classification).

A banking sector overview is presented to the BSD on a monthly basis. The credit risk portion of this presentation is prepared by the Credit Risk division in the BSD and covers the banking sector as a whole. The presentation looks at trends in total credit exposure, default exposure, impaired advances, specific and portfolio credit impairments and impairment ratios. Where increasing trends are noted, this is discussed and, where necessary, action will be initiated.

For example, an area that has received a lot of attention in the past two years as a result of the monitoring of trends and concentrations in risk has been the unsecured lending sector. Significant growth was identified in this area and there was a concern about the risk that might be caused to the industry. Due to this, unsecured lending received a lot of scrutiny by the BSD in order to understand the risk management practices surrounding these types of assets. The BSD conducted on- and off-site reviews of banks unsecured retail lending portfolios (as well as conducting a joint review of two large insurers with the Financial Services Board), included this as a “flavor of the year” topic for discussion with bank Boards, and continues to prepare and submit reports of build-ups of risk in this category to the frontline analysis teams. Increased focus was also placed on the adequacy of provisions relating to unsecured loans, including on-site assessments of provisions for unsecured lending.

Risk mitigation concentrations are currently not actively monitored; however, in South Africa, cash, government bonds and certain high quality shares would be the most typical forms of collateral. Guarantees are also used for credit risk mitigation purposes. For counterparty credit risk, a questionnaire was issued to banks which had to indicate the type of collateral used for OTC derivatives. From the responses received it is evident that there is a high concentration in cash collateral for such exposures.

Assessment of Principle 18

Compliant

Comments

Through the use of reports submitted on a regular basis, the review of external auditor reports and selected on-site examinations, the BSD monitors problem assets at individual banks. Supervisory staff evaluates the adequacy of banks’ provisioning for problem assets on both an individual bank and peer group basis.

The assessors encourage the BSD to finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels. The compliant rating issued for Principle 18 is based, in part, on the expectation that this directive will be issued in the very near term.

Principle 19

Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.⁴⁹

EC1

Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.⁵⁰ Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured.

Description and findings re EC1

Regulation 36(14)(b) requires banks to have in place robust Board approved policies, processes, procedures and systems to allow management to identify and monitor their concentration risk levels.

Form BA 210, which is submitted to the BSD on a quarterly basis, requires banks to report their large exposures and the distribution of credit exposures per sector. These exposures include both on- and off-balance sheet exposures.

EC2

The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure⁵¹ to single counterparties or groups of connected counterparties.

Description and findings re EC2

Regulation 39(6)(a)(iii) requires the Board and senior management of a bank to ensure that there are management information systems in place that, amongst other things, allow for the proactive management of risk and provide regular information regarding the bank’s aggregate risk profile.

Regulation 39(4) requires banks to have management processes, practices, procedures and Board approved policies to manage risks listed in Regulation 39(3) which includes concentration risk.

The BSD reviews banks’ information systems during on-site reviews. If deemed necessary, the BSD can communicate any concerns it may have with regard to a bank’s information systems to the relevant management within the bank.

EC3

The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board.

Description and findings re EC3

Regulation 24(7)(a) and (b) establish prescribed percentages related to specified concentration risk. A bank or controlling company may not make investments or any form of credit to any person/entity that is greater than 10% of its capital and reserves without the approval of the Board and notification to the Registrar. In addition, a bank or controlling company may not make an investment or grant any form of credit that exceeds 25% of the bank’s capital and reserves without the prior written approval of the Registrar. In practice such requests to the Registrar are exceptionally rare.

Regulation 39(3) requires banks to manage risks on an ongoing basis; these risks may arise from the banks’ on- and off-balance sheet exposures and include concentration risk.

Regulation 39(4) requires banks to have in place comprehensive Board approved risk management processes, practices and procedures to identify, measure, monitor, control, price, mitigate and report on risks, which include concentration risk.

BA Directive 5/2008 - ‘Composition of Board-Appointed Committee to Approve Large Exposures’ - requires a bank’s Board to actively monitor and make decisions on large credit exposures.

In practice, the BSD monitors Board and management oversight of concentration risk through the SREP. This includes a review of bank policies and Board approved procedures and the review of Board and Board committee meeting mintues. Concentrations are also discussed at credit risk meetings and graph discussions. Finally, concentration risk is addressed through the ICAAP reviews.

EC4

The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.

Description and findings re EC4

Form BA 210, which banks submit to the BSD on a quarterly basis, includes information related to sectoral, geographical and currency exposures of the bank. These quarterly returns are reviewed by BSD analysts.

EC5

In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis.

Description and findings re EC5

Regulations relating to banks do not use the exact term “connected counterparties” but instead refer to “connected persons,” which is defined in Regulation 67 (Definitions) as “two or more persons, whether natural or juristic, that, unless proved to the contrary, constitute a single risk due to the fact that one of them has direct or indirect control over the other or others” or “two or more persons… between whom there is no relationship or control, but they are to be regarded as constituting a single risk due to the fact that they are so interconnected that should one of them experience financial difficulties, the other or all of them would be likely to encounter repayment difficulties.”

EC6

Laws, regulations or the supervisor set prudent and appropriate⁵² requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as off- balance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis.

Description and findings re EC6

See response to EC3.

In addition, Regulation 36(14)(d) provides a broad definition of “large exposure” to include on- and off-balance sheet exposures and various transactions, including those giving rise to counterparty exposure.

Banks are required to report such transactions on both a consolidated and solo basis and management monitoring of the limits is reviewed as part of the SREP.

EC7

The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programmes for risk management purposes.

Description and findings re EC7

Regulation 36(14)(b)(ii)(C) requires banks to conduct appropriate stress testing and scenario analysis in respect of concentration risk.

The BSD reviews these stress tests through its annual ICAAP reviews.

AC1

In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following

(a) Ten percent or more of a bank’s capital is defined as a large exposure; and
(b) Twenty-five percent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties.

Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.

Description and findings re AC1

See response to EC3. In addition, BA Section 73(4) states that the Registrar may exempt certain exposures by means of a circular.

Assessment of Principle 19

Compliant

Comments

Regulations require the Board and senior management to establish and maintain adequate policies and procedures related to concentration risk and large exposures. The BSD utilizes reports received from banks on a quarterly basis to monitor large exposures and risk concentrations. In addition, the BSD monitors Board and management oversight of concentration risk through the SREP and ICAAP reviews.

Principle 20

Transactions with related parties. In order to prevent abuses arising in transactions with related parties⁵³ and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties⁵⁴ on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.

EC1

Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties.” This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis.

Description and findings re EC1

Regulation 36(6)(c) states that a “related person” in respect of a bank or controlling company includes:

Any associate of the relevant bank or controlling company;
A significant shareholder of the relevant bank or controlling company;
A Board member of the relevant bank or controlling company, or a close family member of the Board member;
A member of senior management of the relevant bank or controlling company, or a close family member of the member of senior management;
A key member of staff of the relevant bank or controlling company, or a close family member of the key member of staff;
A company controlled by any shareholder of the relevant bank or controlling company;
Any majority owned or controlled entity;
Any significant minority owned or controlled entity; and
Any other person or entity specified in writing by the Registrar.

EC2

Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.⁵⁵

Description and findings re EC2

Regulation 24(9) - Matters specifically related to connected lending or lending to a related person - requires banks and controlling companies to have in place robust processes, procedures, systems and Board approved policies to ensure that transactions with related parties are conducted on an arm’s-length basis.

In addition, Regulation 39(6)(a) requires the Board and senior management of a bank to ensure that the monitoring and reporting of individual and aggregate exposures to related persons are subject to an independent individual credit review process.

EC3

The supervisor requires that transactions with related parties and the write-off of related- party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions.

Description and findings re EC3

Regulation 24(9)(a)(iv) requires that any transaction with a related person and the write-off of any related party exposure exceeding one percent of the bank or controlling company’s qualifying common equity tier 1 capital and reserve funds, or otherwise posing special risks, is subject to the prior written approval of the Board of directors of the bank or controlling company.

In addition, Regulation 24(9)(a)(ii) states that no person benefitting from a particular loan or exposure is responsible for the preparation of the loan assessment or credit decision, or the subsequent management of the exposure or any relevant matter related to that exposure.

EC4

The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction.

Description and findings re EC4

As mentioned in EC 3, Regulation 24(9) requires that every bank and every controlling company must have in place Board approved policies and procedures to ensure that “no person benefitting from a particular loan or exposure is responsible for the preparation of the loan assessment or credit decision, or the subsequent management of the exposure or any relevant matter related to that exposure.”

BSD staff makes the determination that a bank is following this requirement primarily through its discussions with internal audit.

EC5

Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties.

Description and findings re EC5

Regulation 24(9)(b) states that when the Registrar is of the opinion that a bank or controlling company’s policies, processes, procedures and systems related to connected lending or lending to a related person are inadequate, the Registrar may require the relevant bank or controlling company:

to deduct from its capital and reserve funds such amount relating to the said transactions or exposures as may be specified in writing by the Registrar; and/or
to obtain adequate collateral in respect of the relevant exposure.

While there is no regulatory provision enabling the Registrar to set limits for transactions with related parties other than intra-group companies, BA Section 73 prescribes limits in terms of when Board approval is required and for which transactions written approval of the Registrar is required.

Regulation 36(16) deals with matters specifically related to intragroup transactions or exposures and specifies that the Registrar may set limits in respect of intra-group transactions or exposures.

EC6

The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions.

Description and findings re EC6

Banks are required to provide selected information on a quarterly basis (see response to EC7 below). The bank needs to respond to the following questions in terms of each specific exposure reported:

Are loans and advances to related persons/intra-group entities conducted on an arm’s length basis? (Yes = 1; no = 2)
When no, a separate schedule of all exposure to related persons/ intra-group entities not at arm’s length shall on request be submitted in writing.
Does the Board of directors of the relevant bank or controlling company effectively monitor extensions of credit to related persons/intra-group entities? (Yes = 1; no=2)
Are appropriate steps taken to control or mitigate the risks relating to related persons/intra-group exposures? (Yes = 1; no = 2.

Any areas identified as a concern during the ongoing analysis of the relevant prescribed returns will be included as a topic of discussion in prudential meetings held with banks.

Also see the response to EC2.

EC7

The supervisor obtains and reviews information on aggregate exposures to related parties.

Description and findings re EC7

Regulation 24(2)(g) and Form BA 210 require quarterly reporting of selected information in respect of connected lending or lending to a related person.

Regulation 36(2)(b) and Form BA 600 require quarterly reporting of the nature and extent of intragroup exposures and any relevant exposures to a connected or related person.

In practice, the information provided by banks on Forms BA 210 and BA 600 are reviewed by BSD staff as part of the SREP and other ongoing supervisory analysis of individual banks.

Assessment of Principle 20

Compliant

Comments

Regulations set out a comprehensive definition of “related person” and require banks and controlling companies to conduct transactions with related parties on an arm’s-length basis. In addition, Regulation 39 requires the Board and senior management of a bank to ensure that the monitoring and reporting of individual and aggregate exposures to related persons are subject to an independent individual credit review process.

The BSD receives and reviews information on transactions with related parties on a quarterly basis. Any matters of concern would be included as a topic of discussion in prudential meetings held with individual banks.

The assessors recommend that the SARB amend its regulations so that the Registrar has the ability to set limits on exposures to any related parties. At this point, it only has the ability to set limits on intragroup transactions and exposures.

Principle 21

Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk⁵⁶ and transfer risk⁵⁷ in their international lending and investment activities on a timely basis.

EC1

The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures.

Description and findings re EC1

Regulation 39(3) identifies country risk and transfer risk as two of the types of risk that may arise from a bank’s on- and off- balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or report country and transfer risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including country and transfer risk. The Regulation outlines further requirements in regards to the identification, monitoring and reporting of country and transfer risk, as well as the monitoring of developments in country and transfer risk and the application of appropriate countermeasures.

Annual on-site reviews are conducted by the BSD to assess banks policies, and the risk management processes against these requirements. For instance, annual prudential meetings held with banks include a discussion on issues such as the operating environment in those jurisdictions where the bank has exposure. In addition, banks are also required to submit quarterly statutory returns outlining, inter alia, their total exposures and the credit quality of such exposures to the various geographical regions (Form BA 210, lines 118-174)

EC2

The supervisor determines that banks’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.

Description and findings re EC2

Regulation 39(4) requires all risk management policies, strategies and processes to be approved by the Board. BSD staff reviews the policies and processes related to country and transfer risks for all banks engaged in activities resulting in such risks. This is done primarily as part of the SREP.

EC3

The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits.

Description and findings re EC3

Regulation 39(5)(h)(ii) requires risk management processes and procedures to ensure that country exposures are accurately monitored and reported in the bank’s information systems, risk management systems and internal control systems. In addition, Regulation 39(5)(h)(iii) requires banks to continuously adhere to established country exposure limits.

The BSD makes this determination as part of its SREP, including through meetings and on-site reviews.

EC4

There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:

a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate.
(b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate.
(c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.

Description and findings re EC4

Regulation 39(5)(h)(v) requires banks to raise appropriate provisions for loss against country and transfer risk. While the BSD has not, to date, set any country specific percentage limits, it requires banks to have such limits approved internally as part of the risk appetite setting process. In addition, banks must also have policies and processes in place to monitor adherence to these approved limits. Furthermore, the quarterly BA 210 statutory returns submitted by banks provide a breakdown of provisions for various geographical regions (see BA 210 lines 118-193). This information is utilized by BSD staff to assess and evaluate the appropriateness of banks’ provisions for the geographical regions to which they have exposures.

On an annual basis the external auditors of the bank are also required to report to the BSD any significant weaknesses in the system of internal controls that may have come to their attention during their audit in regards to the bank’s overall credit granting activities.

EC5

The supervisor requires banks to include appropriate scenarios into their stress testing programmes to reflect country and transfer risk analysis for risk management purposes.

Description and findings re EC5

Regulation 39 requires banks’ risk management processes, practices, procedures and policies to be sufficiently robust to ensure that regular stress testing or scenario analysis is conducted in regards to inter alia country and transfer risk.

EC6

The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations).

Description and findings re EC6

On a quarterly basis the BSD receives, in the form of statutory returns, data on banks exposures to foreign countries, broken down into various geographical regions (see BA 210 lines 118-193). In addition, the BSD can also collect additional information as and when needed, for instance during crisis situations. For instance, at the height of the crisis period, the BSD collected information on banks’ exposures to some of the Euro countries (PIIGS specifically) on a monthly basis.

Assessment of Principle 21

Compliant

Comments

Since the last BCP assessment, Regulation 39 has been amended to specifically include country and transfer risks. In addition, the BA 210 quarterly report was amended in 2011 and now requires more granular information on bank’s country and transfer risks. While the level of country and transfer risk for most banks remains relatively small, the BSD monitors such exposures on an ongoing basis through the SREP and includes this risk category as part of its discussions with bank Boards, management and auditors, as appropriate.

Principle 22

Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.

EC1

Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk.

Description and findings re EC1

Regulation 39(3) identifies market risk as one of the types of risk that may arise from a bank’s on and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk-management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or market risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including market risk. The Regulation outlines further requirements in regards to the identification, monitoring and reporting of market risk, as well as the monitoring of developments in market risk.

In addition, Regulation 28 (Market risk) indicates the methods for calculating bank-wide market risk while Regulation 39(13) states that a bank that trades in contracts or positions that are measured at FV shall implement robust governance structures and control procedures as part of its risk management framework for the prudent valuation of the said instruments, contracts or positions. Regulation 39(14)(b) sets out specific corporate governance principles for IMA Banks.

Finally, the BSD has issued several Circulars, Guidance Notes and Directives related to market risk management.

The SREP includes on-site analysis of individual bank’s market risk policies and practices. This includes quarterly discussions held with the largest banks. Off-site analysis is performed on all banks.

There is also a process in place for the completion of Questionnaires (IMA, Treasury) by banks, which are in turn assessed by BSD market risk analysts. This review process leads to the identification of response weaknesses, gaps or IMA problems, as well as any need for follow-up or supplementary information. This is then followed by an on-site review regarding the structure, roles, responsibilities, methods, systems, plans, problems and other factors related to market risk. Finally, BSD staff prepares a report summarizing the process and key findings.

Regular reports include:

Value-at-Risk (VaR) measures - Reported on daily and monthly basis (See BA 325 and BA 320 market risk returns);
Stressed VaR (SVaR) measures - Reported on daily and monthly basis (See BA 325 and BA 320 market risk returns);
Market risk measures (risk weighted exposure, VaR and SVaR) are reported for banking groups on a quarterly basis via the BA 600 and BA 610 returns. These returns are specifically tailored for consolidated supervision and foreign operations;

VaR limit utilizations across banks are monitored on a monthly basis. Where a bank does not have IMA approval for market risk reporting purposes, the standardized approach equivalent is reported. The standardized rules are prescribed in Regulation 28(7), which is in line with the standardized rules set forth in the Basel capital standards. Key performance measures are reviewed and discussed at quarterly onsite meeting with banks with internal model approach approval.

The market risk specialist team of the BSD currently consists of five individuals, including a manager.

EC2

The supervisor determines that banks’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.

Description and findings re EC2

The BSD makes the determinations set out in EC2 through a combination of on-site and off-site reviews (see response to EC1). In particular, quarterly discussions related to market risk are held with the largest banks. Supervisory staff determines that adequate policies and procedures for the day-to-day management of market risk are in place. Banks are required to submit the most recent Board-approved market risk policies as part of the IMA renewal process.

Non-IMA banks can be classified into two categories:

1. smaller banks and or branches that may trade some FX products. These banks do not have quarterly on-site reviews; however due to the trading business in some, Treasury reviews will be conducted at these banks and branches; and
2. the remaining standardized banks in South Africa have limited trading exposure in the market. Due to their limited systemic risk from a market risk perspective, their market risk queries and discussions (if any) may be included in the graph discussions. Even though these banks may be subject to less on-site review, similar stringent rules are in place from a regulatory perspective in terms of policies and risk being governed in the appropriate fashion.

In addition, as part of the review of banks’ ICAAPs, supervisors determine that bank Boards oversee management in a way that ensures that the policies and procedures approved by the Board are implemented effectively and fully integrated into the banks’ overall risk management process.

EC3

The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:

(a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management;
(b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff;
(c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary;
(d) effective controls around the use of models to identify and measure market risk, and set limits; and
(e) sound policies and processes for allocation of exposures to the trading book.

Description and findings re EC3

The Regulations prescribe that banks should have information systems that can be effectively used for risk management purposes. Banks with IMA approval are required to provide a quarterly update on any system changes. This is a standard agenda item for quarterly IMA meetings. In addition, the IT risk/operational risk section of the BSD will communicate with the market risk team should anything pertaining to market risk systems arise as a result of their meetings/reviews.

The Regulations prescribe that banks should have in place a limit structure that is commensurate with the bank’s risk profile and can be adequately monitored. Banks with IMA approval are required on an annual basis to provide the BSD with their approved market risk limits as part of the IMA renewal questionnaire. A large portion of quarterly onsite meeting discussions is around business strategy and risk appetite. Limit structures and limit utilizations are discussed.

Internal VaR and Stressed VaR limits are reported on a daily and monthly basis via the BA 325 (line items 24-35) and BA 320 (100-110) market risk regulatory reporting returns. Internal committee packs are sent to the BSD on a monthly basis. These typically contain discussions around limit reviews and any breaches that may have occurred during the period. Signed limit mandates are typically sent to BSD on an annual basis. Internal Audit will review whether limits have been adhered to.

The Regulations also prescribe that banks should have in place policies and processes pertaining to exception tracking and relevant reporting escalation processes so as to ensure prompt response/action by senior management. Banks are requested on a regular basis (annually) to provide the BSD with their market risk policy and any supporting policies that would detail the necessary reporting lines. During onsite meetings, exception tracking and associated governance controls are discussed.

The Regulations prescribe that banks should have effective controls around the use of models to identify and measure market risk and the subsequent setting of limits. Policies detailing the use of models for market risk measurement and limit setting are reviewed on an annual basis, unless changes have been made prior to the annual review.

Banks are required to have minimum standards for policies and processes pertaining to the allocation of trading book exposures. In addition, banks are required to regularly review their policies and processes pertaining to trading book exposures. Banks are also required to send the BSD a trading/banking book split policy on an annual basis.

EC4

The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry- accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions.

Description and findings re EC4

The BSD determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. Banks are required to have adequate policies and processes in place that address systems and controls applicable to marked-to-market revaluations. These policies are sent to the BSD on a regular basis. The supervisor also determines that all transactions are captured on a timely basis and that the valuation processes use consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). Certain banks will provide independent market verification status reports on a quarterly basis to the BSD.

To the extent that a bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. If a bank does make use of mark-to-model valuations, the bank is required to adhere to the rules specified in the regulations.

The BSD requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions. Regulations specify that banks should have in place policies and processes related to valuation adjustments for positions that cannot be prudently valued.

Recently banks were encouraged to review the EBA document released on prudent valuation adjustments and many local banks have done work in this regard.

EC5

The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.

Description and findings re EC5

Regulation 39 requires banks to hold capital based on the nature, complexity and risk inherent in the banks activities and specifies that banks need to have procedures for valuation adjustments specifically for (i) uncertainty due to liquidity in the markets and (ii) model risk for complex products.

As part of the SREP, quarterly on-site discussions are held with systemically important banks. Off-site analysis is completed on the system. The supervisory questionnaire forwarded for completion by banks requires pricing and valuation methods used for all products including less liquid products. Additionally, banks are expected to adhere to the IFRS rules at a minimum.

EC6

The supervisor requires banks to include market risk exposure into their stress testing programmes for risk management purposes.

Description and findings re EC6

Regulation 39 requires that, as a minimum, the risk management processes, practices, procedures and policies shall be sufficiently robust to ensure that the bank regularly conducts stress testing and scenario analysis. IMA banks are required to have in place a rigorous and comprehensive process of stress testing.

Banks with IMA approval are required to send their stress testing results on a monthly basis to the BSD. Ad hoc stress testing exercises are also conducted.

Assessment of Principle 22

Compliant

Comments

The SARB has implemented a comprehensive approach to the supervision of market risk, especially at the largest banks that have been approved for the IMA. For most banks in South Africa, market risk remains at rather modest levels.

Principle 23

Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk⁵⁸ in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.

EC1

Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments.

Description and findings re EC1

Regulation 39(3) identifies interest rate risk as one of the risks that may arise from a bank’s on- and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk-management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or report interest rate risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including interest rate risk.

Banks file information on their IRRBB with the Registrar on a monthly basis on Report BA 330 – Interest Rate Risk: Banking Book. In practice, the BSD evaluates IRRBB primarily through the SREP. Assessment of policies and their implementation takes place during the ALM reviews, both off-site and on-site. As part of the SREP, the BSD sends out a questionnaire to the bank and then assesses its responses and, as needed, poses further questions. During Stage 4 of the SREP (Focused review), the BSD engages with senior management to verify the quality of the bank’s ALM. For systemically important banks, an on-site visit will occur irrespective of the initial analysis.

IRRBB is also assessed as part of the ICAAP process.

EC2

The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively.

Description and findings re EC2

Banks are required to submit a completed questionnaire related to IRRBB prior to an on-site review by the BSD (typically conducted on a two-year cycle for the larger banks and on an ad hoc basis for other banks). The on-site reviews typically focus on established limits and controls. In addition, off-site data is filed and monitored on a monthly basis.

EC3

The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:

(a) comprehensive and appropriate interest rate risk measurement systems;
(b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions);
(c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff;
(d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and
(e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.

Description and findings re EC3

See response to EC 1 above.

In practice, the assessment of policies and implementation of these policies takes place during ALM (Asset and Liability Management) reviews (both off-site and on-site reviews). The first step is to send out a questionnaire, followed by assessment of the responses. For systemically relevant banks an on-site visit will occur irrespective of the quality of the response.

EC4

The supervisor requires banks to include appropriate scenarios into their stress testing programmes to measure their vulnerability to loss under adverse interest rate movements.

Description and findings re EC4

In addition to the shock scenario that the BSD applies to banks (200bp parallel shift), banks are required to submit their own specific stress test scenarios to the BSD. During on-site visits, the results of such stress tests for interest rate risk would be discussed, as well as any actions the bank may be taking due to the results.

AC1

The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book.

Description and findings re AC1

Banks report the impact on their economic capital to the BSD on a periodic basis. The BSD is in the process of strengthening its program of review of and follow-up on this information.

AC2

The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.

Description and findings re AC2

Interest rate risk in the banking book forms part of the ICAAP process. The bank’s approach to management of interest rate risk in the banking book and the capital impact thereof is also discussed with the bank and, where required, certain recommendations are made and followed-up.

Assessment of Principle 23

Compliant

Comments

Banks in South Africa currently deal with minimal interest rate risk in the banking book due to the fact that a large percentage of lending is done on a floating rate basis. The BSD, as part of its SREP, reviews the policies and procedures in place at banks to manage such risk. The BSD also noted that they are giving IRRBB more focus in 2014 and providing additional training to members of the analysis teams.

The assessors encourage the BSD to continue with its plans to further strengthen its review of banks’ internal interest rate risk measurement systems.

Principle 24

Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.

EC1

Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards.

Description and findings re EC1

Banks in South Africa are currently subject to two prudential liquidity requirements: a cash reserve requirement and a liquid assets requirement (both based on a percentage of adjusted external liabilities). In addition, as a member of the Basel Committee, the SARB has committed to implementing the LCR and NSFR requirements, with the LCR going into effect on 1 January 2015.

Regulation 26 (Liquidity risk) requires both on- and off-balance sheet information on various aspects of liquidity risk to be filed with the Registrar (Form BA 300). This includes information on the LCR and NSFR ratios that the SARB is implementing according to the BCBS phase-in requirements. The regulation also provides guidance on the calculation of the LCR and NSFR.

Directive 2/2013 (Matters relating to the LCR) was sent to all banks on in March 2013 advising banks of the BSD’s intention to incorporate all the BCBS changes made to the calculation of the LCR in their document published in January 2013 (Basel III: The Liquidity Coverage Ratio and liquidity risk monitoring tools). In addition, Guidance Note 6/2013 was sent to all banks in August 2013 detailing the provision of a committed liquidity facility (CLF) to banks by the SARB to meet LCR requirements subject to certain conditions, adopting one of Alternative Liquidity Approaches defined in the Basel text. However, banks are required to meet the 60% minimum LCR without use of CLF when the phased-in implementation of the LCR starts in 2015.

Regulation 29 requires daily reporting of a bank’s liquid asset position, as well as a daily LCR to be reported on Form BA 325.

The BSD monitors liquidity risk through the SREP, which includes daily analysis of regulatory reports and funding levels.

EC2

The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate.

Description and findings re EC2

As a member of the Basel Committee, the SARB has committed to implementing the LCR and NSFR requirements. As with several other Committee member countries, certain aspects of the South African financial market make implementation of the LCR and NSFR difficult (e.g., a limited supply of government bonds, an illiquid and small corporate debt market and disintermediation of retail funding through money market funds into the banking sector). The BSD is closely monitoring bank data in order to follow the progress of banks in meeting the new requirements.

EC3

The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance

Description and findings re EC3

Regulation 39(3) identifies liquidity risk as one of the types of risk that may arise from a bank’s on and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or report liquidity risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including liquidity risk.

The BSD, as part of its SREP, monitors adherence to the Regulation 39 requirements.

EC4

The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:

(a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards;
(b) sound day-to-day, and where appropriate intraday, liquidity risk management practices;
(c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide;
(d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and
(e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.

Description and findings re EC4

Regulation 39(16) sets out the key features a bank’s policies, processes and procedures relating to governance, effective risk management, adequate capital and internal controls shall contain.

The BSD conducts both on-site and off-site ALM reviews as part of the SREP. In addition, with regard to the larger banks in South Africa, the BSD sends out a questionnaire on liquidity risk every two years. BSD staff reviews the responses to the questionnaire and additional questions might be posed. The BSD then conducts on-site work and meets with bank management where the bank’s liquidity risk management is discussed in detail based in part on the results of the questionnaire. This enables the BSD to get a sense of the end- to-end management of liquidity risk at the bank. Following these meetings, the BSD sends a formal letter to the bank summarizing its findings and making recommendations, where necessary. In addition, through peer comparison, the BSD is able to formulate a view on industry best practice and identify leaders and laggers.

EC5

The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:

(a) an analysis of funding requirements under alternative scenarios;
(b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress;
(c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits;
(d) regular efforts to establish and maintain relationships with liability holders; and
(e) regular assessment of the capacity to sell assets.

Description and findings re EC5

Regulation 39(5)(i) sets out the criteria for a liquidity risk function. It states that risk management processes, practices, procedures and policies shall in the case of liquidity risk be sufficiently robust to ensure that the bank:

conducts comprehensive cash flow forecasting;
duly specifies, implements and maintains appropriate limits in respect of its funding sources, including all relevant products, counterparties and markets;
conducts robust liquidity scenario stress testing, including stress tests in respect of such bank specific or sector specific scenarios as may be specified in writing by the Registrar;
develops and maintains robust and multifaceted contingency funding plans; and
maintains a sufficient cushion of liquid assets to meet contingent liquidity needs.

EC6

The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies.

Description and findings re EC6

Regulation 26(13) requires banks to maintain a liquidity cushion, made up of unencumbered liquid assets, to protect the bank against liquidity stress events, including potential losses of unsecured and typically available secured funding sources. Regulation 36 also requires a bank to submit to the Registrar in writing qualitative information relating to its strategy in respect of contingency planning.

In practice, the BSD reviews such contingency funding plans as part of its on-site and off- site ALM reviews. In particular, BSD staff determine how a bank arrived at the amount they need to “survive” in a crisis situation.

EC7

The supervisor requires banks to include a variety of short-term and protracted bank- specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programmes for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans.

Description and findings re EC7

Regulations 26 and 39 set out a variety of requirements related to stress testing, including liquidity stress scenarios.

In practice, the BSD receives the assumptions that banks apply for the idiosyncratic scenario and judge these relative to those of the bank’s peers. For the BSD, the LCR requirements supersede the domestic banks’ internal liquidity stress requirements, thereby providing additional assurance that liquidity is adequate. The four largest South African banks conduct liquidity simulation exercises facilitated by a third party and these exercises are observed by BSD staff. These simulations aid in “walking through” and understanding the banks’ contingency funding plans.

EC8

The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities.

Description and findings re EC8

Regulation 26 (Liquidity risk) sets out several requirements related to foreign currency business. Form BA 300 (monthly report) contains a table that has a foreign exchange contractual maturity ladder and analysis of this report is conducted monthly by the BSD.

Regulation 26(12)(a)(vi) requires that, while the bank has to report its LCR in rand on a solo and consolidated basis, the bank has to continuously meet its liquidity needs in each relevant currency.

In practice, the BSD monitors individual banks’ potential vulnerability through the regular ALM reviews conducted both on-site and off-site as part of the SREP.

AC1

The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks.

Description and findings re AC1

Regulation 26 addresses issues related to unencumbered assets. In particular, the following regulations apply:

Regulation 26(12)(a) Specified minimum requirements of the LCR which requires unencumbered assets.
Regulation 26(12)(a)(iv) defines unencumbered assets referred to above.
Regulation 26(13) Available sources of stress funding and related matters
Regulation 26(14)(c) Matters related to the calculation of a bank’s required amount of stable funding (RSF) - All require unencumbered assets. Table 4
Regulation 26 (14) (c)(ii)(C) - off-balance-sheet exposures
Regulation 27 (6) Available unencumbered assets

The BSD determines compliance with the requirements through its off-site and on-site ALM reviews as part of the SREP.

Assessment of Principle 24

Compliant

Comments

The BSD has already initiated adoption of the LCR by South African banks and intends to implement the NSFR on schedule as well. This is despite the fact that South Africa (like several other Basel Committee member countries) is disadvantaged by a limited supply of government bonds, an illiquid and small corporate debt market and disintermediation of retail funding through money market funds into the banking sector.

Principle 25

Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk⁵⁹ on a timely basis.

EC1

Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase).

Description and findings re EC1

Regulation 39(3) identifies operational risk as one of the types of risk that may arise from a bank’s on- and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or report operational risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including operational risk.

In addition, in 2013, the BSD issued Guidance Note 2/2013 instructing banks to implement the principles contained in the Basel Committee’s Principles for the Sound Management of Operational Risk. Principles 1 and 2 of the document cover the criteria contained in EC1 of this CP.

EC2

The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.

Description and findings re EC2

Regulation 39(15) requires banks adopting an AMA for operational risk to have in place an independent operational risk management function responsible for the development of:

Policies and procedures relating to operational risk management and control, including policies to address areas of non-compliance, which policies shall be approved by the bank’s Board of directors
Strategies to identify, measure, monitor and control or mitigate the bank’s exposure to operational risk

As mentioned in EC1, Guidance Note 2/2013 requires all banks to implement the Basel Committee’s Principles for the Sound Management of Operational Risk. Principles 1-5 of the document cover the criteria contained in EC2 of this CP.

EC3

The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process.

Description and findings re EC3

As with other risk categories, the BSD’s SREP is the primary tool for supervisory oversight of banks’ management of operational risk. In addition, annual onsite reviews have been conducted by the BSD for the five largest banks to assess banks policies, and the risk management processes against these requirements. As of 2014, a two-year on-site review cycle has been implemented. For medium to small banks, on-site reviews are conducted if operational risk issues are detected by the analysts during their off-site analysis.

EC4

The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.

Description and findings re EC4

Regulation 36(8)(b)(xi), relating to the quarterly consolidated return, requires banks to submit in writing to the Registrar qualitative information on the strategy adopted by the bank or controlling company in respect of contingency planning, including the extent to which contingency planning is centralized or managed on a business or legal entity basis.

As mentioned in EC1, Guidance Note 2/2013 requires all banks to implement the Basel Committee’s Principles for the Sound Management of Operational Risk. Principles 10 of the document covers the criteria contained in EC4 of this CP.

As with other aspects of this CP, the SREP is utilized to review the quality and comprehensiveness of a bank’s disaster recovery and business continuity plans.

EC5

The supervisor determines that banks have established appropriate information technology policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound information technology infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.

Description and findings re EC5

Regulation 39(3) identifies technological risk as one of the types of risk that may arise from a bank’s on- and off-balance sheet activities. Regulation 67 (Definitions) defines operational risk to include inadequate or failed internal systems. In addition, IT risk is included in operational risk for the purposes of Forms BA 400 and 410.

Guidance Note 2/2010 included information technology as part of the ‘flavor of the year” topics for discussions held with the Boards of directors during 2010. Guidance Note 2/2014 includes “information technology (IT) project governance” as a topic during 2014.

The Basel Committee paper referenced above, which all banks must adhere to, includes various aspects of information technology risks.

The SREP includes the IT aspects of operational risk. The BSD has recently hired an additional IT expert (the IT risk team now stands at two, excluding the manager) to enhance the department’s review of IT risk at individual banks and across the system as a whole.

EC6

The supervisor determines that banks have appropriate and effective information systems to:

(a) Monitor operational risk;
(b)Compile and analyze operational risk data; and
(c) Facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.

Description and findings re EC6

Various regulations require banks to have appropriate information systems to monitor operational risk and keep the Board of directors, senior management and business units apprised of the operational risks of the bank. For example, Regulation 39(15) requires banks adopting an AMA for operational risk to have in place an independent operational risk management function responsible for the design and implementation of:

A methodology for the measurement of the bank’s exposure to operational risk
A risk reporting system relating to operational risk

The same regulation requires the operational risk management function to:

Have in place an internal operational risk measurement system that is closely integrated into the day-to-day risk management processes and subject to regular validation and independent review
Have techniques to allocate capital to major business units and create incentives to improve operational risk management throughout the bank
Report on a regular basis its exposure to operational risk, including material losses, to the management of the bank’s business units, senior management and the Board of directors

The desktop analysis stage of the SREP is one of the key methods for supervisory verification of the information systems related to operational risk at individual banks, which provides that banks:

Shall have in place adequate measures to take appropriate action, including in cases of non-compliance with internal policies, controls and procedures
Shall duly document the bank’s operational risk management systems
Shall have in place a process to ensure compliance with the bank’s documented set of internal policies, controls and procedures concerning the operational risk management system
Shall have in place a robust operational risk management process, which is subject to regular review by the bank’s internal and/or external auditors

EC7

The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.

Description and findings re EC7

Form BA 400 - Operational risk: six-monthly return - (for banks utilizing the BIA, Standardized or Advanced Measurement Approaches for calculating the capital requirement for operational risk) and Form BA 410 - Operational risk: six-monthly return - (for banks utilizing an AMA to submit selected information in respect of, among other things, the bank’s loss event types, recorded losses and recovery of losses, which information is based on specified business lines and specified loss event types) are utilized to capture information on banks’ operational risk, to determine that they are holding adequate capital against such risk and to obtain information on bank-specific internal loss data. Banks that utilize the Standardized Approaches, although not specifically required to do so as per the Regulation, have also been requested bilaterally to complete Form BA 410.

EC8

The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management programme covers:

(a) Conducting appropriate due diligence for selecting potential service providers;
(b) Structuring the outsourcing arrangement;
(c) Managing and monitoring the risks associated with the outsourcing arrangement;
(d) Ensuring an effective control environment; and
(e) Establishing viable contingency planning.

Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.

Description and findings re EC8

Regulation 39(3) identifies outsourcing of material tasks or functions as one of the types of risk that may arise from a bank’s on and off-balance sheet activities. Regulation 39(4) subsequently requires a bank, as a minimum, to a have in place comprehensive risk management processes, practices and procedures, and Board approved policies to identify, measure, monitor, control, and appropriately price, mitigate and communicate or report outsourcing risk amongst other risk types.

Regulation 39 also requires the risk management processes and practices to be adequate for the size and nature of the activities of the bank and for the bank to ensure that both the Board and senior management receive appropriate and timely communication on all related risks, including outsourcing risk.

Regulation 36(8) requires banks to provide the Registrar with qualitative information relating to the control structure adopted by the bank or controlling company relating to outsourcing.

Regulation 48 (Internal audit) requires the internal audit function to be a permanent function of the bank; however, a bank may outsource some of its internal audit functions subject to the prior written approval of, and such conditions as may be specified in writing by, the Registrar. In these instances, the bank’s Board of directors and senior management shall remain ultimately responsible for the adequacy and effectiveness of the bank’s system of internal controls and internal audit.

Guidance Note 3/2008 deals with outsourcing functions within banks. As mentioned in EC1, Guidance Note 2/2013 requires all banks to implement the Basel Committee’s Principles for the Sound Management of Operational Risk, various sections of which relate to outsourcing.

As part of the supervisory process, BSD staff reviews documents such as bank-specific outsourcing arrangement questionnaires, in order to satisfy themselves that due diligence procedures related to outsourcing have been followed.

AC1

The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities).

Description and findings re AC1

Guidance Note 3/2014 states that effective risk data aggregation and reporting could assist with identifying common points of exposure to operation risk as well as potential vulnerabilities.

As part of the SREP review, the BSD takes note during on-site visits of outsourcing to common service providers in the industry. A typical service provider that falls within this scope in South Africa is Telkom, which provides fixed-line data and voice to the whole industry.

Staff from the BSD also attends the Operational Risk Subcommittee (ORS) of the Financial Sector Contingency Forum (FSCF). The primary objectives of the FSCF are to identify potential threats of a systemic nature that may adversely impact the stability of the South African financial sector, to develop and coordinate appropriate plans, mechanisms and structures to mitigate these threats, and to manage systemic crises. The ORS comprises stakeholders from the South African Reserve Bank, the Payments Association of South Africa, the Johannesburg Stock Exchange, the National Disaster Management Centre, STRATE, Financial Services Board, Banking Association of South Africa, BankServ Africa and the five largest banks in the country.

Assessment of Principle 25

Compliant

Comments

The SARB has developed a robust program for assessing the quality of operational risk management at individual banks. This combines on-site and off-site analysis of the systems in place at banks. The BSD has enhanced the specialist team for operational risk, which includes IT experts.

Principle 26

Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent⁶⁰ internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.

EC1

Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:

(a) Organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance);
(b) Accounting policies and processes: reconciliation of accounts, control lists, information for management;
(c) Checks and balances (or “four eyes principle”): segregation of duties, cross-checking, dual control of assets, double signatures; and
(d) Safeguarding assets and investments: including physical control and computer access.

Description and findings re EC1

The Banks Act contains several provisions related to internal controls and audit. These include:

Section 60A - compliance function of banks;
Section 60B - corporate governance; and
Section 64 - audit committee of a bank or controlling company.

In addition, various regulations set out the key elements of the internal control, audit and compliance functions

Regulation 39 - process of corporate governance, inter alia setting out requirements pertaining to Board members and executive and senior management of banks, including the requirement to ensure the establishment, implementation and effective functioning of adequate internal control frameworks.
Regulation 40 - guidelines relating to the conduct of directors, including the requirement to report annually to the Registrar on the adequacy and effectiveness of a bank’s internal control framework.
Regulation 41 - composition of the Board of directors, including the prohibition of the chairman of a bank or controlling company being on the audit committee of the controlling company or any of its banks.
Regulation 46 - requirement for external auditors to annually assess banks’ internal control frameworks and to identify and report to the Registrar any weaknesses.
Regulation 48 - requirements pertaining to the internal audit function of banks.
Regulation 49 - requirements pertaining to the compliance function of banks.

The SREP cycle (notably Stages 2 to 4), includes a wide range of interactions with banks and the external auditors of banks in order to gather information relating to, and assess the adequacy and effectiveness of, banks’ internal control frameworks. Any material weaknesses identified will be documented and communicated to the bank, either to executive/senior management or the Board of directors, and actions by the bank to address weaknesses will be tracked until resolved.

In addition, periodic reviews are performed in respect of internal audit and compliance reports, as well as external audit reports to further facilitate BSD’s assessment and monitoring of the internal control frameworks of banks.

EC2

The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units.

Description and findings re EC2

In addition to the tools and measures described in EC1, annual meetings with the chief executive officer, head of internal audit, head of the compliance function and the external auditors will include a discussion of human resources. This will include discussions on such matters as staff numbers, skills, experience, turnover, and segregation of duties. Agendas pertaining to prudential meetings with operational and other functional and administrative managers, as per the supervisory program, will typically also include a discussion on these topics.

EC3

The supervisor determines that banks have an adequately staffed, permanent and independent compliance function⁶¹ that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function are suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function.

Description and findings re EC3

BA Section 60A and Regulation 49 (Compliance function) require all banks in South Africa to establish an independent compliance function. Further, Regulation 49 prescribes minimum requirements pertaining to the compliance function, including:

The compliance function shall be headed by a senior executive officer of the bank with the authority to communicate directly and freely in respect of any relevant matter, including, for example, decisions made by the management of the bank that may be in conflict with legal or regulatory requirements with the members of chairman of the bank’s Board of directors, with the members or chairman of the audit committee or with the external auditor of the bank.
The compliance function shall have adequate resources and stature in order to ensure that non-compliance with laws and regulations or supervisory requirements by the bank can be duly addressed.

In addition, Regulation 39 (Process of corporate governance) includes the requirement that Board members and executive and senior management of banks ensure that compliance risk is adequately monitored and managed.

Staff of the BSD holds annual meetings with the head of the compliance function of banks in order to discuss and assess the appropriateness and effectiveness of the function. These discussions cover a wide range of topics relevant to the compliance function, including reporting lines into the governance structures of the bank. These meetings are based on an agenda prepared by the BSD. Any material weaknesses identified during these meetings are documented and communicated to the bank, either to executive/senior management or the Board of directors (if regarded as necessary owing to the materiality of the issue) and actions by the bank to address weaknesses will be tracked until resolved.

In addition, periodic reviews are performed in respect of internal audit and compliance reports, as well as external audit reports to further facilitate the BSD’s assessment and monitoring of the appropriateness and effectiveness of a bank’s compliance function.

EC4

The supervisor determines that banks have an independent, permanent and effective internal audit function⁶² charged with:

(a) Assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and
(b) Ensuring that policies and processes are complied with.

Description and findings re EC4

Regulation 48 (Internal audit) states that “in order to evaluate and improve the effectiveness of a bank’s risk management, control, capital management and governance processes and/or systems, a bank shall establish an independent and objective internal audit function…” The regulation sets out the requirements pertaining to the internal audit function of banks, including:

The audit function shall form an integral part of the ongoing monitoring of the bank’s system of internal controls, and the bank’s internal capital assessment procedure;
Based on the nature and extent of the bank’s operation and risk exposure, shall be appropriately structured within the bank’s governance structure;
Based on the governance structure of the bank, shall report directly to the bank’s chief executive officer, Board of directors or audit committee;
Shall have sufficient resources and appropriately trained staff;
Shall be functionally independent from the activities audited and the day-to-day internal control processes of the bank;
Shall be able to conduct any assignment with objectivity and impartiality;
Shall be headed by a senior executive officer of the bank with the authority to communicate directly and freely…with the members or chairman of the bank’s Board of directors, with the members or chairman of the bank’s audit committee, or with the external auditor of the bank, where appropriate;
Shall be subject to independent review…by an independent person or committee such as external audit or the bank’s audit committee;
Shall adopt and comply with all relevant generally accepted internal audit standards;
May from time to time meet with the bank’s external auditor…and shall provide the bank’s external auditor access to any relevant internal audit reports;
Shall have in place a sufficiently robust process in order to follow up responses that relate to audit findings, whether or not recommendations have been implemented, and whether or not the department’s concerns were appropriately addressed’
Shall regularly report to and advise senior management and the Board of directors or audit committee on the performance of the internal control system and the achievement of the objectives of the internal audit department.

Annual meetings are held between the BSD and the head of internal audit of banks in order to discuss and assess the appropriateness and effectiveness of the function. These discussions cover a wide range of topics relevant to the internal audit function, including reporting lines into the governance structure of the bank. The meetings are based on an agenda prepared by the BSD. Any material weaknesses identified during these meetings are documented and communicated to the bank, either to executive/senior management or the Board of directors (if regarded as necessary owing to the materiality of the issue) and actions by the bank to address weaknesses will be tracked until resolved.

The BSD is furnished annually with the internal audit plan of a bank. In addition, periodic reviews are performed in respect of internal audit and compliance reports, as well as external audit reports to further facilitate BSD’s assessment and monitoring of the appropriateness and effectiveness of a bank’s internal audit function.

The appropriateness, effectiveness and work performed by the internal audit function are also discussed at the annual meeting held with the audit committee of banks.

Most supervisory dealings with bank management across the bank’s operations typically include an agenda item dealing with internal audit interaction and findings.

EC5

The supervisor determines that the internal audit function:

(a) Has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing;
(b) Has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations;
(c) Is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes;
(d) Has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties;
(e) Employs a methodology that identifies the material risks run by the bank;
(f) Prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and
(g) Has the authority to assess any outsourced functions.

Description and findings re EC5

See description provided in EC4 above.

The various requirements of EC5 typically form part of the items discussed during annual meetings with the heads of internal audit.

Assessment of Principle 26

Compliant

Comments

The BSD closely monitors the adequacy of internal controls and compliance at individual banks. Through such off-site practices as the review of banks’ internal reports and regular meetings with Board audit committees, internal auditors and compliance officers, the BSD is able to assess the quality of internal controls and audit at banks.

Principle 27

Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.

EC1

The supervisor⁶³ holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data.

Description and findings re EC1

IFRS accounting standards are applied to all banks and controlling companies in South Africa without any deviations.

BA Section 75 as well as Regulations 3(1), 4(1) and 44(1) of the Regulations relating to Banks, place the onus on the management of a bank to prepare financial statements in accordance with International Financial Reporting Standards (IFRS) and that management takes responsibility for these.

Sections 24 (Forms and standards for company records) and 28 (Accounting records) of the Companies Act refer to the requirements for banks to maintain records. Sections 29 (1) and 29 (5) require that financial statements conform to the financial reporting standards. Section 30(1) further requires that the financial statements be prepared annually.

BA Section 85 places the responsibility on the management of the bank to certify the returns or any other documents (which would therefore include financial statements) submitted to the Registrar as correct. This would therefore imply that they have been prepared as required.

EC2

The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards.

Description and findings re EC2

Regulation 46(6) requires that audit reports be rendered in accordance with the wording and practices of the Independent Regulatory Board for Auditors (which conforms to internationally accepted auditing practices and standards).

Section 30(2) of the Companies Act requires that annual financial statements be audited and section 30(3) requires that they include an auditor’s report.

Section 90 of the Companies Act details the requirements for an auditor of a company (bank), including the independence requirement (Section 90(2)(b)) and registration with the Independent Regulatory Board for Auditors (Section 90(2)(a)).

BA Section 65 places the duty on the bank to furnish the Registrar with copies of the financial statements. Regulation 46 (1) requires that annual returns submitted to the Registrar be audited.

EC3

The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes.

Description and findings re EC3

Regulation 3(1) specifies that all returns shall be prepared in accordance with Financial Reporting Standards and regulation 3(2) states that the same accounting policy shall apply to both the annual financial statements and the regulatory returns, unless otherwise provided.

Regulations 2 and 3(3) address the need for returns submitted to the Registrar to be reconcilable to the bank’s management accounts and/or Board reports and annual financial statements.

Regulation 3(4) addresses the requirement for banks adopting the fair value option to have robust risk management policies, procedures and controls in place, to comply with the requirements of the relevant Financial Reporting Standard, and be subject to independent verification and validation.

In practice, BSD staff makes such determinations as part of their ongoing supervisory work, supported in part through their discussions with banks’ external auditors.

EC4

Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit.

Description and findings re EC4

Section 5 of the Companies Act gives prevalence to the Auditing Profession Act. In terms of Section 2(c) of the Auditing Profession Act, the Act is aimed at improving the development and maintenance of internationally comparable ethical standards and auditing standards for auditors. The Independent Regulatory Board for Auditors established under the Auditing Profession Act has adopted the International Standards on Auditing issued by the International Auditing and Assurance Standards Board as the applicable auditing standards to be applied by registered auditors (responsible for the audit of banks). The ISAs (ISA 300, 315 and 320) include requirements for audits to be conducted following a risk and materiality based approach in planning and performing an external audit.

Regulation 46 deals with the additional scoping requirements for auditors in relation to the audits of banks.

EC5

Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.

Description and findings re EC5

International Standards on Auditing (ISAs) determine that a risk and materiality based approach be followed when planning and conducting audits. Audits of banks include areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting. In addition, Regulation 46(4) requires that the auditor report to the Registrar specifically on the granting of loans, the making of investments, the ongoing management of the loan and investment portfolios and the relevant credit impairments, loan loss provisions and reserves.

EC6

The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards.

Description and findings re EC6

BA Section 61(3) gives the power to the Registrar to either refuse the application for the appointment of an auditor or withdraw any approval of an auditor due to reasons specified in the section. The form BA 006 is to be completed by banks for approval of appointment of an auditor.

Section 62 provides that the Registrar may appoint an auditor if for any reason the bank fails to make such appointment.

EC7

The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.

Description and findings re EC7

Section 92 of the Companies Act requires that auditors (specifically, the senior partner) be rotated from time to time (typically every five years).

BA Section 61(3) also states that the Registrar may refuse the re-appointment of an auditor who has already served the prescribed number of years consecutively.

EC8

The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.

Description and findings re EC8

Regulation 46(9) provides for discussions to be held between the auditors and the Registrar to discuss matters pertaining to the audit of a bank. Bilateral meetings are held between the BSD and the auditors of each bank annually (refer to BA Section 4(4)(e)).

In addition, the BSD participates in various banking industry groups where interaction with external audit firms takes place.

EC9

The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality.

Description and findings re EC9

Regulation 46 (Audit reports) Sections (2)-(4) detail the scope of the auditors’ reporting requirements to the Registrar, which includes the requirements relating matters of material significance, compliance with laws and regulations and significant deficiencies in internal controls.

BA Section 63(1) details the functions of the auditor in relation to the Registrar and includes the requirement for the auditor to report on matters which may endanger the bank’s ability to continue as a going concern, impair the protection of depositors’ funds, be contrary to the principles of sound management (including risk management) or amounts to inadequate maintenance of internal controls.

Section 63(3) further states that an auditor acting under the Act may not under any circumstances be deemed to be in contravention of the law or code of professional conduct to which the auditor may be subject.

In addition, bilateral meetings are held between BSD staff and the external auditors prior to an audit to discuss, amongst other things, any areas of concern as well as scoping requirements for the year’s audit. Trilateral meetings are also held after an audit between the BSD, external auditors and the audit committee of the bank to discuss key external and internal audit findings.

AC1

The supervisor has the power to access external auditors’ working papers, where necessary.

Description and findings re AC1

In terms of BA Section 4(4) the Registrar may review the work done by an external auditor of a bank.

Assessment of Principle 27

Compliant

Comments

Banks in South Africa are required to publish their financial statements based on IFRS standards, and to have the statements audited. The supervisory process is based, in part, on a strong working relationship between the BSD and banks’ external auditors.

Principle 28

Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.

EC1

Laws, regulations or the supervisor require periodic public disclosures⁶⁴ of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.

Description and findings re EC1

Regulation 43 (Public disclosure) sets out the detailed requirements for public disclosure of information by banks and states that:

a bank shall disclose in its annual financial statements and other disclosures to the public, reliable, relevant and timely qualitative and quantitative information that enables the users of that information, among other things, to make an accurate assessment of the bank’s financial condition, including its capital adequacy position, and financial performance, business activities, risk profile and risk management practices…

Regulation 43(2) details the extent of disclosures to be made by banks to ensure that they reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.

Subject to certain conditions as may be specified in writing by the Registrar, Regulation 43(3) states that when a bank is controlled by a controlling company, another bank, or an institution approved by the Registrar that conducts business similar to the business of a bank in a country other than South Africa, the requirements of Regulation 43 shall apply to such controlling company, bank or institution instead of the bank.

Financial disclosures are made in line with the requirements of IFRS as part of the annual financial statements and are audited as part of the external audit of banks.

The Registrar has also fully implemented the Pillar 3 disclosure requirements set out in Basel II. Regulation 43 (3) requires that all bank controlling companies submit the full set of Pillar 3 disclosures.

EC2

The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank.

Description and findings re EC2

Regulation 43(2) requires that both qualitative and quantitative disclosures be made and sets out the detailed disclosure requirements. This includes disclosures on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, governance and remuneration. Disclosures related to aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration are included in the required IFRS disclosures as part of the annual financial statements. Banks’ disclosures are periodically reviewed by the BSD’s relationship teams/bank analysts as part of their ongoing work.

In reviewing the annual reports of several banks, the assessors determined that the scope of disclosure for banks is quite extensive, including both qualitative and quantitative information.

EC3

Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.

Description and findings re EC3

Regulation 43(2) requires banks to disclose information relating to material entities in the group structure.

EC4

The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.

Description and findings re EC4

The Pillar 3 Disclosure function of the BSD (with the aid of the risk and analysis teams) is responsible for the review and enforcement of disclosure standards.

Pillar 3 disclosures submitted by banks are reviewed according to resource availability. These disclosures are reviewed for completeness and reconciled on a sample basis to the supervisory returns. Neither the Pillar 3 requirements nor the Regulations relating to Banks require that Pillar 3 disclosures be audited; however, where material errors/discrepancies are noted as part of the BSD’s review, these are communicated to the bank in question.

Directive 8 of 2013 was issued to communicate banks’ revised Pillar 3 disclosure requirements in line with the changes in the Basel III framework.

EC5

The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles).

Description and findings re EC5

The South African Reserve Bank (SARB) publishes information relating to the banking sector on a monthly basis.

The data series includes such topics as balance sheet and off-balance sheet activities, capital adequacy, large exposures and such risk categories as credit, liquidity, market, interest rate risk in the banking book, counterparty and currency.

AC1

The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period.

Description and findings re AC1

The SARB adheres to and has fully adopted the Pillar 3 disclosure requirements as prescribed by the Basel framework.

Assessment of Principle 28

Largely Compliant

Comments

The banks in South Africa are required to disclose a wide range of information to the public on a regular basis.

As is permitted under the Basel capital framework, Pillar 3 disclosures are not currently audited. Therefore it is important for these disclosures to be reviewed on a consistent basis by BSD staff. Currently, the reports are only reviewed on a sporadic basis. With recent staff increases, the BSD should endeavor to assign the responsibility for reviewing the Pillar 3 disclosures to either analysts or other individuals with the requisite skills. The alternative to a consistent internal review process would be to impose a requirement that the reports be reviewed by the banks’ external auditors.

Principle 29

Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.⁶⁵

EC1

Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities.

Description and findings re EC1

BA Sections 3, 4, 5, 6, 7, 8, 9, and 10 give powers to the Registrar to supervise banks. Furthermore, in the Regulations relating to Banks:

Regulation 39 requires a bank to manage its risk, of which one of the risks includes “detection and prevention of criminal activities.”
Regulation 47 dealing with reportable offences requires banks to report an offence in writing to the Registrar within 30 days after the bank became aware of any Money Laundering (ML)/Terrorist Financing (TF) activity in which the bank was involved and which was not identified in a timely manner and reported as required by law, including those requirements contained in the Financial Intelligence Center Act (FICA).
BA Regulation 50 requires a bank to have robust structures, policies and processes in place to guard against market abuse, financial fraud, market manipulation, financing of terrorism and money laundering.

FICA Schedule 2 lists the SARB and the Registrar as a supervisory body. Each supervisory body listed in Schedule 2 has the primary responsibility for supervising those accountable institutions regulated or supervised by it for compliance with the FICA and the Money Laundering and Terrorist Financing Control Regulations. FICA Section 45 sets out the supervisory responsibilities relating to accountable institutions. Every supervisory body is responsible for supervising and enforcing compliance with the FICA or any order, determination or directive made in terms of the FICA by all accountable institutions regulated or supervised by it. Then, FICA Section 45(1A) inserts this duty into the statutory mandate of each supervisory body and makes it a core function of that supervisory body.

FICA Section 45B gives powers to the BSD to conduct routine inspections to confirm that banks are committed to ensuring that their business is conducted in conformity with high ethical standards, laws and regulations. Section 45B (b) gives powers to the BSD to conduct non-routine inspections. The Constitutional Court in 2014 ruled this power of non-routine inspections as unconstitutional on the ground of the right to privacy and the prohibition of warrantless searches. The assessors were informed that the Court ordered such inspections to be suspended 18 months after the ruling and the relevant authorities are preparing to amend the act before the deadline.

The FIC, the Financial Intelligence Unit in South Africa, or BSD may in terms of Section 43A issue directives regarding the application of the FICA. For directives specifically applies for banks, the BSD is assumed to issue such directives.

EC2

The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities.

Description and findings re EC2

FICA Section 42 requires banks, as accountable institutions to formulate and implement internal rules concerning key requirements contained in the FICA and related Regulations.

The Money Laundering and Terrorist Financing Control Regulations, Chapter 5 in Regulations 25, 26 and 27 provide guidelines on policies, processes and working methods to be implemented in order to demonstrate appropriate money laundering and terrorist financing internal controls within an accountable institution. A specialized AML/CFT review team was established within the BSD in 2011. The BSD has created an internal Anti-Money Laundering and Combating the Financing of Terrorism Supervisory Manual (AML/CFT manual), within which it has set out the processes and procedures to be followed by the BSD in carrying out its supervisory duties as outlined in the FICA. In order to protect the integrity of the banking system from being compromised by money laundering and the financing of terrorism and proliferation, the AML/CFT manual contains detailed guidelines on how the department will undertake supervision and assessment of compliance of a bank’s AML/CFT controls through both on-site and off-site responsibilities. In the BSD’s view, this links to the mission of the BSD, which is “to promote the soundness of the banking system and to minimize systemic risk through the effective and efficient application of international regulatory and supervisory standards.”

As part of its off-site supervision, the BSD also receives monthly statistical AML returns from banks which provide updated information on:

Whether the bank’s policies and rules on anti-money laundering and terrorist financing control measures had been updated during the past month.
Number of suspicious transaction reports (STR’s) during the past month, including the total of amounts involved and particular mention of the highest amount involved.
Statistics and breakdown of the number of employees that received AML/CFT specific training during the past month.

The BSD’s onsite inspection on AML/CFT procedures includes amongst others procedures to assess the adequacy of banks’ internal rules and working methods (policies and procedures) to prevent the bank being used for money laundering and the financing of terrorism. The onsite inspection is conducted based on risks a bank poses to the system. The supervisory plan is formulated by information provided by various sources including off-site analysis, meeting with bank management, internal and external auditors’ reports, among others.

Since the AML/CFT team was established in 2012, large banks as well as some foreign branches with strong cross-border operations were chosen as the priority for on-site activities. After all of these inspections are completed, the focus has shifted to smaller banks, although not all banks have been covered. The BSD explains they look at not only bank sizes but also their business such as customer bases and products they offer, in prioritizing banks. The inspections for large banks are conducted by around 10 staff members and take 6-8 weeks. For small banks, the team could consist of around 5 staff members and take as short as 3 weeks. Usually, these inspections result in 40-50 findings.

As mentioned in EC1, the Regulations, particularly Regulation 50, set out general requirements for banks to have in place robust structures, policies and processes to manage ML/FT risks. Although the primary AML/CFT legislation (FICA) does not provide a firm legal basis for the BSD to assess adequacy of specific AML/CFT policies and procedures against the international best practices and take supervisory actions accordingly, the BSD, on the basis of its broader supervisory powers provided by the BA and its Regulations, expects banks to apply a risk-based approach by establishing ML/FT risk assessment frameworks and taking proportionate mitigating measures. Thus, in the BSD’s view, the scope of its supervision has extended beyond the current FICA to require implementation of the non-enforceable FIC Guidance Notes (in particular Guidance Note 3) and the FATF standard such as enhanced CDD measures on high risk customers. However, this interpretation is not yet officially tested as the formal sanctions applied to banks so far are based on the FICA and not the BA.

In order for the BSD to apply a risk-based approach in its supervision of ML/FT risk in banks, preliminary risk matrix and other supervisory tools are being developed to help identify higher risk institutions to which on-site inspections should be targeted. Since the transformation from a rules-based supervisory approach to a risk-based one is still at an early stage, the BSD’s supervisory practices have not yet fully adapted to this transformation and the supervisory expectations have not been communicated sufficiently clearly to, nor fully internalized by the banks.

EC3

In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.⁶⁶

Description and findings re EC3

Regulation 47, dealing with reportable offences, requires banks to report an offence in writing to the Registrar of Banks within 30 days after the bank became aware of any money laundering and financing of terrorism activity in which the bank was involved and which was not identified in a timely manner and reported as required by law, including those requirements contained in the FICA. Furthermore, reportable offenses also includes those incidents that results in or will result in the bank losing in excess of one percent of its qualifying capital and reserve funds. The assessors were informed that this has happened before where a bank found that their reporting process had not been properly followed.

In addition, FICA Sections 27, 28, 28A, 29, 30 and 31 require banks to report information that may be related to crime to authorities for further investigation and prosecution where necessary.

EC4

If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities.

Description and findings re EC4

FICA Section 36 stipulates that if the BSD knows or suspects that an accountable institution such as a bank, wittingly or unwittingly has received or is about to receive the proceeds of unlawful activities or has been used or may be used in the future for money laundering purposes, it must advise the FIC and any other supervisory body and furnish all information and records.

The FIC shares financial intelligence information with law enforcement agencies such as South African Police Services, Directorate for Priority Crime Investigation, and the South African Revenue Services. The law enforcement authorities investigate and prosecute based on the financial intelligence produced by the FIC.

The BSD’s supervisory procedures ensure that banks have suspicious transaction detection systems and processes in place. There are specific inspection procedures that include a review by the BSD of suspicious and unusual transactions detected by automated systems or by staff and determining whether these transactions were analyzed by the bank and reported to the FIU. There were cases that as a result of onsite inspections the BSD identified unreported suspicious and unusual transactions as well as unreported large cash transactions. The BSD in these instances informed the FIC of the aforementioned non-reporting.

EC5

The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management programme, on a group-wide basis, has as its essential elements:

(a) A customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks;
(b) A customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant;
(c) Policies and processes to monitor and recognize unusual or potentially suspicious transactions;
(d) Enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk);
(e) Enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and
(f) Clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period.

Description and findings re EC5

(a) FICA Section 21 sets out the customer identification and verification requirements. The Money Laundering and Terrorist Financing Control Regulations, Chapter 5, Regulations 25 and 26 set out the requirement to have documented internal rules related to the establishment and verification of customer identities, as well as the record keeping rules together with guidelines on policies, processes and working methods to be implemented. The FIC issues guidance based on section 4(c) of the FIC Act to assist accountable institutions and the relevant supervisory bodies with the practical application of certain requirements of the FICA. FICA assigns relevant supervisors the duties to assess accountable institution’ alignment with the guidance provided through the Guidance notes, through the supervisory body inspection powers and responsibilities contained in section 45. FICA Guidance note 3 sets out the client acceptance policy requirements under paragraph 5.

(b) Money Laundering and Terrorist Financing Control Regulations, Chapter 1, Regulations 3 to 16 provide for the specific customer identification and verification requirements for different categories of clients. Regulation 19 provides requirements regarding the ongoing maintenance of customer information. This is supplemented by FICA Guidance note 3 paragraph 14 provides further details, including conduct of due diligence reviews on existing relationships at appropriate times.

(c) Money Laundering and Terrorist Financing Control Regulations, Regulation 27 sets out the requirement of accountable institutions to have internal rules concerning the detection and reporting of suspicious and unusual transactions.

(d) FICA Guidance note 3 sets out under paragraphs 2, 3, 4 and 5 the due diligence processes to be followed in respect of higher risk customers. For example, paragraph 4 provides a detailed list that should be considered in identifying higher risk customers. Then, paragraph 5 requires a graduated customer acceptance policy for higher risk customers.

(e) FICA Guidance note 3 also sets out under paragraphs 25 to 27, the enhanced due diligence requirements in respect of Politically Exposed Persons, including the escalation to senior management for related decisions.

(g) FICA Sections 22, 23, 24, 25, and 26 stipulate the record-keeping requirements including records to be kept, retention period, admissibility of records and access to such records.

The BSD’s onsite inspection procedures assess whether banks comply with CDD, record-keeping requirements in the various legislation and FIC Guidance notes as outlined above. In addition, the inspection procedures also assesses banks compliance to the “internal rules” requirements, essentially ensuring that banks have policies, procedures and working methods for CDD, enhanced CDD for higher risk customers. The onsite assessment goes further and assesses the adequacy of these policies, procedures and working methods, which includes an assessment of the banks’ risk-based approach to customer acceptance and general CDD. In case of a bank controlling company, the BSD’s assessment covers group-wide policies, although the FICA requirements only apply to banks.

The BSD also at on-site inspections assesses banks’ enhanced due diligence procedures for the acceptance of higher risk customers such as politically exposed persons or higher risk transactions such as money services businesses and trade finance transactions.

As mentioned in EC2, in the BSD’s view, although FICA Guidance notes themselves do not have power of law, the BSD can take supervisory measures based on these guidelines as these are regarded to set expectations for structures, policies, processes and procedures that banks need to adhere as stipulated in BA Regulation 50 on such issues as identifying customers, maintaining ethical standards in all business transactions, providing adequate training and guidance to staff, maintaining internal records of transactions, and reporting suspicious customers and transactions, among others. In practice, the BSD’s inspections often includes findings regarding compliance with FICA guidance notes, the banks’ corrective actions on which are followed-up off-site.

The BSD recently imposed administrative fines on 4 large banks for their failures to comply with the FICA, which was detected through its on-site activities. Failures in the CDD practices were one of the reasons for the fines.

EC6

The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:

(a) Gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and
(b) Not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.

Description and findings re EC6

FICA Guidance note 3 for Banks sets out under paragraph 28, citing this EC, the AML/CFT control measures that need to be put in place by a bank in respect of correspondent banking relationships which includes gathering sufficient information about the respondent bank.

A number of principles set out by the Wolfsberg group have been used to determine the risk indicators to be considered in order for a bank to ascertain the AML/CFT risks associated to having a relationship with a particular respondent bank, and then to determine to commensurate level of due diligence to be undertaken in respect of such bank.

The BSD’s inspection procedures includes and assessments of the existence of and the adequacy of bank’s internal rules, policies and procedures and working methods in dealing with correspondent banks. The BSD explains that the correspondent banking inspection procedures were developed from the standards in the FATF Recommendations as well as the FICA Guidance note listed above.

EC7

The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism.

Description and findings re EC7

FICA Sections 27, 28, 28A, 29 and 32 set out the reporting obligations in respect of threshold reports, property associated with terrorists and related activities, suspicious and unusual activities as well as information requests from authorized persons.

Regulation 21 of the Money Laundering and Terrorist Financing Control Regulations sets out the requirement for accountable institutions to obtain information that will assist in identifying proceeds of unlawful activities or money laundering activities. Regulation 27 sets out the requirement for accountable institutions to have internal rules concerning the detection and reporting of suspicious and unusual transactions.

In practice, a large number of banks in South Africa utilize customer screening systems and automated suspicious and unusual transaction monitoring systems to detect banking system abuse and potential or suspected money laundering and terrorist financing activities. Manual processes of client monitoring is also utilized by all banks to detect and report banking system abuse and identify potential or suspected money laundering and terrorist financing activities.

On-site inspection procedures have been developed and are incorporated within the AML/CFT manual which is used during supervisory interactions and inspection to determine the robustness of the preventative controls put in place within a bank to safeguard against money laundering, terrorist financing and associated financial crime based on Regulation 50, among others. As explained in EC1, the comprehensive on-site inspections focusing on AML/CFT has been conducted since the establishment of responsible teams in 2012, with inspections on all large banks has completed. As mentioned below, these inspections led to the recent application of administrative fines for large banks due to weakness in their frameworks, including their controls and systems over monitoring and reporting suspicious transactions.

EC8

The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities.

Description and findings re EC8

The amendment to the FICA in 2010 empowered the BSD in terms of section 45C to impose administrative sanctions on banks non-compliant with the Act. The BSD exercised these powers very recently by fining most of the large banks in April 2014 based on the findings of on-site inspections.

Furthermore, As requirements by FICA and relevant regulations are regarded as comprising requirements under the BA, the Registrar has can apply a number of measures under the BA, although no formal measures against banks on AML/CFT issues based on the BA have not been taken to date.

EC9

The supervisor determines that banks have:

(a) Requirements for internal audit and/or external experts⁶⁷ to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports;
(b) Established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported;
(c) Adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and
(d) Ongoing training programmes for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities.

Description and findings re EC9

(a) BA Regulation 48 requires banks to establish an independent and objective internal audit function to evaluate and improve the effectiveness of a bank’s risk management, control and governance processes and/or systems, including those related to abuse of financial services. Copies of reports emanating from such internal and/or external audit exercises conducted are submitted to BSD. (See relevant CPs).

(b) FICA Section 43(b) sets out the requirements for accountable institutions to appoint a compliance officer tasked with the responsibility of ensuring that the bank and its employees comply with the FICA and its internal rules.

(c) BA Regulation 50 requires banks to have adequate structures, policies, processes and procedures to maintain high ethical standards in all business transactions.

(d) FICA Section 43(a) sets out the requirement for the accountable institution to provide training to its employees in order to ensure that the bank complies with the provisions of the FICA and its internal rules. In addition, BA Regulation 50 requires banks to provide adequate training and guidance to their staff.

The BSD’s onsite inspection procedures, as prescribed in the AML/CFT Supervisory Manual, assess banks’ compliance with the regards to ongoing training of employees on AML/CFT, the appointment of an AML/CFT compliance officer. In addition, the BSD also review banks’ internal audit reports on compliance with AML/CFT requirements as part of conducting AML/CFT onsite inspections. The BSD’s inspection procedures also include an assessment of whether internal audit has performed an independent review of AML/CFT, such as the suspicious transaction monitoring systems.

As part of the quarterly AML/CFT “prudential” meetings with banks, discussions are also held with the banks on internal audit’s involvement in assessing compliance with AML/CFT requirements. Issues related to AML/CFT compliance are also discussed at prudential meetings with banks’ internal audit and compliance functions.

EC10

The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities.

Description and findings re EC10

The BSD’s AML Teams established inspections procedures to determine whether banks have policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. It also looks at the adequacy of management information systems.

EC11

Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable.

Description and findings re EC11

FICA Section 38 provides for the protection of persons making reports in terms of the FIC Act. The Protected Disclosures Act 26 of 2000 (PDA) protects persons who reports suspicious activities in good faith.

EC12

The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes.

Description and findings re EC12

The FIC is the only institution permitted to share financial intelligence information with law enforcement agencies such as South African Police Services, Directorate for Priority Crime Investigation, and the South African Revenue Services. The law enforcement authorities investigate charge and prosecute based on the financial intelligence gathered by the FIC. The FIC further shares the state of compliance information with FATF, ESAAMLG, BIS, IMF, and Egmont Group where necessary.

The BSD does not have the discretion to share details of suspected or actual criminal activities with external third parties, save for its duty to report and share information with the FIC and relevant supervisory bodies related to suspected facilitation of money laundering or proceeds of crime by a bank in terms of FICA Section 36.

The BSD does however share issues of non-compliance with AML/CFT requirements of particular banking institutions with other domestic and international supervisory authorities with whom the BSD have a MOU in place.

EC13

Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks.

Description and findings re EC13

The FIC has AML/CFT specialists who interact with accountable institutions in South Africa including banks. The FIC bears the sole responsibility for receipt and analysis of suspicious transactions reports.

The BSD have AML/CFT specialists (10 staff members dedicated to AML/CFT solely) who are also inspectors in terms of FICA Section 45A. This BSD team is responsible to assess and enforce compliance with the FICA, and not to investigate and/ or address criminal activities.

The FIC and BSD however jointly conduct AML/CFT prudential meetings and to discuss money laundering controls, terrorist financing controls, suspicious transaction reports and trends, predicate crimes, and cyber-crime trends.

The BSD is afforded certain powers in terms of BA Sections 81 to 84 to control the activities of unregistered persons that have not been granted a license to operate the business of a bank by the Registrar. These activities are, however, confined to illegal deposit-taking only.

The above-mentioned provisions provide, among other things, that the Registrar may do the following in respect of unregistered persons that are suspected of taking deposits from the general public in contravention of the BA:

Apply to court for an order prohibiting anticipated or actual schemes involved in illegal deposit-taking.
Extract information from unregistered persons.
Inspect the affairs of an unregistered person.
Direct such a person to repay such money if the Registrar is satisfied that a person has illegally taken deposits from the general public.
Appoint a manager to manage and control the repayment of the money unlawfully obtained.

Assessment of Principle 29

Largely Compliant

Comments

The BA and associated regulations as well as the revised FICA provide a generally adequate framework for supervising banks’ policies and processes against abuse of financial services. On the implementation front, the BSD has significantly stepped up its effort for supervision of measures against abuse of financial services, including the AML/CFT measures: a dedicated unit for the AML/CFT issues was established and has been conducting on-site inspections with inspections on large banks completed; administrative fines are recently imposed on some large banks on the AML/CFT issues; and more attention is being paid to these issues in the whole SREP process.

However, some weakness still remains. The Guidance Notes issued by the FIC which contain many essential requirements relevant to many ECs in this CP as well as the concept of risk- based approach do not have the legal enforceability under the FICA. Even though they are applied by the BSD in its supervision, their enforceability through the general supervisory power based on the BA has not yet been formally tested. In addition, on-site inspections of all banks are not yet completed.

The assessors thus recommend:

The authorities to proceed with the planned revision of the FICA to incorporate the risk-based approach to the AML/CFT issues and ensure the enforceability of a number of essential elements currently included in the FICA Guidance Notes.
The BSD to continue the current effort on the AML/CFT on-site inspections to cover all banks expeditiously and improve approaches and techniques based on the lessons learned.

Table 3.

Summary Compliance with the Basel Core Principles

Table 3.

Summary Compliance with the Basel Core Principles

Core Principle	Grade	Comments
1. Responsibilities, objectives and powers	LC	The BA and associated rules provide a broadly appropriate framework for regulating and supervising banks. It also provides clear responsibilities of and adequate powers to the Registrar of Banks and the Bank Supervision Department. However, the lack of legally defined objectives of the supervisor as well as regulation and supervision of banks is a shortcoming of the current BA and related legislation to be fully compliant with this CP. The assessors note and welcome, however, the authorities plan to address this issue in the expected twin peaks reform. In addition, to further improve the effectiveness and efficiency of the regulatory process, the assessors also recommend the authorities to review the following issues: The extent of delegation of powers in the Banks Act, with a view to transfer the power to set granular requirements from tier 2 rules (regulations), which need to be issued by the Minister, to tier 3 rules (circulars, directives), which can be issued by the Registrar. This would give more flexibility in fine-tuning the regulatory framework. The composition of the Standing Committee for the Revision of the Banks Act, with a view to require its members to be not currently involved in not only any regulated entities but also bodies that represent interests of those regulated entities, to insulate the process from direct industry interests. Instead, as experts on financial business, the Committee could include retired officials from the industry or academics.
2. Independence, accountability, resourcing and legal protection for supervisors	LC	The BSD has an appropriate level of resources with highly qualified staff and substantial specialist skills recently added, even though some of them need to accumulate experiences further. The legal protection of the supervisor is also adequate. Its operational independence is fully respected in practice, but there are a few areas where the framework needs to be enhanced to enshrine the operational independence of the supervisor in related legislation and make it fully compliant with the CP. Particularly, regarding the appointment and removal processes of the Registrar, the legal framework should be revised to include (A) a fixed term of the appointment, (B) specific reasons for the removal, and (C) the requirement to publish the reasons for removal, as required in EC2. In terms of the involvement of the Minister in a few supervisory actions, although the assessors understand the supervisor’s decisions are respected in practice, there is a need to ensure that the Minister’s power is exercised under the principle of constrained discretion. Also, improvements in regulatory frameworks such as those on competition policies that overlap with the banking legislation have possibly reduced the need for the Minister’s discretion. The authorities should therefore review the legislation to limit the cases that require the Minister’s involvement to those that are absolutely necessary and clarify in the laws objectives for intervention. Regarding the supervisory resources, while the assessors saw the current level as broadly adequate given the limited number of supervised entities, the authorities should review the adequacy of resources reflecting expected changes in the responsibility of the supervisor under the new twin peaks structure, taking into account the need for further improvements in its supervisory approach as recommended in CP 8, 9 and 12.
3. Cooperation and collaboration	C	Legal provisions as well as operational frameworks for cooperation and collaboration with domestic and foreign authorities are in place. Regarding the confidentiality of information, although the assessors view the current legal framework and its practical application provides a reasonable assurance of protecting the confidentiality of supervisory information, the reliance on SARBA Section 33 as well as the manner BA Section 89 is stipulated leave room for the information to be used for non- supervisory purposes. It is therefore recommended the authorities review the relevant provisions of the BA to ensure the confidential information shall only be used for supervisory purposes, unless specifically required by court orders or provisions in other laws as provided in EC3 and 4.
4. Permissible activities	C	The Banks Act provides clear definitions of activities that are only permitted to be conducted by registered banks, including taking deposits from the public.
5. Licensing criteria	C	Provisions in the laws and regulations related to licensing and the process followed by the BSD provide a comprehensive framework to assess the adequacy of new registrations for banks, including foreign bank branches. The BSD adequately assesses applications in practice.
6. Transfer of significant ownership	C	The power given to the supervisor by laws and regulations as well as the current supervisory practices provide adequate control and oversight regarding significant ownership of a bank and a controlling company.
7. Major acquisitions	C	The regulatory framework subjects major acquisitions and investments by banks and controlling companies to prior approval by the Registrar. The BSD also has well established supervisory practices to limit and monitor risks arising from such activities.
8. Supervisory approach	LC	The SREP cycle and the risk rating system provide an adequate general framework of supervisory approach for the BSD. These processes focusing on individual banks and banking groups are complemented by sector- wide approaches such as the “flavor of the year” topics as well as enhanced thematic on-site reviews. However, the approaches related to resolution of banks required in EC 6 and 7 are still in the process of development, which lead to the rating above. Although those on the recovery plans as well as contingency planning have started, work on resolution plans for systemic banks has yet to begin. The assessors understand the required power will not be given until the expected legislation on bank resolution becomes effective and urge the authorities to enact the bill expeditiously. Another important issue related to this principle is planned transition to the twin peaks supervisory structure. The transition should involve not only providing the prudential supervisor responsibility over various financial sector entities, but also improved oversight over systemic risk and wider financial groups. The new prudential supervisor should therefore review the supervisory approach once the organizational changes are completed in order to enable it to have capacity to monitor the prudential risk of the entire financial system as well as that of financial conglomerates. This may require a more formalized framework to detect and assess system-wide and cross-sectoral risks and its integration to supervision of individual financial groups and regulated financial institutions. New tools to address those risks may also need to be added to its arsenal, such as common scenario stress testing across different financial sectors and a risk rating framework that takes into account the entire risk of financial groups. Close cooperation with the planned Financial Stability Oversight Committee and its secretariat will be essential in these endeavors.
9. Supervisory techniques and tools	C	The BSD has improved its supervisory techniques and tools significantly. In particular, it has moved from a model relying substantially on external auditors for on-site work to one where the BSD’s own staff conducts a number of on-site reviews to complement the work of external auditors, including deep-dive reviews that verify banks’ actual practices through such means as extensive review of loan files. It has also added a number of risk specialists who conduct on-site reviews on particular risk areas including model validations, but also other topics related to particular risk areas. These improvements, in addition to detailed and intensive off-site analysis and frequent interactions with various levels of banks/banking groups, including their Boards, equip the BSD with wide-ranging high quality techniques and tools that are appropriate for providing oversight of risk profiles and operations of banks and banking groups in South Africa. The assessors encourage the BSD to further continue its effort to enhance its ability to conduct deep-dive on-site reviews and improve tools and technique to assess and monitor spill over risks to the banks from non banking activities in their financial groups.
10. Supervisory reporting	C	The regulatory framework requires banks and controlling companies to periodically submit a broad range of information. Strong regulatory and supervisory processes exist to ensure accuracy and comparability of submitted returns. Well developed procedures for analyzing collected information and feeding into supervisory actions are in place.
11. Corrective and sanctioning powers of supervisors	MNC	While there have been a few significant improvements since the last assessment, the major problem of the need for 30 days prior notice in suspending registration or restricting activities based on BA Sections 23, 24 and 26 has not been changed. The newly introduced power of directives under BA Section 6(6) as well as the application of a motion by the court could address the issue partially. But the former still requires consultation with the relevant bank and the bank may challenge on the ground that a similar due process to that of Section 24 should be required for sanctions with similar effect. The latter is yet untested and relies on a court’s judgment, which may take a different position than that of the supervisor. Given supervisors would consider taking such drastic measures only in cases where the risk is imminent and large, impact to the public could be significant, and when the relevant bank is not cooperating with the supervisor, any possible delays in or uncertainty regarding the outcome of the process needs to be avoided. The assessors understand the strong framework for licensing and corporate governance as well as relatively stable structure of the banking industry enables the supervisor to address these issues in a cooperative manner using less formal and stringent measures in most of the cases. However, the supervisor needs to be prepared for cases where these cooperative and more informal measures may not work—the framework for corrective and enforcement actions need to cover such situations. The assessors are thus still of the view that strengthening laws to provide the Registrar with the power to suspend or limit a bank’s activities without delay is essential to improve compliance with the CP. The lack of ability for the supervisor to fine individuals related to banks, such as Board members and senior management, is another important gap in the current regulatory framework in relation to EC5, which also contributed to the above grading.
12. Consolidated supervision	C	The supervisory and reporting framework provides an adequate framework for monitoring and assessing risks to banks in South Africa from non-banking and foreign banking operations in banking groups to be compliant with this CP. However, given the prevalence of conglomerate-type financial groups in South Africa, the authorities should make further effort to monitor and manage risks arising from non-banking activities or parent entities of a financial group (some of which are not bank controlling companies) to which a South African bank belongs. In this regard, as described in CP 8 and 9, the authorities should strengthen its technique, such as group-wide stress testing, to monitor and assess those risks. The authorities should further improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non banking entities or parent groups.
13. Home-host relationships	LC	The current arrangements and frameworks for cooperation with foreign supervisors are broadly adequate, although cooperation with supervisors in other African countries needs further enhancement as the South African banking groups are expected to continue to expand their operations in these countries. To further improve the effectiveness of cooperation and ensure adequate oversight is carried out on African operations of South African banking groups, the assessors encourage the authorities to continue their efforts to support the capacity building of these supervisors. The authorities also need to finalize their policies and processes on the conduct of on-site reviews/inspections of South African banks’ cross-border operations in other African countries and enhance practices, with due consideration to the risk those operations pose to the parent banks. These should in time evolve to incorporate joint supervisory activities with the host supervisors. The supervisor should also enhance its effort in cross-border recovery and resolution planning, lack of which is reflected in the rating of this CP. Given a few of the big banks have strong ties with the UK, the recovery and resolution plans need to be developed with close collaboration with the UK authorities. Furthermore, as a few South African banking groups’ foreign operations in other African groups have become systemically important for some host jurisdictions, in developing recovery and resolution plans of these groups, due regards need to be paid to the impact on these jurisdictions’ financial system. This will also require close cooperation with supervisory authorities in these jurisdictions.
14. Corporate governance	C	Through regulations and practice, the SARB places strong emphasis on sound and effective corporate governance at all banks in South Africa. BSD staff is able to assess the quality of corporate governance at individual banks through regular meetings, as well as review of audit reports and Board and Board committee minutes.
15. Risk management process	C	The SARB’s SREP cycle places emphasis on verifying that banks have robust risk management policies and procedures. A recent significant increase in supervisory staff has allowed the BSD to form specialized teams to review the major risk categories. While the skills of some of the newer members of these teams are in the process of being strengthened, primarily through on-the-job experience, the teams have enhanced the BSD’s understanding of the risks faced by South African banks, most especially at the largest institutions.
16. Capital adequacy	C	The SARB has adopted or is in the process of adopting the various components of Basel II, 2.5 and III according to or in advance of the schedule established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BSD has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BSD has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as systemic capital requirements, large bank capital add-ons and a “Board buffer” that ensures that banks do not fall below the minimum requirements. BSD staff regularly assesses banks’ capital management and planning, most intensely at the largest (IRB) banks.
17. Credit risk	C	Regulation 39 clearly sets out the requirement for adequate policies and procedures related to credit risk management, approved by the Board of directors and effectively implemented by management. BSD staff, including the analyst(s), credit specialist team and on-site review team, takes an active role in assessing the quality of credit risk management at all banks, including as part of the SREP.
18. Problem assets, provisions, and reserves	C	Through the use of reports submitted on a regular basis, the review of external auditor reports and selected on-site examinations, the BSD monitors problem assets at individual banks. Supervisory staff evaluates the adequacy of banks’ provisioning for problem assets on both an individual bank and peer group basis. The assessors encourage the BSD to finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels. The compliant rating issued for Principle 18 is based, in part, on the expectation that this directive will be issued in the very near term.
19. Concentration risk and large exposure limits	C	Regulations require the Board and senior management to establish and maintain adequate policies and procedures related to concentration risk and large exposures. The BSD utilizes reports received from banks on a quarterly basis to monitor large exposures and risk concentrations. In addition, the BSD monitors Board and management oversight of concentration risk through the SREP and ICAAP reviews.
20. Transactions with related parties	C	Regulations set out a comprehensive definition of “related person” and require banks and controlling companies to conduct transactions with related parties on an arm’s-length basis. In addition, Regulation 39 requires the Board and senior management of a bank to ensure that the monitoring and reporting of individual and aggregate exposures to related persons are subject to an independent individual credit review process. The BSD receives and reviews information on transactions with related parties on a quarterly basis. Any matters of concern would be included as a topic of discussion in prudential meetings held with individual banks. The assessors recommend that the SARB amend its regulations so that the Registrar has the ability to set limits on exposures to any related parties. At this point, it only has the ability to set limits on intragroup transactions and exposures.
21. Country and transfer risks	C	Since the last BCP assessment, Regulation 39 has been amended to specifically include country and transfer risks. In addition, the BA 210 quarterly report was amended in 2011 and now requires more granular information on bank’s country and transfer risks. While the level of country and transfer risk for most banks remains relatively small, the BSD monitors such exposures on an ongoing basis through the SREP and includes this risk category as part of its discussions with bank Boards, management and auditors, as appropriate.
22. Market risk	C	The SARB has implemented a comprehensive approach to the supervision of market risk, especially at the largest banks that have been approved for the IMA. For most banks in South Africa, market risk remains at rather modest levels.
23. Interest rate risk in the banking book	C	Banks in South Africa currently deal with minimal interest rate risk in the banking book due to the fact that a large percentage of lending is done on a floating rate basis. The BSD, as part of its SREP, reviews the policies and procedures in place at banks to manage such risk. The BSD also noted that they are giving IRRBB more focus in 2014 and providing additional training to members of the analysis teams. The assessors encourage the BSD to continue with its plans to further strengthen its review of banks’ internal interest rate risk measurement systems.
24. Liquidity risk	C	The BSD has already initiated adoption of the LCR by South African banks and intends to implement the NSFR on schedule as well. This is despite the fact that South Africa (like several other Basel Committee member countries) is disadvantaged by a limited supply of government bonds, an illiquid and small corporate debt market and disintermediation of retail funding through money market funds into the banking sector.
25. Operational risk	C	The SARB has developed a robust program for assessing the quality of operational risk management at individual banks. This combines on-site and off-site analysis of the systems in place at banks. The BSD has enhanced the specialist team for operational risk, which includes IT experts.
26. Internal control and audit	C	The BSD closely monitors the adequacy of internal controls and compliance at individual banks. Through such off-site practices as the review of banks’ internal reports and regular meetings with Board audit committees, internal auditors and compliance officers, the BSD is able to assess the quality of internal controls and audit at banks.
27. Financial reporting and external audit	C	Banks in South Africa are required to publish their financial statements based on IFRS standards, and to have the statements audited. The supervisory process is based, in part, on a strong working relationship between the BSD and banks’ external auditors.
28. Disclosure and transparency	LC	The banks in South Africa are required to disclose a wide range of information to the public on a regular basis. As is permitted under the Basel capital framework, Pillar 3 disclosures are not currently audited. Therefore it is important for these disclosures to be reviewed on a consistent basis by BSD staff. Currently, the reports are only reviewed on a sporadic basis. With recent staff increases, the BSD should endeavor to assign the responsibility for reviewing the Pillar 3 disclosures to either analysts or other individuals with the requisite skills. The alternative to a consistent internal review process would be to impose a requirement that the reports be reviewed by the banks’ external auditors.
29. Abuse of financial services	LC	The BA and associated regulations as well as the revised FICA provide a generally adequate framework for supervising banks’ policies and processes against abuse of financial services. On the implementation front, the BSD has significantly stepped up its effort for supervision of measures against abuse of financial services, including the AML/CFT measures: a dedicated unit for the AML/CFT issues was established and has been conducting on-site inspections with inspections on large banks completed; administrative fines are recently imposed on some large banks on the AML/CFT issues; and more attention is being paid to these issues in the whole SREP process. However, some weakness still remains. The Guidance Notes issued by the FIC which contain many essential requirements relevant to many ECs in this CP as well as the concept of risk-based approach do not have the legal enforceability under the FICA. Even though they are applied by the BSD in its supervision, their enforceability through the general supervisory power based on the BA has not yet been formally tested. In addition, on-site inspections of all banks are not yet completed.

Table 3.

Summary Compliance with the Basel Core Principles

Core Principle	Grade	Comments
1. Responsibilities, objectives and powers	LC	The BA and associated rules provide a broadly appropriate framework for regulating and supervising banks. It also provides clear responsibilities of and adequate powers to the Registrar of Banks and the Bank Supervision Department. However, the lack of legally defined objectives of the supervisor as well as regulation and supervision of banks is a shortcoming of the current BA and related legislation to be fully compliant with this CP. The assessors note and welcome, however, the authorities plan to address this issue in the expected twin peaks reform. In addition, to further improve the effectiveness and efficiency of the regulatory process, the assessors also recommend the authorities to review the following issues: The extent of delegation of powers in the Banks Act, with a view to transfer the power to set granular requirements from tier 2 rules (regulations), which need to be issued by the Minister, to tier 3 rules (circulars, directives), which can be issued by the Registrar. This would give more flexibility in fine-tuning the regulatory framework. The composition of the Standing Committee for the Revision of the Banks Act, with a view to require its members to be not currently involved in not only any regulated entities but also bodies that represent interests of those regulated entities, to insulate the process from direct industry interests. Instead, as experts on financial business, the Committee could include retired officials from the industry or academics.
2. Independence, accountability, resourcing and legal protection for supervisors	LC	The BSD has an appropriate level of resources with highly qualified staff and substantial specialist skills recently added, even though some of them need to accumulate experiences further. The legal protection of the supervisor is also adequate. Its operational independence is fully respected in practice, but there are a few areas where the framework needs to be enhanced to enshrine the operational independence of the supervisor in related legislation and make it fully compliant with the CP. Particularly, regarding the appointment and removal processes of the Registrar, the legal framework should be revised to include (A) a fixed term of the appointment, (B) specific reasons for the removal, and (C) the requirement to publish the reasons for removal, as required in EC2. In terms of the involvement of the Minister in a few supervisory actions, although the assessors understand the supervisor’s decisions are respected in practice, there is a need to ensure that the Minister’s power is exercised under the principle of constrained discretion. Also, improvements in regulatory frameworks such as those on competition policies that overlap with the banking legislation have possibly reduced the need for the Minister’s discretion. The authorities should therefore review the legislation to limit the cases that require the Minister’s involvement to those that are absolutely necessary and clarify in the laws objectives for intervention. Regarding the supervisory resources, while the assessors saw the current level as broadly adequate given the limited number of supervised entities, the authorities should review the adequacy of resources reflecting expected changes in the responsibility of the supervisor under the new twin peaks structure, taking into account the need for further improvements in its supervisory approach as recommended in CP 8, 9 and 12.
3. Cooperation and collaboration	C	Legal provisions as well as operational frameworks for cooperation and collaboration with domestic and foreign authorities are in place. Regarding the confidentiality of information, although the assessors view the current legal framework and its practical application provides a reasonable assurance of protecting the confidentiality of supervisory information, the reliance on SARBA Section 33 as well as the manner BA Section 89 is stipulated leave room for the information to be used for non- supervisory purposes. It is therefore recommended the authorities review the relevant provisions of the BA to ensure the confidential information shall only be used for supervisory purposes, unless specifically required by court orders or provisions in other laws as provided in EC3 and 4.
4. Permissible activities	C	The Banks Act provides clear definitions of activities that are only permitted to be conducted by registered banks, including taking deposits from the public.
5. Licensing criteria	C	Provisions in the laws and regulations related to licensing and the process followed by the BSD provide a comprehensive framework to assess the adequacy of new registrations for banks, including foreign bank branches. The BSD adequately assesses applications in practice.
6. Transfer of significant ownership	C	The power given to the supervisor by laws and regulations as well as the current supervisory practices provide adequate control and oversight regarding significant ownership of a bank and a controlling company.
7. Major acquisitions	C	The regulatory framework subjects major acquisitions and investments by banks and controlling companies to prior approval by the Registrar. The BSD also has well established supervisory practices to limit and monitor risks arising from such activities.
8. Supervisory approach	LC	The SREP cycle and the risk rating system provide an adequate general framework of supervisory approach for the BSD. These processes focusing on individual banks and banking groups are complemented by sector- wide approaches such as the “flavor of the year” topics as well as enhanced thematic on-site reviews. However, the approaches related to resolution of banks required in EC 6 and 7 are still in the process of development, which lead to the rating above. Although those on the recovery plans as well as contingency planning have started, work on resolution plans for systemic banks has yet to begin. The assessors understand the required power will not be given until the expected legislation on bank resolution becomes effective and urge the authorities to enact the bill expeditiously. Another important issue related to this principle is planned transition to the twin peaks supervisory structure. The transition should involve not only providing the prudential supervisor responsibility over various financial sector entities, but also improved oversight over systemic risk and wider financial groups. The new prudential supervisor should therefore review the supervisory approach once the organizational changes are completed in order to enable it to have capacity to monitor the prudential risk of the entire financial system as well as that of financial conglomerates. This may require a more formalized framework to detect and assess system-wide and cross-sectoral risks and its integration to supervision of individual financial groups and regulated financial institutions. New tools to address those risks may also need to be added to its arsenal, such as common scenario stress testing across different financial sectors and a risk rating framework that takes into account the entire risk of financial groups. Close cooperation with the planned Financial Stability Oversight Committee and its secretariat will be essential in these endeavors.
9. Supervisory techniques and tools	C	The BSD has improved its supervisory techniques and tools significantly. In particular, it has moved from a model relying substantially on external auditors for on-site work to one where the BSD’s own staff conducts a number of on-site reviews to complement the work of external auditors, including deep-dive reviews that verify banks’ actual practices through such means as extensive review of loan files. It has also added a number of risk specialists who conduct on-site reviews on particular risk areas including model validations, but also other topics related to particular risk areas. These improvements, in addition to detailed and intensive off-site analysis and frequent interactions with various levels of banks/banking groups, including their Boards, equip the BSD with wide-ranging high quality techniques and tools that are appropriate for providing oversight of risk profiles and operations of banks and banking groups in South Africa. The assessors encourage the BSD to further continue its effort to enhance its ability to conduct deep-dive on-site reviews and improve tools and technique to assess and monitor spill over risks to the banks from non banking activities in their financial groups.
10. Supervisory reporting	C	The regulatory framework requires banks and controlling companies to periodically submit a broad range of information. Strong regulatory and supervisory processes exist to ensure accuracy and comparability of submitted returns. Well developed procedures for analyzing collected information and feeding into supervisory actions are in place.
11. Corrective and sanctioning powers of supervisors	MNC	While there have been a few significant improvements since the last assessment, the major problem of the need for 30 days prior notice in suspending registration or restricting activities based on BA Sections 23, 24 and 26 has not been changed. The newly introduced power of directives under BA Section 6(6) as well as the application of a motion by the court could address the issue partially. But the former still requires consultation with the relevant bank and the bank may challenge on the ground that a similar due process to that of Section 24 should be required for sanctions with similar effect. The latter is yet untested and relies on a court’s judgment, which may take a different position than that of the supervisor. Given supervisors would consider taking such drastic measures only in cases where the risk is imminent and large, impact to the public could be significant, and when the relevant bank is not cooperating with the supervisor, any possible delays in or uncertainty regarding the outcome of the process needs to be avoided. The assessors understand the strong framework for licensing and corporate governance as well as relatively stable structure of the banking industry enables the supervisor to address these issues in a cooperative manner using less formal and stringent measures in most of the cases. However, the supervisor needs to be prepared for cases where these cooperative and more informal measures may not work—the framework for corrective and enforcement actions need to cover such situations. The assessors are thus still of the view that strengthening laws to provide the Registrar with the power to suspend or limit a bank’s activities without delay is essential to improve compliance with the CP. The lack of ability for the supervisor to fine individuals related to banks, such as Board members and senior management, is another important gap in the current regulatory framework in relation to EC5, which also contributed to the above grading.
12. Consolidated supervision	C	The supervisory and reporting framework provides an adequate framework for monitoring and assessing risks to banks in South Africa from non-banking and foreign banking operations in banking groups to be compliant with this CP. However, given the prevalence of conglomerate-type financial groups in South Africa, the authorities should make further effort to monitor and manage risks arising from non-banking activities or parent entities of a financial group (some of which are not bank controlling companies) to which a South African bank belongs. In this regard, as described in CP 8 and 9, the authorities should strengthen its technique, such as group-wide stress testing, to monitor and assess those risks. The authorities should further improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non banking entities or parent groups.
13. Home-host relationships	LC	The current arrangements and frameworks for cooperation with foreign supervisors are broadly adequate, although cooperation with supervisors in other African countries needs further enhancement as the South African banking groups are expected to continue to expand their operations in these countries. To further improve the effectiveness of cooperation and ensure adequate oversight is carried out on African operations of South African banking groups, the assessors encourage the authorities to continue their efforts to support the capacity building of these supervisors. The authorities also need to finalize their policies and processes on the conduct of on-site reviews/inspections of South African banks’ cross-border operations in other African countries and enhance practices, with due consideration to the risk those operations pose to the parent banks. These should in time evolve to incorporate joint supervisory activities with the host supervisors. The supervisor should also enhance its effort in cross-border recovery and resolution planning, lack of which is reflected in the rating of this CP. Given a few of the big banks have strong ties with the UK, the recovery and resolution plans need to be developed with close collaboration with the UK authorities. Furthermore, as a few South African banking groups’ foreign operations in other African groups have become systemically important for some host jurisdictions, in developing recovery and resolution plans of these groups, due regards need to be paid to the impact on these jurisdictions’ financial system. This will also require close cooperation with supervisory authorities in these jurisdictions.
14. Corporate governance	C	Through regulations and practice, the SARB places strong emphasis on sound and effective corporate governance at all banks in South Africa. BSD staff is able to assess the quality of corporate governance at individual banks through regular meetings, as well as review of audit reports and Board and Board committee minutes.
15. Risk management process	C	The SARB’s SREP cycle places emphasis on verifying that banks have robust risk management policies and procedures. A recent significant increase in supervisory staff has allowed the BSD to form specialized teams to review the major risk categories. While the skills of some of the newer members of these teams are in the process of being strengthened, primarily through on-the-job experience, the teams have enhanced the BSD’s understanding of the risks faced by South African banks, most especially at the largest institutions.
16. Capital adequacy	C	The SARB has adopted or is in the process of adopting the various components of Basel II, 2.5 and III according to or in advance of the schedule established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BSD has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BSD has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as systemic capital requirements, large bank capital add-ons and a “Board buffer” that ensures that banks do not fall below the minimum requirements. BSD staff regularly assesses banks’ capital management and planning, most intensely at the largest (IRB) banks.
17. Credit risk	C	Regulation 39 clearly sets out the requirement for adequate policies and procedures related to credit risk management, approved by the Board of directors and effectively implemented by management. BSD staff, including the analyst(s), credit specialist team and on-site review team, takes an active role in assessing the quality of credit risk management at all banks, including as part of the SREP.
18. Problem assets, provisions, and reserves	C	Through the use of reports submitted on a regular basis, the review of external auditor reports and selected on-site examinations, the BSD monitors problem assets at individual banks. Supervisory staff evaluates the adequacy of banks’ provisioning for problem assets on both an individual bank and peer group basis. The assessors encourage the BSD to finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels. The compliant rating issued for Principle 18 is based, in part, on the expectation that this directive will be issued in the very near term.
19. Concentration risk and large exposure limits	C	Regulations require the Board and senior management to establish and maintain adequate policies and procedures related to concentration risk and large exposures. The BSD utilizes reports received from banks on a quarterly basis to monitor large exposures and risk concentrations. In addition, the BSD monitors Board and management oversight of concentration risk through the SREP and ICAAP reviews.
20. Transactions with related parties	C	Regulations set out a comprehensive definition of “related person” and require banks and controlling companies to conduct transactions with related parties on an arm’s-length basis. In addition, Regulation 39 requires the Board and senior management of a bank to ensure that the monitoring and reporting of individual and aggregate exposures to related persons are subject to an independent individual credit review process. The BSD receives and reviews information on transactions with related parties on a quarterly basis. Any matters of concern would be included as a topic of discussion in prudential meetings held with individual banks. The assessors recommend that the SARB amend its regulations so that the Registrar has the ability to set limits on exposures to any related parties. At this point, it only has the ability to set limits on intragroup transactions and exposures.
21. Country and transfer risks	C	Since the last BCP assessment, Regulation 39 has been amended to specifically include country and transfer risks. In addition, the BA 210 quarterly report was amended in 2011 and now requires more granular information on bank’s country and transfer risks. While the level of country and transfer risk for most banks remains relatively small, the BSD monitors such exposures on an ongoing basis through the SREP and includes this risk category as part of its discussions with bank Boards, management and auditors, as appropriate.
22. Market risk	C	The SARB has implemented a comprehensive approach to the supervision of market risk, especially at the largest banks that have been approved for the IMA. For most banks in South Africa, market risk remains at rather modest levels.
23. Interest rate risk in the banking book	C	Banks in South Africa currently deal with minimal interest rate risk in the banking book due to the fact that a large percentage of lending is done on a floating rate basis. The BSD, as part of its SREP, reviews the policies and procedures in place at banks to manage such risk. The BSD also noted that they are giving IRRBB more focus in 2014 and providing additional training to members of the analysis teams. The assessors encourage the BSD to continue with its plans to further strengthen its review of banks’ internal interest rate risk measurement systems.
24. Liquidity risk	C	The BSD has already initiated adoption of the LCR by South African banks and intends to implement the NSFR on schedule as well. This is despite the fact that South Africa (like several other Basel Committee member countries) is disadvantaged by a limited supply of government bonds, an illiquid and small corporate debt market and disintermediation of retail funding through money market funds into the banking sector.
25. Operational risk	C	The SARB has developed a robust program for assessing the quality of operational risk management at individual banks. This combines on-site and off-site analysis of the systems in place at banks. The BSD has enhanced the specialist team for operational risk, which includes IT experts.
26. Internal control and audit	C	The BSD closely monitors the adequacy of internal controls and compliance at individual banks. Through such off-site practices as the review of banks’ internal reports and regular meetings with Board audit committees, internal auditors and compliance officers, the BSD is able to assess the quality of internal controls and audit at banks.
27. Financial reporting and external audit	C	Banks in South Africa are required to publish their financial statements based on IFRS standards, and to have the statements audited. The supervisory process is based, in part, on a strong working relationship between the BSD and banks’ external auditors.
28. Disclosure and transparency	LC	The banks in South Africa are required to disclose a wide range of information to the public on a regular basis. As is permitted under the Basel capital framework, Pillar 3 disclosures are not currently audited. Therefore it is important for these disclosures to be reviewed on a consistent basis by BSD staff. Currently, the reports are only reviewed on a sporadic basis. With recent staff increases, the BSD should endeavor to assign the responsibility for reviewing the Pillar 3 disclosures to either analysts or other individuals with the requisite skills. The alternative to a consistent internal review process would be to impose a requirement that the reports be reviewed by the banks’ external auditors.
29. Abuse of financial services	LC	The BA and associated regulations as well as the revised FICA provide a generally adequate framework for supervising banks’ policies and processes against abuse of financial services. On the implementation front, the BSD has significantly stepped up its effort for supervision of measures against abuse of financial services, including the AML/CFT measures: a dedicated unit for the AML/CFT issues was established and has been conducting on-site inspections with inspections on large banks completed; administrative fines are recently imposed on some large banks on the AML/CFT issues; and more attention is being paid to these issues in the whole SREP process. However, some weakness still remains. The Guidance Notes issued by the FIC which contain many essential requirements relevant to many ECs in this CP as well as the concept of risk-based approach do not have the legal enforceability under the FICA. Even though they are applied by the BSD in its supervision, their enforceability through the general supervisory power based on the BA has not yet been formally tested. In addition, on-site inspections of all banks are not yet completed.

Recommended Actions and Authorities Comments

A. Recommended Actions

Table 4.

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

Table 4.

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

Reference Principle	Recommended Action
Principle 1	Define objectives of the supervisor in the legal framework. Review the extent of delegation of powers in the Banks Act, with a view to transfer the power to set granular requirements from tier 2 rules (regulations), which need to be issued by the Minister, to tier 3 rules (circulars, directives), which can be issued by the Registrar. Review the composition of the Standing Committee for the Revision of the Banks Act, with a view to require its members to be not currently involved in not only any regulated entities but also bodies that represent interests of those regulated entities, to insulate the process from direct industry interests. Instead, as experts on financial business, the Committee could include retired officials from the industry or academics.
Principle 2	Revise the legal framework for the head of the supervisor to include (A) a fixed term of the appointment, (B) specific reasons for the removal, and (C) the requirement to publish the reasons for removal, as required in EC2. Review the legislation to limit the cases that require the Minister’s involvement to those that are absolutely necessary and clarify in the laws objectives for intervention. Review the adequacy of resources reflecting expected changes in the responsibility of the supervisor under the new twin peaks structure, taking into account the need for further improvements in its supervisory approach as recommended in CP 8, 9 and 12.
Principle 3	Review the relevant provisions of the BA to ensure the confidential information shall only be used for supervisory purposes, unless specifically required by court orders or provisions in other laws.
Principle 8	Enact legislation to provide the supervisor power related to resolution of banks expeditiously and develop resolution plans. The new prudential supervisor should review the supervisory approach once the organizational changes are completed in order to equip it with capacity to monitor the prudential risk of the entire financial system as well as that of financial conglomerates.
Principle 9	Continue the effort to enhance the supervisor’s ability to conduct deep-dive on-site reviews. Improve tools and technique to assess and monitor spill over risks to the banks from non banking activities in their financial groups.
Principle 11	Strengthen laws to provide the supervisor with the power to suspend or limit a bank’s activities without delay. Provide the power to fine individuals related to banks.
Principle 12	Strengthen the supervisory technique, such as group-wide stress testing, to monitor and assess risks arising from non-banking activities or parent entities of a financial group in which a South African bank belongs to. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non banking entities or parent groups.
Principle 13	Continue efforts to support the capacity building of host supervisors of African operations of South African banking groups to further improve the effectiveness of cooperation and ensure adequate oversight of those operations. Finalize policies, processes and practices to conduct on-site reviews/inspections of South African banks’ cross border operations in other African countries. Enhance its effort in cross-border recovery and resolution planning with close collaboration with the UK authorities as well as paying due regards to the impact on financial systems of jurisdictions where South African banks’ operations are significant. This will also require close cooperation with supervisory authorities in these jurisdictions.
Principle 18	Finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels.
Principle 20	Amend the Regulations so that the Registrar has the ability to set limits on exposures to any related parties.
Principle 23	Continue with the plans to further strengthen its review of banks’ internal interest rate risk measurement systems.
Principle 28	Review Pillar 3 disclosures consistently either by the BSD’s internal staff or by requiring external auditors to do it.
Principle 29	Proceed with the planned revision of the FICA to incorporate the risk-based approach to the AML/CFT issues and ensure the enforceability of a number of essential elements currently included in the FICA Guidance Notes. Continue the current effort on the AML/CFT on-site inspections to cover all banks expeditiously and improve approaches and techniques based on the lessons learned.

Table 4.

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

Reference Principle	Recommended Action
Principle 1	Define objectives of the supervisor in the legal framework. Review the extent of delegation of powers in the Banks Act, with a view to transfer the power to set granular requirements from tier 2 rules (regulations), which need to be issued by the Minister, to tier 3 rules (circulars, directives), which can be issued by the Registrar. Review the composition of the Standing Committee for the Revision of the Banks Act, with a view to require its members to be not currently involved in not only any regulated entities but also bodies that represent interests of those regulated entities, to insulate the process from direct industry interests. Instead, as experts on financial business, the Committee could include retired officials from the industry or academics.
Principle 2	Revise the legal framework for the head of the supervisor to include (A) a fixed term of the appointment, (B) specific reasons for the removal, and (C) the requirement to publish the reasons for removal, as required in EC2. Review the legislation to limit the cases that require the Minister’s involvement to those that are absolutely necessary and clarify in the laws objectives for intervention. Review the adequacy of resources reflecting expected changes in the responsibility of the supervisor under the new twin peaks structure, taking into account the need for further improvements in its supervisory approach as recommended in CP 8, 9 and 12.
Principle 3	Review the relevant provisions of the BA to ensure the confidential information shall only be used for supervisory purposes, unless specifically required by court orders or provisions in other laws.
Principle 8	Enact legislation to provide the supervisor power related to resolution of banks expeditiously and develop resolution plans. The new prudential supervisor should review the supervisory approach once the organizational changes are completed in order to equip it with capacity to monitor the prudential risk of the entire financial system as well as that of financial conglomerates.
Principle 9	Continue the effort to enhance the supervisor’s ability to conduct deep-dive on-site reviews. Improve tools and technique to assess and monitor spill over risks to the banks from non banking activities in their financial groups.
Principle 11	Strengthen laws to provide the supervisor with the power to suspend or limit a bank’s activities without delay. Provide the power to fine individuals related to banks.
Principle 12	Strengthen the supervisory technique, such as group-wide stress testing, to monitor and assess risks arising from non-banking activities or parent entities of a financial group in which a South African bank belongs to. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non banking entities or parent groups.
Principle 13	Continue efforts to support the capacity building of host supervisors of African operations of South African banking groups to further improve the effectiveness of cooperation and ensure adequate oversight of those operations. Finalize policies, processes and practices to conduct on-site reviews/inspections of South African banks’ cross border operations in other African countries. Enhance its effort in cross-border recovery and resolution planning with close collaboration with the UK authorities as well as paying due regards to the impact on financial systems of jurisdictions where South African banks’ operations are significant. This will also require close cooperation with supervisory authorities in these jurisdictions.
Principle 18	Finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels.
Principle 20	Amend the Regulations so that the Registrar has the ability to set limits on exposures to any related parties.
Principle 23	Continue with the plans to further strengthen its review of banks’ internal interest rate risk measurement systems.
Principle 28	Review Pillar 3 disclosures consistently either by the BSD’s internal staff or by requiring external auditors to do it.
Principle 29	Proceed with the planned revision of the FICA to incorporate the risk-based approach to the AML/CFT issues and ensure the enforceability of a number of essential elements currently included in the FICA Guidance Notes. Continue the current effort on the AML/CFT on-site inspections to cover all banks expeditiously and improve approaches and techniques based on the lessons learned.

B. Authorities’ Response to the Assessment

We would like to express our appreciation to the IMF assessment team for their professionalism, their guidance and their insights into supervision. We found the experience very valuable towards improving our understanding of the Basel Core Principles, and ultimately, improving the regulatory framework and supervisory processes. We also appreciated the constructive engagements with the assessment team. The recommendations will be used as input during the establishment of the new Prudential Authority (PA) to strengthen its compliance with the BCPs and assist the PA to promote and enhance the safety and soundness of financial institutions.

The assessment team was comprised of Elizabeth Roberts (external expert) and Mamoru Yanase (IMF).

In the World Economic Forum’s Global Competitiveness Report of 2013/14, South Africa was ranked as the number one nation in the world for Auditing and Reporting Standards. South Africa also received number one rankings for Efficacy of Corporate boards, Protection of minority shareholder’s interests, Regulation of securities exchanges and Legal rights index achievements.

In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.

The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.

Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification.

In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank.

In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011.

Please refer to Principle 1, Essential Criterion 1.

Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).

The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system.

This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.

Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003).

Please refer to Principle 14, Essential Criterion 8.

Please refer to Principle 29.

While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.

In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank.

On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow-up on supervisory concerns, etc.

Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off-site and on-site work, etc.

Please refer to Principle 10.

In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.

Please refer to Principle 2.

Please refer to Principle 1, Essential Criterion 5.

May be external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.

May be external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts.

Please refer to Principle 1.

Please refer to footnote 19 under Principle 1.

Please refer to Principle 16, Additional Criterion 2.

See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected.

Please refer to footnote 27 under Principle 5.

The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables,” 2003, www.oecd.org/dataoecd/19/26/23742340.pdf). defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ‘prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.”

“Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously.

For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.

To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents.

It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.

New products include those developed by the bank or by a third party and purchased or distributed by the bank.

The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.

The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis.

Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006.

In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses.

“Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing.

Please refer to Principle 12, Essential Criterion 7.

Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.

Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities.

Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.

“Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments.

Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.

Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).

It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled.

Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.

This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies.

The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991).

Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration.

Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.

Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.

An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates).

Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporates, banks or governments are covered.

Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003).

Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22.

The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.

In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.

The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines.

The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative.

In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors.

For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor.

The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.

Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU.

These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.

Same Series

Other Publishers

Save
Cite
Email this content

Share Link

Copy this link, or click below to email it to a friend
Email this content
or copy the link directly:

https://elibrary.imf.org/view/journals/002/2015/055/article-A001-en.xml
The link was not copied. Your current browser may not support copying via this button.

Link copied successfully

Collapse
Expand

South Africa: Financial Sector Assessment Program-Detailed Assessment of Compliance on the Basel Core Principles for Effective Banking Supervision

Author:

International Monetary Fund. Monetary and Capital Markets Department

Volume/Issue:: Volume 2015: Issue 055

Publisher:: International Monetary Fund

ISBN:: 9781484309773

ISSN:: 1934-7685

Pages:: 196

DOI:: https://doi.org/10.5089/9781484309773.002

Keywords
Background Information and Methodology
Institutional and Market Structure—Overview
- A. Institutional Framework for Regulation and Supervision
- B. Overview of the Banking Sector
Preconditions for Effective Banking Supervision
Detailed Assessment
Recommended Actions and Authorities Comments
- A. Recommended Actions
- B. Authorities’ Response to the Assessment

View raw image

Figure 1.

Financial Assets in South Africa

View raw image

Figure 2.

Shares of Banking Assets

Table 4.

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

Reference Principle	Recommended Action
Principle 1	Define objectives of the supervisor in the legal framework. Review the extent of delegation of powers in the Banks Act, with a view to transfer the power to set granular requirements from tier 2 rules (regulations), which need to be issued by the Minister, to tier 3 rules (circulars, directives), which can be issued by the Registrar. Review the composition of the Standing Committee for the Revision of the Banks Act, with a view to require its members to be not currently involved in not only any regulated entities but also bodies that represent interests of those regulated entities, to insulate the process from direct industry interests. Instead, as experts on financial business, the Committee could include retired officials from the industry or academics.
Principle 2	Revise the legal framework for the head of the supervisor to include (A) a fixed term of the appointment, (B) specific reasons for the removal, and (C) the requirement to publish the reasons for removal, as required in EC2. Review the legislation to limit the cases that require the Minister’s involvement to those that are absolutely necessary and clarify in the laws objectives for intervention. Review the adequacy of resources reflecting expected changes in the responsibility of the supervisor under the new twin peaks structure, taking into account the need for further improvements in its supervisory approach as recommended in CP 8, 9 and 12.
Principle 3	Review the relevant provisions of the BA to ensure the confidential information shall only be used for supervisory purposes, unless specifically required by court orders or provisions in other laws.
Principle 8	Enact legislation to provide the supervisor power related to resolution of banks expeditiously and develop resolution plans. The new prudential supervisor should review the supervisory approach once the organizational changes are completed in order to equip it with capacity to monitor the prudential risk of the entire financial system as well as that of financial conglomerates.
Principle 9	Continue the effort to enhance the supervisor’s ability to conduct deep-dive on-site reviews. Improve tools and technique to assess and monitor spill over risks to the banks from non banking activities in their financial groups.
Principle 11	Strengthen laws to provide the supervisor with the power to suspend or limit a bank’s activities without delay. Provide the power to fine individuals related to banks.
Principle 12	Strengthen the supervisory technique, such as group-wide stress testing, to monitor and assess risks arising from non-banking activities or parent entities of a financial group in which a South African bank belongs to. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non banking entities or parent groups.
Principle 13	Continue efforts to support the capacity building of host supervisors of African operations of South African banking groups to further improve the effectiveness of cooperation and ensure adequate oversight of those operations. Finalize policies, processes and practices to conduct on-site reviews/inspections of South African banks’ cross border operations in other African countries. Enhance its effort in cross-border recovery and resolution planning with close collaboration with the UK authorities as well as paying due regards to the impact on financial systems of jurisdictions where South African banks’ operations are significant. This will also require close cooperation with supervisory authorities in these jurisdictions.
Principle 18	Finalize as soon as possible the draft Directive on restructured credit exposures which will help to prevent banks from using restructuring to improve their classified loan levels.
Principle 20	Amend the Regulations so that the Registrar has the ability to set limits on exposures to any related parties.
Principle 23	Continue with the plans to further strengthen its review of banks’ internal interest rate risk measurement systems.
Principle 28	Review Pillar 3 disclosures consistently either by the BSD’s internal staff or by requiring external auditors to do it.
Principle 29	Proceed with the planned revision of the FICA to incorporate the risk-based approach to the AML/CFT issues and ensure the enforceability of a number of essential elements currently included in the FICA Guidance Notes. Continue the current effort on the AML/CFT on-site inspections to cover all banks expeditiously and improve approaches and techniques based on the lessons learned.

Topics

Countries

Series

About

Resources

Abstract

Background Information and Methodology

Institutional and Market Structure—Overview

A. Institutional Framework for Regulation and Supervision

B. Overview of the Banking Sector

Preconditions for Effective Banking Supervision

A. Macroeconomic Environment

B. Frameworks for Financial Stability Oversight, Crisis Management, and Systemic Protection

C. Infrastructures for the Financial Sector

Detailed Assessment

Recommended Actions and Authorities Comments

A. Recommended Actions

B. Authorities’ Response to the Assessment

Same Series

Other IMF Content

Other Publishers

Inter-American Development Bank

The World Bank

Share Link

Table of Contents

Headings

Figures

Metrics