This volume is a product of the staff of the International Bank for Reconstruction and Development/The World Bank. The World Bank does not guarantee the accuracy of the data included in this work. The findings, interpretations, and conclusions expressed in this paper do not necessarily reflect the views of the Executive Directors of the World Bank or the governments they represent. The material in this publication is copyrighted. FINANCIAL SECTOR ASSESSMENT PROGRAM BULGARIA CORPORATE GOVERNANCE REVIEW OF THE BANKING SECTOR TECHNICAL NOTE APRIL 2017 This Technical Note was prepared by Jean Michel Lobet, Senior Financial Sector Specialist, in the context of a joint World Bank-IMF Financial Sector Assessment Program mission in Bulgaria during January 2017 led by Ilias Skamnelos, World Bank and Michael Moore, IMF, and overseen by Finance & Markets Global Practice, World Bank and the Monetary and Capital Markets Department, IMF. The note contains technical analysis and detailed information underpinning the FSAP assessment’s findings and recommendations. Further information on the FSAP program can be found at www.worldbank.org/fsap. THE WORLD BANK GROUP FINANCE & MARKETS GLOBAL PRACTICE CONTENTS Background: About the Bank Governance Review ................................................................ iii Acknowledgements ............................................................................................................... vi Acronyms ............................................................................................................................ vii Executive Summary............................................................................................................... 1 Main Findings ...................................................................................................................... 4 A. Market Setting, Risk Factors, and Governance Culture............................................................4 B. Regulatory and Institutional Framework ..................................................................................6 C. Structure and Ownership..........................................................................................................8 D. Board Function ....................................................................................................................... 11 E. Risk Oversight ........................................................................................................................ 19 F. Internal Audit ......................................................................................................................... 23 G. External Audit ........................................................................................................................ 27 H. Disclosure and Transparency ................................................................................................. 28 Annex 1: Policy Recommendations ...................................................................................... 29 ii Background: About the Bank Governance Review The definition of corporate and bank Why good corporate governance matters governance for banks Corporate governance is commonly defined Implementing good bank governance is of as the structures and processes for the particular significance in creating a robust direction and control of corporations, and stable banking sector in support of specifying the distribution of rights and sustained financial and private sector responsibilities among the main participants development, and economic growth. Indeed, in the corporation and spelling-out the rules banks: and procedures for making decisions on  Manage a significant portion of a nation’s corporate affairs.1 Specific to banks, wealth through savings and must corporate governance is defined as the therefore be governed appropriately in manner in which the business and affairs of order to uphold the public trust; if banks are governed by their boards and senior governed poorly, people’s livelihoods management, which affects how they: (i) set could be at stake, potentially turning corporate objectives; (ii) operate the bank’s public opinion against current political business on a day-to-day basis; (iii) meet the leadership. obligation of accountability to their shareholders and take the interests of  Provide the preponderance of financing stakeholders into account; (iv) align for the great majority of enterprises and corporate activities and behavior with the individuals, particularly in emerging expectation that banks will operate in a safe markets; therefore, the strength and and sound manner and in compliance with capacity of banks take on greater applicable laws and regulations; and (v) importance in terms of funding economic protect the interests of depositors.2 growth. The importance of corporate governance  May well be expected to make credit and liquidity available in what are likely to be Improving corporate governance can serve a difficult market conditions in the years number of important public policy ahead. objectives. Over the years, the importance of corporate governance has been highlighted With this in mind, it is important to note that by an increasing body of academic research. banks generally have specific governance Studies have shown that good corporate challenges and complexities since they take governance practices have led to significant on significant volumes of risk-bearing assets. increases in economic value-added of firms, Hence, weak risk management frameworks higher productivity, and lower risk of and internal controls can cause severe and systemic financial failures for countries.3 rapid financial crises. The collapse of a single bank cannot only destroy shareholder value 1 3 The Organization for Economic Cooperation and Corporate Governance and Performance Around Development (OECD): OECD Principles of the World: What We Know and What We Don’t. Corporate Governance; 2004. Inessa Love, The World Bank Group, June 2008. 2 The Basel Committee on Banking Supervision: Principles for enhancing corporate governance; July 2015. iii but also value for its depositors and may resources to be directed toward troubled require a costly bail-out or liquidation by the institutions and where needed the most. authorities (and ultimately the tax payers).  Promote corporate governance reforms in Ensuring that banks are well governed is thus individual institutions, thereby enhancing of central concern to not only banking the soundness of a specific bank. regulators, but to the Government more broadly and other stakeholders. The Review focuses on the overall banking sector. The scope of the Review includes: These country-specific and more general bank-related risks make well developed  A review of the: (i) legal and regulatory governance frameworks and practices of framework, (ii) corporate governance banks in Bulgaria a key condition for practices of banks, and (iii) enforcement financial market stability, judicious credit framework vis-à-vis a set of benchmarks allocation, and growth. based on internationally recognized good practices in bank governance;4 Objective and scope of this Bank Governance Review  A set of policy recommendations for the BNB on how to improve upon corporate This Review was prepared at the request of governance in Bulgaria; and the Bulgaria National Bank (BNB). It presents the setting and the circumstances for  An action plan on how to implement the the development of governance policies and Review’s policy recommendations and practices in the Bulgarian banking system effect reforms. and reviews the effect of existing governance Bank Governance Review Methodology policy and practices on the oversight of banking sector related risks and prudential The Review Methodology was developed in supervision. response to requests by World Bank client countries to evaluate and communicate The objective of this Review is to help governance risks potentially affecting the strengthen the corporate governance performance and stability of their banking practices of banks in Bulgaria. Specifically, it sectors. As such, the Review Methodology intends to: approaches bank governance from the  Further legal and regulatory reforms in perspective of a risk based policy framework Bulgaria based on the enclosed that is key for the comprehensive assessment recommendations. of system vulnerabilities.  Enable the BNB to increasingly rely on The Methodology is based on the Basel the relevant internal and reporting Committee’s Principles for Corporate systems in those banks that have Governance in banking institutions and also demonstrated better management and grounded in best practices emanating from controls, therefore allowing supervisory the banking industry as a whole and World 4 The benchmarks are heavily based upon the Basel institutions such as the Organization for Economic Committee’s 2006 Guidance on “Enhancing Co-operation and Development (OECD), Corporate Governance for Banking Organizations” European Union, Asia Pacific Economic and the 2015 “Principles for enhancing corporate Committee (APEC), International Finance governance”, as well as inputs from public Corporation (IFC), and the World Bank itself. documents issued by a number of supervisory agencies, rating agencies, and international iv Bank experience. Using a set of focused questionnaires, a survey of a sample of banks is conducted. A high level review of the country’s bank supervisory process is also performed, focusing on the supervisor’s emphasis on board and management oversight and risk issues. For more detailed presentation and explanation of these Principles, see “Principles for enhancing corporate governance”, Basel Committee, July 2015, at http://www.bis.org/bcbs/publ/d328.htm v Acknowledgements The review team conducted its field work in January 2017, as part of the joint World Bank – IMF Financial Sector Assessment Program (FSAP) Update. During the mission, it met with a number of market participants. To understand the nature of existing governance practices and to gain a deeper understanding of the systemic issues in bank governance, the review team, in coordination with the Bulgaria National Bank, surveyed all banks operating in Bulgaria (except for the foreign branches) and met with eight commercial banks which represent approximately 60 percent of total bank assets. The team conducted extensive interviews, following up on the responses to previously distributed surveys. The debriefings with the banks included meetings with CEOs, board members, internal auditors, financial officers, and representatives from the compliance and risk management units. The team also met with the Bulgaria National Bank and its supervisors. The Report reflects technical discussions with the above entities as well as other relevant stakeholders whom the FSAP mission would like to thank for their time and invaluable insight into corporate governance practice in Bulgaria. The FSAP mission would like to expressly thank the Bulgaria National Bank for its support and help in organizing meetings with key stakeholders. The information received on the legal and regulatory framework, supervisory and enforcement regime, as well as current corporate governance practices was indispensable for the development of the Review. The Review was conducted by Jean Michel Lobet, Senior Financial Sector Specialist (Finance and Markets, Middle East and North Africa) with additional inputs from members of the World Bank – IMF FSAP Team subsequent to this review. vi Acronyms ALCO Assets and Liabilities Committee APE Agence des Participations de l’Etat BCBS Basel Committee for Banking Supervision BDB Bulgarian Development bank BNB Bulgaria National Bank BSE Bulgaria Stock Exchange CA Commerce Act CEO Chief Executive Officer CFO Chief Financial Officer CRO Chief Risk Officer EBA European Banking Authority EBRD European Bank of Reconstruction and Development EU European Union FSAP Financial Sector Assessment Program IAS/IFRS International Accounting Standards/International Financial Reporting Standards IFC International Finance Corporation IMF International Monetary Fund ISA International Standards on Auditing IFRS International Financial and Reporting Standards JSC Joint Stock Company JSCL Joint Stock Company Law LCI Law on Credit Institutions MB Management Board MoF Ministry of Finance NPLs Non-Performing Loans OECD Organization for Economic Cooperation and Development POSA Public Offerings Securities Act SME Small and Medium Size Enterprise UBO Ultimate Beneficial Owner WBG World Bank Group vii Executive Summary 1. The corporate governance regulatory framework has seen a positive evolution over the years since Bulgaria’s accession to the EU. EU directives and regulations have been transposed into the domestic framework, aimed at: i) strengthening the supervisory board function (i.e. minimum qualification requirements for supervisory board members and enhancement of the work of the supervisory board by requiring the creation of technical subcommittees such as the risk, nomination, and remuneration); ii) enhancing the independence and effectiveness of the key internal control functions (audit, risk, and compliance); and iii) improving the quality and disclosure of financial information (i.e. implementation of IFRS standards). The benefits of these regulatory developments have not, however, always been welcomed by banks, sometimes perceived as a compliance burden. 2. Despite these regulatory improvements, the implementation of corporate governance norms is uneven across the sector. There are diverse corporate governance practices, with variations largely correlated to the ownership structure - foreign, domestic private and state- owned. The most developed practices are observed in foreign bank subsidiaries, particularly in the area of internal controls and risk management. These banks have implemented their head office practices, but this does not always translate into best corporate governance practices. Domestic private banks have a highly concentrated ownership structure, exercised through few individuals or through corporations (that sometimes make the identification of ultimate beneficial owners more difficult for the regulator and the public in general). In these banks, despite the structures on paper, the differentiation of the roles played among shareholders, SB members and MB members is more difficult, de facto, leaving much of the real management of the institution heavily influenced by the controlling shareholder(s). Finally, the state plays a minor role in the sector through one bank with a focused developmental objective (financing SMEs). As in the case of domestic private banks, the governance of this bank is highly aligned with the objectives of the major shareholder. 3. The SBs in Bulgaria do not have the authority or the position to fulfill the full scope of their duties. To fulfill their mandate5, supervisory boards require technical competencies and skills and, more importantly, independence from the shareholders and from management. Supervisory boards in Bulgaria are composed of skilled professionals, but lack independence. The ownership of both domestic and foreign banks is highly concentrated, and the majority shareholder has the final word on the appointments of key supervisory and managerial functions (including internal controls). This potentially compromises the duty of care assigned to both the SB and senior management and creates an environment whereby management is beholding to the controlling shareholder. In such an environment, clear segregation of duties and introduction of much more independent boards would help to strengthen the management team and refocus and expand their responsibilities and accountability to all stakeholders, including the depositors, the public in 5 According to the Basel Corporate Governance Principles, SBs are tasked with the roles of directing and overseeing the bank strategy, overseeing management’s performance, ensuring financial performance and soundness, ensuring the effectiveness of key control functions (audit, risk and compliance) and setting the risk appetite. 1 general, the regulator, as well as the shareholder. Some banks, mostly those that are listed on the Bulgarian Stock Exchange and a few foreign, have included independent directors in their respective SBs. However, the local definition of independence (i.e. not being an employee bank or not owning more than 25% of the shares of the bank) falls short of international standards making their independence questionable and blurring the effectiveness of key committees (risk, audit, remuneration and nomination). The role of SBs in Bulgaria needs to be elevated to align it with the practices of other European countries. These boards need to evolve from a “policy approving body” to an “oversight body” and be more involved in strategy, management oversight, risk governance, and monitoring of related party lending and other large exposures. 4. The audit function is not in compliance with global good practices. The Law on Financial Audit requires all public interest companies (including banks) to set up an audit committee. This committee must be presided and composed by “outsiders” to the bank which usually are professionals with accounting backgrounds. The committee is appointed by and reports to the shareholders assembly. The members of this committee do not go through the fit and proper test of BNB, like regular supervisory board members. These “outsiders”, who are members of the audit committee, can potentially create problems with confidentiality and accountability issues since they are not bound by the same duties as supervisory board members. The internal audit function also presents important accountability failures. The head of internal audit is appointed by and reports to the shareholders meeting, breaching the well accepted principle that “internal audit serves as the eyes and ears of the supervisory board.” The lack of independence of the boards and the blurred accountability lines of the audit function, particularly present in domestic banks, have weakened the oversight function of the SB. Beyond the existing macroeconomic challenges, the breakdown of the oversight chain, as well as weak risk management practices, could have also contributed to the deterioration of the credit portfolio of certain banks since 2014. Furthermore, banks are now required to receive dual independent audits. This reform is not welcomed by the industry nor the audit profession. The impact of this initiative remains unclear at this time, particularly in the case of differing opinion of auditors or accountability in case of breach of duty. 5. Risk management has become the key priority for all banks after the KTB failure in 2014. The independence and effectiveness of this function are in the process of being strengthened in several banks. Many banks have recruited or are in the process of recruiting Chief Risk Officers (CRO). In some instances, banks have elevated the role of the CRO and these are now members of the management (MB) and are reporting to the SB in accordance with good practices. Many banks have also created risk committees at the SB level. Despite these improvements, implementation of good risk management practices remains uneven. Risk management departments of some banks still provide opinions on lending decisions or sit on the credit committee with voting responsibility for credit proposals, compromising the independence of this function. 6. The effectiveness and consistent application of good corporate governance requires BNB’s strong commitment. As of today, the supervision of corporate governance by BNB has been exercised on two fronts: i) through the fit and proper test conducted on SB and MB members; 2 and ii) during the onsite and offsite supervisory process, part and parcel to the examination of the respective bank activities which represent key components of corporate governance. However, supervisory oversight and understanding of the status of governance practices in the sector can be further strengthened. The supervisor could employ the use of horizontal (or targeted) examinations whereby it conducts governance reviews in each bank (or a set of key banks) as a single supervisory examination or event. This would provide the supervisor comparative insight from bank to bank, allow it prioritize the key governance issues in the sector, and help define the supervisory response required in each institution – and overall. BNB is currently in the process of reviewing its manuals and procedures to enhance the supervisory process of corporate governance and to segregate supervision of these functions per the standards of EBA. An enhanced mechanism of supervision in this area and effective enforcement will contribute to the harmonization of practices and standards of corporate governance of banks in Bulgaria. Table. Summary of FSAP Main Recommendations6 Enhance the role of the SB by: i) making the definition of independent SB members stricter7 NT (lower percentage of shares, family or professional relatedness, cooling off period for retired executives); ii) requiring a majority of independent directors in SBs; and iii) elevating the audit committee function to a SB level and require any outside members to be vetted by the BNB. (BNB) Review the process of approval of related party exposures and other large exposures by I requiring SB approval and monitoring of these transactions. (BNB) Review the appointment process of the head of internal audit to ensure that it is appointed by NT and reports to the SB (or to the audit committee if it becomes a subcommittee of the SB). (BNB) Develop new operation manuals to improve supervision of corporate governance by the BNB I to allow a targeted analysis and rating of key functions (management, SB, internal controls, risk and ownership). (BNB) 6 Annex 1 offers the Full Recommendations. 7 See IFC Guidance on Independent Directors. 3 Main Findings A. Market Setting, Risk Factors, and Governance Culture 1. The Bulgarian banking sector is dominated by foreign banks. Foreign banks account for 76 percent of total bank assets as of end 2015. The market is composed of 18 foreign banks, 6 of which are foreign branches; 8 domestic banks (one of which is of systemic importance); 1 municipal bank and 1 state development bank (see figure 1). The current structure of the Bulgarian banking sector has provided stability since the 1998 crisis thanks to the presence of large foreign banks (France, Germany, Austria, Italy, Greece, Japan and Turkey), steady profits, and significant capital buffers. Figure 1: Ownership composition of Bulgarian Banking Sector 1 1 Foreign 8 Domestic-Private State-Owned Municipal 18 Source: WBG Bank Corporate Governance Survey 2. Despite the apparent safe structure of the banking system, over the last two years. the sector faced important challenges due to external and domestic factors. The spillover effects of the Greek crisis on the Greek bank subsidiaries operating in Bulgaria and the Corporate Commercial Bank (KTB) failure8 highlighted certain weaknesses in the current structure and the need for the banking supervisor, the Bulgarian National Bank (BNB), to step up its supervisory capabilities to oversee and safeguard the soundness of the banking system. The failure of KTB depleted the deposit insurance fund forcing it to find new financing sources through international financial institutions including the World Bank Group (WBG) and the European Bank for Reconstruction and Development (EBRD). Over the last few years, banks have accumulated 8 KTB was the second largest domestic Bulgarian Bank. The bank failed in 2014 mostly due to mismanagement and related lending. The failure of the bank had serious implications on the stability of the Bulgarian financial sector. For more information, please visit BNB’s website: http://www.bnb.bg/PressOffice/POPressReleases/POPRDate/PR_20140711_EN 4 significant levels of NPLs that were at around 20 percent in June 2016 according to the ratios under local disclosure framework9 3. Bank ownership remains concentrated, particularly in the domestic banking sector, significantly affecting the implementation of solid corporate governance practices. There are diverse corporate governance practices in the Bulgarian banking sector, with variations largely correlated to the ownership structure - foreign, domestic private and state-owned. Domestic private banks have a highly concentrated ownership structure, exercised through few individuals or through corporations (that sometimes makes the identification of ultimate beneficial owners more difficult). In these banks, despite the structures on paper, the differentiation of the roles played among shareholders, SB members and MB members is more difficult, de facto, leaving much of the real management of the institution heavily influenced by the controlling shareholder(s). The most developed practices are observed in foreign bank subsidiaries, particularly in the area of internal controls and risk management. These banks have implemented the head office practices, but this does not always translate into best corporate governance practices as it will be described in the following sections. 4. The country lacks a corporate governance ecosystem. Other than the Corporate Governance Committee10 which has issued the Corporate Governance Code, there is no ecosystem of corporate governance in Bulgaria. Corporate governance is perceived by market players as a compliance burden and its potential benefits are not yet understood. The country does not have an institute of directors or think tanks that can help raise awareness about the importance of the topic. Major international consulting firms or law firms have not developed corporate governance services/practices. According to major law firms, corporate governance only becomes a concern when foreign investors purchase stakes in Bulgarian companies. In that situation, corporate governance due diligence and action plans are developed by private consulting firms. Beyond these situations, local companies or banks do not seek any corporate governance services from consulting firms. This lack of an effective ecosystem affects the behavior of foreign investors. According to local law firms and audit firms, foreign investors when they invest in domestic corporations always take a majority position in order to exercise control over the company. Foreign investors rarely take minority positions in domestic corporations (i.e. some pension funds). However, if they do, foreign investors sign very detailed shareholder agreements and usually negotiate one or two board sits as a condition to get into the capital of a company. 9 The local NPL ratio definition is more conservative than that of the EBA and the IMF’s FSIs. For example, the figure stands at 14 percent according to the EBA definition. 10 The National Committee on Corporate Governance (the Committee or NCGC) was established for the promotion of best practices in corporate governance and the development of the Bulgarian National Corporate Governance Code (Code or BNKKU). The Committee is a permanent independent body set up under the aegis of the Bulgarian Stock Exchange-Sofia (BSE) and the Financial Supervision Commission (FSC), The Committee was established on September 3, 2009 on the principle of public-private partnership for consultations and cooperation at a national level on matters of corporate governance. For more information, please visit: http://nkku.bg/mission_statement/25/ 5 B. Regulatory and Institutional Framework 5. The corporate governance regulatory framework has seen a positive evolution since Bulgaria’s accession to the European Union (EU). EU directives and regulations have been transposed into the domestic framework, aimed at: i) strengthening the SB function (i.e. minimum qualification requirements for SB members or enhancement of the work of the SB by encouraging the creation of technical subcommittees such as risk, nomination, and remuneration); ii) enhancing the independence and effectiveness of the key internal control functions (audit, risk, and compliance); and iii) improving the quality and disclosure of financial information (i.e. implementation of IFRS standards). The benefits of these regulatory developments, however, have not always been welcomed by banks and are sometimes perceived as a compliance burden. 6. The corporate governance framework for banks is set forth by the Commerce Act (CA) and the Law on Credit Institutions (LCI) as well as specific regulations and ordinances issued by the BNB. The BNB has issued additional regulations on risk management and internal controls to complement the existing regulatory framework. The CA establishes two types of corporate forms, including the Limited Liability Company and Joint Stock Company.11 However, in Bulgaria banks can only be incorporated as joint stock companies.12 The CA provides for the different corporate governance structures and duties, including the general shareholders meeting, supervisory board and MB. In addition, it provides regulation on related-party transactions and major transactions; election and removal of directors; dividend policy; preemptive rights; squeeze out rules; director duties and director liability regime; disclosure procedures and external audit requirements. The LCI outlines, inter alia, the requirements to become a shareholder, a supervisory board or MB member of a bank, conflict of interest regulations, and disclosure requirements. Article 73 of the LCI also charges the banks’ “managing bodies” (supervisory board in case of a two tier system or the board of directors in case of one tier system) with more detailed duties compared to the CA, such as approving bank organizational structure, delegations of authority, approving bank strategy and risk management, internal control systems, money laundering policies, and approving remuneration policies of high level executives. The BNB has issued regulations on risk management, internal controls and remuneration of executives. Additional corporate governance requirements in the case of listed banks are laid out in the Public Offering of Securities Act (POSA), and Listing Rules of the Bulgaria Stock Exchange (BSE), including disclosure procedures, inclusion of independent directors in supervisory boards and compliance with the corporate governance code. The law creating the Bulgarian Development Bank (BDB) provides additional corporate governance requirements for this bank including supervisory board composition and ownership structure. 7. Banks operating in the Bulgarian market are under the supervision of the BNB. All commercial banks, including the only state-owned bank (BDB) and the Municipal Bank are under the supervision of the BNB. Supervision is applied on the same terms for both private (domestic and foreign) and state-owned banks. The BNB is in a unique situation as there are very few 11 CA Article 64/ 12 Article 7 of the LCI 6 countries in the world where the banking sector of a country is majority foreign owned and of systemic importance. Due to the high presence of foreign owned banks, the BNB has signed memorandum of understanding (or through EU arrangements) with all the regulators from the countries where the parent banks have their headquarters. This way regulators can exchange relevant information to enhance the effectiveness of the supervisory process. 8. The BNB plays an important role in the development and implementation of corporate governance practices in Bulgarian banks. First, the BNB is in charge of conducting the “fit and proper” tests of bank founders (both individuals and legal entities) during the incorporation process. Any founder with 3 percent or more of the shares of the bank is required to go through the fit and proper test. Second, the BNB controls the ownership and transfer of shares of all banks (Article 28 LCI). Any person or entity acquiring 20, 33 or 50 percent of the shares of a bank must seek clearance from the BNB. Third, the BNB conducts fit and proper tests of SB members and MB members. Article 11 of the LCI specifies clear qualification and honorability criteria for prospective supervisory and MB members and CEOs. However, the BNB does not perform fit and proper tests of the heads of key control functions (audit, risk and compliance). Fourth, BNB controls compliance with corporate governance rules (disclosure, supervisory board composition and risk management, internal audit and internal control functions) during its supervisory process. However, the supervisor has not yet employed the use of horizontal (or targeted or thematic) reviews of governance (collectively or individually in the areas of, for instance, SB function and oversight, key control functions (internal audit, risk management, compliance, etc.) across the banks in the sector. The supervisor could employ the use of horizontal (or targeted) examinations whereby it conducts governance reviews in each bank (or a set of key banks) as a single supervisory examination or event. This would provide the supervisor comparative insight from bank to bank, allow it prioritize the key governance issues in the sector, and help define the supervisory response required in each institution – and overall. BNB is currently in the process of reviewing its manuals and procedures to enhance the supervisory process of corporate governance and to segregate supervision of these functions per the standards of EBA. An enhanced mechanism of supervision in this area and effective enforcement will contribute to the harmonization of practices and standards of corporate governance of banks in Bulgaria. 9. Bulgaria has a corporate governance code applicable to listed companies issued by the Corporate Governance Committee. Currently, there are 4 banks that are listed on the BSE.13 The Code was recently updated to comply with the latest developments of the revised OECD Corporate Governance principles of 2015. The positioning of the corporate governance code within the Bulgarian legal framework is not clear. The code is structured to function in a “comply or explain” basis; however, no specific monitoring or reporting system is in place. The authority in charge of the monitoring is the Corporate Governance Committee; however, the Committee has not been very active. No reports or benchmarking studies have been issued since the inception of the Code. Furthermore, the POSA requires listed companies to disclose a “program for the application of internationally recognized standards of good corporate governance”. However, such a disclosure by listed banks does not take place in practice. The BNB has no mechanism to encourage and 13 First Investment Bank, Central Cooperative Bank, Bulgarian-American Credit Bank and Texim Bank. 7 monitor compliance with the Corporate Governance Code and has no plans to issue voluntary norms or a regulation for corporate governance for banks. 10. Despite the improvements on the corporate governance legal framework since the accession to the EU, important shortcomings remain. The laws are not very clear regarding the duties of supervisory board members. The approval process of related party transactions in banks is problematic as it has been delegated to the managing board (MB) instead of the supervisory board (see paragraph 29). The definition of independent director is inadequate compared to international standards and the positioning and role of the audit committee is not aligned with global good practices. Furthermore, the judicial system has limited knowledge and capabilities to enforce effectively corporate governance rules. According to legal professionals, the court system in Bulgaria is considered to lack independence and objectivity, and is not seen as a good source of shareholder redress. Court actions are considered to be expensive and slow.14 Over the years, courts have not issued case law related to corporate governance, particularly in the case of director duties, making the practical enforcement of corporate governance very unpredictable. The insurance industry has not developed a director liability insurance product so far due to the lack of shareholder suits against directors. C. Structure and Ownership 11. The ownership structure of Bulgarian banks can be divided in three different groups. First, and the most predominant, is the foreign owned banks. There are 12 foreign owned banks15 in Bulgaria among which many are of systemic importance. These banks are usually 100 percent subsidiaries of foreign bank groups such as Societe Generale (France), Raiffeisen (Austria), Unicredit (Italy), Eurobank Group, among other global banking groups. Since these foreign subsidiaries are controlled by the parent bank, most of the decisions and policies are decided abroad and validated locally by the subsidiary. It is rare that these banks go against the instructions from the parent company and most of the important decisions (risk appetite, audit plans or large exposures) are decided by the parent bank. Second, there are 8 private domestic banks. In this case, the ownership is highly concentrated in the hands of a few individuals or in other instances they are 100 percent subsidiaries of local conglomerates. In the latter group, the identification of the ultimate beneficial owner (UBO) is sometimes more difficult for the regulator and the public. In these banks the decision making process, governance and strategy are highly concentrated in the hands of the controlling owner. Third, Bulgaria has only one state-owned bank that is owned at 14 According to the Doing Business 2017 report it takes 564 days and cost 23.8 percent of the value of a claim to enforce a contract. The country receives 10 points out 18 for quality of the judicial procedures: http://www.doingbusiness.org/data/exploreeconomies/bulgaria#enforcing-contracts 15 As of end 2016 there are also 5 branches of foreign banks which have not been assessed for the purposes of this study. 8 99.9 percent by the Ministry of Finance (MoF). This bank has a developmental objective and has a focused mandate to finance the development of SMEs16 and is not a deposit taking institution.17 12. The ownership structure has implications in the way corporate governance is practiced in the banks. There are diverse corporate governance practices, with variations largely correlated to the ownership structure - foreign, domestic private and state-owned: Foreign owned banks 13. Foreign banks follow the corporate governance practices of the parent bank; however, this does not necessarily translate into good corporate governance practices. Corporate governance of foreign owned subsidiaries remains a challenging topic and the key question for regulators. The challenge is always to strike the right balance between what can be achieved at the parent company level and what can be achieved at the subsidiary level. This is particularly delicate when the subsidiary is not of material importance for the group but it is of systemic importance in Bulgaria, the host country. In the Bulgarian case, most of the policies including risk management, internal control, credit policies and large exposures of foreign banks are controlled by the parent bank. Boards are usually composed of executives from the head office and play more of a procedural role of validation of group policies rather than a leadership role (see section on the board function). This model could work when foreign subsidiaries have small operations in the country. However, in Bulgaria the majority of the banks are foreign owned and many of these are of systemic importance. In this case, a systemically important (subsidiary) bank that is highly controlled by its head office is not optimal since the failure of such an institution can have serious implications on financial stability. The role and autonomy of the subsidiary vis a vis the parent company, particularly in the case of systemic banks, must evolve to ensure balance between group level issues and country specific issues. Although it cannot be expected from an SB of a subsidiary to lead the strategy, it can provide essential inputs to ensure that the strategy that is developed at the group level is sound and practicable and takes into consideration the local realities. Input by local boards protect local stakeholders and encourage a better understanding of local conditions and local risks. For that to happen, the boards of these banks should move from a simple policy validation role to a real leadership role. The expectations of the regulator in terms of corporate governance should vary proportionally in function of the size and systemic status of the foreign subsidiary. In other words, foreign subsidiaries of systemic importance must comply with more stringent corporate governance requirements while the smaller ones could have simpler corporate governance systems in place (i.e. frequency of meetings of the SB, number of independent SB members or number of SB subcommittees, role in the strategy development process and development of risk management policies). As most of the governance regulations follow a “principle of proportionality”18, it is in the hands of the BNB to ensure that solid corporate governance practices are implemented in practice in these foreign subsidiaries. 16 Article 2 of the BDB Act 17 The bank collects a limited amount of deposits (i.e. employees) but not for the purposes of financial intermediation. 18 Corporate governance structures must be in implemented depending on the level and complexity of the institution. 9 Domestic banks 14. Corporate governance remains an important challenge in domestic banks. Corporate governance failures already have had significant consequences in the Bulgarian banking sector as the KTB failure demonstrated. This scandal demonstrated the risk of a weak legal framework and highly concentrated bank ownership in the hands of those willing to perpetrate abusive related party lending and allow weak systems of internal controls. Among the eight domestic banks, one is of systemic importance.19 The current ownership structure of domestic banks presents the following challenges. First, if ownership is in the hands of very few individuals, which is the case of the domestic systemic bank, banks will face significant challenges on raising capital in case of bank weaknesses. This poses significant risks to the stability of the system particularly when a systemic bank is controlled by two individuals. Second, high concentration of ownership with some banks having branches in offshore jurisdictions such as Cyprus, creates important risks of related party lending and tunneling. This issue is further accentuated by the weak governance environment and related legal framework with highly concentrated bank ownership where the key oversight and control positions (SB, MB and internal control functions) are, de facto, all under the control of the major shareholder. Similar to foreign owned banks, the regulator must pay significant attention to domestic banks and require strong corporate governance to prevent abuses particularly on the delimitation of the different key control positions. State-Owned Bank 15. Bulgaria has only one state bank with a relatively small and focused operation. The MoF owns 99% of the shares of the BDB. The remaining shares are owned by DSK bank as a legacy from the post-socialist transition days. The MoF manages the SB nomination process, represents the state in annual shareholders meetings, monitors financial performance and more importantly decides on the mandate of the bank. Despite the MoF being the owner of the bank, the Ministry of Economy also plays an important role in the governance of the bank as this ministry is highly involved in providing orientations of the strategy for the bank. Ownership of State-Owned Enterprises (SOEs) in Bulgaria is not centralized. Different sectorial and central ministries own SOEs and ownership rights are not exercised in a consistent manner. In the case of the BDB ownership rights are exercised through a small Directorate within the MoF. The MoF does not have in place specific procedures to nominate directors. Every appointment is within the authority of the Minister of Finance. The MoF also lacks a specific framework to monitor performance through KPIs or performance contracts with the BDB. A centralized ownership of SOEs could provide more coherence and professionalization to the ownership function of the state (see Box 1). 19 First Investment Bank 10 Box 1: Centralized ownership of SOEs, the French case of the Agence des Participations de l’Etat France’s Agence des Participations de l’Etat (APE) describes its role across four separate parameters:  A dedicated shareholder. The various functions performed by the government in its relations with state-owned companies are potentially conflicting: it has to act as a shareholder, a customer, or a regulator. In an open and competitive environment, it is necessary to make a clear distinction between these main aspects and to better identify the shareholder activity. The APE has been created to address the shareholder role within the legal framework and in accordance with government guidelines. Its main task is to optimize the value of government assets. The APE coordinates with other ministries to determine the global strategy and provide guidance for the state as a shareholder.  An effective shareholder. The APE is the main adviser of the Economy Ministry on all matters concerning the government's position as a shareholder. This responsibility covers the main aspects of a company's life cycle: strategy, investments and financing, mergers and acquisitions, and equity transactions.  A transparent shareholder. The APE has to be transparent when dealing with other ministries, the Parliament, and citizens. It achieves this transparency by presenting the combined accounts of the main government-controlled entities that fall within its scope, regardless of their legal structure.  An efficient shareholder. To be successful, companies need a professional shareholder they can deal with. The APE is a privileged and regular partner of company directors, focusing on three goals: maintaining transparent and smooth relations with the companies based on a true strategic dialogue, improving their governance, and developing the government's capacity to act as an effective shareholder able to anticipate and make adequate proposals. Source: State-Owned Enterprises Corporate Governance Toolkit, Word Bank Group D. Board Function 16. The board of directors is the function where key responsibilities of a bank converge. Given that banks are considered special interest entities that play a key role in all economies, bank boards are charged with the public’s trust to act responsibly and with integrity. Boards have special duties to act in the best interest of all stakeholders, not only the owners. The board must set the appropriate “tone at the top” through which it directs the manner in which the bank conducts its business - through strategic planning, risk parameters, and policies. It must set clear risk parameters within which management and staff execute the business plan. It must ensure key control functions are established and independent so that it can monitor the bank’s existing and prospective risks, the overall success of its business strategy, and financial performance and 11 soundness. As a result, the board must be composed of a balanced mix of skills and experience, must be objective, and must fulfil its fiduciary duty through prudently guiding the bank. The boards in Bulgarian banks have yet to fulfil the full scope of their responsibilities. Bulgarian banks’ SBs, notwithstanding their ownership structure (domestic, foreign or state), must evolve from a policy approving function to a leadership role by setting and monitoring overall strategy and risk appetite, overseeing management, and (dis)approving related party transactions. It furthermore, must be informed and assisted by the independent review functions of internal audit and risk management as well as an effective financial control and reporting system. Nature, Role and Duties 17. The structure of boards in Bulgaria is quite unique as the legal framework allows for both one tier and two tier boards. More than 75 percent of the companies listed in the BSE follow a one-tier board structure.20 However, in the case of banks, the majority use the two-tier system which includes a SB, a MB, a CEO and in some instances two executive directors. There are only three banks out of 21 that use the unitary board system.21 In this context, according to the CA and LCI, SB members are elected by the shareholders meeting and all must be non-executive but not necessarily independent. In this system, the MB members are elected and supervised by the SB. 18. Although the CA and the LCI outline some of the key functions of the SB, these fall short compared to what is expected from a SB according to global good practices. The LCI charges the SBs with approving bank organizational structure, allowing delegation of authority, approving bank strategy and risk management, overseeing the implementation of internal review systems, and money laundering policies, and approving remuneration policies of high level executives. However, the law is silent regarding the role of the SB and (dis)approval of transactions with related parties or the (dis)approval of major exposures (see paragraph 29).22 In practice, the above- mentioned transactions are handled by the MB. The SB reviews the financial statements; however, it does not sign them, since these are signed by the MB, the CFO, and the external auditor. The SB does not appoint or supervise the internal audit function and is not in charge of the audit committee. The latter is of particular concern and in contradiction with the law as the SB is ultimately liable for the effectiveness of internal controls systems and quality of the financial information. 19. The relevant laws outline both the duty of care and duty of loyalty of the members of the SB; however, these remain underdeveloped under the Bulgarian legal system. Article 237 of the CA specifies that directors are required to perform their functions with the care of a “good merchant” (i.e. business judgement rule). Furthermore, the Article 51(5) of the LCI requires bank 20 Corporate governance ROSC 2009. 21 United Bulgarian Bank, Piraeus Bank and Bulgarian American Credit Bank. 22 According to the LCI law, exposures to related parties cannot exceed 25% of the portfolio and 10% to a single related party. 12 “administrators” and other employees of the bank to work in the best interest of the bank and its customers. However, according to local legal practitioners, these duties are not well understood and local courts have not developed these legal concepts through specific case law. This has resulted in almost no director liability litigation. Nomination procedures, composition and structures 20. SB members are elected, de facto, by the controlling shareholders. According to the CA, SB members are elected by the shareholders meeting. In a high ownership concentration environment, the nomination is straight forward. SB members are therefore elected by the controlling shareholder regardless of the ownership structure of the bank (foreign, domestic or state-owned). In the case of domestic banks, board members are appointed by the controlling owner. These are sometimes family members, executives from the broader group or both. In the case of foreign subsidiaries, the majority of board members are appointed by the controlling shareholder and are usually executives from the parent bank. For state-owned bank, the three board members23 are directly selected by the Minister of Finance and are usually high level staff from the MoF (see Box 2 with examples of board nominations in selected state-owned banks). Box 2: Examples of board nominations in two state-owned development banks from Canada and South Africa The Development Bank of Canada (DBC) and Development Bank of South Africa (DBSA) operate with a one board system and have a well-developed framework for the selection of board members. The law establishes general fit and proper requirements for selection of board members. In both cases, a board committee prepares an assessment of the skill requirements of the board members, recommends skill requirements for the selection of new directors and assesses the capacities of the current board members. A shortlist is typically prepared by professional headhunters and the list of candidates is presented to the shareholder representative (the government). Although the government may decide not to select a candidate from the shortlist, and appoint an outsider, shareholders have typically accepted candidates from the shortlist. When selecting outsider candidates, the government gets exposed to criticism for lack of transparency. In both cases the Chairman and the CEO are different positions. While no government officials participate on the board of DBC, the Ministry of Provincial and Local Government is represented on the DBSA board (but this Ministry does not have a direct role in the ownership function). In both cases, however, the CEO is not appointed by the board, which is an important shortcoming. Source: Rudolph 2009 23 The size of this board is insufficient. See discussion on SB size in Paragraph 22. 13 21. SB terms are very long compared to other jurisdictions. Currently, board members have mandates of five years which can be renewed for an unlimited number of times. A significant number of board members have kept their position for a significant number of many years preventing the renewal of boards with members that can bring fresh perspectives. In addition, long SB terms affect the objectivity of board members since they become too close to the MB members and controlling shareholder thereby hindering the objective oversight role of the function. 22. SBs in Bulgaria are composed of skilled professionals; however, they lack overall independence and objectivity. SBs in Bulgaria are fairly small in terms of number of members (see figure 2). On average SB are composed of five members. The current SB members comply with the fit and proper criteria set by the LCI. Only two domestic banks and three foreign banks, which are also listed on the prime tier of the BSE, have independent board members (see figure 3). The low numbers of independent board members also affect the effectiveness of the subcommittees of the SB (see discussion on board committees). The remaining non-executive SB members are very close to the controlling owner either through family links or by having an executive position at the parent bank. These strong links between SBs and owners can potentially affect the objectiveness of the function. Independent directors are becoming more popular in bank boards around the world. These individuals can potentially bring objectiveness and professionalize the work of the board as they bring sector or topic-specific knowledge to the SB. The BNB encourages foreign banks to have at least one board member who is fluent in Bulgarian language. However, this guideline is not always followed by foreign banks and a few have 100% foreign board SB members who do not speak the language. Another challenge in the composition of SBs in Bulgarian banks is that, in some instance, board members are legal entities. This is not a good practice as it is difficult to assess the fitness and probity of a legal entity. Figure 2: Size of Bulgarian Bank Supervisory Boards 60 50 40 30 20 10 0 Percentage of Percentage of Percentage of banks < 5 banks 5-7 banks 7> members members members Source: WBG Bank Corporate Governance Survey 14 Figure 3: Percentage of Banks with Independent Board Members 28.57 % Banks with independent directors % of banks without independent 71.43 directors Source: WBG Bank Corporate Governance Survey 23. The definition of independent director present important deficiencies. The definition of independence is not aligned with global good practices. According to the definition of Article 116a of the POSA, an individual board member can be any person or legal entity who owns less than 25% of the shares of the company, a person who has no trade relationship with company, or SB member of a related company. This definition is not comprehensive and allows people with significant control powers to be called an independent board member. For example, one board member of a bank operating in Bulgaria is considered independent despite having had an executive position at the same bank for more than 15 years (i.e. no cooling off period limitation). The definition must be enhanced to ensure the effectiveness of the figure of independent SB member (see Box 3). 15 Box 3: Definition of independent director An independent director:  Has not been employed by the company or its related parties, including its major shareholders (e.g. the state), in the past five years;  Is not affiliated with a company that is an advisor or consultant to the company or its related parties;  Is not affiliated with a significant customer or supplier of the company or its related parties,24 including enterprise or other financial institutions owned or controlled by any of the major shareholders;  Has no personal service contracts with the company, its related parties, or its senior management;  Is not affiliated with a non-profit organization that receives significant funding from the company or its related parties;  Is not employed as an executive of another company where any of the company’s executives serve on that company’s board of directors;  Is not a member of the immediate family of an individual who is, or has been during the past five years, employed by the company or its related parties as an executive officer;  Is not, nor in the past five years has been, affiliated with or employed by a present or former auditor of the company or of a related party; and  Is not a controlling person of the company (or member of a group of individuals and/or entities that collectively exercise effective control over the company) or such person’s close relative, widow, in-law, heir, legatee and successor of any of the foregoing or the executor. Source: IFC Methodology 24. CEOs and key executives are elected by the controlling shareholder. Article 241 of the CA states that the SB elects the CEO and other members of the MB. However, in practice, CEOs are selected directly by the controlling owner (in both domestic and foreign banks), confusing the lines of responsibility and accountability between the CEO and the SB. Once the controlling owners appoint the CEO, the lines of responsibility from the CEO to the SB essentially are bypassed. As a result, CEOs are more obliged to represent and respond to the interests of the major shareholders who appointed them. In all banks interviewed, important decision-making responsibilities were clearly concentrated in the CEO position rather than clearly held and executed by the SB (i.e. related party exposures and major exposures, see paragraph 29). 25. The audit committee, as structured and organized, does not effectively and independently oversee one of the most important functions in a bank, the internal audit function. The ability 24 “Related Party” shall mean, with respect to the Company and its Major Shareholders, any person or entity that controls, is controlled by or is under common control with the Company and its major shareholders. 16 of SBs to execute their responsibility to oversee the critical function of internal audit is severely handicapped by the lack of a subcommittee dedicated to this responsibility. Instead, the Bulgarian Law on Independent Financial Audit provides for the creation of an “audit committee” which operates more like a “revision commission”, a corporate body that is prevalent in post-soviet countries such as the Russian Federation or Moldova. All Bulgarian banks have set up such a committee. This committee has the mandate to monitor the internal audit function like a regular audit committee in other jurisdictions. However, the main differences are within the reporting lines and composition. First, the audit committee is appointed by the shareholders meeting. As a result, the committee is accountable to the shareholders and not to the SB. Second, the committee is not necessarily composed of SB members. The committee is composed of “independent” outside professionals who have accounting, audit and sometimes CPAs backgrounds. In some instances, these committees include a couple of SB members; however, this is not a consistent practice across all banks. As a result, many of the members of current audit committees do not go through a fit and proper test of the BNB. Third, delegating the internal audit oversight responsibility to a committee under the supervision of the shareholders meeting blurs the accountability of one of the key functions of the SB, that of oversight of the internal audit function and assurance of the quality of the financial information. As well, it also handicaps the ability of the SB to oversee internal controls by depriving it of directly reportable body through which to assess the status of the bank’s control and operational environment. This, as a result, hinders SB from discharging its responsibility to oversee internal controls. It is also not clear, if the members of the audit committee have a similar level of fiduciary duties as the SB members including the liability regime in case of fraud or mismanagement. Fourth, the fact that the audit committee is not composed of SB members creates issues with the flow of information to the board. Meetings between this committee and the board are not systematic in practice and exchange of information is not clear. Fifth, the fact that the audit committee is composed by outsiders also raises risks with the management of confidential information by these individuals. More importantly, the fact that the key responsibility of the SB is delegated to a committee that is elected by the shareholders meeting in a highly concentrated ownership environment poses serious risks of conflicts of interests. 26. The BNB encourages banks to create additional subcommittees to professionalize the work of the board. The BNB encourages banks to create 3 subcommittees25 at the SB level: risk, remuneration and nomination. As a result, many banks have created or are in the process of creating these three subcommittees (see figure 4). Although this is a very good step forward to improve the professionalization of the activities of the SB, its implementation seems problematic in practice taking into consideration the current size and composition of SBs. According to global good practices, the three abovementioned committees must be composed of a majority of independent SB members. Therefore, the effective implementation is hindered for the following reasons. First, Bulgarian banks lack independent board members. In order to properly staff these committees every bank should have at least a minimum of 3 independent board members. This 25 Ordinance 7 on risk management and Ordinance 4 on remuneration. 17 number could increase if the audit committee becomes a subcommittee of the board. Second, the SBs of Bulgarian banks are small. This results in having the same board members sitting in multiple committees which defeats the purpose of the specialization of the work of the SB. Globally, on average, board members range in number from 7 to 9 depending on the complexity and size of the bank’s business. This way subcommittees can be properly staffed. The current composition and size of the boards makes the implementation of these measures impractical and the impact limited. Figure 4: Board committees in Bulgarian Banks 100 90 80 70 60 50 40 30 20 10 0 % of banks with risk % of banks with % of banks with committee nomination remuneration committee committee Source: WBG Bank Corporate Governance Survey Evaluation and Training 27. The majority of SB members in Bulgarian banks do not participate in training programs. Although an important number of banks, particularly foreign owned banks, mentioned that directors participate in director induction training programs, very few offer ongoing training opportunities. Most of the training opportunities are for the members of the MB. Periodic training is key for SB members to remain up to date on the latest developments in bank strategy and new products, risk management, and the latest regulatory changes and corporate governance practices. Bulgaria does not have an institute of directors; therefore, a concerted effort to provide ongoing training to board members should be explored in partnership with the bankers’ association. The bankers’ association could work with local universities and think tanks to develop a learning curricula for directors to ensure that they remain up to date on the latest developments relevant to their fields of activity or areas of focus (risk, audit, corporate governance). 18 28. The SBs do not conduct periodic self-evaluations. No bank indicated that its board has conducted a self-assessment of its role, function, and activities. Performance evaluation programs are important to help board members improve their professionalism, to meet the enterprise’s goals and objectives as well as to fulfil assigned responsibilities by law and by the regulator, and, ultimately, to contribute to the enterprise’s bottom line. No company, whether small or big or a nonprofit organization, a government institution or a private or public company, should be exempt from having a formal performance evaluation program. The evaluation of the board function and its members also provides useful information for nomination committees within the company or the ownership units. The results of the evaluation can identify areas of strength as well as areas or technical skills that need building. Related party transactions and large exposures 29. The regulation addressing related party transactions presents important shortcomings . While the LCI provides a comprehensive definition of related parties, approval responsibility is relegated to the MB rather than the SB.26 This arrangement, again, bypasses the oversight of the SB and deters its ability to discharge its responsibility to ensure the financial health of the bank. It also compounds the conflict of interest mentioned above by assigning the approval responsibility to the body that is, de facto, appointed by the (controlling) shareholders. Many countries including the United States, Ireland, Russia and Malaysia, in addition to requiring such credits to be underwritten on an arm’s length basis, also require final approval by a majority of the SB with the interested party abstaining. This is particularly important given that history demonstrates that bank failures and distress, a significant amount of the time, are exacerbated by abusive related party transactions not properly vetted by responsible, independent bank bodies. In some cases, regulators require that only the independent SB members approve such transactions. 30. The SB is also not involved in the approval process of large exposures. According to Article 45 of the LCI large exposures (above 15% of the assets of the bank) must be approved by unanimous vote of the MB. Approval of these sensitive transactions must be handled by the SB due to their complexity and high risk profile.27 It is important to involve the SB in the approval process of large exposures as SB members are ultimately liable for the financial health of the bank. E. Risk Oversight 31. The development of risk strategy, effective risk oversight, and a sound control framework is one of the most critical roles for which bank boards are responsible. Independent risk oversight processes (internal audit, risk management, compliance) are important instruments of 26 According to Article 44 and 45 of the LCI exposures to related parties (10% to a single related party or 25% to a group of connected parties and 15% for large exposures) and large exposures (above 15% of the assets of the bank) must be approved by unanimous vote of the MB. 27 Regulation 0 in the United States or Banking Law of Ireland. 19 the board to ensure that its strategies, risk thresholds, and policies are communicated, monitored, and respected. If boards are adequately empowered to set business strategy and the risk parameters necessary to accomplish that strategy, then the risk management function becomes an important tool for it to understand the success of its directions and the soundness of the institution. Having a strong risk management function allows the board, then, to discharge its duty to oversee the performance of the institution. 32. Risk management has become the key priority for all banks after the KTB failure in 2014. According to the Bank Corporate Governance Survey conducted by the WBG for the purposes of this technical note and the results of a study conducted by a reputable audit firm,28 risk management is the key priority for all Bulgarian banks. Among the key initiatives taken by a large number of banks is the creation of a separate risk function independent from the business line. The functions are usually well staffed (see figure 5). Twenty out of twenty-one banks have created the position of CRO (or equivalent) in order to have one person responsible for overseeing the full complex of risks in the bank. Some banks have given such a level of importance to this position that the CRO is also a member of the MB (see Figure 6). Figure 5: Percentage of Staff Risk Management Function 50 40 30 20 10 0 % of banks with Between 10 and More than 20 Less than 10 20 staff Source: WBG Bank Corporate Governance Survey 28 Ernst & Young, Bank Barometer: http://www.ey.com/gl/en/industries/financial-services/banking---capital- markets/ey-european-banking-barometer-2016 20 Figure 6: Percentage of Banks Where the CRO is Member of the Managing Board % of banks where CRO is member of 47.62 the managing board 52.38 % of banks where CRO is not member of the managing board Source: WBG Bank Corporate Governance Survey 33. Risk is also a key concern at the SB level and therefore risk committees are being created. All banks (except for one) have created a risk subcommittee of the board. Professionalizing the work of the board through the creation of specialized committees contributes significantly to the effectiveness of a SB. However, as it was outlined in paragraph 23, the current composition of boards does not allow the effective implementation of this committee due to the lack of independent board members. 34. The SB, despite its mandate to ensure the oversight of all risks, remains very weak in practice. Boards are required to set the risk appetite of the bank, approve risk policies and monitor key risks (Article 2 Ordinance 7, 2014). However, in practice, boards of Bulgarian banks play a passive role in risk management. The boards of domestic banks delegate most of these tasks to the MB and limit themselves to simply approving policies proposed by management, including the approval of risk appetite. In the case of foreign banks, all policies come from the parent bank and local SBs validate those policies and the risk appetite. 35. The independence of the function could be enhanced by ensuring that the head of risk management reports directly to the SB. The head of the risk management function reports hierarchically to the CEO, with only one exception. Although this practice is not uncommon across 21 many jurisdictions, it is not optimal. If risk is a priority for Bulgarian banks, it is important to enhance the role of the SB and ensure the independence of the function as recommended by the Basel corporate governance principles.29 An independent and strong function include directly reporting to the SB with the SB responsible for hiring, terminating, and evaluating the head of function. Also, the SB must ensure that adequate budget and proper human resources are provided to the function to fulfill its mandate. In the case of foreign banks, the reporting lines of the function are better managed. In most of the cases, the head of risk (or the CRO) reports hierarchically to the CRO of the parent bank. Performance evaluation of the function is also handled by the parent bank. However, the CRO also has a secondary reporting line to the CEO of the subsidiary. According to the Bank Corporate Governance Survey, the head of risk meets twice a year with the SB and/or the risk committee 36. The implementation of good credit risk management practices remains uneven across banks. Credit risk management must be independent from the business line as per the BNB Ordinance 7. Credit risk management systems are more developed in foreign banks, as these apply the models from head office. Most of the domestic banks do not conduct real risk monitoring. Only 3 banks have a chief economist function (all foreign) that provides sectorial and macroeconomic analysis to the credit underwriting and credit monitoring teams to better manage risk. An independent credit surveillance function – that determines the accuracy of credit classification and therefore, the overall credit risk profile of the bank, has yet to fully develop. The current function serves more as a credit risk support activity for the business line which also, in some cases, votes on or offers an opinion on the (dis)approval of credit. The system still has some way to go before a fully developed, independent credit risk surveillance and management function is fully implemented. 37. Sound credit risk management (best) practices are typically constituted by a secondary surveillance function with a direct communication link to the board and which continually monitors and periodically tests portfolio credit quality. Given that the business line is, or should be, closest to the customer, it should be held responsible for monitoring the credit that it sources and books and also be held responsible for flagging credits that start to deteriorate – at the earliest stages. Likewise, credits should be flagged based on real economic deterioration of the borrower rather than waiting for such exposures to be identified ex post (i.e. when they become delinquent) so that timely and active remedial action can be taken by management to minimize risk of loss. A concrete conflict of interest exists when the same unit is responsible for identifying credit deterioration and changing classifications while at the same time analyzing portfolio performance and acting as a surveillance tool for management and the board. A strong governance culture charges all in the institution -- business line / relationship officers, risk surveillance, and internal audit -- with ownership of risk. Strong ownership of risk (credit and other risks) is when all in the institution understand and know what risk is, understand the (prudent) risk parameters and business 29 Basel Corporate Governance Principles for Banks: http://www.bis.org/bcbs/publ/d328.htm 22 strategies set by the board and management, and communicate risk positions and potential risk issues within the institution and with the appropriate persons or units. 38. As indicated in the Bank Corporate Governance Survey, liquidity, operational and interest rate risk are also monitored by all Bulgarian banks. Regarding liquidity risk, all banks monitor this risk through models and stress testing to ensure compliance with the BNB’s statutory ratios.30 In addition, most of the banks have established Asset and Liabilities Committees (ALCO) at the management level. Regarding operational risks, the largest banks explained that they have mapped all operational risks, while the smaller domestic ones are in the process of mapping them in order to comply with BNB requirements.31 Interest rate risk is also managed and controlled in Bulgarian banks. The most sophisticated models for monitoring these risks are found in the foreign banks, which usually implement models from the parent company based on historical simulation of market data that allows monitoring of interest, currency, commodity and equity risks. Smaller domestic banks report they have also developed their own models to monitor and manage interest rate risk. F. Internal Audit 39. While all banks report they have an internal audit function as required by the Ordinance on Internal Control in Banks, in practice, the functions appear to lack adequate independence. Consistent with the LCI and Ordinance 10, banks indicated that the head of internal audit is appointed by the shareholders meeting and that he/she reports to the audit committee. The current reporting and hierarchical positioning of the audit function is inconsistent with global good practices. The internal audit function is designed to serve as the SB’s “eyes and ears” by helping it to understand the status of the bank’s control environment, to detect important control concerns, and overall, to give the SB a level of comfort that surveillance of the bank’s operations is conducted on a regular basis. However, by law, the function is responsible and accountable to the (controlling) shareholders, again bypassing the SB and handicapping its ability to fully discharge its responsible to oversee the financial health of the institution and to oversee management.32 Although all banks reported that at least the head of internal audit meets twice a year with the SB, the current arrangement poses an important risk taking into consideration the level of concentration of ownership particularly in the domestic banking sector. Global good practices recommend that the internal audit should report to the SB through the audit committee (when this is a board committee). The appointment, nomination and performance evaluation must be handled at the board level and not at the managerial or shareholders meeting level. 30 Ordinance 11 on liquidity risk. 31 Guidelines on Operational Market Risk Management: http://www.bnb.bg/bnbweb/groups/public/documents/bnb_law/bs_gl_oper_risk_bg.pdf 32 Ordinance 10 on Internal Audit 23 40. The internal audit functions of foreign banks appear more independent despite the weaknesses in the domestic legal framework. The internal audit functions in foreign banks usually adopt their head office procedures. The head of internal audit of the subsidiary usually reports directly to the head of internal audit in the parent bank. As the management of foreign subsidiaries reported during multiple interviews, “the foreign subsidiary provides the office space and administrative support for the internal audit department, and everything is then controlled by the parent bank”. Even in terms of reporting, the head of internal audit reports hierarchically to the head of internal audit of the parent bank. The performance evaluation is usually also handled by the parent bank. However, to comply with local legislation, the head of internal audit of the subsidiary reports to the audit committee of the subsidiary as well. The advantage is that the countries where parent banks are headquartered such as France, Italy or Germany, the head of internal audit is required to report directly to the SB or the board of directors of the parent bank according to local laws to ensure the independence of the function. 41. In addition to the hierarchical reporting shortcomings of the function, the independence is further hindered due to the prominent role of the CEO in domestic Bulgarian banks. The head of the internal audit meets at least twice a year with the SB. However, the CEO is always present during these meetings. In addition, in the majority of interviewed banks, management has access to audit reports before the SB. In many instances, management provides comments and observations before the board has access to the report. This is problematic taking into consideration the independence concerns of the function. The SB receives only an annual consolidated and summarized audit report. It is key to guarantee that internal audit is able to meet with the board without the presence of the CEO. 42. The annual audit plan is prepared by the internal audit department, and approved by the audit committee. The majority of banks operating in Bulgaria report they have implemented risk based approaches towards the process of audit as per Ordinance 10 (risk based matrix system). All the operations, departments and functions have risk ratings. The number of times that a unit will be subject to an audit is based on its risk rating. Internal audit departments are tasked by law with conducting audit of all units and processes in the period of two years. Both management and the audit committee can provide inputs on the annual audit plan. Internal auditors of banks have access and conduct audits of the subsidiaries of the banks (mostly insurance and leasing companies). 43. The size and composition of the internal audit departments varies relative to the size of the banks. The largest internal audit department has 39 auditors, the smallest one has 3 auditors. In general terms, the internal audit departments of Bulgarian banks seem to be well-staffed (see figure 7). Internal audit departments are composed of a mixture of senior and junior internal auditors. Retention of talented staff does not seem to be a challenge. In terms of competencies, auditors seem to be qualified, and some of them have degrees from western universities. 24 Figure 7: Staff Internal Audit Departments of Banks Operating in Bulgaria 60 50 40 30 20 10 0 % of banks with Less Between 10 and 20 More than 20 staff than 10 staff staff Source: WBG Bank Corporate Governance Survey 44. The legal framework requires the head of internal audit to report to the BNB any instance of mismanagement. Ordinance 10 requires the head of internal audit to maintain the BNB informed in case of mismanagement. Although the Ordinance 10 provides some fit and proper criteria (Article 16) for the head of internal audit of banks, the law does not give powers to the BNB to effectively control the fitness and probity of the head of internal audit. The law does not impose an obligation of notification by the banks when a new head of internal audit has been hired or dismissed. 45. External auditors have mixed opinions on the quality of the work of internal audit departments of domestic Bulgarian banks. Auditors have positive opinions on the quality of the audit departments of the foreign banks. However, they have mixed reviews on the quality and the audit methodology followed by internal audit departments of domestic banks. When performing the external audit of these banks, external auditors analyze the internal audit reports. However, they explained that they would rather not rely on the information contained in these reports to draw conclusions about the financial health and internal practices of banks. 46. Most of the banks have or are in the process of creating a compliance function (see figure 8). Compliance remains a nascent function in the Bulgarian banking sector. Most of the banks have taken steps to strengthen the function, particularly the foreign ones. However, as this is a relatively new function, its role is not sometimes well understood and, in many instances, the function is understaffed. More than 50% of the banks have less than 10 staff dedicated to this function (see figure 9). In foreign banks, the compliance is a separate and independent function, while in smaller banks the function is a division within the internal audit department. The head of the function, in the best case scenario meets once a year with the board. The function remains more of a managerial 25 function than a function to assist the board. Compliance departments usually cover issues such as money laundering and terrorism financing, prevention and settlement of conflicts of interest, and compliance with BNB requirements. Figure 8: Percentage of Banks with Independent Compliance Function 9.52 % of banks with independent compliance function % of banks without 90.48 indepdent compliance function Source: WBG Bank Corporate Governance Survey Figure 9: Staff of Compliance Function in Banks Operating in Bulgaria 80 70 60 50 40 30 20 10 0 % of banks with Less Between 10 and 20 More than 20 staff than 10 staff staff Source: WBG Bank Corporate Governance Survey 26 G. External Audit 47. All banks are required to receive an annual external audit by a professional independent firm. The LCI, CA and Law on Independent Financial Audit require banks to have their accounts externally audited by an independent audit professional. External auditors are, usually, proposed by the SB, and approved at the general shareholders meeting. The review is conducted in compliance with ISA standards. Both domestic and local banks use the services of internationally recognized audit firms. Rotation requirements have just been introduced by the new law on Independent Financial Audit. Until the adoption of this law, which is supposed to come into effect this year, in practice, the same audit firm (and the same team) conducted the external audit for many years in a row. In some cases, the same firm has conducted the external audit for eight years in a row. In addition, the law does not prohibit the firm in charge of conducting the external audit of providing non-audit services to the bank. This issue has also been addressed by the law. The largest international audit firms explained that the rotation and conflict of interest issues were under control in practice since the internal regulations of the audit firms follow international best practices. 48. External auditors have limited exchanges with the SB. Global good practices require that SB play an active role on the external audit process. The SB, through its audit committee, usually are the ones that propose the general auditor to the shareholders. They also review and approve the terms of reference of the auditor. In addition, the external auditor, in compliance with IFRS procedures, usually should meet at least 2 times with the SB during the audit cycle. However, in Bulgaria, the SB does not play an effective role in this area. The external auditor interacts more with the audit committee and/or MB and rarely meets with the board. 49. The external audit function is under strong scrutiny by the country authorities. Since the KTB scandal, the external audit profession has been subject to strong criticism and its integrity has been put into question. As a result of the KTB failure, the Law on Independent Financial Audit has been amended and banks will soon be required to have a dual audit. A dual audit requires banks to hire the services of two audit firms to conduct the audit work. The essence of this approach was to bring the “four eyes principle” into the audit process. However, in practice, this system has shown many weaknesses.33 First, auditors do not conduct two full audits of the bank. What they do is to divide the labor in two and then exchange their findings. This approach is ineffective since it is better to have one lead auditor having a comprehensive understanding of the bank, rather than two with half of a view of the issues. Second, despite that the legislation assigns mutual and joint liability to both lead auditors, when something goes wrong it is very difficult to determine who is 33 Several countries including Denmark and Canada have eliminated joint audits because impact evaluations of the system showed that its benefits do not outweigh the associated costs. Furthermore, there is no evidence that joint audits reduce the risks of bank failures. 27 liable for what. An additional complication in the specific case of Bulgaria is the limited amount of bank audit experience among the external audit firms. Representatives of the largest audit firms in the country have shown concern since, for liability purposes, they only want to partner on joint audits with firms with equivalent capabilities. The banking industry and the audit industry feel that the implementation of this new audit approach is problematic especially since they have not received implementing guidance from the BNB. H. Disclosure and Transparency 50. Bulgarian banks are required to prepare financial statements in compliance with internationally recognized standards. Bulgarian banks are required to prepare and disclose their financial statements in compliance with IFRS standards. Currently, they are in the process of migrating to IFRS 9 standards on impairment calculation (and loss provisioning) of financial assets. Foreign banks seem well-equipped to ensure a smooth transition, as they have received important support for the transition from their parent banks. However, local banks will face more challenges with the transition due to the complexity of the topic and also due to additional capital requirements. All banks publish their financial statements (annual and periodic) on their website. They also prepare and disclose annual reports in both English and Bulgarian. 51. Disclosure of non-financial information is weak. Despite compliance with IFRS standards, disclosure of non-financial information is problematic in Bulgaria. Very few banks disclose biographies of the SB (including other directorships) and MB members in their annual reports and on their websites. Those that disclose the information provide limited amount of detail. Remuneration of key executives and SB members is not systematically disclosed. Banks rarely disclose corporate governance information including risk management and internal audit insights. 28 Annex 1: Policy Recommendations Legal, Regulatory and Supervisory Recommendations Priority Recommendation (High Priority: Address within one year; Medium Priority: Address 1-3 years) Strengthening the LCI:  require the creation of an audit committee at the supervisory board level composed of and presided by High independent supervisory board members.  provide a definition of independent supervisory board members of banks.  strengthen the approval process of related party lending by requiring supervisory board approval of related party exposures.  require supervisory board’s approval of large exposure.  require a percentage of independent supervisory board members in boards based on the complexity of operations and size of the bank.  increase the minimum number of supervisory board members from three to five.  (including implementing ordinances) require appointment of the head of internal audit by the supervisory board as well as the authority to terminate and to conduct his/her performance evaluation. Supervisory board should also ensure adequate resources, both financial and human. High Law on Independent Financial Audit  Develop implementing regulations and provide dissemination training and materials to ensure the effective implementation of the dual audit process.  Allow the BNB to direct the external auditor to focus on a particular area - either bank specific or across the system. Corporate Governance Code/Regulation for Banks: Medium The BNB should lead a collaborative effort (among banks and market participants) to develop a corporate governance regulation for the banking system. The regulation should leverage existing legislation but address the gaps that exist. It should holistically convey the nature and objectives of sound governance and enumerate key requirements for sound governance.  Training for bankers and the BNB should be conducted, in part to explain the benefits and repercussions of implementing or not implementing the regulation.  The BNB should require banks to evaluate the status of their own corporate governance against the new regulation and prepare time bound reform plans that are forwarded to the BNB. The BNB should convey to the banks its process of monitoring and follow up.  The regulation should address, inter alia:  Expectations for a strong governance environment and risk culture, i.e. the need for the bank’s key parties (owners, board members, management) to act with integrity and in the best interest of all stakeholders, not only owners.  The proper, distinct roles of ownership, board oversight, and management to establish the responsibilities and accountabilities of each function. The separation of ownership, oversight, and day to day management should be clearly set out.  Board professionalism, objectivity, and independence. The code should encourage banks to identify ways to enhance board professionalism including identifying ways to attract the necessary talent to boards, particularly independent board members – possibly from abroad. Over the medium term, the proportion of independent, qualified members should be increased.  The role and importance of a strong strategic planning process at the board level. The process should explicitly address the risk considerations of business plans and projected growth areas, the adequacy of existing risk and internal control functions, and the need to correlate risk management and internal audit capacity with growth. Success and performance indicators should be established.  The requirement for independent control functions that are adequately staffed and resourced and which can serve as a tool for the supervisory board to monitor the management, condition, and performance of the bank. 29  Improved transparency and disclosure of financial and nonfinancial information – throughout the year as well as annually.  The requirement for boards to conduct a self-assessment of the its function and the manner and effectiveness with which it discharges its responsibilities. Outside parties might be considered for this as well.  The requirement for boards to evaluate the overall corporate governance structure and function periodically. Outside parties might be considered for this as well. Targeted Supervisory Corporate Governance Assessments: The BNB should design and begin targeted reviews of corporate governance structures and activities in banks. High In the future, a “horizontal” approach whereby all banks receive a targeted corporate gover nance review within 6 months to 1 year should be conducted. The overall results should be compiled and plans to reform and upgrade clearly communicated. Publication of at least summary results should be considered. Bank-Specific Recommendations Priority Recommendation Medium State Bank Governance (Bulgarian Development Bank) - Bank Ownership – Professionalization of the role of the State as the owner of banks:  Elect SOB board members through transparent and competitive recruitment process including the use of headhunter companies.  Strengthen the composition of the supervisory board of the Bulgarian Development Bank by recruiting independent members with banking sector experience.  Increase the number of supervisory board members from three to at least five members.  Sign performance agreements between the ownership unit (MoF) and the supervisory board with key performance indicators to formalize the commitment of the bank to meet the goals and objectives set by the state shareholder.  Build databases of potential directors for SOBs and other SOEs. Supervisory Board Member Training: As a part of boards’ ongoing efforts to remain abreast of current developments and issues within the financial Medium sector as well as to gain additional insights into more technical aspects of the sector and their banks, members and senior executives should identify and attend (or host) periodic workshops and relevant knowledge updates on a regular basis. Supervisory board evaluation: As per global good practices, supervisory boards should go through an annual evaluation process. This process could be done in-house or could also by managed by third party. Risk Management:  Risk management should not be directly involved in the approval of credit. This compromises the unit’s Medium ability to independently flag risk concerns (i.e. head of credit risk management should not vote on credit transactions at the credit committee).  The CRO (or head of risk) should report to the supervisory board. The supervisory board should also have the authority and responsibility to appoint, terminate, and evaluate the performance of the CRO. The supervisory board should ensure that the function has adequate resources, both financial and human.  All control functions (risk management, internal audit, and compliance) should meet periodically with the board without the CEO, other executive board members, or management.  The BNB should be notified in the event the CRO is released / replaced. Internal Audit: Internal audit functions require substantial upgrade: High  Independent reporting lines directly to the supervisory board should be emphasized.  The chief internal auditor should periodically, at least twice a year, report directly to the board without the presence of the CEO, other executive board members, or management.  The stature and authority of the head of internal audit should be elevated and assured, including: 30  SB (or audit committee – once positioned as a part of the supervisory board) appointment and board involvement if the chief internal auditor is dismissed;  board-conducted performance evaluation for the head of internal audit;  adequate resources including staffing and systems; and  appropriate organizational positioning of the audit department Medium Compliance Function: The development of formalized compliance functions, consistent with international standards, should be more actively pursued. Related-Party Transactions:  Supervisory boards should be held responsible and accountable by the BNB for identifying their related High parties, including the UBOs and their interests and affiliated operations.  Banks should likewise be responsible for implementing a methodical system through which related parties are identified, flagged in the course of banking business, evaluated, and monitored.  The BNB should monitor related party transactions and take appropriate action in case of violations. Disclosure and Transparency: Disclosure standards should be upgraded. Nonfinancial disclosures are insufficient and should be expanded to Medium address, inter alia:  Related party transactions  Board member and management biographical information  Director and senior management remuneration (direct and indirect)  Nature and compliance of the bank with good corporate governance practices 31