98303

BOSNIA AND HERZEGOVINA
FINANCIAL SECTOR ASSESSMENT PROGRAM

June 2015

TECHNICAL NOTE
BANKING SECTOR SUPERVISION CORE PRINCIPLES IMPLEMENTATION UPDATE

Prepared By José Tuya and Marc Schrijver, Monetary and Capital Markets Department, IMF, and Financial and Private Sector Development, World Bank

This Technical Note was prepared by IMF and WB staff in the context of the Financial Sector Assessment Program in Bosnia and Herzegovina, and overseen by the Monetary and Capital Markets Department, IMF, and the Financial and Private Sector Development Vice Presidency, World Bank. It contains technical analysis and detailed information underpinning the FSAP’s findings and recommendations. Further information on the FSAP program can be found at http://www.imf.org/external/np/fsap/fssa.aspx, and www.worldbank.org/fsap.

INTERNATIONAL MONETARY FUND
THE WORLD BANK

CONTENTS

Glossary
EXECUTIVE SUMMARY
INTRODUCTION
OVERVIEW OF THE INSTITUTIONAL SETTING AND MARKET STRUCTURE
PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION
MAIN FINDINGS
DETAILED RECOMMENDED ACTIONS

TABLES
1. Bosnia and Herzegovina: FSAP Key Recommendations on Banking Oversight
2. Federation of Bosnia and Herzegovina: Summary of Key Findings
3. Republika Srpska: Summary of Key Findings
4. Federation of Bosnia and Herzegovina and Republika Srpska: Detailed Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

APPENDICES
I. Federation of Bosnia and Herzegovina: Principle-by-Principle Implementation Review
II. Republika Srpska: Principle-by-Principle Implementation Review
III. Differences Between Basel II Weights and FBA/RS Weights

Glossary

BARS: Banking Agency of Republika Srpska
Agency: BARS and FBA
AQR: Asset Quality Review
BCBS: Basel Committee on Banking Supervision
BCP: Basel Core Principles for Effective Banking Supervision
BiH: Bosnia and Herzegovina
CBA: Currency Board Arrangement
CBBH: Central Bank Bosnia Herzegovina
CP: Core Principle
DIA: Deposit Insurance Agency
EWS: Early Warning System
FBA: Banking Agency of the Federation of Bosnia & Herzegovina
FBiH: Federation of Bosnia and Herzegovina
FSI: Financial Soundness Indicators
IAS: International Accounting Standards
IFRS: International Financial Reporting Standards
IDBRS: Investment Development Bank of RS
ICAAP: Internal Capital Adequacy Assessment Program
MCO: Micro Credit Organizations
RS: Republika Srpska
SCFS: Standing Committee for Financial Stability
SIB: Systemically Important Banks
UBPR: Uniform Bank Performance Report

EXECUTIVE SUMMARY[1]

A review of supervisory practices was conducted to assess progress towards implementation of the Basel Committee Core Principles for Effective Banking Supervision (BCP). A detailed BCP assessment was conducted in 2006 based on the 1999 version of the principles. A factual assessment of compliance was performed this time to measure progress towards BCP implementation since 2006.
Each entity, Republika Srpska (RS) and Federation of Bosnia and Herzegovina (FBiH), completed a full self-assessment that was reviewed by the assessors and fully discussed during the mission. The self-assessments and discussions with management and staff of the Banking Agency of Republika Srpska (BARS) and the Banking Agency of Federation Bosnia and Herzegovina (FBA) provided a detailed view of actions undertaken to continue enhancing compliance with the BCPs. The results of the assessment are reported in a technical note with attachments providing detailed principle-by-principle summaries for each entity. However, compliance ratings were not assigned as the focus was on measuring progress. The attachments are formatted as the standard detailed assessment reports (DAR) but do not cover all essential criteria. Although all essential criteria were discussed, and compliance verified, the report was structured to highlight remaining areas in need of improvement and provide a summary of the current state of development. Although regulations[2] in both entities are largely harmonized, as are supervisory practices, individual attachments were prepared to reflect the preference of the authorities and the preparation of individual self-assessments.

The system of banking supervision oversight has significantly improved since the last review in 2006, but shortcomings remain. Both supervisory authorities have made progress in enhancing the regulatory framework and supervisory processes since the 2006 FSAP.[3] The banking agencies are in the process of preparing a new Law on Banks that should address deficiencies in the supervisory powers, resolution tools, and consolidated supervision. These reforms will impact the respective laws on the Banking Agencies by adding supervisory powers. The regulatory framework has been broadened by the issuance of regulations on corporate governance, credit risk management and capital.
Comprehensive regulations on risk management have been drafted that will address remaining deficiencies that are highlighted in this assessment. Harmonization in regulation between the entities has been largely achieved and joint planning continues for the implementation of additional regulations and operational improvements.

Cooperation and coordination among the various institutions involved in banking oversight is very complex, having potential repercussions in times of financial sector stress. For instance, the SCFS on the state level and the Committee for Coordination of Supervision of the Financial Sector at the level of the RS seem to have overlapping mandates. This could become problematic in case of a crisis. In addition, the key players exchange information to a certain extent guided by specific arrangements and laws, but crucial information on the risk profile of banks (i.e., the CAMEL rating) is not always shared with relevant stakeholders (the other banking agency, CBBH, and the DIA), which creates information asymmetries. It is therefore important to strengthen coordination and the exchange of information. The development of an integral contingency plan is encouraging in this respect.

[1] This Technical Note has been prepared by José Tuya, IMF consultant, and Marc Schrijver, World Bank.
[2] The terms regulation/decision are used interchangeably in this document.
[3] The 2006 BCP assessment was based on the standards as of 1999. The BCP principles have since been revised in 2006 and 2012.

Several problem banks are identified and placed under special supervision; however, banks may remain in the category for an extended period. The Agencies place problem banks under enhanced supervision and require the banks to submit recovery plans.
However, recovery and possible resolution are impacted by the current economy that hinders profitability from lending, difficulties in raising capital from current shareholders or the market and the Agencies’ concerns over triggering system-wide deposit runs.

Related party transactions and concentration risk pose concerns. Supervisory activities frequently identify related and connected party violations of regulatory limits. In addition, there are several domestic banks with opaque ownership structures that affect identification of related parties. The root cause of this problem seems to lie in the licensing and approval process, which has been mostly formal instead of substantial, and in inadequate corporate governance and risk management at some banks.

Enforcement powers are limited when addressing individual supervisory board members and controlling owners. Regulations establish requirements on internal controls and governance and the responsibilities of the supervisory board. However, the enforcement powers of the Agencies are limited for imposing fines on supervisory board members. The authority for replacing or restricting the powers of controlling owners outside of provisional administration can be enhanced to include actions based on the supervisory judgment of the banking supervisor concerning safety and soundness.

Loan loss provisioning is based on International Accounting Standards (IAS) and prudential requirements, but provisioning levels may not be adequate. The focus going forward should be on developing supervisory standards to encourage the conservative implementation by banks of factors to be considered in determining incurred losses under IAS. During onsite reviews supervisors have required banks to increase provisions or re-classify assets based on the prudential standard and address IAS provisioning gaps. Additionally, asset quality reviews (AQR) conducted by external accountants revealed cases of under-provisioning based on IAS.
The outcome of the AQR raises questions on the quality of the financial audits of banks that fit a broader context. Currently, several domestic banks have implemented IFRS 2009, since that is the last one translated into the local language. Further, some external auditors of domestic banks base their opinion on the law on accounting and auditing, instead of IFRS. This makes it difficult to compare different financial statements in the banking sector and brings uncertainty to the quality of the external audit. In addition, the quality assurance of the financial audit is barely developing. Lastly, the appointment of the external auditor takes place on a yearly basis, with a maximum of five years. Neither agency has the power to rescind an external auditor, though both do have the power to consent to the appointment of the external auditor and to refuse the report of an external auditor. The risk exists that a yearly change of auditor has an adverse effect on the continuity of the auditor and the quality of the audit. Appointing an external auditor for a minimum of three years, together with the power to rescind, will give a different incentive to an external auditor and could have a positive effect on the continuity of the auditor and quality of the audit.

Under the legal framework the agencies possess operational independence; however, government actions may impact future independence. In the FBiH, there are several domestically owned banks that currently have opaque ownership structures, and where the FBA experiences difficulties in identifying the ultimate beneficiary owners and the related entities. Different sources claim that these banks are connected to politicians and/or their relatives. This could not be confirmed by the assessors. In the RS, there is increasing support of (mostly) domestically owned banks by the development bank that may place BARS in a difficult position when addressing non-viable banks.
In that case not only the interest of depositors, the bondholders and the shareholders would be important, but also the interests of the government. This could reduce options for BARS on how to address insolvent banks and protect the safety and soundness of the banking system.

Table 1. Bosnia and Herzegovina: FSAP Key Recommendations on Banking Oversight

Recommendations and Authorities Responsible for Implementation (FBA and BARS) | Time[1]
Identify the ultimate beneficiary owners and their holdings – CP 6 | I
Conduct additional AQRs in banks with weak solvency and liquidity indicators – CP 16, 17, 18, 24 | I
Adopt the new Law on Banks that addresses the deficiencies in supervisory powers and consolidated supervision, appeal of supervisory decisions, definitions of branches, licensing, transfer of significant ownership, major acquisitions, prudential reporting – CP 1, 4-7, 10, 11, 12, 27. | I
Enhance resolution and recovery process to avoid non-viable banks operating in the market for extended periods – CP 8 | I
Strengthen LOBA (legal protection of BARS, appointment of member MB, director and deputy director) – CP 2 | I
Enhance coordination and information exchange between CBBH, BARS, FBA and DIA and improve information sharing (including in crisis times) – CP 3 | I
Deepen the assessment of license, fit and proper (board members, significant owners), transfer of significant ownership, major acquisitions – CP 4-7 | I
Explicitly assess net risk of limitations of cooperation with supervisory authorities of parents of D-SIB and mitigate this risk – CP 3, 13 | I
Deepen identification of inherent ML/TF risk profiles of banks – CP 29 | I
Enhance cooperation and information exchange with FID/SIPA – CP 29 | I
Strengthen the interaction with the external auditor (BARS) – CP 27 | I
Evaluate the quality of the external audit and the quality assurance system in relation to the outcomes of the AQR – CP 27 | I
Enhance disclosure on group structure of banks including ultimate beneficiary owner and insider lending – CP 28 | NT
Conduct crisis simulation exercise in order to test the cooperation in times of crisis with events both on state level and entity level – CP 3 | NT
Broaden and link to supervisory judgment enforcement action based on safety and soundness concerns – CP 11 | NT
Develop a remedial action program focusing on new tools and earlier step-up enforcement and heavier fines to expedite corrective action – CP 11 | NT
Implement contingency plan in order to harmonize the domestic cooperation and information exchange between the banking agencies, the Central Bank and the Deposit insurance – CP 3. | NT
Work towards full compliance with IFRS for banks and make the audit opinion explicitly refer to IFRS instead of Law on Accounting and auditing – CP 27 | MT
Issue prudential guidance to promote adequate provisioning and conservative assumptions for trigger events and objective evidence under IAS – CP 18 | MT

[1] “I-Immediate” is within one year; “NT-near-term” is 1–3 years; “MT-medium-term” is 3–5 years.

INTRODUCTION[4]

1. In 2006 Bosnia and Herzegovina (BiH) underwent a Basel Core Principles (BCP) assessment based on the 1999 version of the BCPs. Individual assessments were conducted for the Federal Banking Agency (FBA) in the Federation of Bosnia and Herzegovina and for the Banking Agency of Republika Srpska (BARS). Since the assessment, the BCPs were revised in 2006 and again in 2012.

2. The revisions to the BCPs reflect changes in the guidelines issued by the Basel Committee on Banking Supervision (BCBS) and also increased the level of detail and required verification to document the authorities’ practices in monitoring compliance by banks with regulatory requirements and effecting corrective action.

3. In preparation for the current FSAP, the FBA and BARS prepared self-assessments to determine their level of compliance with the current version of the BCPs.
Since 2006, the authorities have been upgrading their supervisory processes and regulatory framework and in the current FSAP a principle-by-principle review was conducted to determine the level of progress in meeting the BCP standards. The scope consisted of an analysis of the self-assessments, and responses to detailed questionnaires completed by the authorities and a review of documentation concerning corrective action, reports of inspection, offsite analyses and other key risk areas. However, compliance grades were not assigned since the review did not include verification of all essential criteria.

[4] This technical note (TN) analyses banking regulation and supervision practices in Bosnia and Herzegovina using the 2012 version of the Basel Core Principles for Effective Banking Supervision (BCP) framework. This analysis was completed during October 27-November 18, 2014, and reflects the regulatory and supervisory framework in place as of the date of the completion of the analysis. This TN is not a formal assessment against the BCPs; it provides a set of recommendations to the authorities with the view to strengthen the supervisory regimes in Bosnia and Herzegovina.

Box 1. The 2012 Revised Core Principles

The revised BCPs reflect market and regulatory developments since the last revision, taking account of the lessons learnt from the financial crisis in 2008/2009.
These have also been informed by the experiences gained from FSAP assessments as well as recommendations issued by the G-20 and FSB, and take into account the importance now attached to: (i) greater supervisory intensity and allocation of adequate resources to deal effectively with systemically important banks; (ii) application of a system-wide, macro perspective to the micro-prudential supervision of banks to assist in identifying, analyzing and taking pre-emptive action to address systemic risk; (iii) the increasing focus on effective crisis preparation and management, recovery and resolution measures for reducing both the probability and impact of a bank failure; and (iv) fostering robust market discipline through sound supervisory practices in the areas of corporate governance, disclosure and transparency.

The revised BCPs strengthen the requirements for supervisors, the approaches to supervision and supervisors’ expectations of banks. The supervisors are now required to assess the risk profile of the banks not only in terms of the risks they run and the efficacy of their risk management, but also the risks they pose to the banking and the financial systems. In addition, supervisors need to consider how the macroeconomic environment, business trends, and the build-up and concentration of risk inside and outside the banking sector may affect the risk to which individual banks are exposed. While the BCP set out the powers that supervisors should have to address safety and soundness concerns, there is a heightened focus on the actual use of the powers, in a forward-looking approach through early intervention.

The number of principles has increased from 25 to 29. The number of essential criteria has expanded from 196 to 231. This includes the amalgamation of previous criteria (which means the contents are the same), and the introduction of 35 new essential criteria.
In addition, for countries that may choose to be assessed against the additional criteria, there are 16 additional criteria.

While raising the bar for banking supervision, the Core Principles must be capable of application to a wide range of jurisdictions. The new methodology reinforces the concept of proportionality, both in terms of the expectations on supervisors and in terms of the standards that supervisors impose on banks. The proportionate approach allows assessments of banking supervision that are commensurate with the risk profile and systemic importance of a wide range of banks and banking systems.

OVERVIEW OF THE INSTITUTIONAL SETTING AND MARKET STRUCTURE

4. Bosnia and Herzegovina is divided into two semi-autonomous political Entities—the Federation of Bosnia and Herzegovina and the Republika Srpska.[5] Both FBiH and RS have their own Parliament, government, judicial system and stock exchange. Similarly, regulatory and supervisory responsibilities for banking, insurance and capital markets lie at the Entity level, while their respective laws and regulations are harmonized to a degree. In addition, there is a central, or “State” level administration but with few enumerated powers. In this context, the Central Bank of Bosnia and Herzegovina (CBBH) and the Deposit Insurance Authority (DIA) reside at the national level.

[5] The Brcko District, a third distinct entity, has been self-governing since 2000.

5. The financial system in Bosnia and Herzegovina is dominated by a moderately concentrated banking sector. The banking sector accounts for 86 percent of the financial system assets, which are equivalent to 84 percent of GDP as of end-2013. The banking system comprises mostly foreign subsidiaries—82 percent of the banking sector assets, while domestically-owned and public banks account for 16 and 2 percent respectively.
Twenty-seven banks operate currently in the country (17 in BiH and 10 in RS, with a share of 70 and 30 percent of the banking system). The five largest banks represented about half of banking sector assets in 2013.[6] The interbank linkages are limited. Interconnectedness between banks and the insurance sector, as well as between the banks and the RS development bank, is more significant.[7]

6. As elsewhere in the region, the largest foreign banks operating in Bosnia and Herzegovina are from Austria and Italy. Together with Slovenia these banks make up ¾ of banking sector assets in FBiH and half in RS.[8] While most of the foreign subsidiaries have taken a cautious position after the recent crisis, a couple of new foreign banks, albeit small, have been relatively aggressive in expanding their market share.

7. The rest of the non-banking financial system is small. It is distributed among insurance companies (5 percent of financial system assets), leasing companies, investment funds, and microcredit organizations (3 percent of financial system assets each). The share of nonlife insurance (in terms of assets) is below 2 percent of GDP, while life insurance accounts for only 0.3 percent of GDP. There is one stock exchange in each Entity, but capital markets remain underdeveloped. The real-time gross settlement (RTGS) system settles high-value credit funds transfers and net balances submitted by the giro clearing system (GCS) and card switching network. It also handles large-value payments that stem from the capital markets and international payment clearing services.

[6] However, the first largest banks presented 70 and 80 percent of FBiH and RS banking assets in each entity respectively.
[7] The two development banks are non-deposit taking institutions supporting investments and export-oriented activities in the respective Entities. The development bank in RS plays a major role in providing credit lines for on-lending to the banks via its 6 development funds.
It also provides capital to some domestic banks and holds sizeable deposits in some smaller banks in RS.
[8] These banks are Raiffeisen, Hypo, Sparkasse (all Austria), Unicredit, Intesa (both Italy), and NLB (Slovenia). However, the intra-group links are often connecting the BIH subsidiaries to the ultimate owner-bank via different other subsidiaries.

PRECONDITIONS FOR EFFECTIVE BANKING SUPERVISION

A. Sound and Sustainable Macroeconomic Policies

8. The banking sector weathered the global financial crisis relatively well. Fueled by a benign global environment and ample lending supported by foreign parent banks’ funding and capital in subsidiaries, bank credit to the private sector grew at an average annual rate of around 25 percent over 2003-07. While the level of credit-to-GDP rose from around 35 to 45 percent over this period, this represented the smallest expansion in the region. However, the associated vulnerabilities became clear during the 2009 crisis when capital inflows came to a halt. A traditional banking sector model and the absence of riskier mortgage and foreign exchange-related instruments in the currency board arrangement (CBA) helped to mitigate the impact of the global financial crisis on the banking sector.

9. The authorities’ response to the crisis shored up depositors’ confidence and helped to safeguard financial stability. The CBBH swiftly responded to the crisis by lowering banks’ high reserve requirements in several steps to free up liquidity. The FBA and BARS closely monitored liquidity and the soundness of the banks. The negotiation of the 2009 SBA with the IMF, participation in the European Bank Coordination Initiative (EBCI) or “Vienna Initiative”, and the two-step increase of deposit insurance coverage to KM 35,000 (€17,000) to all banks,[9] helped to preserve market and depositors’ confidence.
Moreover, a formalized coordination framework across the agencies through the Standing Committee for Financial Stability (SCFS) was established.[10] However, the CBBH is also, according to the Law on the Central Bank, in charge of the coordination of activities between the two banking agencies.

[9] The most recent increase in the level of deposit insurance was on January 1, 2014 to KM 50,000.
[10] The Standing Committee on Financial Stability (SCFS) was created in December 2009 through a Memorandum of Understanding (MoU) among the CBBH, the two Banking Agencies, the Deposit Insurance Agency and the Fiscal Council to ensure cooperation at all times for sharing information and assessments of each member to facilitate the achievement of their policy function and financial stability.
[11] Three small banks were nationalized or liquidated following the crisis. In addition, Hypo Alpe Adria Bank was nationalized by the Government of Austria in 2009. On October 30, 2014, it announced that it will sell its SEE network to U.S. equity fund Advent International and the European Bank for Reconstruction and Development (EBRD) as co-investor.

10. The crisis weakened asset quality and profitability of the banking system.[11] System-wide NPL ratios stood at 15.5 percent at end-June 2014, compared to just 3 percent at the onset of the global financial crisis, reflecting the impact the crisis had on the region. Banking sector profitability has deteriorated, partly due to the weak economic environment and the region in general, partly due to high regulatory provisioning requirements related to high NPLs (the provisions to NPL ratio is at 68 percent). Owing to poor corporate resolution and insolvency frameworks, asset quality is becoming an important obstacle for re-establishing bank profitability. The sector-wide regulatory capital is at over 17 percent of risk-weighted assets as of end-June 2014, and banks maintain low leverage ratios.
The recent natural disaster prompted regulatory forbearance measures for loan classification, but so far has had a relatively mild impact on asset quality. According to the authorities, only about 1 percent of total loans have been restructured so far, even though more loans could be restructured.

11. BiH has adopted a strategy to safeguard financial sector stability and plans to adopt banking laws in line with Basel II. The global financial crisis and its aftermath have revealed significant shortcomings in BiH’s supervisory and regulatory frameworks, including the supervisors’ lack of control over excessive and lax bank lending prior to the crisis. Supported by the SBA, the authorities of BiH have adopted a number of measures to boost their contingency planning and crisis preparedness toolkit. A detailed asset quality review is being conducted for six banks under the enhanced supervision regime.[12] Moreover, CBBH and both banking agencies, with assistance from IMF and EU, have made progress in drafting new banking laws.

12. Key risks to the financial sector derive from slow NPL resolution, high dependence on parent banks, and potential weak demand. The balance of financial stability risks has changed since the 2006 FSSA. In particular, credit risk increased dramatically due to lax lending conditions in 2005-8, leading to high NPLs. Owing to poor resolution and insolvency frameworks, asset quality is an important obstacle for reestablishing bank profitability. In terms of macroeconomic risks and inward spillovers, the overall situation is similar to the 2006 FSAP. Foreign bank subsidiaries are still reliant on parent bank support, which renders the system vulnerable to external developments. Moreover, renewed weakness in the euro area, compounded with deterioration in the health of commercial banks, could result in depositors’ confidence loss.
Monetary and financial conditions have tightened, reflecting lower credit growth and liquidity in the system, as well as less risk appetite.

B. Well Established Framework for Financial Stability Policy Formulation

13. The macroprudential toolkit is underdeveloped and relies mostly on required reserve management. The required reserves levels were used to mitigate the credit boom as well as the following liquidity crunch before and after the global financial crisis. The CBBH is also conducting top-down stress tests on the main financial risks and, jointly with the banking agencies, has developed a methodology to identify systemic domestic banks. The annual Financial Stability Report, prepared by the CBBH, contains a broad range of information on the macroeconomic environment, household and legal entities, financial intermediaries, including the aggregate results of stress tests, FSIs, and on financial infrastructure.

[12] Vakufska Banka, Hypo Alpe-Adria, Privredna, and MOJA Banka in FBiH have completed the AQRs; Bobar and Banka Srpska’s AQRs in RS are yet to be finalized.

C. Well-Developed Public Infrastructure

14. Weaknesses in the legal and judicial frameworks have impeded the resolution of NPLs. One of these is the legal impediment (in the Law on Obligations and the Law on Protection of Consumers, the latter being applicable to loans to natural persons) that impedes banks from transferring non-cancelled NPLs to an entity other than a bank. These laws have been a significant obstacle in the ability of banks to resolve NPLs, given that one of the preferred mechanisms for doing so is the sale of NPLs to either a company formed for the purpose within the bank’s group or to an external party which specializes in impaired debt collection.

15. Legal impediments need to be addressed by amending the relevant laws in each entity to enable all NPLs to be transferred to non-bank entities, subject to appropriate safeguards.
These safeguards would include the ability of the banking agencies to continue to monitor NPLs where these are located in an AMC within a banking group through consolidated group supervision. In addition, NPLs could be maintained on a credit register to enable credit providers to identify the status of applicants for credit.

16. Another difficulty impeding the resolution of NPLs is the absence of an alternative to bankruptcy. Under BiH laws, there is no satisfactory streamlined process by which a company and its creditors can negotiate a restructuring of debt or the company itself to facilitate a least-cost solution to loan impairment. This results in more companies being placed into bankruptcy than might otherwise be required, with a consequential loss in recovery on the impaired loans and potentially greater costs to the economy in terms of loss of economic activity and jobs. It also results in a large backlog of cases in the courts awaiting decisions.

17. Current monitoring and enforcement arrangements do not ensure that the quality of financial statements meets the standard of IFRS. The audit public oversight systems are nascent, and audit quality assurance systems have only performed preliminary work. It will take at least three to five years of constant effort to implement these systems effectively. In addition, provisions of the new EU audit regulation relating to the monitoring of audits of PIEs will necessitate that the institutions responsible for audit public oversight directly monitor audit firms responsible for PIEs statutory audits and are completely independent from the audit profession. These requirements will imply additional constraints on the capacity of the entities to implement these systems.
Financial sector regulatory agencies (under BARS and FBA) have increased their monitoring of financial statements compliance with IFRS and need to continue these efforts by hiring specialized staff or training existing staff in IFRS and at a minimum ISA 700, the standard that governs the audit report. 18. Preliminary results in implementing statutory audit quality assurance systems in both Entities point to a decrease in audit quality and numerous instances of non-compliance with ISA and IFRS. Some of the roots for low audit quality are the constant downward pressure on audit fees, rapid rotation, and late appointment of statutory auditors. 13 BOSNIA AND HERZEGOVINA D. Clear Framework for Crisis Management, Recovery and Resolution 19. Building on recent initiatives, further progress is required to strengthen the framework for recovery and resolution. Although improvements have been made to some of the legal powers for resolution in recent years and the authorities have developed financial crisis contingency plans, significant deficiencies remain in the financial safety net, including in respect of resolution powers, institutional responsibility for resolution, recovery and resolution planning, and resolution funding. 20. There is a need for the establishment of a resolution authority and resolution funding. At present, the FBA and BARS have some of these powers, but are not formally designated as or equipped to be resolution authorities. The proposed new banking laws need to establish clear responsibility for bank resolution with appropriate accountability and transparency. Currently, there is no resolution fund in BiH, other than the deposit insurance fund. Given that open bank resolution of systemically important banks may require funding for various aspects of resolution and that this goes beyond the scope of a deposit insurance fund, a new source of funding will be necessary in order to reduce fiscal risks and moral hazard. 21. 
The CBBH has no LOLR facility—prohibited by CBBH law—and there are gaps in the banking crisis resolution framework. The framework has benefited from a series of reforms over recent years. These include improvements to some statutory powers for crisis resolution, the development of contingency plans by a number of the agencies responsible for crisis resolution, and the establishment of a formalized coordination framework across the agencies through the SCFS.

E. Appropriate Level of Systemic Protection

22. The deposit insurance framework is relatively well developed. The DIA has responsibility for administering a pay-box form of deposit insurance where the deposit insurance fund is financed by annual levies on banks, supported by a €50 million standby facility with the EBRD. Since its establishment, the DIA has made good progress in developing much of the infrastructure required for an effective deposit insurance framework, including MOUs to support coordination with the FBA and BARS, regular testing of depositor data and procedures for making deposit pay-outs. The current level of funding is sufficient to cover all insured deposits in the small domestically-owned banks.

23. Information sharing and coordination arrangements between the DIA and other safety-net participants need to be strengthened. The DIA requires timely information on problem banks to prepare promptly for pay-out cases and manage its liquidity needs accordingly. The current MoU with the banking agencies is more than ten years old and information is not exchanged automatically. To achieve further flow of information between financial safety-net participants, all problem banks in BiH should be regularly discussed in the SCFS.

F. Effective Market Discipline

24. While sector-wide indicators appear broadly sound, there are pockets of higher vulnerabilities among domestic banks. The domestic banking segment has lower liquidity and capital ratios as well as large concentration risks.
The asset quality of the domestic banks deteriorated more substantially than that of the foreign banks. As a consequence, the profitability of domestic banks dropped more than that of foreign banks and capital ratios declined faster. The detailed asset quality reviews (AQRs) of the five domestic banks that are under enhanced supervision have revealed capital shortages, of which only two have been corrected. The results of the AQRs performed by reputable external auditors on two domestic banks are long overdue.

25. A number of domestically-owned banks rely heavily on public sector support. In the RS, the development bank (IRBRS), along with the six development funds under its management, holds a sizeable amount of shares and subordinated debt issued by some of the domestically-owned banks that otherwise would be undercapitalized. It also has large credit lines for on-lending to all commercial banks in RS and two in FBiH, and places deposits in four domestic banks. In contrast, the relatively small development bank in the FBiH does not play a similar role. However, some public sector entities have stakes in some domestically-owned banks. Furthermore, some small domestically-owned banks hold each other’s shares, although only up to a limited amount. Conglomerates also hold a significant amount of the shares issued by the small domestically-owned banks through their controlled companies engaging in both real and financial sectors.

26. The solvency of a number of domestic banks is under severe pressure and action is needed to deal with weak banks in the near future. There are signs that the business models of the weakest banks have been unsustainable for some time. They faced significantly higher funding costs and had been compelled to cater mostly to sub-par borrowers, with negative impact on asset quality.
Without significant capital support from the owners coupled with profound changes in business models, these banks may face difficulties surviving the contested banking market. A number of them have already benefited from public sector capital support without diluting existing shareholders, thereby contributing to moral hazard. Without imminent and decisive actions the banks’ financials will continue to deteriorate, leading to a rapid increase of potential resolution costs over time. Therefore, the authorities are advised to develop, as a matter of high priority, a thorough planning process to either facilitate the recovery of these banks (if practicable) or to implement a cost-effective resolution consistent with maintaining the stability of the financial system and protection of insured depositors. As part of the resolution planning process, all resolution options should be carefully assessed, including ensuring the technical readiness of the DIA to pay out depositors promptly.

G. Anti-Money Laundering and Terrorist Finance Issues

27. The 2009 Mutual Evaluation Report conducted by MONEYVAL identified strategic deficiencies in the BiH’s AML/CFT framework, such as deficient and inconsistent criminalization of the money laundering offense across state and entity level legislation and a lack of effective implementation of customer due diligence measures. BiH agreed to an action plan to remedy these shortcomings. Although important progress has been made, notably with the enactment of a new AML law, significant deficiencies remain. Failure to implement the action plan in a comprehensive way has resulted in MONEYVAL issuing public statements on BiH in June and September 2014, calling upon members to apply enhanced due diligence measures to transactions with persons and financial institutions from or in the BiH.
Further delay in addressing key AML/CFT deficiencies may result in additional scrutiny from the Financial Action Task Force (the standard setter on AML/CFT), with potentially greater negative repercussions for the BiH, notably on correspondent banking relationships.

28. Timely and effective implementation of the action plan is recommended, notably through the enactment of the necessary amendments to the Criminal Code. Staff also recommends that the authorities conduct a national assessment of the ML/TF risks and develop a national strategy in line with its findings. Staff further encourages the authorities to promote greater coordination and cooperation amongst State and Entity level agencies.

MAIN FINDINGS

A. Main Findings in the Federation of Bosnia and Herzegovina

Responsibilities, objectives, powers, independence, accountability, and cooperation (CPs 1-3)

29. The system of banking supervision oversight is significantly improved since the last review in 2006, but further enhancements are necessary. The current Law on Banks has been strengthened after 2006 with regard to transfer of significant ownership, anti-money laundering, consumer protection and provisional administrator. The FBA is in the process of developing a new Law on Banks that should also address some deficiencies in the supervisory powers, recovery and resolution, and consolidated supervision. These reforms will probably also impact the Law on the Banking Agency. With regard to the regulatory framework, this has been broadened by the issuance of regulations on corporate governance, credit risk management and capital. Harmonization in regulation between the entities has been largely achieved and joint planning continues for the implementation of additional regulations and operational improvements.

30. There are clear checks and balances for independence of both supervisory agencies, but the context in which both entities operate could become difficult.
The political economy could be behind the opaque ownership structures of domestic banks. At the same time, banks and the FBA have trouble identifying the ultimate beneficiary owners of the banks and their holdings, which leads to opaque ownership structures. There are also examples where the parliament proposed amendments to the LOBA that could compromise the operational independence of the supervisor.

31. The framework for appeals by financial institutions against supervisory actions should be strengthened. Currently, it is possible that after an appeal the court may temporarily suspend the decision of the FBA, or delay its execution. This could be very damaging for the banking sector that is sensitive to early and timely intervention.

32. Cooperation and coordination in BiH is very complex due to the administrative set-up of the country and may have potential repercussions in times of financial sector stress. For instance, the SCFS on the state level and the Committee for Coordination of Supervision of the Financial Sector at the level of the RS seem to have overlapping mandates. This could become problematic in case of a crisis. In addition, the key players exchange information to a certain extent guided by specific arrangements and laws, but crucial information on the risk profile of banks (i.e., the CAMEL rating) is not always shared with relevant stakeholders (the other banking agency, CBBH, and the DIA), which creates information asymmetries. It is therefore important to strengthen coordination and the exchange of information. The development of an integral contingency plan is encouraging in this respect.

Ownership, licensing, and structure (CPs 4-7)

33. FBA does not have a clear picture of the ownership structure of several domestic banks in BiH. This includes the identification of the ultimate beneficiary owner and its holdings. As a result, related party lending and group exposures are not fully identified.
The root cause of this problem lies in the licensing and approval process (including transfer of significant ownership and major acquisitions), which has been mostly formal instead of substantial and without imposing prudential conditions, if needed. This means that the assessment of the licensing criteria for newly established banks is not comprehensive and focuses mostly on describing the prescribed content, rather than assessing criteria of safety and soundness that cover suitability ownership structure, (group) governance (including fit-and-proper of board members and senior management), strategic and operational plans, internal control, risk management and projected financial conditions (including capital base). The same applies to the approval of major acquisitions or investments. The assessment prior to approval focuses mostly on required documentation and the impact on the capital position. There is no explicit assessment whether the new acquisition or investment exposes the bank to unnecessary risk or impedes efficient supervision, nor whether the bank has sufficient resources to manage the acquisition or investment.

34. The LOB does not have clear distinctions between bank subsidiaries, branches, representative offices and other operational offices and the activities they can engage in. There are different articles in the LOB that give some kind of direction but these are not comprehensive.

Methods of ongoing banking supervision (CPs 8-10)

35. Ongoing bank supervision is conducted through a blend of onsite and offsite activities that are detailed in supervisory manuals. Annually a supervisory plan is developed for each bank that addresses planned activities, both onsite and offsite.
The scope of the supervisory plan reflects the bank’s risk profile, which is determined by considering the following: results of the offsite analyses and onsite inspections, the assigned CAMELS rating, the bank’s annual business plan, early warning system (EWS) risk indicators, Uniform Bank Performance Report (UBPR) and any other public or confidential information available. Onsite inspections focus on evaluating loan portfolio quality, implementation of corrective action, effectiveness of risk management systems and internal controls. Offsite monitoring performs quarterly analyses on banks and the system as a whole. The offsite department also has the ongoing responsibility for monitoring banks’ compliance with corrective action, which in 4/5 rated banks includes regular meetings with bank management.

36. Banks’ risk profile is graded based on an aggregation of risks under the CAMELS categories: Capital, Assets, Management, Earnings, Liquidity and Sensitivity to market risk. A rating for each category is assigned and an overall rating is assigned to the bank. The scale of the ratings is 1-5 with 5 being the highest risk. The criteria considered for rating each risk category and assigning a numerical rating have been detailed in a regulation and published in the Official Gazette. A number of prudential ratios are analyzed under each category and also qualitative factors such as quality of risk management. Comparison to system averages is also factored into the rating to highlight areas where the bank appears to be an outlier. Currently the “S” is not rated pending issuance of the market risk decision.

37. FBA collects, reviews and analyzes prudential reports and conducts several controls to ascertain the accuracy of the information.
Key controls are formal IT controls, substantive controls by off-site, on-site inspections (since 2009 together with IT inspectors) and assessments of the compliance with law and regulation by the external auditors. It is noted that the prudential returns are not comprehensive yet. FBA does not receive prudential reports on consolidated basis (see CP 12 Consolidated supervision) nor does it receive reports on pillar 2 capital (see CP 16 Capital), country risk exposure (see CP 21 Country risk) or market risk except foreign exchange positions (see CP 22 Market risk). In addition, neither the supervisory board nor the external auditor has to attest the prudential returns.

Corrective and sanctioning powers of supervisors (CP 11)

38. The FBA has a number of enforcement tools to require banks to effect corrective action but authority to fine individual supervisory board members is limited. The FBA can impose fines, issue orders requiring increases in capital, cease and desist unsafe and unsound practices, impose temporary management and revoke the license. However, the fines that may be currently applied under the administrative procedures are insignificant. The banking law is currently being re-drafted.

39. The FBA has not developed a remedial action program that aggregates all the tools, describes circumstances when they may be applied and outlines benchmarks for applying a hierarchy of actions. While FBA decisions and the banking law address situations that may be subject to sanctions and enforcement action, a comprehensive remedial action program would enhance transparency, ensure consistency in application, provide clear internal guidance and facilitate timely corrective action.

40. Problem banks may remain in that status for extended periods without defined prospects for recovery or resolution. Supervision of problem banks is labor-intensive and resolution costs tend to increase the longer the unstable situation is permitted to exist.
Recovery or resolution options should be evaluated early and executed. Allowing banks that may no longer be viable to continue to operate results in increased risk as the bank may undertake transactions to raise funds or increase capital with back-to-back operations with other banks that may result in double gearing. Currently authorities face constraints in resolving banks due to inadequate sources of market capital, a weakened economy that limits opportunities for banks to recover and a lack of confidence by depositors that may trigger system-wide deposit runs if a bank is resolved.

Consolidated and cross-border banking supervision (CPs 12-13)

41. Consolidated supervision as a concept and practice has not been implemented by FBA. There are no prudential requirements, both quantitative and qualitative, for consolidated supervision. Furthermore, the supervisory agencies do not have the supervisory power to intervene in groups. This will also emphasize the need to have excellent cooperation and information exchange with Austria, Italy and Russia (beyond formal arrangements), since these countries are the (grand) parents of D-SIB in both the FBiH and the RS. Recently, both FBA and BARS received a confirmation from the Austrian supervisor (FMA) that there are no hindrances anymore to formalize and sign the Memorandum of Understanding (MOU). At the same time both agencies should stay realistic about the value of the MOU. Furthermore, the current arrangements with the supervisors of Slovenia and Turkey do not address cross border cooperation and coordination in times of crisis.

Corporate governance (CP 14)

42. The FBA has issued Decisions on the Diligent Behavior of Members of Bank’s Bodies (corporate governance) and Suitability Assessment of Banks’ Bodies (fit and proper).
Bank compliance would be enhanced by providing additional guidance to banks on FBA expectations for issues to be addressed in a risk appetite statement (quantitative metrics such as value-at-risk, leverage ratio, range of tolerance for problem loan levels, and acceptable stress test losses) and in strategic plans (a comprehensive assessment of current and expected risks, a statement of the business objectives of the bank, and an explanation of how achieving the objectives will affect the risk profile of the bank).

Prudential requirements, regulatory framework, accounting and disclosure (CPs 15-29)

43. Major improvement has been made to the regulatory risk management requirements. Areas in need of attention are: market and country risk, interest rate risk in the banking book and guidance on holistic risk management requirements for banks. As part of Pillar 2 and the Internal Capital Adequacy Assessment Process (ICAAP) implementation the authorities plan to address these issues. A risk management decision has been drafted that provides a bank-wide view and introduces broader risks such as strategic risk. The risk management decision will also address areas not currently regulated.

44. The process of enhancing the capital requirements continues with the adoption of the Decision on Minimum Standards for Capital Management of Banks and Capital Hedge (Capital Decision). Being phased-in, the enhancements incorporate elements of Basel II and III such as: capital conservation buffers, leverage ratio, elimination of Tier III capital, amortizing revaluation reserves, limiting loan loss reserves to 1.25 percent of Tier II, and stricter definitions of capital elements. Currently credit risk weighted assets are calculated in compliance with most Basel I requirements, while weighted operational risk is being calculated according to the basic indicator approach, which is to a significant extent in compliance with Basel II.
In 2014, amendments and addenda were executed to the Decision on Capital, with the objective of strengthening the structure of capital, introducing protective layers for capital conservation, restraining the rate of financial leverage, and the highest possible level of convergence with the requirements of Basel III (and adoption of deadlines for harmonization with new requirements). Adoption of this decision is a transitional solution until full implementation of Basel II/III, as per banking agencies’ strategy.

45. Adequacy of provisioning levels in some banks is questionable and IAS requirements from FBA need to be strengthened. Onsite inspections and independent reviews of provisioning identify improper classification of loans and valuation of collateral. Issuing requirements on haircuts for real estate collateral and guarantees (particularly given the restrictions of the guarantor protection law) and on the assumptions for defining impairment would enhance identification of impaired loans and enforcement by FBA.

46. Related party lending, similarly to concentration risk, is an issue of concern at many domestic banks. Onsite inspections often disclose violations of related and connected party lending limits. The violations reflect internal control deficiencies and poor governance.

47. The outcome of the AQR raises questions on the quality of the financial audits of banks that fit a broader context. Currently, several domestic banks implement IFRS 2009 since this is the last version translated into the local language. In addition, some external auditors of domestically owned banks base their opinion on the Law on accounting and auditing instead of IFRS. This makes it difficult to compare financial statements across the banking sector and brings uncertainty to the quality of the external audits. Furthermore, the quality assurance of the financial audit is barely developing.
Also, the appointment of external auditors takes place on a yearly basis with a maximum of five years. Neither of the agencies has the power to rescind an external auditor, though they do have the power to consent to the appointment of the external auditor and to refuse the report of an external auditor. There is a risk that changing auditors every year has an adverse effect on the continuity and the quality of the audit. Appointing an external auditor for at least three years, together with the power to rescind, will alter the incentives for external auditors by making them more candid about the audits. This could have a positive effect on the continuity of the auditor and quality of the audit.

48. FBA needs to put more effort in identifying the inherent ML/TF risks. Recently, a new law and regulation on AML/TF has been adopted. Also the supervisory processes are aligned with this law and regulation. However, there are some concerns. First, more attention could be paid to understanding the inherent ML/TF risk profile of banks and, accordingly, make the supervisory intensity risk based. Second, the follow-up of findings could be strengthened. Third, there seems to be a poor feedback loop between the FBA and the FID. Fourth, it seems that branches outside the FBiH, but with headquarters inside the FBiH, are not being inspected on-site for ML/TF activities.

Table 2. Federation of Bosnia and Herzegovina: Summary of the Key Findings

| Core Principle | Comments |
|---|---|
| 1. Responsibilities, objectives and powers | Deficiencies in supervisory powers (see details in Appendix). |
| 2. Independence, accountability, resourcing and legal protection for supervisors | Although there seem to be clear checks and balances for independence, the context in which FBA operates is rather intervened with political economy. Court could too easily suspend FBA decision. |
| 3. Cooperation and collaboration | Domestic: FBA, BARS and CBBH could exchange more information. Foreign: cooperation with Austria, Italy and Russia is suboptimal. |
| 4. Permissible activities | LOB does not distinguish clearly between bank branches, representative offices, and operational units. |
| 5. Licensing criteria | FBA does not have explicit power to set prudential conditions on newly licensed banks. License assessment is mostly formal instead of substantive. |
| 6. Transfer of significant ownership | Deficiencies in identification of ultimate beneficiary owner. FBA does not have explicit powers to set prudential conditions on transfer of significant ownership. Strengthened requirements of transfer of significant ownership not yet implemented. |
| 7. Major acquisitions | Assessment of major acquisitions is mostly formal instead of substantial. |
| 8. Supervisory approach | Annual joint planning by onsite and offsite yields a coordinated approach. |
| 9. Supervisory techniques and tools | Bank performance reports, early warning system and CAMELS ratings provide risk profile information to calibrate the supervisory scope for each bank. |
| 10. Supervisory reporting | Prudential return not comprehensive. |
| 11. Corrective and sanctioning powers of supervisors | Corrective action is required from banks and the banking law is being amended to enhance some powers. The power to fine individual supervisory board members is weak. |
| 12. Consolidated supervision | Consolidated supervision has not been implemented yet. |
| 13. Home-host relationships | FBA has not optimal cooperation and information exchange modalities in place with home countries of several D-SIB. |
| 14. Corporate governance | A set of regulations on corporate governance, suitability and remuneration has been issued in 2013. However, additional guidance on risk appetite statements and strategic planning is warranted. |
| 15. Risk management process | Risk management regulations for some risks have been issued but are still missing for IRRBB, country risk and market risk. A broader risk management regulation has been drafted covering these areas. |
| 16. Capital adequacy | Implementation of capital standards will continue to be phased-in and specific target dates have been detailed in regulation. |
| 17. Credit risk | General requirements and risk management expectations are in the decision on credit risk. |
| 18. Problem assets, provisions, and reserves | IFRS and a prudential requirement are followed. Collateral is not deducted when determining prudential reserves. Compliance with provisioning requirements is weak in some banks. |
| 19. Concentration risk and large exposure limits | Concentration limit violations are common in some banks due to poor recordkeeping and related party lending. |
| 20. Transactions with related parties | Related party regulations establish a broad definition and place strict limits on related party lending. However, related party transactions are an issue at some banks. |
| 21. Country and transfer risks | A decision/regulation on country risk has not been issued. Regulation has been drafted. |
| 22. Market risk | A decision/regulation on market risk has not been issued and a capital charge for market risk has not been adopted. Regulation has been drafted. |
| 23. Interest rate risk in the banking book | Interest rate risk regulations have not been issued. Regulation has been drafted. |
| 24. Liquidity risk | Liquidity risk is closely monitored. |
| 25. Operational risk | A decision has been issued since 2007 and is effectively supervised. The decision also addresses outsourcing. |
| 26. Internal control and audit | The 2006 recommendations are implemented. |
| 27. Financial reporting and external audit | IFRS 2014 is not fully implemented. FBA does not have power to rescind external auditor. AQR questions quality of external audit. |
| 28. Disclosure and transparency | Disclosure of group structure is weak. |
| 29. Abuse of financial services | FBA has limited knowledge on inherent ML/TF risk profile of banks. Cooperation between FBA and FID could be enhanced. Cross entity branches seem not to be supervised (on-site) for ML/TF risks. |

B. Main Findings in Republika Srpska

Accountability and cooperation (CPs 1-3)

49. The current Law on Banks has been strengthened after 2006 with regard to anti-money laundering, consumer protection and provisional administrator. The BARS is working on a new Law on Banks that should address some deficiencies in their supervisory powers, recovery and resolution, and consolidated supervision. These reforms will probably also impact the Law on the Banking Agency. With regard to the regulatory framework, this has been broadened by the issuance of regulations on corporate governance, credit risk management and capital. Harmonization in regulation between the entities has been largely achieved and joint planning continues for the implementation of additional regulations and operational improvements.

50. There are clear checks and balances for independence for BARS, but the context in which it operates could become difficult. There seems to be a substantive interdependence between the government and the domestic banking sector. This means that in case BARS faces a domestic bank with non-viability problems, the government has a substantive interest in how the problem ought to be solved. It appears that in such a case not only the interest of depositors, the bondholders and the shareholders are important, but also the interests of the government. This could put pressure on BARS in how it deals with non-viability in its pursuit of the safety and soundness of the banks.

51. Legal protection is weak. Missing is the legal protection for persons appointed by BARS such as temporary administrators or liquidators. Also missing is the indemnification. The provisions framework for appeal by financial institutions against supervisory actions should be strengthened. Currently, it seems possible that after an appeal the court can suspend the decision of the BARS.
This could be very damaging for the banking sector which is sensitive to early and timely intervention.

52. Cooperation and coordination in BiH is very complex due to the administrative arrangement of the country, having potential repercussions in times of financial sector stress. Therefore, it is very difficult to determine who gets which information and when. For instance, the SCFS on the state level and the Committee for coordination of supervision of the financial sector on the level of the RS seem to have an overlapping mandate. This could become problematic in case of a crisis. In addition, there is an information asymmetry where the banking agencies know what the financial condition of individual banks is, but will not share, for instance, the CAMEL rating with each other, the Central Bank, and only partly with the DIA. The development of an integral contingency plan is encouraging in this respect.

Ownership, licensing, and structure (CPs 4-7)

53. BARS does not have a clear picture of the ownership structure of several domestic banks. This includes the identification of the ultimate beneficiary owner and its holdings. As a result, related party lending and group exposures are not fully identified. The root cause of this problem lies in the licensing and approval process (including transfer of significant ownership and major acquisitions) that has been mostly formal and without imposing prudential conditions. This means that the assessment of the licensing criteria for newly established banks is not comprehensive. The assessments focus mostly on submitted documentation rather than assessing safety and soundness related criteria that cover suitability ownership structure, (group) governance (including fit-and-proper of board members and senior management), strategic and operational plans, internal control, risk management and projected financial conditions (including capital base).
The same applies to the approval of major acquisitions or investments. The assessment prior to approval focuses mostly on the required documentation and the impact on the capital position. There is no explicit assessment whether the new acquisition or investment exposes the bank to unnecessary risk or impedes efficient supervision, nor whether the bank has sufficient resources to manage the acquisition or investment.

54. The LOB does not have clear distinctions between branches, representative offices and other operational offices and the activities they can engage in. There are different articles in the LOB that give some kind of direction but these are not comprehensive.

Methods of ongoing banking supervision (CPs 8-10)

55. The building blocks for a comprehensive supervisory process are in place. Through a mix of onsite and offsite activities, the BARS develops a risk profile of the banks and assigns risk ratings. The risk rating, which is based on an analysis of capital, asset quality, management, earnings, liquidity and sensitivity to market risk (CAMELS), is then used as a basis for determining the supervisory activities required to accurately assess the banks’ condition. To help the BARS staff in conducting their activities, process manuals for onsite and offsite supervision have been adopted.

56. BARS updates its supervisory strategies using stress test results provided by the CBBH. BARS coordinates with the CBBH in monitoring the banking system and provides quarterly information and comments on assumptions provided by the CBBH. The results of the stress test are discussed within BARS and supervisory strategies are adjusted based on the stress test results. However, in its supervisory process stress testing of individual banks or risks is not incorporated on a regular basis to enable a more forward looking approach. Regulations have not been issued on banks’ use of stress testing.

57. Close coordination exists between offsite and onsite teams.
During annual planning for onsite inspections, the offsite department provides input on risks to be reviewed. Quarterly analytical reports by the offsite unit are shared with the onsite inspectors, significant changes in risk identified by the offsite unit are incorporated into the onsite inspection planning, and meetings between the two areas are held at the conclusion of an onsite inspection to discuss findings by the onsite team. Follow-up on corrective action is performed by offsite with frequent reporting to onsite.

58. BARS collects, reviews and analyzes prudential reports and conducts several controls to ascertain the accuracy of the information. However, the prudential reports are not comprehensive yet. BARS does not receive prudential reports on a consolidated basis (see CP 12 on consolidated supervision), nor does it receive reports on Pillar 2 capital (see CP 16 on capital), country risk exposure (see CP 21 on country risk) or market risk except foreign exchange positions (see CP 22 on market risk).

Corrective and sanctioning powers of supervisors (CP11)

59. BARS can demand that the controlling owners inject additional capital. However, when the current owners are unable to inject capital, the options for BARS to insist on alternative channels of capital or resolutions are limited. The ability of banks to sell shares is currently poor due to economic conditions that are not attracting investors, and BARS is concerned about resolving even small banks because of concerns about system-wide deposit runs. Currently, the development bank has been placing subordinated debt in the banks to improve regulatory capital. When controlling owners remain in place after refusing to inject capital, the risks to the deposit insurance fund are magnified.

60. BARS has available a range of tools to require corrective action from banks but implementation could be enhanced by detailing a remedial action program.
Existing regulations should be amended to implement a comprehensive remedial action program, clarify the hierarchy of enforcement actions and introduce new tools. Additionally, enforceable guidance to communicate the expectations of BARS on standards for corporate governance, risk management and other policy areas should be issued to support supervisors’ judgment concerning unsafe and unsound practices and to facilitate enforcement.

61. A remedial action program must include well-defined enforcement tools that enable the regulator to apply a wide range of penalties or restrictions that can be adapted to the gravity of the situation. The program must be transparent: BARS should publish the situations under which it would take supervisory action, and describe the supervisory action and the subsequent response should the institution fail to act. BARS’ internal operating procedures should be detailed and prescriptive, identifying the officials authorized to initiate enforcement action, the process to be followed to initiate an enforcement action starting at the field inspector level, through the review process to document and finalize the enforcement action, and establishing processing timeframes. In its annual report, BARS should publish the remedial actions taken even if the name of the institution is withheld. Having a transparent, well-defined process with benchmarks and reporting will enhance supervisory accountability. Increased transparency would also aid in defending court cases.

62. The remedial action program would help bring together, in a coherent fashion, the graduated application of remedial measures. Some of these elements are addressed in various documents or regulation, but a compilation of the requirements and policies in a well-defined enforcement program would facilitate the initiation of enforcement action.
The published guidelines should establish that banks can expect an action when:
- Capital falls below a certain level. The action can vary depending on the trigger points and management response. The contingency plan under review introduces enforcement action options at varying capital levels.
- Recurring inaccurate filings of regulatory reports or delinquencies should result in daily fines until the situation is corrected. Currently there are fines but these could be increased based on recurrence and significance of inaccuracy.
- Bank operating policies and processes are inadequate and may lead to a deteriorating financial condition. For example, specifically defining inadequate policies and procedures concerning corporate governance and risk management as unsafe and unsound practices and, based on supervisory judgment, imposing sanctions and fines.
- Violations of law are identified. Depending on their gravity, some violations, such as related party dealings, should have automatic fines on the bank and the individual.
- Bank soundness falls below acceptable levels established by BARS (based on CAMELS rating). In addition to enhanced supervision, banks should have recovery and resolution plans with strict timeframes to avoid extended periods in categories 4 and 5. Banks in the latter stages of deterioration have adverse impacts on the banking system even if not systemic.
- Financial penalties in significant amounts should be applied by BARS not only to management but also to supervisory board members and controlling owners. This will require amendments to the law. Strict guidelines for ending temporary administration that may include requirements for clearing problem assets, injecting capital before ending administration and avoiding approvals based on future commitments by acquirers/investors.

63. A detailed remedial action program will also enhance accountability, as those involved will need to document why action was not taken in the presence of the situations described above.
BARS’ internal audit or internal control system should review the Remedial Action Program and its implementation.

Consolidated and cross-border banking supervision (CP 12-13)

64. Consolidated supervision as a concept and practice has not been implemented by BARS. There are no prudential requirements, quantitative or qualitative, for consolidated supervision. Furthermore, the BARS does not have supervisory powers to intervene in groups. There is also a need to have strong cooperation and information exchange with Austria, Italy and Russia (beyond formal arrangements), since these countries are the (grand)parents of D-SIBs in both the FBiH and the RS. Recently, both FBA and BARS received a confirmation from the Austrian supervisor (FMA) that there were no more hindrances to formalizing and signing the MOU. At the same time, expectations for the practical value of the MOU should be realistic.

Corporate governance (CP14)

65. BARS has issued the Decisions on Diligence of the Bank’s Management Body (corporate governance) and on the Assessment of Suitability of Members of Banks’ Management Bodies (fit and proper). The regulations are comprehensive. However, additional guidance for developing a risk appetite statement and relating it to the business plan would enhance compliance, particularly given the governance issues in many banks.

Prudential requirements, regulatory framework, accounting, and disclosure (CPs 15–29)

66. While significant improvement has been achieved in the regulatory risk management requirements, work remains to be done on market, country, and interest rate in the banking book risks. Issuing a decision on holistic risk management requirements and risk aggregation, and relating it to the risk appetite and business plan, would enhance the effectiveness of risk management in banks. The guidance could be developed in conjunction with Pillar 2 and Internal Capital Adequacy Assessment Process (ICAAP) implementation.

67.
BARS has adopted a strategy for implementing Basel II/III. Currently, credit risk weighted assets are calculated in compliance with most Basel I requirements, while weighted operational risk is being calculated according to the basic indicator approach, which is to a significant extent in compliance with Basel II. In 2014, amendments and addenda were executed to the Decision on Capital, with the objective of strengthening the structure of capital, introducing protective layers for capital conservation, restraining the rate of financial leverage, and achieving the highest possible level of convergence with the requirements of Basel III (and adoption of deadlines for harmonization with new requirements). Adoption of this Decision is a transitional solution until full implementation of Basel II/III, in compliance with the strategy.

68. The IAS 39 and prudential provisioning and loan classification standards are followed by banks. Although banks are required to follow International Financial Reporting Standards (IFRS), BARS also requires compliance with prudential standards that require a certain level of provisioning based on loan classification categories, defined on prudential concerns (primarily based on time in delinquency status). The prudential requirements serve as a floor to provisioning levels.

69. Onsite inspections frequently identify provisioning deficiencies, raising concerns about the adequacy of provisioning. Supervisory requirements for collateral valuation, impairment definition and loss assumptions are needed to foster a conservative approach by banks in establishing benchmarks for objective evidence of impairment as well as addressing provisioning levels. Additional training for supervision staff will be required to enforce provisioning and review banks’ assumptions under an IAS environment.

70. Onsite inspections frequently identify related party and concentration violations at banks.
These violations reflect deficiencies in corporate governance and risk management and are early indicators of future insolvency if not immediately addressed. The powers of BARS to effect significant fines on supervisory board members through an administrative process are limited. The misdemeanor channel is cumbersome and court decisions are unpredictable.

71. The outcome of the AQR raises questions on the quality of the financial audits of banks that fit a broader context. Currently, several domestic banks implement IFRS 2009 since this is the last version translated into the local language. In addition, some external auditors of domestically owned banks base their opinion on the Law on accounting and auditing instead of IFRS. This makes it difficult to compare financial statements across the banking sector and brings uncertainty to the quality of the external audits. Furthermore, the quality assurance of the financial audit is barely developing. Also, the appointment of external auditors takes place on a yearly basis with a maximum of five years. Neither of the agencies has the power to rescind an external auditor, though they do have the power to consent to the appointment of the external auditor and to refuse the report of an external auditor. The risk exists that a yearly change of auditor has an adverse effect on the continuity of the auditor and the quality of the audit. Appointing an external auditor for a minimum of three years, together with the power to rescind, will give a different incentive to an external auditor and could have a positive effect on the continuity of the auditor and the quality of the audit.

72. BARS needs to put more effort into identifying the inherent ML/TF risks. Recently, a new law and regulation on AML/TF have been adopted, and the supervisory processes are aligned with this law and regulation. However, there are some findings.
First, more attention could be paid to understanding the inherent ML/TF risk profile of banks and accordingly making the supervisory intensity risk based. Second, the follow-up of findings could be strengthened. Third, there seems not to be a good feedback loop between the BARS and the FID. Fourth, it seems that branches outside the FBiH, but with headquarters inside the FBiH, are not being inspected on-site for ML/TF activities.

Table 3. Republika Srpska: Summary of the Key Findings

| Core Principle | Comments |
|---|---|
| 1. Responsibilities, objectives and powers | Some deficiencies in supervisory powers. |
| 2. Independence, accountability, resourcing and legal protection for supervisors | Although there seem to be clear checks and balances for independence, the context in which BARS operates could become difficult because of substantive interdependence between government and the domestic banking sector. Legal protection is inadequate. Courts could too easily suspend decisions of BARS. |
| 3. Cooperation and collaboration | Domestic: Cooperation between FBA, BARS and CBBH is not optimal. Foreign: cooperation with Austria, Italy and Russia is not optimal. |
| 4. Permissible activities | LOB does not have a clear distinction between bank branches, representative offices and operational units. |
| 5. Licensing criteria | BARS does not have explicit powers to set prudential conditions on newly licensed banks. License assessment is mostly formal, instead of focusing on substance. |
| 6. Transfer of significant ownership | Deficiencies in identification of ultimate beneficiary owner. BARS does not have explicit powers to set prudential conditions on transfer of significant ownership. Strengthened requirements of transfer of significant ownership not yet implemented. |
| 7. Major acquisitions | Assessment of major acquisitions is mostly formal instead of focusing on substance. |
| 8. Supervisory approach | A blend of onsite and offsite activities provides BARS with an assessment of the bank’s risk profile. |
| 9. Supervisory techniques and tools | A number of supervisory tools, including risk rating the banks’ risk profile and detailed performance reports, help supervisors to determine bank soundness. |
| 10. Supervisory reporting | Prudential reports not comprehensive yet. Supervisory board does not attest the prudential return. |
| 11. Corrective and sanctioning powers of supervisors | The ability to fine supervisory board members is limited by the current low fines that can be imposed under administrative powers. |
| 12. Consolidated supervision | Consolidated supervision has not been implemented. |
| 13. Home-host relationships | BARS has not established an optimal cooperation and information exchange with home country D-SIBs. |
| 14. Corporate governance | Governance regulation was issued in 2013. However, additional guidance on business planning and risk appetite statements is warranted. |
| 15. Risk management process | A risk management decision from a bank-wide perspective has not been issued. Decisions have also not been issued for IRRBB, country and market risks, but have been drafted. |
| 16. Capital adequacy | Current plans are to implement certain requirements from Basel II/III and specific benchmark dates are detailed in regulation. |
| 17. Credit risk | The credit risk decision was updated in 2011 and provides requirements of the supervisory board to set standards. |
| 18. Problem assets, provisions, and reserves | A dual standard is in place as banks must comply with IAS and also with prudential (regulatory) provisioning standards. The prudential standard sets a floor and may result in banks having to increase provisions. |
| 19. Concentration risk and large exposure limits | Concentration violations recur in some banks. |
| 20. Transactions with related parties | Related party lending violations are frequently addressed in examination reports. The violation warrants strong supervisory response, including fines. |
| 21. Country and transfer risks | Provisioning guidelines are not in place. |
| 22. Market risk | Regulation has been drafted and will be implemented as part of the capital regulation. |
| 23. Interest rate risk in the banking book | Regulations have been drafted on interest rate risk in the banking book. |
| 24. Liquidity risk | Comprehensively through balance sheet ratios. |
| 25. Operational risk | Guidelines issued on outsourcing and general operational risk. |
| 26. Internal control and audit | Recommendations from 2006 are implemented. |
| 27. Financial reporting and external audit | IFRS 2014 is not fully implemented. BARS does not have power to rescind external auditors. AQRs question the quality of external audits. |
| 28. Disclosure and transparency | Disclosure of group structures is weak. |
| 29. Abuse of financial services | BARS has limited knowledge on inherent ML/TF risk profile of banks. Cooperation between BARS and FID could be enhanced. Cross entity branches seem not to be supervised on-site for ML/TF risks. |

DETAILED RECOMMENDED ACTIONS

Table 4. Federation of Bosnia and Herzegovina and Republika Srpska: Detailed Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks

Reference Principle, followed by Recommended Action:

Principle 1
- Strengthen supervisory powers (see details in CP 1 of appendix 1 and 2).
- Adopt new LOB (see details in CP 1 of appendix 1 and 2).

Principle 2
- Adopt staggered appointment of members of the MB, director and deputy director.
- Develop more granular qualification criteria.
- Strengthen legal protection for BARS.
- Adopt appeal provision that prevents courts from suspending supervisory decisions.

Principle 3
- Enhance information sharing between CBBH, BARS and FBA.
- Align coordination between CB, BARS and FBA.

Principle 4
- Provide a clear definition for bank branches, representative offices and other operational units and the activities they can conduct.

Principle 5-7
- Include supervisory powers in primary law that can impose prudential conditions for license and transfer of ownership.
- Make the assessment of license and other approvals more substantive (assessing criteria instead of checking documents).
- Identify those banks that have an opaque ownership structure and make the ownership structure transparent, including identifying the ultimate beneficiary owners and their holdings.

Principle 10
- Develop prudential returns on consolidated basis, pillar 2, country risk exposures, market risk and restructured loans.

Principle (11)
- Develop a remedial action program focusing on new tools and earlier step-up enforcement and heavier fines to expedite corrective action.
- Increase supervisory administrative authority to impose fines on supervisory board members and increase the amount of the fines.
- Improve ability of supervisors to enforce corporate governance and risk management decisions by increased recognition of supervisory judgment in law.
- Prompt recovery and resolution actions to avoid non-viable banks from operating for extended periods.

Principle 12
- Adopt consolidated supervision including definitions, prudential requirements and adopt extra supervisory powers.

Principle 13
- Address cross border cooperation and coordination in times of crisis in current and new MOUs.

Principle (14)
- Issue additional guidance on issues to address in strategic plans and risk appetite statements by banks.

Principle (15)
- Issue a risk management decision based on a bank-wide approach, and consider risks created by poor strategic planning and reputation risks. Implement the draft regulation on risk management.

Principle (18)
- Issue prudential guidance to improve provisioning under IAS.
Principle (19/20)
- Enhance enforcement and increase penalties to encourage banks to improve internal controls and compliance.

Principle (21-23)
- Implement draft decisions to address country, market and interest rate in the banking book risks.

Principle 27
- Implement IFRS 2014 and let audit opinion refer directly to IFRS.
- Change law so that BARS does not appoint the auditor for one year but for a minimum of three years; BARS has the power to rescind the appointment of an auditor.
- Improve interaction with external auditor.
- Evaluate the quality of external audit and the system of quality assurance (follow-up for banking agencies and Ministries of Finance).

Principle 28
- Enhance disclosure information on group structures, including ultimate beneficiary owner.

Principle 29
- Determine the inherent ML/TF risk.
- Enhance cooperation with FID.
- Coordinate AML/TF on-site supervision of cross border branches.

Appendix I. Federation of Bosnia and Herzegovina: Principle-by-Principle Implementation Review

A. Supervisory Powers, Responsibilities, and Functions

Principle 1: Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.13 A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.14

Description and Findings: The legal framework for banking supervision from a narrow perspective consists of three laws:
- Law on the Central Bank
- Law on the Banking Agency
- Law on Banks

The Law on the Central Bank stipulates that its objective is to achieve and maintain the stability of the domestic currency (article 2).
It does not have an explicit objective to achieve and maintain financial stability in BiH. One of the basic tasks of the CBBH is to coordinate the activities of the agencies responsible for bank licensing and supervision in both the FBiH and RS in ways to be determined by the governing board of the CBBH, including monthly meetings and submission of monthly reports (article 2). The cooperation and coordination of the CBBH and the two supervisory agencies is discussed in detail in CP 3.

The Law on the Banking Agency (adopted in 1996) stipulates that the FBA is established with the purpose to improve safety, quality and legal performance in a market-oriented and stable banking in the FBiH (Official Gazette of the FB&H, No 9/96, 27/98, 20/00, 45/00, 59/02, 13/03, 19/03, 47/06, 59/06, 48/08, 34/12 and 77/12). The main tasks of the FBA are: issuing and revoking licenses, supervising and undertaking appropriate measures. There have been three amendments of the LOBA since the last BCP review in 2006. The first was in 2008, when the supervision of micro credit organisations and leasing companies was added to the tasks of the FBA. The second and the third were in 2012, when the articles on confidentiality of information were harmonized with the EU directive (article 19), and the Ombudsman was established as an independent organizational unit within the FBA with the aim of promoting and protecting the rights and interests of the consumers (article 4a-h). There are currently no plans to revise the LOBA in the near future unless this would be necessary as a result of adopting the new Law on Banks.

The Law on Banks was adopted in 1995 (Official Gazette of the FB&H, No. 2/95, 9/96 and 25/97). Following the adoption of the new Law on Banks in 1998 (Official Gazette of the FB&H, No.
39/98, 32/00, 48/01, 27/02, 41/02, 58/02, 13/03, 19/03, 28/03 and 66/13), the previous one was superseded (VII – Transitional and Final Provisions, Article 68, last paragraph): “On the date of this Law entering into force, the Law on Banks ceases to be effective (‘Official Gazette of the FB&H’, No. 2/95, 9/96 and 25/97); as well as the application of other laws and regulations that have regulated these matters and were applied on the territory of the Federation up to when this Law entered into force.”

13 In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.

14 The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.

Both the LOB and the secondary regulations issued by the FBA stipulate minimum prudential standards. It broadly covers licensing and authorizations, capital and ownership, management of banks, operational requirements, accounting, auditing and inspection, bankruptcy and liquidation, liabilities, penalties, and violations. There have been several substantive amendments since the last BCP review in 2006. First, in 2011, the LOB was amended to include consumer protection (article 98). Second, in 2013 the LOB was amended with regard to strengthening the requirement on significant ownership (article 2, 23, 24), AML (article 47), the term mandate of a provisional administrator (article 53.2) and creditor’s priorities (article 63). The details on both primary and secondary law are described in the following CPs. In 2014, working groups both in the FBiH and in RS (including Ministry of Finance and banking agencies) are preparing a new LOB.
FBA has many supervisory powers (see details in other CPs), but lacks some key supervisory powers in the legislation:
- for consolidated supervision (see CP 12).
- to impose prudential conditions on licenses and other approvals (see CP 5-7).
- to obtain periodic reporting and on-site inspections information on: 1) names and holdings of significant shareholders; 2) the names and holdings of persons who exert controlling influence; and 3) the identity of beneficiary owners of shares held by nominees, custodians or other vehicles persons who exert controlling influence (see CP 6).
- to sanction and fine supervisory board members and significant owners and take away their ownership rights if necessary (see CP 11).
- to rescind the external auditor (see CP 27).
- to launch resolution of a bank (see CP 8).

FBA has several prudential requirements stipulated in secondary regulation, instead of primary law, such as prudential requirements for capital, related lending, large exposures, major acquisitions and transfer of significant ownership.

Comments: The system of banking supervision in BiH has a reasonable set-up with reasonably clear responsibilities for the banking agencies (FBA and RS) and the CBBH. However, responsibility for financial stability is not aligned across the three institutions. BARS has an explicit mandate to safeguard financial stability whereas CBBH and FBA do not have an explicit mandate for financial stability (see further CP 3). Next, both FBA and RS are in the process of adopting a new LOB. This new law should address some deficiencies in the supervisory powers that should be used to take enforcement action in harmful situations of non-compliance (identifying the ultimate beneficiary owners, their holdings and insider lending). This will also impact the Law on the Banking Agency, which should give the FBA the supervisory powers that are currently missing (see list above).
Furthermore, more of the prudential requirements could be stipulated in the primary law instead of the secondary regulation. This will increase the legal certainty and the enforcement power.

Recommendation (see specification in other CPs):
- Strengthen the supervisory powers.
- Adopt new LOBA.
- Adopt new LOB.

Principle 2: Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.

Description and Findings: The independence of FBA is described in article 5 of the LOBA: “The FBA is fully autonomous and independent”. In terms of governance, the managing board (MB) is the managing body of FBA and consists of five members, appointed for a period of five years (article 8). It is the responsibility of the MB to supervise the FBA’s operations. Further, it passes the statute of the FBA, passes general acts and adopts the financial plan and the financial reports of the FBA (article 9). There is an extra provision on changing the Statute. It is determined that the Statute is adopted by the MB, with the parliament’s approval. The Statute particularly establishes the organization, operational procedures, authorizations and rights and obligations of individuals (article 20). This means in practice that the procedure to change a Statute could take a long time.

The director performs the following duties: issuing and revoking licenses, undertaking prescribed measures towards banks, micro credit organizations and leasing companies, appointing staff of the FBA and advocating the FBA in court proceedings (article 11).
Both the director and the deputy director participate in the MB but have no voting right (article 10). In addition, the FBA established an advisory body that consists of the director, the deputy director, the assistant director on-site supervision, the assistant director legal and the advisor, all standing members. When necessary, the heads of micro finance and leasing companies are also invited as temporary members. It is also stipulated that members of the board, the director and the deputy director, staff and representatives must not receive money or other gifts, if that could influence their objectivity in performing their duties for the FBA (article 18).

The five members of the managing board are appointed by the Parliament of the FBiH for a period of five years on the basis of a reconciled proposal of the government of the FBiH (article 8). The procedure is as follows. First, a selection committee of five members is appointed by the government. They offer the position in a public announcement. Then the selection committee selects candidates for interviews. Based on this, the selection committee ranks the candidates and submits the list to the government. The LOBA has prescribed the following qualification criteria: ‘members of the board are citizens of the Federation with a high reputation in financial expertise and high moral qualities’ (article 14). In addition, the selection committee has qualification criteria which are not known to the assessors. In practice, the assessors are told that ethnicity is also very important. Based on this list the government sends a proposal to the parliament. Currently, the MB is about to be renewed (last appointment was six years ago in 2008). A list of 15 candidates (out of 20 applications) has been submitted to the government and is waiting for the government to transform it into a proposal to be adopted by Parliament.
The director and the deputy director are also appointed by the parliament, for a term of five years, at the reconciled proposal of the government of the FBiH. The same procedure applies. Although both the director and the deputy director were appointed six years ago in 2008, the procedure for appointing the new director and deputy director has not yet started. The assessors are told that the appointments are waiting for the new parliament to be installed because of the elections of October 2014. The members of the MB, the director and the deputy director shall continue to carry out their functions until such time as the Parliament makes new appointments (article 12).

Members of the MB, the director and the deputy director may be released from their job by parliament before the end of their mandate if they are convicted for a felony that makes them undignified for their job, if he/she is not able to perform his/her duty because of his/her state of health, or if an authorized state organ has determined that he/she was involved in a serious infraction that greatly affects the interests and authority of the FBA (article 15). In practice, there have not been cases in the last five years where parliament released members of the MB, a director or a deputy director.

The director and the deputy director are responsible for their work to the Parliament (article 9). Annually, the FBA is obliged to submit a report on its business operations to the Parliament through government within three months from the end of the reporting year. This report consists of the analysis of the condition in the financial sector (banking, MCO and leasing companies), a description of the activities of the Agency during the reporting year, and a breakdown of the accounts for that year. The report must be approved by the MB (article 27).
In 2012 the LOBA was amended with support of IMF to abolish the right to release the director and the deputy director from their duties if they reject adoption of the annual report.

The legal protection of the banking agency is described in article 5 of the LOBA. It says that members of the MB, the director, the deputy director, the employees, provisional and liquidation administrators, as well as other individuals recommended or appointed by the FBA to perform certain activities within the mission of the FBA, cannot be prosecuted for criminal actions, nor held responsible in civil law procedure, during and after cessation of the work or engagement in the FBA, for any action conducted in good faith during the implementation of tasks within their authority. In addition, the FBA will reimburse to its employees the costs for legal processes initiated against the employees for actions conducted in good faith while implementing their duties within their authorities. In practice, there have not been cases where employees of the agency are individually prosecuted.

The agency has twenty-six pending court proceedings. Out of these twenty-six lawsuits, five concern micro credit organizations, one involves a leasing company, and the other twenty are coming from banks. Part of the proceedings concerns supervisory decisions of FBA related to the micro credit organizations. There are examples where the court suspended the decision of the FBA against micro credit organizations. The FBA sees the risk that decisions against banks, board members of banks or owners of shares of banks could also be appealed and that the court suspends critical decisions of the FBA (see further CP 11).

The FBA is directly financed by the financial sector through a fixed and variable fees structure. The fixed fee constitutes a lump sum per bank (KM 20.000) together with a percentage of total assets (0.015 percent).
The variable fees constitute a fee per approval such as license, appointment, transfer of ownership. The fees are based on article 22 of the LOBA, which stipulates that the management board of the FBA passes regulation regarding the level of issuance of licenses. The decision on determining service fees for the banking agency prescribes the level of the fees. There are no other resources coming from the government or elsewhere.

The salaries and other income of the employees of the FBA are regulated by the LOBA and by secondary regulation, such as the rulebook on salaries and other income of the FBA. FBA’s employees are not subject to provisions of the Law on Civil Services. The level of salary seems to be satisfactory. The staff turnover is not high. Nevertheless, the budget of the agency seems to be under pressure and there are not many variables the FBA could use. In the last couple of years the agency got more responsibilities, such as supervision of foreign exchange operations, micro finance organizations and leasing companies, but, according to the FBA, could not compensate for this by asking for higher service fees. Requiring higher service fees for banks would eventually put pressure on the interest rate. Further, the FBA does not want to receive government budget. The FBA is therefore more focused on keeping the costs low and is careful in investments. However, there is a need for training staff in areas such as IFRS, Basel, corporate governance, risk management, enforcement, and ICT.

Comments

Under the legal framework the FBA possesses operational independence. First, the independence is explicitly described by the Law on the Banking Agency. Second, the appointment procedure of the members of the MB, the director and the deputy director is, given the context, reasonably transparent (with a selection committee, open tender, proposal of government, adoption through Parliament).
The procedure could be strengthened by eliminating, as much as possible, the political influence on the appointments which could result from an almost simultaneous appointment of MB, director and deputy director, but also by making the qualification criteria of the selection committee transparent. Third, the governance structure of the agency is fairly balanced and effective, with clear responsibilities for the MB (adopting regulation, adopting financial plan) and the director (issuance and revocation of licenses, undertaking measures against banks). Efficacy could be enhanced, though, if changing the statute of the FBA did not need approval of parliament but could be handled differently. Fourth, the budget is also clearly structured and supports independence of FBA, although it is under pressure because of an increase in responsibilities (supervision of foreign exchange operations, MCO and leasing).

The accountability is reasonably organized. The director and the deputy director are responsible for their work to the MB, and to the parliament. Also, the MB is responsible for its work to the parliament. The FBA is obliged annually to submit a report on its business operations to the parliament through government within three months from the end of the reporting year.

However, the provisions on appeal by financial institutions should be strengthened. Currently, it is possible that after an appeal the court suspends the decision of the FBA. This could be very damaging for the banking sector, which is sensitive to early and timely intervention.

Although the legal framework supports operational independence, the context in which the FBA operates is rather difficult. The political economy seems to play an important role in the FBiH. Different sources state that some politicians and their relatives have personal interests in the banking sector.
At the same time, banks and the FBA have difficulties identifying ultimate beneficiary owners of the banks and their holdings, mostly because of the existence of custody accounts (see further CP 6 Transfer of significant ownership), which leads to opaque ownership structures. This means that it is not clear what the relationship is between the politicians and the banking sector. Furthermore, there are examples where the parliament puts pressure on the operational independence.

Recommendations
- Adopt a staggered appointment of the members of the managing board, the director and the deputy director.
- Develop more granular qualification criteria and make them transparent by adopting them in the LOBA.
- Adopt a provision that prevents the court from suspending a decision on corrective action from the FBA.
- Implement risk based supervision to save resources and build capacity.
- Invest in the quality of staff, in particular in corporate governance, risk management, enforcement, IFRS, Basel and ICT.

Principle 3
Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.[15]

Description and Findings

Different laws, regulations and arrangements together form a framework for cooperation and collaboration with domestic and foreign supervisors.

Domestic

There are different bodies on different levels that the FBA cooperates with or joins:
- State level: Fiscal Council of BiH (FCBiH), CBBH, Deposit Insurance of BiH (DIA), Association of Banks (ABBiH), Financial Intelligence Unit as part of the SIPA (FIUBiH). There is no resolution authority yet.
- Federation: Minister of Finance (FMOF), Insurance Agency (FIA), Securities Exchange Commission (FSEC).
- RS: Minister of Finance (RSMOF), Insurance Agency (RSIA), Securities Exchange Commission (RSSEC).

The following laws (both on state and entity level) govern these bodies:
- Law on Central Bank: the CBBH coordinates the agencies responsible for licensing and supervision, including monthly meetings and monthly reporting (see article 2.3e of the Law on Central Banking). It does not have a mandate for financial stability.
- Law on Banking Agency: arranges the cooperation (both national and international) and exchange of information. Articles 19b and 19c determine with which bodies FBA may exchange information, under the condition that an agreement is signed that protects confidential information, including international cooperation (article 6). The assessors have observed that the protection of confidential information is included in every agreement they reviewed, and there have been so far no incidents with regard to finding confidential information in the public space.
- Only in RS: the ‘Law on RS Financial sector supervision coordination committee’ (May 14, 2009) regulates the cooperation and coordination of RS Securities Exchange Commission, RS Insurance Agency and BARS by establishment of the RS Financial Sector Coordination Committee (hereafter: the Committee). Members of the Committee are RS Minister of Finance, RS President of Securities Exchange Commission, Director BARS and Director IARS. According to article 2, the Committee facilitates cooperation and coordination to preserve financial stability. The Commission meets at least quarterly and shall be in charge of adoption of the unified strategy and guidelines for the development of the financial sector, and of identifying potential problems and noticing crisis situations in order to avoid negative consequences (article 6).

[15] Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).
The Committee reports to RS National Assembly on the condition of the overall financial sector on a yearly basis. In case of any disturbances in the financial market, the Committee informs the RS Government and the RS National Assembly. There are no arrangements on informing the SCFS.

The following arrangements govern the cooperation and information exchange between FBA, BARS, CBBH, DIA, and FCBiH:
- FBA – BARS (June 2003): ‘Agreement on Cooperation in the Area of Supervision over Bank Operations’.
- FBA – BARS (2006, March 3): ‘Cooperation Agreement’. This arrangement encompasses direct and indirect supervision of all banks in BiH in order to apply prudential standards. This cooperation is illustrated by a number of joint efforts to establish and enhance a stable and efficient banking system, the realization of joint on-site examinations, the development of changes to the legal framework of banking supervision and the exchange of information. A joint working group of the two banking agencies prepared the BCP self-assessments of FBA and RSBA.
- FBA – BARS – CBBH (2008, June 12): ‘Memorandum and principles of Cooperation of bank supervision and Cooperation and Exchange of Data and Information’*. This memorandum has the objective of conducting activities pertaining to strengthening financial stability (article 2). Further, based on this memorandum FBA may exchange information on individual banks and supervisory issues (such as licensing or issues of financial stability), such as the information on individual banks and the banking sector, and supervisory issues (article 7). This includes serious weaknesses in a bank’s operations as observed, which may have detrimental effects and/or undermine the future survival of the bank and impact on the financial sector, and data on capital and shareholders (article 9).
- FBA – BARS – CBBH (2013, March): ‘Internal guidelines for preparation of stress test and use of prudential instruments’.
- FBA – BARS – CBBH (2013, June 30): ‘Memorandum on Establishment of Methodology for Determination of List of SIB in BiH’.
- FBA – BARS – DIA (2003, October 7): ‘Letter of Agreement’. This agreement defines that information in continuation is to be provided to the DIA upon request. It is also stipulated that FBA and BARS share their rating system, which DIA can use for its own purposes, including eligibility assessment. According to the Law on DI, a prerequisite to membership in DIA for any bank is a minimum rating of 3 on a composite basis, with no individual rating component of 5. In practice, on-site inspection reports are being shared on the basis of an unofficial agreement. However, DIA is of the opinion that they don’t have sufficient information, for instance because DIA doesn’t receive CAMEL ratings on a continuous basis. Therefore, the DIA has set up their own rating methodology.
- FBA – BARS – DIA – FCBiH (2009, December 22): ‘Memorandum of Understanding and Establishment of the Standing Committee for Financial Stability’. It is stated that ‘It is the principle forum for assessing threats to financial stability, and where appropriate, coordinating or agreeing action between the parties’ (article 3).
- FBA, BARS, DIA, CBBH, FCBiH (2014): ‘Contingency plan’. This plan is work in progress. Its main objective is to safeguard and strengthen stability of the banking system by defining measures and procedures that the bank shall take independently or in cooperation with other members of the SCFS.
The following arrangements govern the cooperation and information exchange between FBA and FIA, SIPA, FSEC, and ABBiH:
- FBA – FIA (2004, July 19): ‘Memorandum of Understanding’.
- FBA – BARS – CBBH – ABBiH (2007, April 12): ‘Memorandum of Cooperation’.
- FBA – SIPA (2007, October 1): ‘Memorandum of Understanding’.
- FBA – FSEC (2014, October 7): ‘Cooperation and information exchange agreement’.

The assessors have observed that in practice there is, to a certain extent, regular cooperation and information exchange. For instance, the assessors observed that the FBA and BARS don’t share their actual CAMEL rating with CBBH and only partly with DIA.

Foreign cooperation

The FBiH has 17 banks, of which 10 are owned by foreign banks (9 foreign banking groups and 1 non-banking group). These 9 foreign banking groups are domiciled in the following countries: Slovenia, Turkey, Austria, Italy and Russia. FBA (and also BARS) have formal (signed) arrangements with the Bank of Slovenia and the Banking Regulation and Supervisory Agency of Turkey. There are no formal arrangements with Austria and Italy because the Law on Banks was not aligned with the EU Directives with regard to protection of confidential information. In September 2012 the National Assembly of the Federation amended the LOB to align it with the EU. The expectation is that the LOB is now in line with the EU Directive. This has been informally confirmed both by EBA and the FMA. Therefore, it is expected that the MOU with Austria shall be formalized soon. Afterward FBA will contact the Italian counterparts to formalize their cooperation and information exchange. There is no relation with the supervisor of Russia because, according to the FBA, Russia does not have a policy of information exchange with foreign supervisors.
The following arrangements exist:
- Slovenia: Memorandum of Understanding; Bank of Slovenia, FBiH Banking Agency, RS Banking Agency, Central Bank of BiH; November, 2001.
- Turkey: Memorandum of Understanding; Agency for Regulation and Supervision of Turkey, FBiH Banking Agency, RS Banking Agency, Central Bank of BiH; June, 2009.

Further, the FBiH partly set up arrangements with the following countries:
- Serbia: Memorandum of Understanding and Cooperation in the Area of Supervision over Banks; National Bank of Serbia, FBiH Banking Agency, RS Banking Agency, Central Bank of BiH; July, 2004.
- Croatia: Memorandum of Cooperation; Croatian National Bank, FBiH Banking Agency, RS Banking Agency, Central Bank of BiH; November, 2003.
- Montenegro: Memorandum of Understanding and Cooperation in the Area of Supervision over Banks; Central Bank of Montenegro, FBiH Banking Agency, RS Banking Agency, Central Bank of BiH; March, 2007.
- SEE: Memorandum of Understanding for the Principle of High Level Cooperation and Coordination between Supervisors of South-East Europe; Bank of Albania, Bank of Greece, National Bank of Bulgaria, Central Bank of Cyprus, Central Bank of Montenegro, National Bank of Republic of Macedonia, National Bank of Romania, National Bank of Serbia, FBiH Banking Agency, Republika Srpska Banking Agency, Central Bank of BiH; February, 2008.

Protection of confidential information

The protection of confidential information is arranged in article 19 of the LOBA, according to which the FBA will not disclose confidential information except to those stipulated in the LOBA. This list includes both domestic and foreign supervisory authorities, courts, auditors, ministries of finance and supervisory colleges.
The condition for exchange of information is a signed agreement on the cooperation and the mutual exchange of information in which there is a specific provision stipulating the obligation of maintaining confidentiality, and the information is only to be used for supervisory purposes or administrative and court proceedings. However, in the RS an incident happened after the prosecutor asked for minutes of inspection. These were given by BARS after a formal order. But before the minutes reached the prosecutor’s office they were given to a natural person who showed these minutes on television. It could be very damaging for a supervisory agency if banks cannot trust that confidential information will not be found in public space. Though this incident happened in the RS, this could also happen in the FBiH, since there is no MoU between FBA and the prosecutors’ office in the FBiH.

Comments

Domestic cooperation

Cooperation and coordination in FBiH is very complex due to the administrative setup of the country. Different laws and arrangements govern this cooperation and information exchange. In general, FBA shares information with BARS, CBBH and DIA to a certain extent, guided by the mentioned laws and arrangements. However, the cooperation and information exchange could be strengthened. For instance, with regard to the CAMEL rating, crucial information for understanding the risk profile of a bank, it is noticed that FBA only shares the CAMEL ratings with DIA when they issue a report of a comprehensive inspection (together with other prudential information the DIA receives from both the banks and the FBA). This means that the DIA does not have an actual understanding of the risk profile of a bank. Despite the fact that in the MOU of October 7, 2003 it is stated that the aim is to have a joint rating system for all banks in BiH together with FBA and BARS (article 3.2.2), DIA developed its own rating system, because it doesn’t receive actual ratings from FBA (nor does it from BARS).
FBA doesn’t share the CAMEL rating with BARS (though both FBA and BARS have several similar foreign banks). This seems to be crucial information in understanding the risk profile of the different banks and in developing a common understanding of risks across BiH. In article 7 (MOU June 12, 2008) it is even stated that the exchange of information includes the situation in individual banks, the situation in the banking sector, and supervisory issues. This includes serious weaknesses in a bank’s operations as observed, which may have detrimental effects and/or undermine the future survival of the bank and impact on the financial sector, and data on capital and shareholders (article 9). FBA also doesn’t share CAMEL ratings with the CBBH, although CBBH receives financial indicators on a quarterly basis. BARS doesn’t have a provision on when to share granular information (such as CAMEL ratings) with SCFS. Although it is not explicitly agreed that CAMEL ratings should be shared between the different parties, it is stated that the party who becomes aware of the emergence of a potentially serious financial disturbance will inform the SCFS coordinator as soon as possible (MOU article 4.1). And “all members of SCFS shall be kept fully informed of assessing systemic nature of financial crisis” (MOU article 4.3). This could be better defined.

FIU does not give feedback on the suspicious transactions reported by either banks or FBA. FBA therefore doesn’t know what the nature of the AML risks is in the FBiH (see further CP 29 AML/TF).

There is not yet a clear coordination mechanism (in times of crisis). This could be illustrated by the fact that it is not clear who is responsible for financial stability and takes ownership in case of a crisis. There is no institution responsible for financial stability. And there seem to be several committees that have overlapping mandates.
Financial stability as a topic is only mentioned in the MOUs between FBA, BARS and CBBH, the MOU of the SCFS, and the Law on RS Financial sector supervision coordination committee. There is also no free flow of information between the key players: CBBH, FBA, BARS and DIA (see above). Encouraging is the attempt by the authorities to set up a contingency plan for BiH on a state level. See also precondition on macro prudential policy. See further preconditions paragraph 21 and 22.

Foreign cooperation

FBA is close to formalizing the cooperation through a MOU with Austria and Italy. These countries are both important because the parent company of several domestically systemic important banks is seated in these countries. Nevertheless, it is important to determine whether these arrangements will ascertain that FBA receives sufficient information on the parent companies of several D-SIBs. There are no possibilities for arrangements with Russia. It is not clear to what extent the risk of not having a MOU with the supervisor of Russia is acceptable or should be mitigated.

Recommendation
- Simplify the arrangements between the different bodies in order to enhance effectiveness of cooperation, especially during crisis situations.
- Conduct a crisis simulation exercise in order to test the cooperation in times of crisis with events both on a state level and entity level.
- FBA should share CAMEL rating with FBA, CBBH and DIA, should determine when to share it with SCFS, and should set up a joint rating system together with BARS and DIA.
- FBA should address the lack of information feedback from the FIU.
- Formalize MOUs with the supervisors of Austria and Italy.
- Determine whether the risk of having a parent company of a D-SIB without having adequate arrangements with the home supervisor is acceptable or should be mitigated.
Principle 4
Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled.

Description and Findings

The LOB does not define the term “bank”. However, article 1 of the LOB describes that the LOB ‘… regulates the establishment, business operation, governance, supervision and termination of legal persons who engage in the business of receiving money deposits and extending credits, as well as other business operations in accordance with this Law’.

In addition, there are no clear definitions on bank subsidiaries, branches, representative offices or other operational units (inside and outside the FBiH). According to the FBA, this is because in reality different banks use different operational forms and have their own rule book. There are different articles that give some kind of direction, but these are not comprehensive. For instance, a bank with headquarters outside the FBiH is permitted to receive money deposits and extend credit through a branch (article 5 of the LOB). Or, banks have the opportunity to ask approval for starting a representative office, but they are not allowed to do banking activities (LOB article 4). And also, bank branches and subsidiaries cannot be established without a written authorization of the FBA (article 36). This includes branches of foreign banks (article 15). Currently, there are no branches, representative offices or other operational units of foreign banks operating in the FBiH.
But there are branches, representative offices and other operational units in BiH from banks that have their head office in the FBiH or in the Republika Srpska.

Articles 2 and 3 stipulate that the use of the word “bank” and any derivations such as “banking” in a name is limited to institutions that are licensed and supervised by FBA. In addition, the LOB states that “no one shall engage in the business of receiving money deposits.” A bank obtains the status of a legal entity upon entry into the court registry (article 13 of the LOB). This is published on the website of FBA and CBBH, as is required by article 16 of the LOB.

Article 39 of the LOB prescribes the list of activities a bank may conduct, among which are receiving money deposits or other repayable funds, making and purchasing of loans, participating, buying and selling for its own account or for account of customers, issuing and managing payment instruments, purchase and sale of securities, and other activities. In 2013, article 39 of the LOB was amended to give banks permission to also do factoring, forfeiting and insurance mediation services. The license of a bank shall specify the banking activities that a bank is authorized to engage in (article 14 of the LOB).

Comments

The LOB does not have clear distinctions between bank subsidiaries, branches, representative offices and other operational offices and the activities they can engage in. There are different articles that give some kind of direction, but these are not comprehensive.

Recommendation
- Improve the definition of bank branches, representative offices and other operational units within RS and outside the RS (including FBiH Brcko District and outside BiH). Harmonize these definitions in the LOB with the BiH and the EU Directives. Don’t let the rule book of individual banks determine the definition, as currently seems to be the case.
- Clearly define the kind of activities the different operational units (such as a branch) can engage in and their (prudential) requirements (see CP 5 on licensing). This is important for accession to the EU, which uses a single passport. That means that having an approval of a bank license in one EU country will make it relatively easy to open a branch in another EU country.

Principle 5
Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of board members and senior management)[16] of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained.

Description and Findings

License authority

FBA is the licensing authority in practice. However, it is not explicitly stated that the FBA has the power to set criteria, approve or reject license of banks and different operational units, and impose prudential conditions or limitations on newly licensed banks. In article 4 of the LOBA it is stated that ‘it is a task of the FBA to issue licenses’. This implicitly assumes that the FBA is the licensing authority, and it works accordingly in practice.

License criteria

For issuing a bank license, the LOB requires the application to be accompanied by the following documents: founding contract, qualification and experience of board members, amount of capital, business plan and list of owners (article 7). A detailed description of what the different documents should contain is elaborated upon in the ‘Instruction for licensing and other approvals’, recently strengthened (February 2014).
It covers not only the issuing of a bank license but also the authorization of a subsidiary, branch, representative office and other operational units in the FBiH, RS, the Brcko District or outside BiH.

Further, it is stated in article 9 of the LOB that a license shall be granted if the amount of KM 15 million has been paid, the FBA is confident that the bank will comply with law and regulations, and the projections for the future financial condition of the bank are documented. In addition, a license concerning the founding of a subsidiary of a bank whose headquarters are outside the FBiH shall only be granted if that bank has a banking license issued by the institution that is in charge of issuing licenses and that adequately supervises this bank without hindering the supervision of FBA (article 10-12 of the LOB).

Next, also in article 9 of the LOB it is stated that the qualifications and the experience of the board members shall be appropriate (fit-and-proper). The ‘Instruction for licensing and other approvals’ (article 107 – 125) stipulates in detail the documents to be submitted to the FBA. However, it does not elaborate on criteria of suitability such as good reputation, adequate theoretical and practical experience, no conflict of interest, and independence. These are described in the ‘Decision on suitability assessment bank’s bodies’ (article 9-11) and the ‘Decision on diligent behavior of members of bank’s bodies’ (article 3-14).

Lastly, article 9 of the LOB also stipulates that the holders of significant ownership are of sufficient financial capability and suitable business background. The instruction for licensing and other approvals prescribes in detail the documents to be submitted to the FBA (article 87-93) for both natural and legal persons.

[16] This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.

License assessment

The assessment of the license application is in practice mostly conducted by the License Department. The last assessment of a bank application took place in 2007. The assessment was mostly compliance based and described the prescribed content of the submitted documents. The single economist of the license department did, to a certain extent, assess the financial projection, although without being guided by clear licensing criteria (see previous paragraph on License criteria) and without clear back-up. And it was only in February 2014 that the licensing requirements were strengthened (see above).

The assessment of the suitability of the board members is also conducted by the License Department. For this purpose the License Department verifies all the information they receive from the bank, such as checking criminal records (including tax violations and fraud), calling references, seeking contact with other regulatory bodies (under which FID), using open source search engines and reviewing credit history at the credit registry.
The essential preconditions necessary to do an adequate review of the fit-and-proper documents are not optimal, as the FBA is mostly dependent on the due diligence of the banks and the quality of the information the bank sends. It is banks themselves that are obliged to assess (on a continuous basis) the fitness-and-propriety of board members. This means that the burden of proof is upon the respective banks. It is very difficult and time consuming to get information from different authorities (e.g., from the different cantons, entities, neighboring countries, or region). There is no connection to Interpol to track possible international criminal activities, nor is there a database on a regional level where all the supervisory antecedents of board members are recorded, such as suspensions, fines and orders.

Lastly, the License Department assesses the suitability of the significant shareholders. This means that the License Department mostly verifies the documents they receive based on the LOB and the Instruction for License and other approvals (though it also assesses information it receives from the banking supervisors). A sample showed that there was barely an assessment of the suitability of the ownership structure, including transparency of the group structure, identification of the ultimate beneficiary owner, the origins of his capital, his capacity to put additional capital in the bank, and assessment of his plans. Nor was there an assessment whether the group structure won’t hinder effective implementation of corrective measures in the future. The relevant legislation and regulation has been strengthened.

Comments

License authority

The LOBA does not explicitly give FBA the power to set criteria, issue or reject license applications, or the power to impose prudential conditions or limitations on a newly licensed bank.
License criteria

The licensing criteria for newly established banks are not comprehensive and focus mostly on documents submitted rather than on criteria of safety and soundness that cover suitability of the ownership structure, (group) governance (including fit-and-proper of board members and senior management), strategic and operational plans, internal control, risk management and projected financial conditions (including capital base). The same is applicable for suitability of board members and significant shareholders. It is advised to separate the license criteria from the documentation. Furthermore, the provision that the parent bank in a foreign country should be adequate and should not hinder supervision by FBA could be strengthened by requiring a formal MOU between the home supervisor and FBA.

License assessment

The assessment of a license application, suitability of board members and significant shareholders could be enhanced by making it more substantial by assessing criteria of prudency.

Recommendation

- Initiate an amendment on the LOBA in order to give FBA explicitly the power to set criteria, issue or reject a license application, and impose prudential conditions or limitations on a newly licensed bank.
- Expand the license criteria in the LOB and connect these criteria to detailed procedures in the Instruction for licensing and other approvals where it is prescribed how to assess these criteria, including listing the minimum level and quality of documents banks are required to submit.
- Expand the fit-and-proper criteria of board members in the LOB and align these with the Instruction for licensing and other approvals, the Decision on the suitability assessment of board members and the Decision on diligent behavior of board members.
- Expand the suitability criteria of significant shareholders and address transparency of the ownership structure, the fit-and-proper test of significant shareholders and their capacity to provide additional capital.
- Enhance the assessment of the bank license and suitability of shareholders and make it more qualitative, rather than formal.
- Include on and off site supervisors in the substantive assessment of a license.

Precondition

- Set up a regional database to record supervisory antecedents and criminal activities of board members.

Principle 6 Transfer of significant ownership. The supervisor17 has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties.

Description and Findings

Article 2a of LOB defines significant ownership as an interest of at least 10 percent of the aggregate voting right of another legal entity or bank. Importantly, the term “controlling interest” is not defined. However, article 21 (amended in August 2013) stipulates that ‘no physical or legal person, direct or indirect (through indirect owner), alone or acting in concert with one or more other persons, may acquire significant voting right in a bank, or increase the amount of his ownership of the bank’s voting shares or capital in such a way that the thresholds of 10 percent, 33 percent, 50 percent, and 66.7 percent are reached or exceeded without obtaining approval from the agency’. In addition, article 21 also stipulates that a person must submit to the FBA a request for transfer of significant ownership together with information specified in the Instruction for licensing and other approvals. This implies that FBA has the power to review a proposal of significant ownership.
17 While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.

In the Instruction for licensing and other approvals (article 87–93) it is specified (since February 2014) which documents shall be submitted by legal persons and by natural persons. Legal persons shall submit their registration certificate, their shareholders, audited financial statements, planned ownership in the bank and the strategic orientation of it, evidence of ownership in other legal entities, outstanding debt, possible violations, and other documents. Private persons shall submit their curriculum vitae, evidence of current employment, tax liabilities, planned ownership in the bank and the strategic orientation, evidence of ownership in other legal persons, outstanding debt, and certificate of non-conviction. FBA may reject the application to acquire or increase significant ownership on the following grounds: poor financial condition of the applicant, lack of competence, experience or trustworthiness of the applicants that may jeopardize the interest of the bank and its depositors, unfair competition (or dominance on financial markets), unreliable or uncheckable information and no proof of origin of money. These grounds are specified in article 23 of the LOB (updated in August 2013) and article 89 of the Instruction for licensing and other approvals. This implies that FBA has the power to reject an application. Although FBA in general has the power to impose prudential requirements (article 67.3 of the LOB), FBA does not have the power to impose prudential conditions on transfer of significant ownership such as ring-fencing. That means that the supervisor could take measures to minimize the risk of shareholders misusing their influence.
FBA has the power to modify, reverse or address otherwise a change in control that has taken place without the necessary notification or approval from FBA (article 67.7 of the LOB). FBA has detailed information on all major shareholders holding over 10 percent of shares. This information is based on a quarterly report wherein banks report the 15 largest shareholders. In addition, the FBA has insight into the Central Registry of FBH, which contains information on the 10 largest shareholders. Though FBA receives information on the ownership structure on a regular basis, and also devotes considerable effort to it during on-site inspections, this has proven to be insufficient to identify the ultimate beneficiary owners and their holdings. Currently, several domestic banks in the Federation have opaque ownership structures and as a result the FBA cannot readily identify related party lending and group exposures. An important problem is the custody accounts that prevent banks from identifying the ultimate beneficiary owner. Recently, in August 2013, an amendment introduced to article 24 of the LOB obliged persons who have a significant ownership interest in the bank to notify the FBA. This has proven not to be effective yet.

Comments

The FBA has implicitly the authority to review and reject a proposal of transfer of significant ownership, but does not have the explicit power to impose prudential conditions on natural or legal persons that hold either direct or indirect significant ownership. Although the LOB and the Instruction for licensing and other approvals have been strengthened recently to improve the identification of the ultimate beneficiary owner (including its holdings and origins of capital) and assess its suitability for the bank, this has not yet been implemented (in terms of changing prudential reports on significant ownership or on-site inspections to assess compliance with the new requirements).
As a result, the FBA currently does not have a clear picture of the ownership structure of several domestically owned banks (including ultimate beneficiary owner and its holdings). This deeply affects the identification of related party lending and group exposures, undermining the efficacy of a cornerstone of the prudential regime.

Recommendation

- Expand the definition of significant ownership (by aligning it with article 21) and define “controlling interest”.
- Change the thresholds of 10, 33, 50 and 66 percent to 10, 20, 30, 50 percent in order to align them with EU requirements.
- Strengthen the power to change the ownership structure and impose prudential conditions (ring-fencing).
- Adapt changes in requirements of significant ownership in prudential reporting requirements.
- Establish the supervisory powers to obtain periodic reporting and on-site inspections information on: 1) names and holdings of significant shareholders; 2) the names and holdings of persons who exert controlling influence; and 3) the identity of beneficiary owners of shares held by nominees, custodians or other vehicles persons who exert controlling influence.

Implement requirements on ownership structure risk based (through targeted inspection). That means: identify those banks that have opaque ownership structures, make the ownership structure transparent including identifying the ultimate beneficiary owners and their holdings, identify the related parties and group exposures, and mitigate the risks by intervening if necessary.

Principle 7 Major acquisitions.
The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision.

Description and Findings

FBA has in practice the power to approve or reject major acquisitions by a bank. Article 22 of LOB stipulates that FBA must approve all significant ownership shares of a bank in another legal entity. It is stated that banks are required to ask approval for acquiring ownership shares (direct or indirect) in a legal entity that exceed 5 percent of the bank’s core capital or where the sum of all participations exceeds 20 percent of the bank’s core capital. It does not have a similar requirement for major investments other than an equity investment. Also, FBA has the power to determine additional restrictions for investments (article 22 LOB). Further, it is determined that a bank cannot (directly or indirectly) have a participation in a legal entity that exceeds 15 percent of the bank’s core capital, and the sum of the participations cannot exceed 50 percent of the bank’s core capital. In addition, it is determined that a participation in a non-financial legal entity cannot exceed 10 percent of the bank’s core capital, the sum of the participation in a non-financial legal entity cannot exceed 25 percent, and the participation in a non-financial legal entity cannot exceed 49 percent of the ownership of a non-financial legal entity. Lastly, loans granted to these legal entities shall be considered as participations and are bound to the mentioned participation rules.
In the Instruction for licensing and other approvals (article 94-97) it is determined that the following documents should be submitted: court registration of legal entity, financial indicators for the legal entity, decision of the bank how the investment shall be reflected in the bank’s net capital position. Besides these document requirements there are no criteria for assessments of individual proposals determined by law or regulation. The assessment prior to approval focuses mostly on the documents to be received and the impact on the capital position. The assessors did not observe explicit assessments that determine whether the new acquisition (or investment) exposes banks to unnecessary risks (besides its impact on the capital position). Further, there are no criteria or assessment for cross border acquisitions (or investments) such as adequate flow of information necessary for consolidated supervision, efficacy of supervision in host country, and the ability to exercise supervision on a consolidated basis (see also CP 12 and 13). See also CP 16 Capital for the way these participations are deducted for regulatory capital purposes. It is stipulated that banks do not have to deduct participations of less than 5 percent. There is also no limit on the sum of these participations in terms of deduction. Next, it is determined in article 26 of the LOB that status changes in a bank, mergers, acquisitions or divisions of a bank shall require prior authorization of the FBA. In addition, to obtain authorization the bank must submit to the FBA an economic justification and a plan of operations. In article 98 of the Instruction for licensing and other approvals it is determined which documents shall be submitted.
FBA may refuse an authorization based on article 27 of the LOB (and article 101 of the Instruction for licensing and other approvals) on the following grounds: the resulting bank would fail the minimum capital requirements, the competence and experience of the board members of the resulting bank are not sufficient, or the submitted information was unreliable.

Comments

FBA has in practice the authority to review or reject a proposal, but this is not explicitly mentioned in the LOBA or LOB. Further, FBA has according to the LOB the power to determine restrictions on investment, but this is not explicitly mentioned in the LOBA. In addition, neither the LOB nor the Instruction for licensing and other approvals stipulates explicitly the criteria that should be used to assess the proposal for an acquisition or an investment. However, the LOB does limit participations in legal entities (including non-financial legal entities) and requires banks to ask for approval, though it is not defined when banks have to notify the FBA of relatively small participations. Both the LOB and the Instruction for licensing and other approvals require banks to submit a set of documents. The assessment prior to approval focuses mostly on the documents to be received and the impact on the capital position. There seems to be no explicit assessment of whether the new acquisition or investment exposes the bank to unnecessary risk (besides assessing its impact on the capital position) or impedes efficient supervision, nor of whether the bank has sufficient resources to manage the acquisition or investment.

Recommendation

- Establish approval criteria for major assessment (similar to major acquisitions).
- Establish definitions of types and amounts of acquisitions and investments that need prior approval or notification.
- Establish explicitly the power to approve and reject and to impose prudential conditions on major acquisitions or investments by a bank against prescribed criteria in both LOB and the LOBA.
- Prescribe in the LOB criteria for major acquisitions, such as the criteria that an acquisition may not expose the bank to unnecessary risks or impede efficient supervision.
- Prescribe in the LOB criteria for cross border acquisitions and investments such as adequate flow of information necessary for consolidated supervision, efficacy of supervision in host country, and the ability to exercise supervision on a consolidated basis.
- Make a provision that defines that a bank is required to notify the FBA of acquisitions and investments when it is not necessary to ask for approval.

Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable.

Description and Findings

Bank supervision is performed through a mix of onsite inspections and offsite analysis using regulatory reports and other documentation that banks submit to the FBA, plus analysis of other accessible reports, data, information, and documents. Integration of the onsite and offsite activities through joint supervisory action facilitates ongoing bank supervision. Article 5 of the decision on banking supervision requires that offsite supervision be conducted on an ongoing basis and that, based on the monitoring of all relevant data, a periodic (quarterly) analysis be conducted of the performance of each bank and of the overall banking system. The methodology for analyzing performance and assessing the nature, impact, and scope of risks is elaborated in the Manual for Offsite Supervisors.
The analysis is summarized by risk categories based on the CAMELS system; for each bank, an assessment is made of each component (Capital, Assets, Management, Earnings, Liquidity, and Sensitivity to market risk). The risk level and trend are reviewed, and in the end the bank is assigned a composite rating. Key risks are determined for each bank, and the results are used to plan the intensity and scope of future oversight and corrective measures to be taken.

In 2013, the CBBH, in cooperation with the banking agencies, adopted the Methodology for Determining Systemically Important Banks (SIB) in BiH. Under the supervisory approach, banks that are determined to be systemically important are subject to special oversight, including heightened monitoring of the key risks at those banks and of their overall performance. Factors to determine importance are weighted: size (30 percent), interconnectedness (25 percent), complexity as denoted by securities activities (15 percent) and level of total loans, deposits, loans to trade sector, and loans to individuals at 7.5 percent each.

Annually, banks are required to provide the FBA with strategic business plans, an annual budget, and a capital plan. These are used to analyze the business focus, strategic direction, and objectives, and in the case of banks that are subsidiaries of foreign banking groups, the future financial and capital support of the parent is analyzed. The FBA performs ongoing monitoring of bank exposures, various types of risk, and risk management following internal methodology (manuals) for onsite and offsite bank. The following provide the foundation for the supervisory process based on the bank’s risk profile: the Decision on Bank Supervision and Procedures of the FBA, the Manual for Offsite Supervisors, the Manual for Onsite Supervisors, and the Criteria for the Internal Rating of Banks (CAMELS) by the FBA.
The manuals specify in detail the oversight processes as well as their goals and responsibilities, principles for work and activities, and oversight procedures and systems. The scope of the supervisory activity is determined by:
- the level of risk;
- the need to assess the risk management system and the adequacy of bank systems for measuring and monitoring risks;
- the need to take preventive measures to address identified weaknesses in the risk management process;
- promoting the planning and management of supervisory resources and adapting them to the situation at each individual bank.

The Manual for Offsite Supervisors sets forth procedures for analyzing bank performance. The manual’s methodology is based on the Criteria for the Internal Rating of Banks by the FBA. Banks are analyzed on the basis of quantitative data, namely ratio indicators, and through comparative analysis of the parameters of individual banks relative to a group of similar banks and the overall banking system. The offsite analysis process also involves analyzing and considering qualitative factors. The bank evaluation system is based on the CAMELS components, and the composite rating is assigned in keeping with that system. A rating of 1 to 5 is assigned for each CAMELS component and for the bank’s composite rating, the risk level and trend are determined, and then the key risks for the individual bank are identified, which defines the bank’s risk profile. The results of the analysis are used to determine the scope for offsite supervision of each bank and the priorities for the next onsite examinations.
The main objective of the onsite examination manual is to ensure that a standardized approach and uniform procedures are followed during an examination cycle, which comprises:
- planning and preparation of the full/targeted examination;
- performance of the full/targeted examination onsite;
- the corresponding post-examination process, namely monitoring the bank until the next full/targeted examination.

The onsite examination manual elaborates the procedures for planning examinations and supervision (comprising objectives, planning and preparation of the full/targeted examination, organizing preparation of the examination and assigning tasks to the team of inspectors, the examination plan, and a review of financial data from previous examination periods, updated with the data from the current examination), and it also sets forth the examination process, which covers capital, asset quality, bank governance and management, profitability, asset management, fund sources and liquidity maintenance, and foreign exchange risk, as well as the audit and operational risk.

The Offsite Supervision Department is involved in preparing information and figures for FSIs (financial soundness indicators) and stress tests performed by the Financial Stability Division at the CBBH. The FBA receives the FSI analysis conducted at the BiH (state) level as well as information and results of the bank stress testing. This information and these findings about the impact of the macroeconomic environment on bank performance are taken into account when assessing the banking system risks. Bank results that raise supervisory concerns are subjected to separate analysis and discussed in meetings with those banks’ management. Such information is also part of the analysis of individual banks during offsite supervision. Banks are asked to take the stress test results into account in future planning or when revising their plans.
Based on projected developments in macroeconomic indicators (GDP, inflation, unemployment rate, country risk), as well as the provided CBBH analyses in which the vulnerability and risks of the financial system are assessed, and taking into account the banks’ business plans, the key risks of and expected trends in the performance of banks and of the overall banking system are identified (individually).

Comments

The FBA has developed an integrated supervisory process that includes onsite and offsite supervision, an early warning system, corrective action and follow-up, a process for rating the banks’ risk profile (CAMELS) and interaction with bank management and the Board. During the mission, assessors were able to review the supervisory planning cycle and the documents generated, including offsite analysis reports, inspection reports, procedures manuals and bank communications. In the period since the last FSAP, a separate IT supervision area has been introduced and participates in onsite inspections. This addresses a recommendation from the 2006 BCP review.

Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks.

Description and Findings

When drawing up annual supervisory plans, systemically important banks are included and onsite reviews are always required. In the case of other banks, depending on the evaluation of the bank’s key risks and overall financial condition, a decision is made about whether to conduct an examination, and about the type of examination (full, targeted according to risk, examination of compliance in applying regulations, examination of the execution of orders).
Onsite inspections are planned and conducted in accordance with the evaluation of the bank’s risk profile, and they can be full or of limited (targeted) scope, relating to a specific business segment. Currently the primary focus is on an evaluation of asset quality and credit risk management, given the still-dominant exposure of banks to credit risk, together with examinations of the execution of previously ordered corrective measures, as well as examinations of liquidity management and capital management, examinations of information system management, and examinations concerning compliance and observance of provisions of law and consumer protection regulations. The efficiency of the risk management system at the bank level, including the internal control system, is evaluated onsite at the bank, as are the accuracy and reliability of the information that the bank provides to the FBA and of all other areas of performance, resulting in a rating of business indicators based on CAMELS and the assigning of a composite rating to the bank. The methodology used to determine and assess the nature, scope, and significance of the risks to which a bank is exposed, taking into account the bank’s main business activity, risk profile and environment, and internal controls, is elaborated in the manuals for onsite and offsite supervisors.

The supervisory rating system is based on the “Criteria for the Internal Rating of Banks by the FBA” and makes it possible to classify banks by risk. The riskiest banks, with a rating of 4 or 5, are problem banks. These are banks in unsound and unsafe financial condition (rating 4) and banks in poor financial condition – critically poor performance (rating 5). Such banks are under ongoing, heightened oversight and are subject to formal measures with restrictions and additional supervisory requirements.
Banks with a rating of 3 have one or more individual business components or segments that exhibit weakness, and risk management practices are barely satisfactory. Such banks are a subject of supervisory concern, and the FBA’s attitude toward them is formal. Ratings 2 and 1 are assigned to banks that are completely sound and safe, with good risk management practices, where there is no cause for supervisory concern.

The FBA has broad authority under the banking law. The FBA is authorized to withdraw banking licenses (article 17), appoint interim administrators to oversee the bank’s performance (article 53), impose monetary fines (article 65), and issue orders, warnings, and decisions to banks, requiring them to take certain actions (article 67). The Decision on Bank Supervision and Procedures of the FBA further details the powers of the FBA, its director, and its staff. These powers give the FBA a broad range of options, from informal to formal activity, which can result in the revocation of banking licenses. The FBA ensures that corrective measures are taken in a timely manner (article 7 of the Decision on Bank Supervision and Procedures of the FBA). In practice, when risk conditions warrant, corrective action may be initiated during the onsite inspection. Under article 65 of the banking law, sanctions are imposed on banks, on the responsible manager, and on the person who committed the infraction. Decisions on corrective measures may be appealed, but such action does not stay execution of the decision. The banks also have the option of bringing an administrative suit under the Administrative Procedure Act. However, the very action of bringing a dispute does not stay execution of the corrective measures either. Decisions on corrective measures are communicated to the bank in writing, and the bank is also asked to report to the FBA in writing and within the established deadline on the implementation of corrective measures, providing proof thereof.
The choice of corrective measures is directly related to the severity and/or combination of identified irregularities, weaknesses, failures, or threat. The decision on what sort of corrective measures should be taken is discussed within the supervisory team and among the immediate superiors before the proposal is sent to the supervision board, and it is based on the supervisor’s experience and practice, taking into account the range of corrective measures and the bank’s current status. Bank supervision involves coordinated work and cooperation between the offsite and onsite departments. Each year, an annual Onsite Examination Plan and an Offsite Supervision Action Plan are drafted and adopted by the FBA management board as part of the FBA work program for the following year. The examination plan is based on the determined rating of banks’ financial and operational condition and performance, especially that of banks rated unsound and unsafe – problem banks that are subject to heightened oversight; for other banks, it is also based on the risk profile and the risk level and trend, and onsite inspections are planned (in terms of both type and scope) when it is concluded from an analysis of offsite reports that certain performance-related problem areas, weaknesses, or irregularities exist at the bank. The annual plan takes concrete form in quarterly operational plans. 
Coordination and information sharing between onsite and offsite supervision work is manifested in the following:
- the planning of inspections for the upcoming year, where offsite analysis is one of the basic elements for planning the type, scope, period, frequency, and defining risk that will be the subject of the examination in onsite supervision,
- regular quarterly reporting on offsite supervision in the form of quarterly analyses of bank performance with a rating, which are examined and, if there is a significant worsening or a negative trend, the decision is made to organize an onsite examination,
- exchanging information about the post-inspection process, which addresses post-inspection follow-up, and selection of the type of examination (the Offsite Supervision Department usually submits reports about the post-examination process and the degree to which ordered measures have been executed and notifies the Onsite Examination Department),
- the provision of offsite information and analyses to the supervisory team in the onsite inspection preparation phase, and its presentation at an internal meeting.

After the inspection, onsite presents the findings to the offsite supervisors at an internal meeting and provides reports and documents containing the corrective measures ordered for the bank, which impacts further planning and bank monitoring in the post-inspection process, in accordance with an adopted resolution on the way in which ordered measures are to be monitored by the responsible organizational units in the FBA. The process for planning and conducting onsite inspections is carried out on the basis of the Manual for Onsite Examinations (phases, reports, records, documents). In keeping with the quarterly operational plan, notice of the examination is given at least two weeks in advance (except in the case of ad hoc examinations).
At a special sectoral meeting held during that period, the Offsite Department makes a presentation of its findings from ongoing oversight, with recommendations for the onsite inspection process, the aim being to prepare the supervisory team for the upcoming examination and for the all-encompassing examination of the bank’s performance, regardless of whether it is a full or risk-based examination. The responsible supervisor draws up an examination plan and a list of duties for the members of the supervisory team. The examination order, which specifies the subject of the examination, the starting date, the supervisory team, and its obligations, is signed by the director of the Bank Performance Oversight Section and the FBA director. After the onsite examination is completed, an internal meeting is held within the Bank Performance Oversight Section so that the offsite supervisor and the onsite supervisory team can share information. The supervisory team makes a presentation of onsite findings and observations about the conduct of the examination, the cooperativeness of bank officials, and their ability to satisfy the supervisor’s requirements. After that, a report is prepared that is provided to the bank and is available for further offsite supervision. The following is discussed and approved by the supervision board: information about the examination conducted or the proposed composite rating, if a full examination was conducted in accordance with the published “Criteria for the Internal Rating of Banks by the FBA”; a proposal for corrective measures – decision on issuing a written order; the oversight strategy for banks under heightened oversight; and a resolution on how to monitor corrective measures, which serves as the basis for continued offsite and onsite supervision.

Comments

Assessors were provided with, and reviewed, examples of the various supervisory tools employed.
These included reports of inspection (full scope, targeted and consumer protection), bank performance reports (UBPR), offsite analysis, CAMELS rating calculations and corrective actions and a review of early warning system reports. Additionally, the authorities walked the assessors through the planning, execution and follow-up phases of the supervisory cycle.

Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns18 from banks on both a solo and a consolidated basis, and independently verifies these reports through either onsite examinations or use of external experts.

Description and Findings: The LOBA article 23 requires banks to submit to the CBBH and the FBA reports and other information according to their type, extent, and deadlines in accordance with regulations issued by the CBBH. However, the prudential reports are prescribed in the ‘Decision on the form of reports which banks submit to the banking agency’ and two amendments. According to these decisions banks are obliged to submit prudential reports on capital, assets classification, non-performing assets, credit risk concentrations, the 15 largest shareholders of the bank, transactions with related parties, liquidity, foreign currency risk, and effective interest rate. The form of the prudential reports and the time limits for their submission are prescribed. FBA does not require banks to submit prudential reports on a consolidated basis (see further CP 12 Consolidated supervision). There are also no requirements to submit prudential returns for country risk, market risk (except foreign exchange positions) and pillar 2 of Basel 2 (see further CP 16 Capital, CP 22 Market risk, CP 19 Country risk). FBA would like to develop a prudential report on restructured loans.
The report with the list of the supervisory board members is submitted in original (in paper form) and with the signature of the chairman of the supervisory board, which proves that the reports are accepted by the supervisory board (article 1.2a). The internal auditor certifies by his/her signature that the reports are complete and accurate (article 1.2b). There is no fine attached to not filing accurate prudential reports. To determine accuracy, several controls are conducted; the following procedures apply. First, after data entry a cross table control is built in programmatically to check formal accuracy and to ensure the consistency of data in the prudential reports. Second, the off-site supervisor performs a substantive control. When inaccuracies are found, the supervisor requests corrections from the bank. When there are significant mistakes in reports or repeated mistakes, the off-site supervisor could use corrective measures. This is rarely used. Third, on-site supervisors test the accuracy of the prudential reports on-site by conducting cross checks between, for instance, the credit file, the general ledger and the credit registry. They compare this information with the off-site prudential reports. Fourth, since 2009 three IT supervisors have joined the inspection teams to assess the general IT controls. This has boosted the quality of the prudential reports. This was also a follow-up of the 2006 BCP recommendations. Fifth, the external auditor annually reviews the long form and declares that the long form is in accordance with the Law on Banks, other applicable laws and regulations determining banks’ business operations (article 1 of the decision on the minimum scope, form and contents of the program and report on economic – financial audit of banks). This is not the same standard as an audit opinion of a financial statement.
18 In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.

The prudential reports (together with other special reports) are analyzed on a regular basis. This could be daily, weekly, monthly, quarterly, semi-annually or annually (see further CP 9). For an assessment of IAS 39 see further CP 18 (Non-performing assets).

Comments: FBA collects, reviews and analyzes prudential reports and conducts several controls to ascertain the accuracy of the information. Key controls are formal IT controls, substantive controls by off-site, on-site inspections (since 2009 together with IT inspectors) and assessments of the compliance with law and regulation by the external auditors. It is noted that the prudential returns are not comprehensive yet. FBA does not receive prudential reports on a consolidated basis (see CP 12 Consolidated supervision), nor does it receive reports on Pillar 2 capital (see CP 16 Capital), country risk exposure (see CP 21 Country risk) or market risk except foreign exchange positions (see CP 22 Market risk). Currently, FBA is in the process of developing these prudential forms as a part of the FBA’s strategy.

Recommendation:
- Develop prudential report on consolidated basis (see CP 12 Consolidated supervision)
- Develop several prudential reports aligned with the development of the regulation on Pillar 2 Basel II, country risk exposures, market risk and restructured loans.

Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions.
This includes the ability to revoke the banking license or to recommend its revocation.

Description and Findings: The basic supervisory tool for the early identification of financial and operational deficiencies and/or negative trends in business operations of individual banks is the EWS (Early Warning System). The identification of potential problems at an early stage enables the FBA to issue warning measures or require corrective action to prevent the escalation of problems. The early warning system supports a forward looking approach to the identification of developing negative trends. The early identification enables timely actions to correct deficiencies and maintain the bank’s stability and that of the system, as a whole. When, through the process of offsite supervision, certain weaknesses and problems in business operations of banks are identified, and even if it has not come to the level of a regulatory violation, a meeting with bank management is initiated. At these meetings, the causes of the identified problems and the weaknesses in the business operations of the bank are analyzed and the supervisor’s concerns are expressed about activities and processes which cause the identified weaknesses and problems. The bank is requested to undertake timely measures for eliminating and resolving these weaknesses. In addition to the above, a written warning is issued to the bank when certain weaknesses are identified, in accordance with article 67 of the banking law. Also, additional periodic reporting requests and the submission of additional documentation are implemented.
When an onsite examination discloses weaknesses and deficiencies that do not rise to the level of violations of law or unsafe and unsound practice but may lead to such if not addressed (e.g., weaknesses in the systems of internal controls, inadequate organization, weaknesses in credit risk management in some phases of the credit process, the lack of coordination among internal official papers and applied practices of banks, and others), the findings are communicated to bank management with detailed recommendations for correction. For deficiencies considered critical by the supervisor (e.g., significant weaknesses in the credit granting process), corrective measures are communicated in the form of a written order. Banks with a composite rating of 4 or 5 are problem banks under ongoing, heightened oversight, and are subject to formal measures with restrictions and additional supervisory requirements. A special supervision strategy is adopted for such banks, which means heightened oversight and the need to adopt a Program for Business Rehabilitation and Bank Recovery. The supervision strategy includes a commitment to review, at least quarterly, the degree of implementation of corrective measures required and the status of achieving the goals of the rehabilitation program (with the management board and, if necessary, members of the supervisory board). The bank recovery (rehabilitation) program includes a set of measures and activities that the bank’s management is required to undertake in order to get out of the domain of unsound and unsafe performance, with observance of the corrective measures mandated by the FBA and the established deadlines.
The plan must include, as a minimum, a Capital Management Plan, a Non-Performing Assets Management Plan, the formation or strengthening of the risk function, an improvement in credit risk management practices, from credit approval to evaluation to collection (early and late and the acceptance and sale of collateral), the enactment of new budgets, requirements for the reexamination and defining of responsibility and causes for the current situation, necessary changes in management and/or the supervisory board, defining an appropriate organization for the bank and improvements in the function of the internal control system, improving internal policies and procedures, internal audit functions with the dominant requirement of independence, and a number of other specific measures (information system, large staff, poor efficiency). The FBA is authorized to revoke a banking license (article 17 of the Banking Law), appoint a temporary administrator to supervise the operations of the bank (article 53), and impose monetary penalties (article 65). The corrective measures undertaken by the FBA in accordance with article 67 of the banking law are as follows: issuing written warnings; holding shareholders meetings; issuing written orders; imposing specific conditions to perform specific financial operations; imposing monetary penalties; suspending the members of the supervisory board, management or staff due to legal violations or insufficient qualifications; suspending voting rights or requiring the sale of shares; adding conditions to the bank’s license; with the agreement of the supervisory board, appointing an advisor with the duties and responsibilities prescribed by the FBA; appointing an external auditor paid by the bank aiming at conducting financial or operational audit; appointing a temporary administrator; and suspending the license. 
Corrective measures are issued in writing and submitted to the bank, and the bank must report in kind to the FBA, within established deadlines and in writing, on the implementation of corrective action, submitting evidence thereof. An appeal is permitted on the decision to require corrective measures, but the same does not delay carrying out the decision. The bank may also institute administrative disputes according to the Administrative Procedure Law, but instituting the dispute also does not postpone carrying out the corrective measures. In the event the bank does not carry out the corrective measures required by a written order or if the violations/deficiencies recur within 6 months, the FBA may issue a written order in accordance with Article 67 of the Banking Law whereby the controlling owners are prohibited from exercising their rights and are required to dispose of shares; in the event they commit the same violation for the third time within six months of the second recurrence, the FBA may suspend the bank’s license. In accordance with article 65 of the Banking Law, penal sanctions applied against the bank are also applied towards the responsible person who has committed the violation. However, such authority is not clearly stated towards members of the supervisory board. The FBA is authorized under article 67, paragraph 2, item 3b of the Banking Law to intervene at an early stage, in terms of imposing prudential requirements that differ from those normally required. The goal is to impose early requirements to avoid breaching regulatory limits.

Comments: The banking law provides a listing of the tools available to the FBA to require remedial/corrective action from banks to address deficiencies and violations.
Although the enforcement tools are listed in the banking law, and various benchmarks are evidently used to support enforcement, neither the law nor an attendant decision establishes a coherent enforcement action program; such program would provide transparency to banks, the courts and the consumer on the FBA processes. Neither the banking law nor FBA decisions provide adequate detailed standards to support the possibility of fines related to grievous safety and soundness concerns based on the expert judgment of the supervisor. Additionally, the banking law has not been amended to increase the powers of the agency to fine individual supervisory board members in significant amounts under its administrative powers. Corporate governance and risk management decisions emphasize the direct responsibility of the supervisory board and failure to uphold these decisions must subject the individual supervisory board members to personal liability. The current banking law is being re-drafted. The current process should be adjusted to increase the consequences of subsequent requests for correction, and increase the level of fines and direct action on supervisory board members. Amendments to the banking law will be required to enhance the ability of the FBA to make more effective use of enforcement action. The personal liability (including fines) of individual supervisory board members should be clearly delineated in a remedial action program. An appropriate remedial action program must have well defined enforcement tools that enable the regulator to apply a wide range of penalties or restrictions that can be adapted to the gravity of the situation. The program must be transparent: the FBA should publish the situations under which it is likely to take supervisory action, describe the supervisory action and the subsequent response should the institution fail to act. 
Internal operating procedures at the FBA should be detailed and prescriptive, describing the officials responsible for initiating the action, the process to be followed starting at the field inspector level, the review process, and establishing processing timeframes. In its annual report, the FBA should publish the remedial actions taken even if the name of the institution is withheld. Having a transparent, well-defined process with benchmarks and reporting will enhance supervisory accountability. The remedial action program would help bring together in a coherent fashion the graduated application of remedial measures. Some of these elements are in place but should be brought together in a well-defined program and expanded. The published guidelines should establish that banks can expect an action when:
- Capital falls below a certain level. The action can vary depending on the trigger points and management response. The contingency plan under review introduces enforcement action options at varying capital levels.
- Regulatory reports are filed inaccurately on a recurring basis or are delinquent. Such filings should result in daily fines until the situation is corrected. Currently there are fines but these could be increased based on recurrence and significance of inaccuracy.
- Bank operating policies and processes are inadequate and may lead to a deteriorating financial condition. For example, specifically defining inadequate policies and procedures concerning corporate governance and risk management as unsafe and unsound practices and, based on supervisory judgment, imposing sanctions and fines.
- Violations of law are identified. Depending on their gravity, some violations, such as related party dealings, should have automatic fines on the bank and the individual.
- Bank soundness falls below acceptable levels established by the FBA (based on CAMELS rating).
In addition to enhanced supervision, banks should have recovery and resolution plans with strict timeframes to avoid being placed for extended periods in categories 4 and 5. Banks in the latter stages of deterioration have adverse impacts on the banking system even if not systemic. Financial penalties in significant amounts should be applied by the FBA to not only management but also supervisory board members and controlling owners. This will require amendments to the law. Strict guidelines for ending temporary administration that may include requirements for clearing problem assets, injecting capital before ending administration and avoiding approvals based on future commitments by acquirers/investors. A detailed remedial action program will enhance accountability, as those involved will need to document why action was or was not taken in the presence of apparent unsafe and unsound situations. The FBA internal audit or internal control system should monitor the remedial action program and its implementation.

Examples of enforcement action reviewed during the mission included the following:
- in two small institutions that received poor CAMELS ratings, the FBA required replacement of management.
- supervisory board members were replaced in two cases dating back to 2005.
- other actions on “4” rated banks include, for Bank A: a rehabilitation and recovery plan was required, capital ratio of 14.5 percent and a plan for NPLs and risk management improvements. Bank’s condition is improving. Bank B was placed under interim administration and sold to investor group.

Fines are imposed on banks filing late reports.

Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises the banking group on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.19

19 Please refer to footnote 19 under Principle 1.
Description and Findings: Consolidated supervision as a concept and practice has not been implemented by FBA. There are no definitions and no prudential requirements, neither quantitative nor qualitative, for consolidated supervision. Neither is FBA empowered to review overseas activities, visit foreign offices and meet with host supervisors, and limit the activities of the consolidated group and the location of the activities if necessary. The FBiH has 17 banks of which 10 are owned by foreign banks (9 foreign banking groups and 1 non-banking group). FBA is host supervisor for these banks (including four D-SIBs). For the seven domestic banks it is not fully clear what kind of groups they are part of because group structures are not transparent. Further, banks in the FBiH are permitted to conduct different kinds of activities, such as leasing, micro finance or insurance, and to hold, to a certain extent, non-financial participations. Therefore it is important to define consolidated supervision, identify the ultimate beneficiary owner and apply consolidated supervision. FBA does to a certain extent review the main activities of the parent and uses for this purpose information received from the home supervisor (see CP 13 Home-host relations).

Comments: Consolidated supervision as a concept and practice has not been implemented in FBA. There are no prudential requirements, either quantitative or qualitative, for consolidated supervision. FBA plans to adopt consolidated supervision in the new LOB and also to adopt supervisory powers, including the power to require banks to submit information on a consolidated basis, the power to request and receive information from any entity in a group, the power to review the parent and associated companies, and the power to intervene in a group.
Recommendation:
- Define type of entities that will fall under consolidated supervision such as banking groups, financial conglomerates and financial holdings.
- Determine quantitative prudential requirements such as capital adequacy on consolidated basis, large exposure limits, related party limits and liquidity requirements.
- Determine qualitative prudential requirements such as prudential reporting (ad hoc and regularly), fit-and-properness of the owners, board members and senior managers, and risk management.
- Establish the powers to intervene in governance, risk management, capital, liquidity and the group structure of a group.

Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks.

Description and Findings: Currently, FBA is not home supervisor because there are no internationally active banks operating from the FBiH. The FBiH has 17 banks of which 10 are owned by foreign banks (9 foreign banking groups and 1 non-banking group). FBA is host supervisor for these banks (including four D-SIBs). These 9 foreign banking groups include the following countries: Slovenia, Turkey, Austria, Italy and Russia. FBA (and also BARS) have formal (signed) arrangements with the Bank of Slovenia and the Supervisor of Turkey. The following arrangements exist:
- Slovenia: Memorandum of Understanding; Bank of Slovenia, FBiH Banking Agency, RS Banking Agency, CBBH; November, 2001
- Turkey: Memorandum of Understanding; Agency for Regulation and Supervision of Turkey, FBiH Banking Agency, RS Banking Agency, CBBH; June, 2009.
Law on Banks

These arrangements provide for cooperation (such as joint on-site inspection, participation in supervisory colleges) and exchange of information (see also CP 3 on confidential information). These arrangements don’t address cross border cooperation and coordination in times of crisis. There are no formal arrangements with Austria and Italy because the Law on Banking Agency was not aligned with the EU Directives regarding the protection of confidential information until recently. This seems to be resolved (see CP 3 Cooperation). There are also no arrangements with Russia. See further CP 3.

Comments: FBA currently doesn’t have formal MOUs with Austria, Italy and Russia. It also does not have any arrangements to address cross border cooperation and coordination in times of crisis. Although MOUs with Austria and Italy are close to formalization, this doesn’t mean that FBA has optimal cooperation and information exchange in place; nor is it being involved in crisis situations, partly because BiH is of less importance for these home supervisors. FBA should therefore, on a continuous basis, assess whether this risk is acceptable or should be mitigated. Furthermore, because there are several foreign banks systemically important.

Recommendation:
- Renew MOUs with home supervisors of foreign banks in order to address cross border cooperation and coordination in times of crisis.
- Address Home / host issue beyond the MOU for the SCFS and prepare strategic action plans (assess and mitigate the net risk).

See further CP 3.

B. Prudential Regulations and Requirements

Principle 14 Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,20 and compensation.
These policies and processes are commensurate with the risk profile and systemic importance of the bank.

Description and Findings: The provisions of Chapter III (a) of the Law on Banks define the responsibilities of the supervisory board and the Management of the bank. Provisions of article 31j define the competences of the bank’s supervisory board, as follows: supervision of business operation of the bank and the work of the management, adoption of reports of management on business operation, internal and external audit reports, submission of annual report to the general meeting of shareholders on business operation of the bank, which includes internal and external audit reports, report on the work of the supervisory board and the audit board, as well as a plan of business operation for the following business year, appointment of management of the bank, appointment of external auditor, appointment of chairmen and members of the remuneration committee and the nomination committee, proposal for distribution and manner of use of profit and manner of loss coverage, approval of transactions with assets ranging from 15 percent to 33 percent of the accounting value of the entire assets of the bank, establishment and implementation of adequate internal control, internal and external audits, establishment of provisions for loan losses, convening the general meeting of shareholders, approval for issuance of new shares of the existing class in the amount up to one third of the sum of nominal value of the existing shares, approval of internal acts, business and other policies and procedures, establishment of temporary committees as needed and deciding on issues not specifically directed under the law or its articles of association to some other decision making body of the bank.

20 Please refer to footnote 27 under Principle 5.
In addition to the legal provisions, the following decisions were issued in 2013:
- Decision on Diligent Behavior of Members of Bank’s Bodies regulates, among other things, the rules of conduct of the members of bank’s bodies when exercising their powers, including conflict of interest prevention/management, establishment of specialized committees for professional assistance and support to the supervisory board of the bank, implementation of professional, ethical standards and principles of corporate social responsibility, etc.
- Decision on Suitability Assessment of Members of Bank’s Bodies (related to good reputation and professional experience) emphasizes the obligations of the bank to adopt and implement fit and proper requirements for the members of bank’s bodies, perform initial and continuous evaluation, ensure continuous fulfillment of fit and proper requirements by the members of bank’s bodies, etc.
- Decision on the Remuneration Policy and Practices for Bank Employees regulates, among other things, the structure of compensations that should be harmonized with the risk taking strategy, corporate values and long-term interest of the bank and should include all components of compensation (salaries, discrete retirement and similar benefits on individual and discrete basis) for the key categories of employees whose professional actions have significant effect on the risk profile of the bank.

In addition, the responsibilities of the supervisory board and management of the bank regarding specific risks are more precisely regulated in separate FBA decisions (for example capital management, credit risk management and asset classification, risk concentration management, liquidity risk management, exchange risk management).

The review of corporate governance is accomplished through offsite and onsite activities, including targeted inspections. Supervisory actions are taken if deficiencies are identified.
Procedures, actions and procedures for supervisory examinations of the work of the management bodies in banks are defined in the Instructions for onsite supervisors. In the banking system a higher frequency of corporate governance problems occurs in banks without a majority shareholder, e.g., where there is a widely held ownership by domestic shareholders with weak financial powers to strengthen the bank capital. In these banks there are also frequent violations of the capital-related regulations, failures to implement or significant delay in implementation of measures ordered by FBA, weak and improper practices for loan approval. The decisions on corporate governance became effective on January 1, 2014; therefore their implementation is still in the initial stage. The banks are in the process of adopting internal procedures to achieve implementation of the new requirements.

Comments: In July 2013, the FBA issued decisions addressing corporate governance, fit-and-proper and remuneration aspects of regulations. These decisions are comprehensive and address the major requirements of the BCPs. However, to enhance enforcement and compliance it is important to clarify in the banking law and regulation the personal liability of supervisory board members and to provide additional training to FBA staff on reviewing compliance with the governance decisions and how to develop enforcement recommendations involving the supervisory board members. The following recommendations address areas where banks would benefit by understanding FBA expectations.
- Guidance for a risk appetite statement may include: quantitative metrics such as value-at-risk, leverage ratio, range of tolerance for problem loan levels, and acceptable stress test losses.
- The strategic plan guidance may include a comprehensive assessment of current and expected risks, state the business objectives of the bank and express how achieving the objectives will affect the risk profile of the bank. The strategic plan and the risk appetite statement should balance and be supported by a robust risk management framework.

Principle 15 Risk management process. The supervisor determines that banks21 have comprehensive risk management processes (including effective board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate22 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.23

Description and Findings: Risk management is addressed for individual risk areas in the banking law and in a number of decisions. Details on individual risk areas are addressed in the relevant sections of this report. The provisions of the existing FBA decisions that encompass risk management (credit risk, liquidity risk, market risk, operational risk, information system management risk, outsourcing risk, prevention of money laundering and terrorism financing) define the obligation for the supervisory board to adopt an adequate risk program with policies for each risk segment of the operations, in line with the contents and objectives of its business policy and the economic environment where the bank performs its activities. Risk management procedures must be proportionate to the size and complexity of the bank and must be compliant with the adopted policies. The bank is required to periodically analyze, update (annually or semiannually) and adjust the adopted risk management programs, policies and procedures to the risk profile, market needs and changes in the macroeconomic environment.

21 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.

22 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents.

23 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.
Based on the provisions of the existing decisions that include risk management, the bank is required to develop policies in writing, as a basis for exposure to each risk individually, which should at least define the risk appetite, the general areas where the bank is willing to assume risk, clearly defined authority levels for risk exposure, adequate/reasonable and conservative concentration risk limits, at least in line with the law and the limits set by FBA (for individual clients/depositors, group of related clients, individual industry branch, individual geographic region, individual bank or group of banks according to its/their investment rating, individual foreign country or class of countries, individual type of securities, maturity and type of instruments). Risk management procedures must be comprehensive (detailed), commensurate with the size and complexity of the bank, and in compliance with the adopted policies; and as such they should be clear guidelines for all bank employees regarding the risk management activities.

Based on the above-mentioned regulations and adopted internal policies and processes, the supervisor oversees their compliance and implementation. Article 33 of the Law on Banks defines the responsibility of the bank management to implement the adopted business policy. The supervisor (through onsite inspections) evaluates whether the bank’s management implements the adopted strategic plan, policies and procedures and whether the supervisory board effectively oversees the work of management.
Depending on the risk profile and the importance of the bank in the banking sector, the FBA assesses whether the bank’s internal policies and procedures are:
- Sufficiently comprehensive so as to include all important risks and to be compliant with the strategic plan of the bank;
- Adjusted to the risk appetite and whether the bank capital supports the assumed operating risk;
- Including the risk that results from the macroeconomic environment and whether they are timely updated in line with the changes in the macroeconomic environment.

At the beginning of the year, banks submit their capital adequacy maintenance plan, which covers the coming three-year period and contains detailed trends of the capital in the first year. The FBA examines and analyzes the submitted capital adequacy maintenance plans, their plausibility and compliance with the business plan submitted by banks, as well as the existing risk exposure level (especially credit risk) and whether the capital adequacy maintenance plans can support their current and future risk profile.

Stress testing requirements have not been issued by FBA, but there is a liquidity stress requirement.

Comments

The FBA has adopted risk guidance for a number of risks, such as credit, market, liquidity and capital. However, the FBA has not issued detailed regulations or adopted supervisory procedures concerning interest rate risk in the banking book, market risk and country risk or to apply capital requirements to those risks. A decision addressing the establishment of risk management governance for the bank as a whole has been drafted but has not been issued as it needs to go through industry consultation. The duties and responsibilities of said function would reflect the size, complexity and risk profile of the bank.
In general the risk management function identifies, assesses and measures risk, monitors whether risk decisions are in line with the risk appetite statement, is involved in capital planning and reports to senior management or the supervisory board or a committee thereof. The function must be independent from risk-taking functions. The FBA has drafted a risk management decision that will address most of the issues listed above.

Principle 16

Capital adequacy.[24] The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.

[24] The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.

Description and Findings

Laws and regulations define the components of regulatory capital, qualifying elements of capital, and calculation of capital requirements. Article 20 in Chapter III (Capital and Ownership of a Bank) prescribes the minimum amount of shareholders' and net capital which the banks must keep (15 million KM), and the right of the FBA to review retained earnings to ensure compliance with paid-in capital requirements. Article 41 sets the minimum net capital at 12 percent of risk-weighted assets, whereby not less than 1/2 of its capital must consist of core capital. Main risk-weight differences between Basel I and current FBA weights are listed in Appendix III.

The Decision on Minimum Standards for Capital Management of Banks and Capital Hedge includes some elements of Basel III, maintains the minimum capital adequacy ratio at 12 percent and introduces additional capital requirements. Article 4 of the Decision requires banks to adopt a capital maintenance program to ensure that capital levels remain adequate and adjusted for changing conditions. Article 6 requires the bank’s board to develop procedures to manage the level and composition of the capital structure. It also requires management to develop capital projections for three years, identify internal sources of capital generation, evaluate possible external sources of capital, and identify factors that may cause a need to raise capital funds. Articles 8 through 11 establish items that may be included in core capital and those that must be deducted; supplementary capital items are also defined. Article 12 defines the leverage ratio, risk assets and off-balance sheet; conversion ratios for calculation of loan equivalent of off-balance liabilities are identified in articles 13 and 14; and the method of calculation of capital adequacy is provided in article 18.

The decision introduces some elements of Basel III, mostly through introduction of capital buffers, limiting the profit distribution if the bank does not have the required buffer, introduction of financial leverage ratio as an additional protective measure, and more stringent conditions for recognition of certain capital items.

Additional requirements introduced include:
(a) Capital conservation buffer at the rate of 2.5 percent of risk-weighted assets;
(b) Countercyclical capital buffer which, if necessary, may be prescribed under a special FBA decision; and
(c) Buffer for systemic risk that, if necessary, may be prescribed by FBA under a special decision.
The banks should meet the requirements for capital buffers with the balance as of December 31, 2016, at the latest, which will not be shown by the bank as a special category of core capital, but it will be taken into account as part of the calculation of regulatory capital. In addition, an additional simple capital buffer is introduced by prescribing a regulatory financial leverage ratio, as a ratio of the core capital and total assets. The decision requires the bank to maintain a leverage ratio of at least 6 percent, starting on December 31, 2015.

Taking into account the market and macroeconomic environment where banks operate, FBA, in order to preserve the capital of banks, decided in 2013 to introduce temporary limitations for payment of dividends and bonuses. The provisions of this temporary decision are also included in the new Decision, which came into force in 2014. Based on article 11 of the new Decision, the bank may not pay dividends in cash for common shares to its shareholders, bonuses from the bank's profit, nor purchase own shares, unless own funds are at least 14.5 percent and core capital of the bank in article 8 is at least 8.5 percent of risk-weighted assets.

The FBA rates capital adequacy based on a number of factors outlined under the CAMELS rating system. Factors reviewed are quality of capital, risk profile, risk management systems, trend in problem assets, compliance with laws and regulations, quality of earnings and access to capital markets. FBA has authority to impose additional capital requirements for banks, higher than the regulatory minimum, depending on the assessment of their risk profile and/or the effectiveness of their established risk management process.

Banks file quarterly reports that are reviewed offsite on the capital structure, total risk-weighted assets and capital ratios; the reports are reviewed to determine compliance with FBA requirements and implementation of internal capital adequacy programs.
Onsite supervision focuses on: whether the policies and procedures are adequate and whether they are implemented; the capital level and review of accuracy of the calculation of capital and compliance with the minimum capital requirements; the level, structure and quality of capital of the bank and assessment of capital strength and adequacy in relation to the existing risks and future plans; scope and adequacy of the audit function in relation to the capital of the bank, and compliance with the law, decisions and other regulations.

FBA gives recommendations or remedial measures in cases when there are deficiencies in the policies, practices, procedures or the internal control and internal audit system, or if violations of rules and regulations are identified.

Comments

A capital charge for market risk is not in place. The capital adequacy regime currently in place is a hybrid of Basel I and incorporates the definitions of core capital elements from Basel III. Implementation of other adjustments is as follows:
a) implementation of the capital conservation buffer as of December 31, 2016;
b) reducing the amount of loan loss reserves included in supplemental capital to 1.625 percent by December 31, 2015, and 1.25 percent by December 31, 2016;
c) allowable revaluation reserves to be amortized and extinguished by December 31, 2016;
d) implementation of requirement to depreciate subordinated debt in the last 5 years to maturity date (December 31, 2015);
e) amount of bank’s supplementary capital cannot be:
   - more than one-half of the core capital, beginning on December 31, 2015, whereby the core capital referred to in Article 8 is at least 8 percent of total risk of assets,
   - more than one third of the core capital, beginning as of December 31, 2016, whereby the core capital is at least 9 percent of total risk of assets;
f) ensuring and maintaining leverage ratio, of at least 6 percent, starting on December 31, 2015;
g) banks which, due to changes in the structure of the core and supplementary capital, become noncompliant with concentration limits will need to correct the violation by December 31, 2015;
h) calculation of capital requirements for market risk will apply when the secondary regulations (1/1/2017) that prescribe capital requirements and methodology for calculating capital requirements for market risk enter into force.

Overall, the capital standard retains differences from Basel I, such as fixed assets carrying a risk weight of 0.

Principle 17

Credit risk.[25] The supervisor determines that banks have adequate credit risk management processes that take into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk[26] (including counterparty credit risk)[27] on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.

[25] Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
[26] Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities.
[27] Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.

Description and Findings

The Decision on Minimum Standards for Credit Risk and Asset Classification Management in Banks sets standards and criteria for banks to follow in credit risk management activities. Supervisors determine compliance through onsite/offsite activities and if needed may require a re-classification of assets.
Information provided during the assessment showed examples of revaluations and citing of inadequate risk practices.

Pursuant to Articles 3 and 4 of the decision, the responsibilities of management and the supervisory board are defined to include the development and implementation of programs, policies and procedures for credit risk management (lending, portfolio management, and collateral management). The bank’s supervisory board is responsible for: completeness, continuity, and effectiveness of the credit risk management function in the bank, management and maintenance of prudent practices in determining acceptable risk levels, and ensuring implementation of adequate monitoring and audit.

The same decision defines the contents of the program, depending on the nature and complexity of the precise credit risk functions and the established portfolio:
- policies for identifying credit risk and managing that risk;
- procedures for evaluation of loan applications and/or proposals for other placements, i.e., investments and applications that expose the bank to contingent off-balance sheet liabilities;
- loan underwriting procedures, other placements, investments and contingent off-balance sheet liabilities, required documentation, monitoring and/or follow up supervision, as well as reporting and collection.

Depending on the level of complexity, the volume of its activities, its risk profile, risk appetite and capital strength to support such risk, the bank is required to develop written policies, as a basis for underwriting, other placements, investment and taking off-balance sheet contingent liabilities (hereinafter: loan policies), which should at least contain:
1. the approach and/or the philosophy of credit risk which defines (manages) the entire scope of risk that the bank is assuming;
2. the types of loans the bank will fund;
3. a decision-making authority for lending and creating reserves and managing write-offs; and
4. adequate (reasonable) and prudent portfolio concentration limits, in compliance with FBA regulations and at least for: individual clients, group of related clients, single industry branch, geographic regions, foreign countries and group of countries, types of securities, maturity and form of instruments.

Based on quarterly reports, credit risk is assessed. The offsite supervisor focuses on: asset quality and adequacy of loan loss provisioning, impaired assets, credit risk concentration, sector exposure, impact of the credit risk on other segments of operations, compliance with the legislation and decisions. The objective of offsite supervision is early detection of problems or potential risks, and taking corrective action.

The scope and frequency of onsite credit reviews is based on the risk profile of the individual bank, its risk appetite, systemic importance and capital strength. During the onsite supervision, the supervisor conducts an independent assessment of the relevant policies, practices and procedures that are related to the credit risk management, and determines the following: whether policies are adequate in relation to the risk profile, compliance with established policies and procedures and regulations, whether bank officers adhere to the established instructions and authorizations, adequacy of internal control systems and the internal audit function in the bank, overall asset quality, adequacy of loan loss provisioning and credit risk concentration, compliance with the legislation, decisions and other regulations. Where appropriate, the supervisor initiates corrective actions.

Comment

A detailed decision has been issued covering credit risk management and the duties of the Board to develop policies and procedures to manage credit, setting the focus of lending and the acceptable risk levels, internal loan review and reporting to the Board, responsibility of internal audit, and lending limits.
Compliance with the decision is monitored through onsite and offsite supervision.

Principle 18

Problem assets, provisions and reserves.[28] The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.[29]

[28] Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
[29] Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).

Description and Findings

Article 3 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management requires the supervisory board to adopt a comprehensive credit risk management program with adequate policies. Article 4, Paragraph 1, Item 4 requires management to monitor the mix and quality of assets and to ensure that it is professionally and conservatively assessed, and provisions are adequate to cover, partially or fully, unrecoverable debts and/or that such debts are written off.

FBA requires banks to establish their own asset classification system (article 12 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management) and classify loans in accordance with the provisions of articles 15, 16 and 22 of the same Decision. Article 15 requires that loans be classified into five categories: performing, special mention, substandard, doubtful and loss. Article 16 provides the factors to be considered by the bank in classifying the loans in each category. Article 22 specifies the level of provisioning required for each loan classification category.

The FBA requires banks to establish specialized units for problem loan restructuring, collection and resolution (Article 3, Item 6 and Article 9, Paragraphs 4 and 5 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management).

Article 14, Paragraph 5 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management defines, in detail, impaired assets: the principal and/or interest are past due for over 90 days (classified in categories C, D, and E). Article 13, Paragraph 3 requires that small loans (10,000 KM or less) that are not individually classified must be reported on a timely basis to monitor performance, delinquencies, restructuring and write-off. Article 13 (paragraphs 6 and 7) requires that detailed records be maintained on classified and nonperforming loans and reviewed, at a minimum, on a quarterly basis.

In accordance with article 1 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management, banks must adopt and implement adequate internal methodology for identifying impaired loans in compliance with the implementation of IAS/IFRS and the accounting and auditing regulations. Minimum standards for the internal methodology are defined in the Instructions on the Amended Manner for Creating, Recording and Reporting on Loan Loss Provisions.

Chapter III of the Instructions on the Amended Manner for Creating, Recording and Reporting on Loan Loss Provisions defines the criteria for determining default status. Default status exists when any of the following conditions are met:
- The bank believes that the borrower is unlikely to fully settle his liabilities towards the bank, regardless of the ability to collect on the collateral, and particularly in cases of: partial or full loan write-off, loan refinancing due to financial hardship of the debtor and the borrower's liquidation or bankruptcy.
- The borrower is overdue more than 90 days.
Pursuant to article 11 of the Decision on Minimum Standards for Credit Risk and Asset Classification Management in Banks, the bank must develop comprehensive procedures for monitoring asset quality, credit portfolio features, and reporting procedures. The bank must establish an internal asset classification system (article 12 of the same decision). The bank must, periodically, i.e., at least quarterly, classify the assets exposed to credit risk in the following categories:
- category A - good assets: 2 percent;
- category B - special mention assets: 5-15 percent;
- category C - substandard assets: 16-40 percent;
- category D - doubtful assets: 41-60 percent; and
- category E - loss: 100 percent.

Category B includes loans 90 days delinquent, Category C includes loans up to 180 days delinquent and Category D up to 270 days. As was highlighted in the 2006 BCP review, the terms of delinquency are too long. Such terms of delinquency are more appropriate for impaired loans.

In addition to the assessment of asset quality in line with the regulatory requirements, the bank assesses the value of financial resources (including loans) and contingent liabilities under IAS 39 and 37. Provisions and reserves are expenses in the income statement, while the assessment of potential loan losses, under the regulatory requirements, is of accounting nature. The difference between these two assessments, if it is a higher amount under the regulatory requirement, is recognized in the calculation of capital as missing provisions for loan losses, and if it is determined that they are insufficient the supervisor takes corrective actions. In addition, onsite supervisors oversee the actions of banks in line with the Instructions on the Amended Manner for Creating, Recording and Reporting on Loan Loss Provisions (establishment and application of the internal methodology for measurement of loan impairment and impairment of other financial assets, IAS 39/37).
During onsite examinations, and in line with the inspections manual, the supervisors determine the adequacy of policies, procedures and practices for credit risk management, which includes the assessment of loan classification. Based on a pre-determined sample, individual exposures are examined in detail and the adequacy of reserves is determined; and corrective actions are ordered if irregularities are identified. If a significant increase of impaired assets is identified, the bank must develop a plan for impaired asset management and submission of regular reports about its implementation. As needed, banks meet at the FBA to discuss the implementation of the plan and possible deviations from the projected amounts, organization of collection units. Pursuant to article 6, paragraph 1, item 1 of the Decision on Minimum Scope, Form and Contents of the Program and Report on Economic-Financial Audit in Banks, the external auditor must give an assessment of the bank’s asset quality, in line with the Decision on Minimum Standards for Credit Risk and Asset Classification Management. Once a year, following the completion of external audit, the supervisor is furnished with a report on the economic-financial audit and other accompanying findings of the auditor, such as a letter to the management that may be taken into account by the FBA when assessing the adequacy of policies and procedures of the bank, although the final FBA assessment of the adequacy of policies and procedures is based on results of its onsite supervision. In 2013, FBA adopted decisions for detailed examinations of assets of 4 banks, which were conducted by foreign audit companies. This special audit was aimed at increasing the level of reliability and caution. The review resulted in the banks increasing their reserves for loan losses. 
Comments

Based on inspection reports and outside party reviews, there is concern that provisioning levels at some banks are inadequate, particularly as estimated by banks for impaired loans under IAS. Currently banks are required to provision based on both IAS and prudential standards. Loan loss provisioning for prudential requirements is based on defined categories: Category B includes loans 90 days delinquent, Category C includes loans up to 180 days delinquent and Category D up to 270 days. As was highlighted in the 2006 BCP review, the terms of delinquency are too long and the provisioning ranges too wide but provide a floor and cross-check to reinforce provision levels established under IAS. Adjustments to capital for inadequate prudential provisions are not transparent in IAS published financial statements.

Enhancing the prudential angle with enhanced conservatism in defining impaired loans would require issuing supervisory standards to ensure banks use conservative assumptions (objective evidence and triggers). Providing training to the FBA staff on IAS to aid in discussions with bank management would also be useful. The training should cover assumptions on impairment, the methods employed for discounting to present value, and reviewing collateral valuations, as real estate appraisers lack expertise and the market is not deep enough to provide reliable market valuations. Additionally, the law on guarantor protection greatly reduces the value of third party guarantees. FBA standards would detail its expectations on factors to be considered in establishing discount rates, loss rates, considering macroeconomic events that may alter historic loss levels; issuing guidance on standards for real estate valuations, haircuts based on: selling and foreclosure costs, current market situation and factors to be included in the instructions to the appraiser.
The impact of the guarantor protection law must also be considered in setting provisions as the law limits access to the guarantee.

Principle 19

Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.[30]

[30] Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.

Description and Findings

The FBA adopted the Decision on Minimum Standards for Risk Concentration Management in Banks, setting standards for banks to implement policies for minimizing the credit risk in their operations (article 2 of the decision). Article 4 of the decision states that bank management is responsible to ensure the implementation of limits on credit risk concentrations in line with the law, the decision, the program and policies adopted by the supervisory board.

The management of the bank is responsible, as a minimum, to:
1. create and propose program, policies, plans and procedures to the supervisory board;
2. implement the program, policies, procedures and other regulations of a bank related to credit risk concentration and ensure that their implementation is monitored and controlled within the Law, this Decision, the program and policies;
3. ensure the implementation and development of specific reporting systems on credit risk concentration of the bank following the elements approved by the supervisory board;
4. maintain systems providing overview and classification of information regarding credit risk exposure of a bank to single counterparties or group of connected counterparties, by type of loan, industrial concentration, geographical regions, type of collateral and financial guarantors;
5. at least every three months, report to the board and FBA in detail about significant risk concentrations, that is about VIKR, their components and form.

Concentrations and limits for large credit exposure to single counterparties or group of connected counterparties are regulated by articles 42 and 43-a (limits of credit risk exposure) and articles 46 and 2-a (grounds of relationship of the counterparty with the bank) of the Law on Banks, Decision on Minimum Standards for Bank's Risk Concentration, Decision on Minimum Standards for Operations with Bank Related parties, as well as the Decision on Minimum Standards for Credit Risk and Asset classification Management in Banks.

The Law on Banks and the Decision on Minimum Standards for Banks’ Risk Concentration define the basic credit limit of 40 percent of total core capital of the bank. All amounts of 5 percent up to maximum of 25 percent of core capital of the bank have to be collateralized, while those over 25 percent of core capital of the bank have to be covered with cash deposits and immediately marketable collateral of high quality (first-class collateral). Limit for unsecured loans is 5 percent of core capital?. Article 14 of the Decision on Minimum Standards for Credit Risk and Asset classification Management in Banks defines first-class collateral as cash, government securities or precious metals (20 percent margin) pledged to and under the control of the lending bank.

Article 42, Paragraph 3 of the Law on Banks states that two or more borrowers shall be considered a “group of connected counterparties” where their interrelations make it likely that exposure to the group poses a single risk to the bank.
Article 6, paragraph (1) of the decision on concentrations states that two or more beneficiaries represent “group of connected counterparties”, if, due to their interrelations, bank’s exposure toward them represents a single exposure to credit risk, that is if one of them, or all of them have direct or indirect possibility of control, i.e., influence over another, in case of financial difficulties of one of them or several of them, it caused or could cause financial problems for the others. The following are grounds for identification of groups of connected counterparties: 1. same owner and/or co-ownership of the legal entity; 2. ownership and/or co-ownership of a spouse or persons who live in the same household, or have related or mutual investments; 3. mutual members of the supervisory board and/or management; 4. cross guarantees; 5. direct production and/or commercial and/or financial (directly business) relation and interrelation. Article 3, paragraph 2, item 2 of the Decision on Minimum Standards for Risk Concentration Management in Banks stipulates that the supervisory board is required to adopt written policies and procedures addressing concentration risk management, and capital needs related to concentrations. Article 4 of the decision defines the obligation of the bank’s management to ensure limitation of credit risk concentrations in accordance with the Law, the program and policies of the supervisory board. Article 5 also defines the total credit exposure of the bank to a single counterparty or group of connected counterparties as the total of outstanding credit and off-balance-sheet commitments to lend. 
During onsite inspections the following aspects are checked: compliance with legal restrictions, quality of adopted internal policies relating to the management of credit risk concentrations, monitoring and compliance with the adopted internal limits, quality of the records on connected parties and bank related parties, and reports submitted to the management and the supervisory board regarding concentrations. The FBA has the authority to require additional capital to address high concentration risks.

Article 4, paragraph 2, item 5 of the Decision on Minimum Standards for Risk Concentration Management in Banks defines that quarterly, the banks must report to the Board and FBA in detail on significant concentrations. Onsite supervision assesses the quality of reports submitted to the supervisory board regarding the existing concentrations. The onsite supervision also examines the mode of operation of the information systems for identifying, managing and reporting in relation to risk concentrations.

Offsite supervisors assess the risk concentration at the level of individual banks and at the level of banking system, so they can issue warnings to individual banks, whereas in case of breach of legal limitations they impose remedial measures on the banks. Banks submit regular quarterly data on sectoral structure of the loans with the amounts of provisioning and reports on the currency structure of loans. Some banks, where increased risk concentrations are found, are obliged to submit to FBA quarterly reports on new exposures exceeding KM 500,000.

A large credit exposure is defined as credit to single counterparties or group of connected counterparties amounting to more than 15 percent of the bank’s core capital. The bank’s total aggregate outstanding principal amount of all large credit exposures may not exceed the equivalent of 300 percent of the bank’s core capital.
Comments
Concentration violations are often encountered in the domestic banks, mostly because of reductions in capital attributed to loan losses and declining profitability, and in other instances due to improper recordkeeping and related party borrowing. A review of existing laws and regulations regarding concentrations and large exposures, as well as a reconciliation of existing limits with those of the international regulatory framework, is underway. The amendments to the Law on Banks will bring limits in line with international standards by limiting the maximum exposure to single counterparties or group of counterparties to 25 percent of the core capital of the bank (instead of the current 40 percent). There is also ongoing preparation of a draft Decision on Large Exposures of Banks. Also being developed are regulations that will stipulate an obligation and criteria for implementation of bottom-up stress testing by the banks.

Principle 20 Transactions with related parties. In order to prevent abuses arising in transactions with related parties,31 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties32 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.

Description and Findings
Article 2a of the Law on Banks defines related parties as two or more legal entities and/or natural persons who individually or jointly have:
- direct or indirect control of a bank’s supervisory board, management, or a significant ownership interest; or
- by mutual agreement act in concert to create a significant ownership interest in order to affect the operations of a bank.
31 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.

32 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.

Article 46, paragraph 2 of the Law on Banks defines that entities related to the bank are the following:
1. Chairman and members of the supervisory board, members of the management, members of the audit board and members of their immediate family within the third degree of consanguinity or marriage, or persons who are living in the same household, or who have interconnected or joint investments;
2. Individuals with significant ownership interest in the bank and members of their immediate family within the third degree of consanguinity or marriage, or persons who are living in the same household, or who have interconnected or joint investments;
3. Legal entities holding any common shares, preferred shares or any voting rights in the bank;
4. Legal entities in which the bank holds significant ownership interest;
5. Legal entities in which significant ownership interest is held by same legal or natural person holding significant ownership interest in the bank;
6. Legal entities in which the holder of significant ownership interest, a member of the supervisory board or management is one of the persons mentioned under items 1 through 5 of this paragraph;
7. Related parties as defined in article 1, paragraph 2 of this Law, and the related parties of all shareholders of the bank.

Loans to related parties are subject to restrictions. According to Article 3 of the Decision on Minimum Standards for Operations with Bank Related Parties, transactions with individuals (natural persons) are restricted to up to 1 percent of a bank’s core capital and with all individuals in total to up to 10 percent of the bank’s core capital. The limit for related legal persons is 25 percent. Both limits are in the aggregate. Article 6 of the Decision on Minimum Standards for Risk Concentration Management in Banks with Bank Related Parties stipulates that, in a group of related parties, a total credit exposure to single counterparties is a sum of credit exposures to all of the bank related parties. Stipulated limits (Article 42 of the Law on Banks) which apply to exposures to individuals and groups of interrelated parties apply also to bank related parties. Article 10 of the Decision on Minimum Standards for Capital Management of Banks and Capital Hedge defines that, in calculating the bank's capital adequacy, the deduction items comprise all receivables from the shareholders with significant ownership interest in the bank (over 10 percent of voting shares) that were approved by the bank contrary to the provisions of the Law, FBA regulations and business policy of the bank, as well as all large exposures of the bank to credit risk (over 15 percent of the amount of the bank’s core capital) to the shareholders with significant ownership interest in the bank, made without prior written consent of the FBA.
Article 46, Paragraph 1 of the Law on Banks states that in conducting operations with parties related to the bank, and in the name and on behalf of parties related to the bank, the bank cannot offer to that party more favorable conditions than to any other party that is not related to the bank. Article 3 of the decision stipulates that the bank may perform business transactions with related parties only with the approval granted by the supervisory board or other officials in charge of approving such transactions, appointed by the supervisory board, without the right to participate in the voting of the members of related parties, and with access to all the relevant information when making decisions on transactions. Article 31-k of the Law on Banks defines that the chairman and members of the supervisory board may not make decisions on issues that concern relationships of the bank and other legal entities in which the chairman or a member of the supervisory board has a direct or indirect financial interest.

Comments
Related party lending, similarly to concentration risk, is an issue of concern at many domestic banks. The ability of the FBA to enforce compliance with the related party regulation is hampered by the fact that supervisory board members are not subject to fines from the FBA. Currently, the banking law does not provide the FBA with sufficient power to fine and sanction supervisory board members and controlling owners.

Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk33 and transfer risk34 in their international lending and investment activities on a timely basis.

Description and Findings
The existing regulatory framework does not explicitly set requirements concerning banks in terms of country and transfer risk.
There is no obligation for banks to adopt policies and procedures in this area. The requirement concerning country risk is partially incorporated into the existing Decision on Minimum Standards for Bank Capital Management and Capital Hedge (when using risk-weighted assets in the process of calculating the capital adequacy of banks), as well as the current Decision on Minimum Standards for Credit Risk Management and Asset Classification in Banks (relating to treatment of first-class secured assets and liabilities of the bank to establish reasonable and operational limits on concentration of bank's exposure and according to the criterion of geographical region, country of origin or groups of countries, as well as to establish a system that allows grouping of asset items in such a manner). Compliance with the provisions of the decisions is regularly monitored within the supervisory process (onsite and offsite supervision) as part of the process to assess capital adequacy. As part of the project to draft regulations on Pillar 2, the FBA is reviewing options for regulatory requirements for country risk and transfer risk, such as incorporating it into the new Decision on Risk Management or alternatively through amendments to the existing Decision on Minimum Standards for Credit Risk and Asset Classification Management in Banks, which is planned to be completed by the end of 2014. The FBA monitors and banks report on concentrations.

Comments
Due to the fact that existing regulatory requirements only partially treat the management of country risk and transfer risk, in the process of determining compliance with capital requirements, regulations have been drafted to address country and transfer risk management.

33 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporates, banks or governments are covered.

34 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.)

Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.

Description and Findings
The Decision on Minimum Standards for Market Risk Management in Banks of 2007 defines minimum standards for market risk management in banks. This decision was created in accordance with the Amendment for Capital Requirements that Include Market Risk, of November 2005. Compliance with the concerned decision, i.e., its implementation deadline, was extended several times, and at the end, taking into account that there were changes in the international regulatory framework and the fact that there is no significant level of market risk in FBiH banks, it was decided to extend the implementation of this decision. A decision was adopted to include the regulatory market risk requirements in the implementation of the FBA Strategy, and this is already contained in the prepared draft Decision for Calculating Capital of Banks, the implementation of which would begin on January 1, 2017. In line with the strategic commitments, capital requirements will be calculated by applying a standardized approach.
Comments
The particular decision which regulates the minimum standards for market risk management in banks, adopted in 2007, has not yet been implemented, taking into account the need for compliance with the international regulations and the fact that the market risk exposure in the banking sector is not significant. Thus within the implementation of the FBA Strategies, necessary actions have been taken to prepare a new decision on the bank capital calculation, which is currently being drafted, and its implementation is planned to start from January 1, 2017.

Principle 23 Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk35 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.

Description and Findings
The existing regulatory framework does not explicitly establish requirements concerning interest rate risk management in the banking book. The existing Decision on Minimum Standards for Market Risk Management in Banks also includes the obligations of the bank for measuring the risk related to changes in interest rates, but it is not binding for the banks. A team was established to draft a decision on interest rate risk management in the banking book, which will establish minimum requirements for the establishment of an interest rate risk management and reporting system as well as stress testing programs.

Comments
Work is underway to develop regulatory requirements for interest rate risk management in the banking book, to harmonize with international standards and Pillar 2. A draft risk management regulation will address IRRBB.

35 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22.
Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.

Description and Findings
The Decision on Minimum Standards for Bank’s Liquidity Risk Management establishes bank requirements for managing liquidity:
- Bank’s supervisory board is responsible to ensure that a bank has and implements an adequate program for liquidity risk management, that also includes liquidity policy, and is obliged to analyze it periodically and adapt it to the changes in economy and market conditions;
- Bank management prepares and proposes to the supervisory board a program and policy concerning liquidity risk management; determines appropriate method for accurate evaluation of current and prospective future liquidity; assures establishment and implementation of adequate information systems, and at least quarterly reports to the supervisory board regarding overall condition and bank’s liquidity prospects;
- Bank’s management prepares regular plans concerning contingency situations and shocks that can endanger bank’s liquidity;
- Its policies should identify sources and volume of liquidity funds, necessary to ensure its continuous and stable operations;
- Defines, applies and continuously develops effective and detailed procedures for monitoring, control and managing bank’s liquidity which should be proportional to the size and complexity of the bank and its liquidity and placements policies;
- Appoints person responsible for liquidity management at the level of the bank, and promptly informs FBA about the appointment;
- Implements information system that is adequate for the liquidity management requirements of the bank;
- Bank’s liquidity management system should be continuous and supervised by the bank’s internal control system and internal audit.

Article 6 of the aforementioned Decision defines the limits for:
- Maintaining maturity matching of financial assets and financial liabilities, according to the remaining maturity: invest at least 85 percent of funds with maturity date of up to 30 days in placements with maturity date of up to 30 days; invest at least 80 percent of funds with maturities of up to 90 days in placements with maturity date of up to 90 days; and include at least 75 percent of sources of funds with maturity of up to 180 days in placements with maturity date of up to 180 days;
- Maintaining average ten-day minimum liquidity in cash funds of at least 10 percent of short term liabilities, taking into account that the level of cash funds cannot be less than 5 percent.

The FBA can mandate corrective action for failure to meet regulatory requirements. The FBA could introduce additional limitations or order the bank to observe stricter limits on maturity matching of financial assets and liabilities. The decision also stipulates the submission of reports to FBA:
- Reports on its liquidity position every ten-day period;
- Maturity matching of assets and liabilities (monthly report).

In the banking sector of FBiH there are no banks that have their bank subsidiaries in other countries. Some of the banks in FBiH are members of groups of international banks, and complying with the standards of their parent bank, they apply the existing Basel principles.
In line with the Decision on Minimum Standards for Bank’s Liquidity Risk Management, Articles 5, 6 and 9, the bank is required to create, implement and maintain policies which include:
(1) structure (type) of bank’s assets and liabilities;
(2) large liabilities items, especially bank’s deposits and depositors;
(3) structure of stable and unstable liabilities items, especially bank’s deposits and depositors;
(4) bank’s liabilities items with renegotiated maturity date and items where there is a basis to expect further possibility of renegotiation;
(5) structure of prices and stability of prices of liabilities, especially bank’s depositors;
(6) currency structure of bank’s assets and liabilities;
(7) available (potential) regional and global market sources for the bank;
(8) identify sources and volume of liquid funds that are necessary for ensuring continuous and stable operations of the bank, when, for regulating its bad debts, the bank cannot rely solely on the amount of reserve requirements held at the Central Bank, which is treated as extraordinary and temporary short-term measure;
(9) rely on stable sources of funds, or contractual maturity dates;
(10) provide diversified sources of funds by maturity, type and number of clients, market and instruments;
(11) appoint competent and responsible persons concerning matters of liquidity, establishment of effective control of liquidity management by the internal control or internal audit, as well as matters of subsidiary entities;
(12) define business policy including planning of safe, i.e., reliable sources for development plans and minimization of any structural mismatch between maturity dates of assets and liabilities;
(13) regularly prepare plans for emergency (unexpected) situations and shocks that could endanger the liquidity of banks, including the main guidelines on operations of the bank, its activities, liquidity reserves and possible activities for ensuring liquidity funds in different situations.

The FBA monitors liquidity risk management through offsite and onsite supervision. Offsite supervision analyzes the liquidity position of the bank on the basis of regularly submitted reports (daily, ten-day, monthly). If the analysis of reports submitted identifies negative trends and reduction of liquidity level before breaching regulatory limits, offsite supervisors issue warning letters to the bank and meet with management at the premises of FBA. If regulatory limits are breached, the offsite department prepares a report and orders the bank to correct deficiencies and imposes more frequent reporting. If negative trends continue a targeted onsite inspection may be scheduled. The onsite inspection reviews: internal documents, accounting documents, contract documents relating to funding sources, internal audit findings, management reports, minutes from meetings of the management bodies, ALCO Committee and other committees, plans and projections, manner of preparation and accuracy of reports, IT support, in accordance with the Onsite Supervision Manual.
The CAMELS rating system provides factors to assess liquidity risk management:
- Adequacy of sources of liquidity of banks for current and future needs, as well as the ability of banks to meet their liquidity needs without negative consequences on its normal operations and conditions for the operations;
- Availability of assets suitable for conversion into cash, without delay and without excessive (unacceptable) losses;
- Access to money markets and cash markets and other sources of cash;
- Degree of diversification of sources of funds, and balance sheet and off-balance sheet items (various contracts for providing security for the cash at some future point);
- Degree of reliance on short-term volatile sources of funds, including short-term loans and brokerage deposits;
- Trend and stability of deposits;
- Ability, possibility to sell securities and certain "buckets" of assets items;
- Ability of the supervisory board and the management to properly (accurately and timely) identify, measure, monitor and keep under control the liquidity position of banks, including the effectiveness of the strategy to manage sources of funds, liquidity policy, a system for reporting to supervisory board and the management as well as plans for emergency situations;
- Compliance with relevant laws and regulations;
- Impact of other risks (credit, legal, market, operational, etc.).

Comments
As part of implementing Basel III, the FBA will analyze the existing regulatory framework and adopt: the liquidity coverage ratio - LCR, and the Net Stable Funding Ratio, NSFR, as an obligation for regularly conducting liquidity stress tests by banks.

Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions.
This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk36 on a timely basis.

Description and Findings
The Decision on Minimum Standards for Operational Risk (OR) Management in Banks prescribes minimum standards and criteria which a bank is required to apply. In accordance with Article 3, a bank must establish a system for operational risk management that, as a minimum, includes:
1. policies and procedures for OR management which will provide: (a) identification of the existing OR potential sources and sources that may arise from introducing new business products, systems, or activities; (b) measurement of OR, by accurate and timely assessment of that risk; (c) continuous control of OR which provides maintenance to a level that is acceptable to the bank's risk profile, and its reduction to a minimum; (d) continuous monitoring of OR by analysis of the situation, and of changes and trends in the bank's exposure to that risk, and (e) establishment of minimum capital adequacy for the protection of losses arising from OR (hereinafter.
2. clearly defined lines of authority and responsibility in the process of assuming and managing OR;
3. a system that ensures that all bank employees are familiar with their responsibilities in the process of OR management;
4. a system for regular reporting to the supervisory board (and the bank's management board) on the functioning of the system for managing OR; and
5. the obligation of a periodic review and the duty of the bank's supervisory board (NO) to carry out, at least annually, an analysis and assessment of the adequacy of the established system for managing OR.

In addition, in accordance with Article 4, a bank is required to identify particular risks arising from:
1. inadequate information and other systems in the bank;
2. disruption in operations and malfunctions in systems such as failures related to information technology, telecommunication problems, work disruptions, etc.;
3. problems of adequate integration or sustainability of information and other systems in circumstance of developing a network of different organizational units and/or status changes of the bank;
4. illegal and inappropriate conduct of bank employees, such as fraud and unauthorized access to accounts of the clients, misuse of confidential information, giving false or inaccurate information about the condition of the bank, non-prompt performance, errors in data entry, non-compliance with good business work practices, etc.;
5. actions or inaction that may or have caused court and other legal actions against the bank;
6. external illegal acts, such as robbery, unauthorized entry into the database of the bank, including unauthorized use of ATM machines, unauthorized transfer of funds, illegally obtaining bank documents, etc.;
7. damage to physical assets and events that cannot be predicted, such as natural and other disasters, terrorism, etc.

The bank is to allocate capital for operational risk based on the basic indicator approach (BIA), and to record all losses and create a database pertaining to that.

36 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
Through onsite inspections, the FBA determines whether banks have an appropriate framework for operational risk management that includes the banks' appetite for risk, its risk profile, and market and macro-prudential conditions, specifically: assessment and application of bank policies and procedures for the identifying, measuring, managing and monitoring of exposure to operational risk, defined organizational lines of authority and responsibility in the process of taking over and managing OR, the existence and work of an appropriate body monitoring OR indicators, methods of collection and classification of data, functioning of information support for this segment, database of damages - historical data, maturity and scope, analyses of scenarios, quality, frequency and content of communication with competent authorities, method of management - reduction, alleviation and prevention of OR, new products and risk assessment, capital requests for the OR budget and reporting, employees' training, role of internal auditing, impact and reporting to groups.

In the Decision on Minimum Standards of Management of Outsourcing, minimum standards are determined whereby the bank is required to provide a procedure for conducting and managing outsourcing and risks which may arise from outsourcing. The decision defines the following:
- Concept of outsourcing;
- Outsourcing conditions;
- Internal regulations;
- System of risk management related to outsourcing;
- Responsibilities of the supervisory board;
- Responsibilities of management of the bank;
- Program and policies for risk management of outsourcing;
- Contractual relation of the bank and service providers;
- Data access;
- Quality management;
- Notifications to the FBA; and
- Auditing of outsourced activities.
In accordance with article 6 of the decision, ex-ante the bank is obligated to evaluate the impact of outsourcing on: financial results, expenses, solvency, liquidity and the bank's capital, the bank's risk profile, quality of service and the bank's reputation, continuity of business, level of difficulties and time necessary for choosing an alternate service provider or returning outsourced services to within the bank. A decision on outsourcing should be in conformity with the business strategy and goals of the bank and should contain a rationale that includes a detailed description of activities that are intended to be outsourced and reasons for making a decision on outsourcing.

Structuring outsourcing arrangements is defined in Article 14. Management and monitoring of risks related to outsourcing arrangements are defined in Articles 9, 10, and 11 of the above mentioned Decision. Providing a system of effective control is defined in Articles 16 and 23 of the above mentioned Decision. Elements of an emergency plan are defined in Article 18, Item 11, and Article 22 of the above mentioned Decision, and the Decision on Minimum Standards of Information System Management in Banks, in Articles 28-30. Mandatory elements of agreement with a service provider (service level agreement) are defined in Article 14 of the Decision on Minimum Standards for Management of Outsourcing.

Through targeted onsite inspections of risk management, as a separate subject of inspection, the bank's outsourced activities are inspected as to whether they are in compliance with the regulatory requirements determined in the Decision on Minimum Standards for Managing Outsourcing, and the Decision on Minimum Standards of Information System Management in Banks.
In the event that minor irregularities have been determined after the inspection is carried out, recommendations are issued, whereas in case of major non-compliance with regulatory requirements, orders that include deadlines for execution are issued.

Comments
A draft of the Decision on Calculating Bank Capital includes capital requirements for operational risk, which will use the standard approach in addition to the basic indicator approach. The above mentioned draft of the Decision is in compliance with a regulatory package of the EU in terms of capital requirements, or CRR/CRD, as much as possible, but taking into consideration the specificity of the market in B&H. A draft of the above mentioned Decision will start to be effective from January 1, 2017.

Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent37 internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.

37 In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.
Description and Findings
The LOB article 31 j assigns the responsibility to the supervisory board for establishing and conducting a system of internal controls and conducting internal auditing. In order to guide this, the FBA made a Decision on Minimum Standards for Internal Control in Banks and a Decision on Minimum Standards for Internal and External Auditing in Banks. The Decision on Minimum Standards for Internal and External Auditing in Banks, articles 3 and 5, and the Decision on Minimum Standards for Internal Control in Banks, article 2, require that a system of internal control and an independent internal audit be established in all organizational parts of the bank. The Decision on Minimum Standards for Internal Control in Banks defines obligations of the supervisory board of a bank for minimum standards for establishing and conducting procedures and checking the performance of business activities and operations at all business levels and all areas of bank operations. Based on a review of the supervisory manual on internal audit and internal control, and a review of several inspection reports, it is stated that the FBA assesses the framework of internal control and the functioning of an independent internal auditor. This includes elements such as delegating authorities, separation of certain functions, reconciliation of certain processes and safeguarding the bank’s assets.

Comments
No comments with regard to internal control and internal audit.

Principle 27 Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion.
The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.

Description and Findings: In the LOB article 48 it is stated that the bank and its subsidiary shall maintain at all times accounts and records, and prepare annual financial statements, adequate to reflect their respective operations and financial condition, in such form and with such content that it is in accordance with the law, international standards, and the regulation of the FBA. The international standards referred to are the International Financial Reporting Standards (IFRS) and accompanying instructions, explanations and guidelines issued by the International Accounting Standard Board (IASB) (see article 33 of the Law on Accounting and Auditing). It is stated in article 37 of the Law on Accounting and Auditing that the person authorized to represent the legal person, registered in the court register, is held responsible for the financial statement. This is in practice the management board. In the Law on Accounting and Audit article 53 it is also stipulated that the external auditor shall give an opinion about whether the financial statements based on its audit fairly present the financial situation of the bank and whether the statements are prepared in accordance with IAS and IFRS. Further, article 2 of the Decision on minimum scope, form and content of the program and report on economic – financial audit of banks states that an audit should be performed in accordance with the law, accounting standards, and other regulations determining banks’ operations. In practice, the banks started implementing IFRS in 2010 after the Commission of Accounting and Auditing translated IFRS 2009 into the Bosnian language. But since 2009 there has not been an update of the translation of IFRS.
This could be the reason that several banks (mostly domestic) only implemented IFRS 2009 and not the actual IFRS 2014. Some foreign banks did implement the actual IFRS because they are part of a larger group that implemented the actual IFRS and therefore had the resources and the technical capacity. The smaller domestic banks didn’t have this opportunity and seem to be dependent on the Bosnian translation of the IFRS, although there were no major changes in IFRS after 2010. Further, in 2013 two external auditors of three domestically owned banks had based their opinion on the Law on Accounting and Auditing, instead of IFRS; whereas four external auditors of 14 banks base their audit opinion on IFRS. This makes it difficult to compare different financial statements across the banking sector. FBA is not sure what this means for the quality of the audit opinion. It is noted that in the banking sector there are only 6 audit firms that have permission to audit banks (big four plus two domestic audit firms) out of a total of 102 audit firms. All audit firms need to be registered at the Ministry of Finance and the audit firms that audit the financial statements of banks need consent from the FBA (article 11 of Decision on minimum standards for banks’ internal and external audit function). In practice, the FBA appoints the auditor on a yearly basis with a maximum term of five years, whereas article 23 of the LOBA states that the FBA may reject the audited financial statements. In the last few years the FBA didn’t use this power. The FBA does not have the power to refuse or rescind an external auditor. It is also noted that detailed asset quality reviews of five domestic banks that are under enhanced supervision have revealed material under-provisioning of which only two have been corrected (including impact on capital). The results of the AQRs for two domestic banks are long overdue.
Comments: In the FBiH only the IFRS 2009 has been translated into the local language. The consequence of this is that most (domestic) banks only implemented IFRS 2009. Only the foreign banks that are part of a larger group have implemented the latest IFRS with support of their parent company. Because of this most external auditors base their opinion on the Law on Accounting and Auditing instead of IFRS. This makes it difficult to compare different financial statements in the banking sector. The appointment of the external auditor takes place on a yearly basis with a maximum term of 5 years. FBA does not have the power to reject or rescind an external auditor (they can only refuse the financial statement). The risk exists that yearly appointment has an adverse effect on the continuity. Most important, the recent AQRs for five domestic banks revealed material under-provisioning. This raises questions on the quality of the financial audits. Furthermore, the work of auditors is not reviewed externally as the audit quality assurance systems are in their infancy, with little capacity and no in-depth review of auditors’ work.

Recommendation:
- Translate IFRS on a continuous basis.
- Provide training to supervisors on IFRS.
- Establish the power under which conditions FBA can reject and rescind an external auditor.
- Change the yearly appointment of an external auditor into the power to rescind an external auditor.
Precondition (see paragraph 29)
- Evaluate the quality of the external audit and the quality assurance system in relation to the outcomes of the AQR.

Principle 28: Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, on a solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.
Description and Findings: In article 50 of LOB it is stipulated that ‘banks shall, within 75 days after the end of the preceding financial year, submit to the FBA its financial statement and its external auditor’s report for the preceding financial year within 5 months after the end of the preceding financial year.’ It continues: ‘Each bank shall publish the external auditor’s report in abbreviated form in one or more of the daily newspapers in BiH within 15 days after receiving it. Each bank should submit a copy of the abbreviated form of the external auditor’s report to the FBA.’ In addition, ‘at the end of each six months, banks are required to publish non audited semi-annual reports which includes a balance sheet, as well as information containing names of members of the supervisory and management board and each bank’s shareholders owning 5 percent or more of voting rights.’ Further, ‘Banks are required to publish the non-audited semi-annual report within 30 days after the expiration of the first six-month period in one or more local newspapers available to the clients throughout BiH and must continuously make copies available to the client at each location.’ Next, in article 8 of the decision on the minimum scope, form and content of the program and the statement on the economic and financial audit of banks the obligation is prescribed to publish a shorter version of the auditor’s report, as well as its content and form.
Minimum elements the report must contain are as follows:
- basic bank information, such as: the title of the bank, bank address, bank phone number, bank fax number and swift code of the bank; the composition of the SB and the bank’s auditing board; the names of the bank’s management; the name of the bank’s internal auditor; the number of the bank’s subsidiaries; number of the bank’s employees; the name of the external bank’s auditor; the names of all the shareholders that have 5 percent or more shares with voting rights;
- auditor’s opinion and comments;
- the bank’s balance sheet;
- the bank’s income statement.

Further, the FBA publishes on its website a report which, among other things, contains regulatory statements of each individual bank – balance sheet and income statement, as well as the opinion of the external auditor. In practice, it is the off-site department of FBA that checks whether the banks publish data that faithfully reflect the financial status. In practice, only some annual reports (including audit opinion) were found by the assessors on the FBA website. It is observed by the assessors that the disclosed information is both quantitative (balance sheet, profit and loss statement, cash flow statement) and qualitative (information on business model, risk management, related parties, accounting policies, audit opinion). Some banks also implemented IFRS 7 on disclosure. These are mostly foreign banks that have instruction from the parent bank to implement the most recent IFRS (see CP 27). More information could be disclosed on the group structure, such as the ultimate beneficiary owner (see also CP 6 Transfer of significant ownership). FBA did not yet implement pillar 3 of Basel II that requires disclosing information on the relation between risk profile and capital.

Comments: According to law and regulation banks are obliged to disclose periodically their financial status among other information.
The off-site department of the FBA verifies whether this information is disclosed. However, during the time of the assessment not all information required by FBA was disclosed. More effort could be invested to disclose the group structure of banks, including the ultimate beneficiary owners and the insider lending.

Recommendation:
- Disclose information on the group structure including ultimate beneficiary owners and the insider lending.

Principle 29: Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.[38]

Description and Findings: FBA has the authority to supervise and evaluate compliance of banks to AML/TF standards based on article 4 of the LOBA. It is prescribed in article 47 of the LOB (including the amendments of 2013) that banks:
- Must not acquire, perform conversions or transfers, nor mediate during the acquisition, conversion or the transfer of money or other assets of which it knows or about which it could reasonably assume that it was acquired by committing a criminal offense;
- Must not initiate a transaction of which it knows or about which it could reasonably assume that it is intended for money laundering and it must not make conversions or transfers, nor mediate during the acquisition, conversion or the transfer of money or other assets of which it knows or about which it could reasonably assume that it could be used for the financing of terrorist activities;
- Have an obligation to establish internal control and internal audit, as well as the policies and procedures aiming at discovering and preventing the transactions involving criminal activities, money laundering, and the activities supporting terrorism;
- Have an obligation to take measures so as to satisfactorily establish the true
identity of any person who wishes to establish business relations with the bank, who performs a transaction or series of transactions in the bank or establishes any other kind of business relations;
- Have an obligation to submit to the FBA a monthly report on the transactions about which it informed the Financial Intelligence Department.

[38] The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.

The prevention of money laundering and financing of terrorist activities is regulated on a state level by the ‘Law on prevention of money laundering and financing of terrorist activities’ (47/14), recently adopted in 2014, which replaces the Law on AML/TF (53/09). This law establishes the roles and responsibilities of the different bodies involved in the prevention of ML/TF such as the Financial Intelligence Department (FID) of the State Investigation and Protection Agency (SIPA), the FMA, the banks, and others. Further, the Decision on the minimum standard for prevention of ML/TF (48/12) prescribes in more detail the minimum scope, form and content of activities of banks on prevention of ML/TF.
The following roles and responsibilities are prescribed by the Law on AML/TF (47/14) and the Decision on AML/TF (48/12):
- The banks are required to have appropriate policies and procedures (article 5-47 of Law on AML/TF) such as client acceptance policy (Decision on AML/TF article 5-8), client identification policy (Decision on AML/TF article 9-24), continuous monitoring of accounts and transactions policy (Decision on AML/TF article 25-30), risk management policy (Decision on AML/TF article 31-42). These policies address high risk accounts, politically exposed persons and correspondent banking. The objective of the law and regulation is to prevent criminal activities or recognize suspicious clients and transactions. Each suspicious client and transaction shall be reported to the FID before the transaction is made. At the end of each month the banks report to the FBA all suspicious transactions about which the banks have informed the FID.
- The FBA also reports to the FID if it has become aware of additional suspicious clients or transactions (article 81 Law on AML/TF).
- The FID receives, collects, records, investigates and analyzes the information and submits it to the Prosecutor’s Office when prescribed by law, and gives feedback to FBA on measures taken (article 82 Law on AML/TF).

In practice, the supervisors have a comprehensive manual for AML that addresses all key elements of ML/TF. According to a fixed cycle of inspections, supervisors conduct a comprehensive AML/TF inspection every two years and, in case of suspicious transactions, whenever necessary. The inspection is conducted by a specialist unit within FBA that consists of persons (director, three senior inspectors and two inspectors).
The assessors observed through interviews and review of several inspection reports that all key elements are being adequately assessed by FBA, including the assessment of internal audit, compliance officers, screening, training programs and the IT technology used for transaction and account monitoring. After every inspection FBA could use, if necessary, all corrective actions available in the LOB (article 67 of LOB; and article 83 and 84 of Law on AML/TF).

First remark is about the extent to which the supervisor is aware of the inherent risk profile of the banks. The assessors have the impression that more attention could be paid to understanding the inherent ML/TF risk profile of a bank, in terms of supervisors understanding for themselves to what extent a bank’s engagement with certain clients, products or locations could increase the ML/TF risk profile, and following that making banks aware of it. Currently the focus is more on the quality of risk management (in its broadest sense). The supervisor was not aware of increased ML/TF risks in the banking sector and mostly discussed the deficiencies in the quality of risk management of banks. A meeting with the FID revealed that currently the real estate sector seems most vulnerable to ML activities. However, the FID didn’t connect these risks (without reason) to the banking sector. It could help the supervisors to make a distinction between inherent risk, quality of risk management and net risk.

Second remark is about the follow-up of findings. Deficiencies in the quality of risk management follow the regular procedure: reporting the finding, receiving comments from the banks and then issuing a written order (with specific deadlines). What differs is that the FBA in case of suspicious transactions also sends a report to the FID that could be sent on to the Prosecutor’s Office. The difference with the regular procedure.
Regarding the follow-up of the deficiencies in the quality of risk management, it was observed that FBA, in practice, conducts the follow-up not shortly after the initial inspection but during the next inspection of the next supervisory cycle (see also CP 11 corrective actions).

Third remark is about the cooperation between the FBA and the FID, which is arranged in the ‘Law on prevention of money laundering and financing of terrorist activities’ (47/14). It is noticed that the feedback loop between FID and FMA could be enhanced by sharing knowledge on both sides. The FBA has not only knowledge on suspicious transactions, but also on the inherent risk profile of a bank. The FID has knowledge on the sensitive sectors that could be related with the banking sector such as the real estate sector. Furthermore, feedback from FID on what the nature is of suspicious transactions could help the FBA in understanding the inherent risk profile of a bank and would complete the feedback loop.

Fourth remark is that FBA does not conduct on-site inspection on ML/TF activities at branches of FBiH. However, these branches are required to comply fully with the law and regulation on AML/CTF (such as reporting of suspicious transactions and taking adequate control measures).

Comments: The FBA puts reasonable effort in determining that banks have adequate policies and processes, to prevent the bank from being used, intentionally or unintentionally, for criminal activities. Recently, a new law on AML/TF (2014) was adopted as well as a Decision on AML/TF (2012) that covers all the key elements of preventing, detecting and reporting suspicious activities such as client acceptance, client identification, continuous monitoring of transactions and accounts and risk management. This is the result of the increased attention of Moneyval on BiH. Also the supervisory processes are aligned with this law and regulation. There are a few remarks.
First, more attention could be paid to understanding the inherent ML/TF risk profile of banks and accordingly make the supervisory intensity risk based (see CP 8 Supervisory approach). Second, the follow-up of findings could be strengthened in practice (see also CP 11 Corrective actions). Third, there seems not to be a good feedback loop between the FBA and the FID. Fourth, it seems that branches outside the FBiH, with headquarters inside the FBiH, are not being inspected on-site for ML/TF activities.

Recommendation:
- Put more effort in identifying the inherent ML/TF risk profiles of banks.
- Conduct risk based inspections instead of inspections according to fixed cycle.
- Enhance the follow-up of findings.
- Enhance the cooperation between FBA and FID.
- Discuss with BARS who conducts on-site inspections in the cross entity branches in the area of ML/TF.
See also precondition on AML/TF paragraph 40 and 41.

Appendix II. Republika Srpska: Principle-by-Principle Implementation Review

A. Supervisory Powers, Responsibilities, and Functions

Principle 1: Responsibilities, objectives and powers. An effective system of banking supervision has clear responsibilities and objectives for each authority involved in the supervision of banks and banking groups.[39] A suitable legal framework for banking supervision is in place to provide each responsible authority with the necessary legal powers to authorize banks, conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns.[40]

Description and Findings: The legal framework for banking supervision from a narrow perspective consists of three laws:
- Law on the Central Bank
- Law on the Banking agency
- Law on Banks

The Law on the Central Bank stipulates that its objective is to achieve and maintain the stability of the domestic currency (article 2).
It does not have an explicit objective to achieve and maintain financial stability in BiH. One of the basic tasks of the Central Bank of BiH (CBBH) is to coordinate the activities of the agencies responsible for bank licensing and supervision in both the FBiH and RS in ways to be determined by the Governing Board of the CBBH, including monthly meetings and submission of monthly reports (article 2). To this date, the role of the CBBH remains that of coordination without any interference in the everyday supervisory responsibilities and objectives of the RS Banking Agency. The cooperation and coordination of the CBBH and the two supervisory agencies is discussed in detail in CP 3.

The Law on the Banking Agency (adopted in 1998) stipulates that the main objective of BARS is to safeguard and strengthen the banking system stability, as well as to improve its safe, good quality and lawful operations in the RS (article 3). The main tasks of the BARS are: issuing and revoking licenses, supervising and undertaking appropriate measures. There have been three amendments of the LOBA since the last BCP review in 2006. The first amendment was in 2006, when the provision was introduced prescribing that the BARS is responsible for supervision of other financial organizations (such as micro credit organisations, saving and credit organizations, and leasing companies) when such is stipulated by the LOBA and other laws. The second amendment was in 2011, when the Ombudsman was established as an independent organizational unit within the BARS with the aim to promote and protect the rights and interests of the consumers (article 10-17). The third amendment was in 2013, when the articles of confidentiality of information were harmonized with the EU directive (article 29-32). There are currently no plans to revise the LOBA in the near future unless this would be necessary as a result of adopting the new Law on Banks.

[39] In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.

[40] The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.

The Law on Banks (adopted in 2003) and secondary regulations issued by the BARS stipulate the minimum prudential standards that banks have to meet. It broadly covers licensing and authorizations, capital and ownership, management of bank, operational requirements, accounting, auditing and inspection, bankruptcy and liquidation, liabilities, penalties, and violations. There have been several substantive amendments since the last BCP review in 2006. First, in 2011 the LOB was amended to include consumer protection (article 98). Second, in 2013 the LOB was amended with regard to AML (article 101), voluntary liquidation and provisional administrator (article 107-119). The details on both primary and secondary law are described in the following CPs. In 2014 a work group with key players (such as Ministry of Finance, Banking Agency) in both the FBiH and RS is working on a new LOB.

BARS has many supervisory powers (see details in other CPs), but lacks some key powers, such as:
- The supervisory power to do consolidated supervision (see CP 12).
- The supervisory power to impose prudential conditions on licenses and other approvals (see CP 5-7).
- The supervisory power to sanction and fine supervisory board members and significant owners and take away their ownership rights if necessary (see CP 11).
- The supervisory power to rescind the external auditor (see CP 27).
- The supervisory power to launch resolution of a bank (see CP 8).
- The supervisory power to share information and cooperate with foreign authorities (see CP 3 and 13).

BARS has several prudential requirements stipulated in secondary regulation instead of primary law, such as prudential requirements for capital, related lending, large exposures, major acquisitions and transfer of significant ownership. See for details the respective CPs.

Comments: The system of banking supervision in BiH has a reasonable set-up with reasonably clear responsibilities for the banking agencies (FBA and RS) and the CBBH, although responsibility for financial stability is not aligned across the three institutions. BARS has an explicit mandate to safeguard financial stability whereas CBBH and FBA do not have explicit mandates for financial stability (see further CP 3). Next, both FBA and RS are in the process of adopting a new Law on Banks. This new law should address some deficiencies in the supervisory powers that should be used to enforce harmful situations of non-compliance (identifying the ultimate beneficiary owners, their holdings and insider lending). This will also impact the Law on the Banking Agency that should give the BARS the supervisory powers that are currently missing (see list above). Furthermore, the prudential requirements could be more stipulated in the primary law instead of the secondary regulation. This will increase the legal certainty and the enforcement power.

Recommendation:
- Strengthen the supervisory powers.
- Adopt new LOBA (as a consequence of the new LOB).
- Adopt new LOB.

Principle 2: Independence, accountability, resourcing and legal protection for supervisors. The supervisor possesses operational independence, transparent processes, sound governance, budgetary processes that do not undermine autonomy and adequate resources, and is accountable for the discharge of its duties and use of its resources. The legal framework for banking supervision includes legal protection for the supervisor.
Description and Findings: The independence of BARS is described in article 7 of the LOBA. It says ‘the BARS shall be autonomous and independent’. In terms of governance the managing board (MB) is the managing body of BARS and consists of five members, appointed for a period of five years (article 19). It is the responsibility of the MB to supervise the BARS’s operations. Further, it passes the statute of the BARS, passes general acts and adopts the financial plan and the financial reports of the BARS (article 20). There is an extra provision on changing the statute. It is determined that the statute shall be passed by the MB and be approved by the government. The Statute particularly establishes the organization, operational procedures, authorizations and rights and obligations of individuals (article 36). The director performs the following duties: issuing and revoking licenses, undertaking prescribed measures towards banks and other financial institutions, appointing staff of the BARS and advocating the BARS in court proceedings (article 22). Both the director and the deputy director participate in the MB but have no voting right (article 21).

The five members of the managing board, the director and the deputy director are appointed by the parliament of the RS for a period of five years, proposed by the government of RS and appointed by the National Assembly of RS (article 19). The procedure is as follows. First a selection committee of five members is appointed by the government. They offer the position in a public announcement. Then the selection committee selects candidates for interviews. Based on this, the selection committee ranks the candidates and submits the list to the government.
The LOBA has prescribed the following qualification criteria: ‘members of the board are citizens of the RS holding a university degree in economy or law, may not own, directly or indirectly, shares, stocks or debt securities in a bank or any other financial organization’ (article 25). In addition, the selection committee has qualification criteria which are not known to the assessors. Based on this list the government sends a proposal to the parliament. Different sources state that the political background seems to be important. In the BCP of 2006 a remark was made that the government had chosen not to appoint the acting director at that time, who was proposed by the appointment committee, but had appointed another person as director. According to BARS, the appointment procedure was executed in compliance with the Law on Ministry, government and other appointments of the RS. It is noticed that this person is currently still acting as Director. The assessors could therefore not test the current working of this procedure. Further, it is noticed that in the previous period (2007 – 2009) one member of the MB was also simultaneously working as Assistant Minister of Finance.

Members of the MB, the director and the deputy director may be dismissed from their duties if they do not comply with law or regulations of the BARS, if they misuse their position, if they cease to meet the requirements for appointment, if they significantly impair the reputation of the Agency with their actions, or if they submit a written resignation offering reasons (article 26). In practice, there have not been cases in the last five years where members of the MB, a director or a deputy director have been dismissed.

The director and the deputy director are responsible for their work to the MB, and to the National Assembly (article 21). The MB is also responsible for its work to the National Assembly (article 20).
Annually the BARS is obliged to submit a report on its business operations to the National Assembly of RS not later than June 30 of the current year for the previous year. It is a report on the condition of the banking system, including a report on the operations and results together with the financial statement of BARS. In addition, BARS shall deliver the same reports to the government on a semi-annual basis, not later than three months after expiration of the reporting period. The MB shall review the reports before they are submitted to the National Assembly (article 39).

The legal protection of the banking agency is described in article 7 of the LOBA as well as in article 110 of the Law on Banks for temporary administrators. It says that members of the MB, the director, the deputy director and the employees of the agency shall not be held liable for any damage arising from the performance of duties under this Law and other regulations governing the banking system, unless proved that a certain action was done or failed to be done intentionally or with negligence. This provision has been substantively weaker since 2000 and has since then been changed seven times. Missing is the legal protection for persons appointed by the BARS such as liquidators. Also missing is a provision that stipulates that employees will be reimbursed for legal processes initiated against the employees for actions conducted in good faith while implementing their duties within their authorities. In practice, there are neither court proceedings, nor disciplinary proceedings, being held against employees of the agency.

Further, there is no provision in the LOB that banks can appeal against a decision made by BARS nor is it stipulated that the court cannot suspend the decision easily. According to BARS this is stipulated in the Law on Administrative procedures. In practice, there seem not to have been cases where the court suspended the BARS’ decisions.
The BARS is directly financed by the financial sector through a fixed and variable fees structure. The fixed fee constitutes a lump sum per bank (KM 20.000) together with a percentage of total assets (0.015 percent). The variable fees constitute a fee per approval such as license, appointment, transfer of ownership. The fees are based on article 33 of the LOBA that stipulates that the management board of the BARS passes regulation regarding the level of issuance of licenses. The ‘Decision on fees for work performed by the banking agency’ determines the level of fees. There are no additional resources coming from the government or elsewhere.

The salaries and other income from the employees of the BARS are regulated by the LOBA and secondary regulation such as the rule book on salaries and other income of the BARS. BARS’s employees are not subject to provisions of the Law on Civil Services. The level of salary seems to be satisfactory. Salary is between public sector and banking sector, but closer to public sector (this difference is less for staff than for management). The staff turnover is not high. Nevertheless, the budget of the agency seems to be under pressure and there are not many variables the BARS could use. The last couple of years the agency got more responsibilities such as supervision of other financial institutions. Furthermore, there is a need for training staff in different areas in supervision such as IFRS, Basel, corporate governance, risk management, enforcement and ICT.

Comments: Under the legal framework the BARS possesses operational independence. First, the independence is explicitly stipulated in the Law on the Banking Agency. Second, the appointment procedure of the members of the MB, the director and the deputy director is, given the context, reasonably transparent (with a selection committee, open tender, proposal of government, adoption through Parliament).
Although it could be strengthened by eliminating as much as possible the political influence during the appointments as a result of an almost simultaneous appointment of the MB, the director and the deputy director, and also by making the qualification criteria of the selection committee transparent. The current director (now in her third term) was appointed in 2005 by direct interference of the government (bypassing the appointment committee). In addition, in 2007 – 2009 a board member was appointed who worked simultaneously for the Minister of Finance. Third, the governance structure of the agency is fairly balanced and effective, with clear responsibilities for the MB (adopting regulation, adopting financial plan) and the Director (issuance and revocation of licenses, undertaking measures against banks). Fourth, the budget is also clearly structured and supports independence of BARS, although the budget is under pressure because of an increase in responsibilities (supervision of foreign exchange operations, MCO and leasing) and a need for training in different areas. Further, the accountability is reasonably organized. The director and the deputy director are responsible for their work to the MB and to the National Assembly. The MB is also responsible for its work to the parliament. Annually the BARS is obliged to submit a report on its business operations to the National Assembly, and semi-annually to the government. However, appeals by financial institutions could be improved by adopting a specific provision in the LOB (and not only in the Law on Administrative procedures) to prevent the court from suspending a decision of the BARS too easily. Such a suspension could be very damaging for the banking sector, which is sensitive to early and timely intervention. In practice, there have not been such cases in RS (although there was a case in FBiH).
Although the legal framework supports operational independence, the context in which the BARS operates could become very difficult. There is a substantive interdependence between the government and the domestic banking sector (see precondition paragraph 38 and 39). That is, the government has a large amount of deposits, credit lines and capital instruments in the domestic banking sector (see further preconditions). This means that in case BARS faces a domestic bank with non-viability problems, the government has a substantive interest in how the problem ought to be solved. It appears that in such a case not only the interests of depositors, bondholders and shareholders are important, but also the interests of the government. This could put pressure on BARS in how it deals with non-viability in its pursuit of the safety and soundness of the banks.

Recommendations
- Adopt a staggered appointment of the members of the managing board, the director and the deputy director.
- Develop more granular qualification criteria and make them transparent by adopting them in the LOBA.
- Strengthen the legal protection by expanding the scope and include indemnification.
- Adopt a provision in the LOB that prevents the court from suspending too easily a decision from the BARS.
- Implement risk based supervision to save resources and build capacity.
- Invest in the quality of staff, in particular in corporate governance, risk management, enforcement, IFRS, Basel and ICT.

Principle 3 Cooperation and collaboration. Laws, regulations or other arrangements provide a framework for cooperation and collaboration with relevant domestic authorities and foreign supervisors. These arrangements reflect the need to protect confidential information.41

Description and Findings

Different laws, regulations and arrangements together form a framework for cooperation and collaboration with domestic and foreign supervisors.
Domestic

There are various bodies on different levels the BARS cooperates with:
- State level: Fiscal Council of BiH (FCBiH), CBBH, Deposit Insurance of BiH (DIA), Association of Banks (ABBiH), Financial Intelligence Unit as part of the SIPA (FIUBiH). There is no resolution authority established yet.
- FBiH: Minister of Finance (FMOF), Insurance Agency (FIA), Securities Exchange Commission (FSEC).
- RS: Minister of Finance (RSMOF), Insurance Agency (RSIA), Securities Exchange Commission (RSSEC).

The following laws (both on state and entity level) govern these bodies:
- Law on Central Bank: CBBH coordinates the agencies responsible for licensing and supervision, including monthly meetings and monthly reporting (see article 2.3e of the Law on Central Banking). It does not have a mandate for financial stability.
- Law on Banking Agency: Article 9.2-3 stipulates that BARS shall cooperate with authorities (international and national in both RSBA and FBiH) responsible for supervision of banks and other financial institutions. Articles 29-32 prescribe provisions on confidential information, such as a definition of confidential information and the terms and conditions under which BARS can disclose confidential information, and to which bodies. BARS can only sign agreements with authorities that are subject to maintaining confidential information.
- ‘Law on RS Financial sector supervision coordination committee’ (May 14, 2009) regulates the cooperation and coordination of RS Securities Exchange Commission, RS Insurance Agency and BARS by establishment of the RS Financial sector coordination committee (hereafter: the Committee). Members of the Committee are RS Minister of Finance, RS President of Securities Exchange Commission, Director BARS and Director IARS. According to article 2, it coordinates on matters related to preserving financial stability.
The Commission meets at least quarterly and is in charge of adopting a unified strategy and guidelines for financial sector development. It also identifies potential problems and (article 6). Yearly it reports to RS National Assembly on the condition of the overall financial sector. In case of any disturbances in the financial market, the Committee informs the RS Government and the RS National Assembly. There are no arrangements on informing the SCFS.

41 Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).

The following arrangements govern the cooperation and information exchange between FBA, BARS, CBBH, DIA, and FCBiH:
- FBA – BARS (June 2003): ‘Agreement on Cooperation in the Area of Supervision over Bank Operations’
- FBA – BARS (2006, March 3): ‘Cooperation Agreement’*. This arrangement encompasses direct and indirect supervision of all banks in BiH in order to apply prudential standards. This cooperation is illustrated by a number of joint efforts to establish and enhance a stable and efficient banking system, the realization of joint on-site examinations, the development of changes to the legal framework of banking supervision and the exchange of information. A joint working group of the two banking agencies prepared the BCP self-assessments of FBA and RSBA.
- FBA – BARS – CBBH (2008, June 12): ‘Memorandum and Principles of Cooperation of Bank Supervision and Cooperation and Exchange of Data and Information.’ This memorandum has the objective of conducting activities pertaining to strengthening financial stability (article 2). Further, based on this memorandum, BARS may exchange information on individual banks and supervisory issues (such as licensing or issues of financial stability), such as the information on individual banks and the banking sector, and supervisory issues (article 7).
This includes serious weaknesses in a bank’s operations as observed, which may have detrimental effects and/or undermine the future survival of the bank and impact on the financial sector, and data on capital and shareholders (article 9).
- FBA – BARS – CBBH (2013, March): ‘Internal guidelines for preparation of stress test and use of prudential instruments’.
- FBA – BARS – CBBH (2013, June 30): ‘Memorandum on Establishment of Methodology for Determination of List of SIB in BiH’
- FBA – BARS – DIA (2003, October 7): ‘Letter of Agreement.’ This agreement defines that information in continuation are to be provided to the DIA upon request. It is also stipulated that FBA and BARS share their rating system that DIA can use for its own purposes, including eligibility assessment. According to the Law on DI, a prerequisite to membership in DIA for any bank is a minimum rating of 3 on a composite basis, with no individual rating component of 5. In practice, on-site inspection reports are being shared on the basis of an unofficial agreement. However, DIA is of the opinion that they don’t have sufficient information. For instance, because DIA doesn’t receive CAMEL ratings on a continuous basis, they have set up their own rating methodology.
- FBA – BARS – DIA – FCBiH (2009, December 22): ‘Memorandum of Understanding and Establishment of the Standing Committee for Financial Stability’*. It is stated that: ‘It is the principle forum for assessing threats to financial stability, and where appropriate, coordinating or agreeing action between the parties’ (article 3).
- FBA, BARS, DIA, CBBH, FCBiH (2014): ‘Contingency plan’. This plan is a work in progress. The plan’s main objective is to safeguard and strengthen stability of the banking system by defining measures and procedures that the bank shall take independently or in cooperation with other members of the SCFS. It is stated that CBBH has to make a written request to get information from BARS (page 4).
The following arrangements govern the cooperation and information exchange between FBA and FIA, SIPA, FSEC, and ABBiH:
- FBA – FIA (2004, July 19): ‘Memorandum of Understanding’
- FBA – BARS – CBBH – ABBiH (2007, April 12): ‘Memorandum of Cooperation’
- FBA – SIPA (2007, October 1): ‘Memorandum of Understanding’
- FBA – FSEC (2014, October 7): ‘Cooperation and information exchange agreement’*.

The assessors have observed that in practice there is to a certain extent regular cooperation and information exchange. For instance, the assessors observed that the FBA and BARS don’t share their actual CAMEL rating with CBBH and only partly with DIA.

Foreign banks

RS has 10 banks, of which 6 are owned by foreign banks, including from Slovenia, Serbia, Austria, Italy and Russia. BARS (and also FBA) have formal (signed) arrangements with the Bank of Slovenia and the Bank of Serbia. There are no formal arrangements with Austria and Italy because the aspects of protection of confidential information in the Law on Banks were not aligned with EU Directives. In September 2012, the National Assembly of the FBiH amended the LOB to align it with the EU standards. The expectation is that the LOB is now in line with the EU Directive. This is informally confirmed both by EBA and the FMA. Therefore, it is expected that the Memorandum of Understanding with Austria shall be formalized soon. It is expected that BARS and FBA will contact the supervisors of Italy to formalize their cooperation and information exchange. There are no formal relations established with the supervisor of Russia, because Russia does not have a policy of information exchange with foreign supervisors, according to the FBA. In practice, information exchange with Bank of Slovenia, National Bank of Serbia and the supervisors in Austria is relatively good.
There are bilateral meetings of the highest management, participation in multilateral meetings, exchanges of quarterly supervisory letters and communication of changes in the group structure on a regular basis. Further, BARS participates in supervisory colleges in both Slovenia and Serbia, but (for several years) not in Austria and Italy. The following arrangements exist:
- Slovenia: Memorandum of Understanding; Bank of Slovenia, FBA, BARS, CBBH; November, 2001
- Serbia: Memorandum of Understanding and Cooperation in the Area of Supervision over Banks; National Bank of Serbia, FBA, BARS, CBBH; July, 2004
- Turkey: Memorandum of Understanding; Agency for Regulation and Supervision of Turkey; FBA, BARS, CBBH; June, 2009.

Further, the FBiH set up arrangements with the following countries partly:
- Croatia: Memorandum of Cooperation; Croatian National Bank, FBA, BARS, CBBH; November, 2003
- Montenegro: Memorandum of Understanding and Cooperation in the Area of Supervision over Banks; Central Bank of Montenegro, FBA, BARS, CBBH; March, 2007
- SEE: Memorandum of Understanding for the Principle of High Level Cooperation and Coordination between Supervisors of South-East Europe; Bank of Albania, Bank of Greece, National Bank of Bulgaria, Central Bank of Cyprus, Central Bank of Montenegro, National Bank of Republic of Macedonia, National Bank of Romania, National Bank of Serbia, FBA, BARS, CBBH; February, 2008.

The following banks are systemically important in RS: NLB (Slovenia), Sberbank (Austria, Russia), Hypo (Austria), Nova (domestic) and UniCredit (Austria and Italy). It is therefore important to establish arrangements with Austria, Italy and Russia.

Protection of confidential information

The protection of confidential information is arranged in articles 29 – 32 of the LOBA. It is written that the BARS will disclose information only to those stipulated in the LOBA.
This list includes both domestic and foreign supervisory authorities, courts, auditors, ministries of finance and supervisory colleges. The condition for exchange of information is a signed agreement on the cooperation and the mutual exchange of information, with a specific provision that stipulates the obligation of maintaining confidentiality and that the information is only to be used for supervisory purposes or administrative and court proceedings. However, in practice confidential information should be better protected with bodies such as the prosecutor’s office. In 2011, an incident happened after the prosecutor asked for minutes of inspection. These were given by BARS based on a formal order. However, before the minutes reached the prosecutor’s office they were given to a natural person who showed these minutes on television. It could be very damaging for BARS if banks cannot trust that confidential information will not end up in the public space.

Comments

Domestic cooperation

Cooperation and coordination in BiH is very complex due to the administrative setup of the country. Different laws and arrangements govern this cooperation and information exchange. In general, BARS shares information with FBA, CBBH and DIA to a certain extent, guided by the mentioned laws and arrangements. However, the cooperation and information exchange could be strengthened. For instance, with regard to the CAMEL rating, crucial information for understanding the risk profile of a bank, it is noticed that BARS only shares the CAMEL ratings with DIA when they issue a report of a comprehensive inspection (together with other prudential information the DIA receives from both the banks and the BARS). This means that the DIA does not have an actual understanding of the risk profile of a bank.
Despite the fact that in the MOU of October 7, 2003 it is stated that the aim is to have a joint rating system for all banks in BiH together with FBA and BARS (article 3.2.2), DIA developed its own rating system, because it doesn’t receive actual ratings from BARS (nor FBA). BARS also doesn’t share the CAMEL ratings with FBA (although several foreign banks operate both under FBA’s and in BARS’ jurisdictions). This seems to be crucial information in understanding the risk profile of the different banks and in developing a common understanding of risks across BiH. In article 7 (MOU June 12, 2008), it is even stated that the exchange of information includes the situation in individual banks, the situation in the banking sector, and supervisory issues. This includes serious weaknesses in a bank’s operations as observed, which may have detrimental effects and/or undermine the future survival of the bank and impact on the financial sector, and data on capital and shareholders (article 9). BARS also doesn’t share CAMEL ratings with the CBBH, although the CBBH receives financial indicators and other information. However, it is stated in the contingency plan that the CBBiH has to submit a written request to BARS in order to receive certain data on business operation which could negatively impact the financial system as a whole. Therefore, the CBBH may miss important early indicators. In addition, BARS doesn’t have a provision on when to share granular information (such as CAMEL ratings) with SCFS. Although it is not explicitly agreed that CAMEL ratings should be shared between different parties, it is stated that the party who becomes aware of the emergence of a potentially serious financial disturbance will inform the SCFS coordinator as soon as possible (MOU article 4.1). In addition, “all members of SCFS shall be kept fully informed of assessing systemic nature of financial crisis” (MOU article 4.3). This could be better defined.
FIU does not give feedback on the suspicious transactions reported by either banks or BARS. Hence, BARS doesn’t know what the nature of the AML risks is in the RS (see further CP 29 AML/TF). Lastly, there is no clear coordination mechanism in times of crisis. For instance, there is no institution responsible for financial stability and taking leadership in a crisis. Also, there seem to be several committees that have overlapping mandates. Financial stability is mentioned in the MoU between FBA, BARS and CBBH; in the MOU governing the SCFS; and in the Law on RS Financial sector supervision coordination committee. There is also no free flow of information between the key players: CBBH, FBA, BARS and DIA (see above). It is encouraging that the authorities attempt to set up a state-level contingency plan for BiH. See also precondition on macro prudential policy paragraph 21 and 22.

Foreign cooperation

BARS (and FBA) are close to formalizing the cooperation through a MoU with Austria and Italy. These countries are both important because the parent company of several domestically systemic important banks is seated in these countries. Nevertheless, it is important to determine whether these arrangements will ascertain that BARS receives sufficient information on the parent companies of several D-SIBs. There are no possibilities for arrangements with Russia. It is not clear to what extent the risk of not having a MoU with the supervisor of Russia is acceptable or should be mitigated.

Protection of confidential information

In the BCP of 2006 it was stated that the MOF of RS pressured BARS to disclose information on individual banks. RSBA managed to protect information. The assessors did not learn about new cases. However, there has been an incident with the prosecutor’s office when BARS provided confidential information after an official request. This confidential information became public.
Recommendation
- Simplify the arrangements between the different bodies in order to enhance effectiveness of cooperation, especially during crisis situations.
- Conduct a crisis simulation exercise in order to test the cooperation in times of crisis with events both on a state level and entity level.
- BARS should share CAMEL rating with FBA, CBBH and DIA and should determine when to share it with SCFS, and should set up a joint rating system together with BARS and DIA.
- BARS should address the lack of information feedback from the FIU.
- Formalize the MoU with the supervisors of Austria and Italy.
- Determine whether the risk of having a parent company of a D-SIB, without having arrangements with the home supervisor, is acceptable or should be mitigated.

Principle 4 Permissible activities. The permissible activities of institutions that are licensed and subject to supervision as banks are clearly defined and the use of the word “bank” in names is controlled.

Description and Findings

The term bank is defined as a legal entity performing deposit taking and credit extending activities (article 1 of the LOB). There is no definition in the LOB of a branch, a representative office, or other operational units, although it is stated that a branch and a representative office shall be established only upon a written authorization (article 17, 84 of LOB), and requirements for establishing branches and representative offices are stipulated in the Decision on Licensing. Currently, there are no foreign branches in RS, only subsidiaries of foreign banks. In addition there are branches, representative offices and other operational units from the banks in the RS and of the FBiH. The use of the word “bank” and any derivations such as “banking” in a name is limited to licensed and supervised institutions (article 2 of the LOB). Currently only the Investment and Development Bank uses the name “bank” but does not take deposits.
It manages six investment funds set up to stimulate investment and development in Republika Srpska. It has an exposure of approximately USD 1 billion. This bank is not governed by the Law on Banks of RS but by the Law on the Investment and Development Bank. It is prescribed that a bank shall obtain the legal status upon entry into the Court Registry (article 15 of LOB) and that BARS shall maintain a separate registration of each bank that has a license and publish it (article 18 of LOB). A list of the licensed banks can be found on the website of the BARS and the CBBH. The list of activities a bank can engage in is as follows: receiving money deposits or other repayable funds, making and purchasing of loans, participating, buying and selling for its own account or for account of customers, issuing and managing payment instruments, purchase and sale of securities and other activities (see article 87 of LOB). These activities are required to be explicitly specified in the banking license (see article 16 of LOB). In 2011 article 87 of the LOB (Official Gazette of RS number 116/11) was amended to give banks permission to also do insurance brokerage. It is not explicitly stated that a bank may engage in factoring or forfeiting (as is stated in the FBiH). The activities a branch can engage in are limited to receiving money deposits and extending credits (article 7 of the LOB). It is not defined what kind of activities representative offices or other operational units can engage in.

Comments

The LOB does not have clear distinctions between bank branches, representative offices and other operational offices and the activities they can engage in. There are different articles that give some kind of direction but these are not comprehensive.

Recommendation
- Define bank branches, representative offices and other operational units within RS and outside the RS (including FBiH, Brcko District and outside BH). Harmonize these definitions in the LOB with the FBiH and the EU Directives.
- Clearly define the kind of activities the different operational units (such as branches) can engage in and their (prudential) requirements (see CP 5 on licensing). This is important for accessing the EU, which uses a single passport. That means that having an approval of a bank license in another EU country will make it relatively easy to open a branch in another EU country.
- Add a provision in the LOB that stipulates that the license of a bank shall specify the banking activities that a bank is authorized to engage in.

Principle 5 Licensing criteria. The licensing authority has the power to set criteria and reject applications for establishments that do not meet the criteria. At a minimum, the licensing process consists of an assessment of the ownership structure and governance (including the fitness and propriety of Board members and senior management)42 of the bank and its wider group, and its strategic and operating plan, internal controls, risk management and projected financial condition (including capital base). Where the proposed owner or parent organization is a foreign bank, the prior consent of its home supervisor is obtained.

Description and Findings

License authority

BARS is the licensing authority. In article 5 of the LOBA it is stated that the BARS shall issue licenses for foundation and operation of banks. However, it is not explicitly stated that the BARS has the power to set criteria and impose prudential conditions or limitations on newly licensed banks.

License criteria

The LOB requires an application for a bank license to be accompanied by the following documents: founding contract, qualification and experience of Board members, amount of capital, business list of owners and data to assess soundness of founders (article 8).
A detailed description of what the different documents should contain is elaborated upon in the ‘Decision on licensing and other approvals’ (article 2 – 15), recently strengthened (May 2014). It covers not only issuing bank licenses but also approving a subsidiary, branch, representative office and other operational units in the RS, the FBiH, the Brcko District or outside BiH. Further, it is stated in article 10 of the LOB that a license shall be granted once the amount of KM 15 million has been paid, the BARS is confident that the bank will comply with law and regulations, and the projections for the future financial condition of the bank are documented. In addition, a license concerning the founding of a subsidiary of a bank whose headquarters are outside the RS shall only be granted if that bank has a banking license issued by the institution that is in charge of issuing licenses, after consultations with those authorities, and after receipt of an inspection report of the founder bank. The BARS will refuse the banking license if law, regulation or supervision hinders BARS from conducting effective supervision (article 11, 12 and 14 of the LOB).

42 This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure.
Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.

In article 10 of the LOB, it is stated that the board members have a university degree and appropriate experience (i.e., fit-and-proper). The ‘Decision on licensing and other approvals’ (article 21, 22) stipulates in detail the documents to be submitted to the BARS. However, it does not elaborate on criteria of suitability such as good reputation, adequate theoretical and practical experience, no conflict of interest, and independence. These are described in the ‘Decision on suitability assessment bank’s bodies’ (article 4-11) and the ‘Decision on diligent behavior of members of bank’s bodies’ (article 3-14). Article 10 of the LOB also stipulates that the holders of significant ownership are of sufficient financial capability and suitable business background. The “Decision on licensing and other approvals” prescribes in detail the documents to be submitted to BARS (article 17) for both natural and legal persons.

License assessment

The assessment of the license application is in practice mostly conducted by the legal affairs and general administration sector, but the supervision sector also performs analysis and presents its opinion. However, this assessment is mostly compliance based and describes the content of the submitted documents rather than conducting a substantial assessment. For instance, the last assessment of a license application in 2005 was mostly a light touch analysis of the projected financial condition (including capital base). The assessment of the suitability of the board members is also conducted by the legal affairs and general administration sector.
For this purpose, this department verifies all the information received from the bank by checking criminal records (including tax violations and fraud), calling for references, seeking contact with other regulatory bodies, using open information sources, and reviewing credit history at the credit registry. The essential preconditions necessary to do an adequate review of the fit and proper documents received are not optimal, as the BARS is mostly dependent on the due diligence of the banks and the quality of the information the banks send. It is the banks themselves that are obliged to assess (on a continuous basis) the fitness-and-propriety of board members. This means that the burden of proof is upon the respective banks. It is very difficult and time consuming to get information from different authorities (e.g., from the different cantons, entities, neighboring countries, or region). There is no connection to Interpol to track possible international criminal activities, nor is there a database on a regional level where all the supervisory antecedents of board members are recorded, such as suspensions, fines and orders. Lastly, the legal affairs and general administration sector assesses the suitability of the significant shareholders. This means that the License Department mostly verifies the documents they receive based on the LOB and the “Decision on Licensing and other approvals” and conducts a light touch analysis of the credit worthiness of the shareholder. The assessment of the significant owners in 2005 was also more compliance based than substantive. There was barely an assessment of the suitability of the ownership structure, including transparency of the group structure, identification of the ultimate beneficiary owner, the origins of his capital, his capacity to put additional capital in the bank, and assessment of his plans. Nor was there an assessment of whether the group structure would hinder effective implementation of corrective measures in the future.
Comments

License authority

The LOBA does not give BARS explicitly the power to set criteria and impose prudential conditions or limitations on a newly licensed bank.

License criteria

The licensing criteria for newly established banks are not comprehensive and focus mostly on documents submitted rather than on criteria of safety and soundness that cover suitability of the ownership structure, (group) governance (including fit-and-proper of board members and senior management), strategic and operational plans, internal control, risk management and projected financial conditions (including capital base). The same is applicable for suitability of board members and significant shareholders. It is advised to separate the license criteria from the documentation. Furthermore, the provision that the parent bank in a foreign country should be adequate and should not hinder supervision by BARS could be strengthened by requiring a formal MoU between the home supervisor and BARS.

License assessment

The assessment of a license application and of the suitability of board members and significant shareholders is mostly compliance based and could be enhanced by making it more substantial by focusing on the criteria instead of dominantly checking the documents.

Recommendation
- Initiate an amendment on the LOBA in order to give BARS explicitly the power to set criteria and impose prudential conditions or limitations on a newly licensed bank.
- Expand the license criteria in the LOB and connect these criteria to detailed procedures in the decision for licensing and other approvals where it is prescribed how to assess these criteria, including listing the minimal level and quality of documents banks are required to submit.
- Expand the fit-and-proper criteria of board members in the LOB and align these with the decision on licensing and other approvals, the decision on the suitability assessment of board members and the decision on diligent behavior of board members.
- Expand the suitability criteria of significant shareholders and address transparency of the ownership structure, the fitness-and-propriety of the shareholders and their capacity to provide additional capital.
- Enhance the assessment of the bank license and suitability of shareholders and make it more qualitative rather than formal.
- Include onsite and offsite supervisors in the substantive assessment of a license.

Precondition

- Set up a regional database to record supervisory antecedents and criminal activities of board members.

Principle 6 Transfer of significant ownership. The supervisor[43] has the power to review, reject and impose prudential conditions on any proposals to transfer significant ownership or controlling interests held directly or indirectly in existing banks to other parties.

[43] While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.

Description and Findings

Article 1 of LOB defines significant ownership as an interest of at least 10 percent of the aggregate voting right of another legal entity or bank. Importantly, the term “controlling interest” is not defined. However, article 23 stipulates that ‘no physical or legal person alone or acting in concert with one or more other persons, may acquire significant voting right in a bank, or increase the amount of his ownership of the bank’s voting shares or capital in such a way that the thresholds of 10, 33, 50, and 66.7 percent are reached or exceeded without obtaining approval from the agency’. In addition, article 23 also stipulates that a person must submit to the BARS a request for transfer of significant ownership together with information specified in the Instruction for licensing and other approvals. This implies that BARS has the power to review a proposal of significant ownership.
In the instruction on licensing and other approvals (article 17) it is specified which documents shall be submitted by legal persons and by natural persons. Legal persons shall submit their registration certificate, audited financial statements, evidence of ownership in other legal entities and outstanding debt. Natural persons shall submit passport, ownership in other legal companies, outstanding debt and evidence on competence and experience in order to not jeopardize the interest of the bank and its depositors.

BARS may reject the application to acquire or increase significant ownership on the following grounds: uncertain financial condition of the applicant, lack of competence and experience of the applicants that may jeopardize the interest of the bank and its depositors, unfair competition, unreliable information. These grounds are specified in article 25 of the LOB and article 17 of the Instruction for licensing and other approvals. This implies that BARS has the power to reject an application.

BARS does not have the power to impose prudential conditions on transfer of significant ownership such as ring-fencing, nor does it have the power to modify, reverse or otherwise address a change in control that has taken place without the necessary notification or approval from BARS (except during a receivership, article 125 of LOB). Ring-fencing means that the supervisor could take measures to minimize the risk of shareholders misusing their influence.

BARS has information on all major shareholders holding over 10 percent of shares. This information is based on a quarterly report wherein banks report their 15 largest shareholders (except the real identity of owners of shares kept by third parties such as custodians). In addition, BARS receives a complete extract from the RS Securities Central Registry with information on all bank shareholders.
Although BARS receives information on the ownership structure on a regular basis, this has proven to be insufficient in order to identify the ultimate beneficiary owners and their holdings. The assessors assessed two domestically owned banks in the RS and find that these banks have opaque ownership structures, as a result of which the BARS cannot readily identify related party lending and group exposures.

In practice, the assessment is mostly formal instead of substantially focused. It should focus on the suitability of the shareholders (transparency, significant influence, ability). An assessment of the processing of an application to acquire 36 percent of the shares in a domestic systemically important bank could strongly be improved. There was no adequate assessment of suitability of shareholder (no assessment of transparency of ultimate beneficiary owners and their holdings, no assessment of significant influence, no assessment of ability to inject additional capital). There was only a letter of intent for two years where the capital injection was done to support the existing capitalization given the risk profile of the bank, which was not an adequate assessment. The assessors understand that this is still the current practice.

Comments

The BARS has implicitly the authority to review and reject a proposal of transfer of significant ownership, but does not have the power to impose prudential conditions on natural or legal persons that hold either direct or indirect significant ownership. Although the LOB and the Instruction for licensing and other approvals specify the information that has to be submitted, these requirements are not sufficient to identify the ultimate beneficiary owner (including its holdings and origins of capital) and assess its suitability.
Furthermore, the prudential reports BARS receives quarterly only contain a list of the 15 largest shareholders (quarterly) and an extract from the RS Securities Central Registry with information on all shareholders. BARS does not have a clear picture of the ownership structure of two domestically owned banks (including ultimate beneficiary owner and its holdings) which were part of the sample. This deeply affects the identification of related party lending and group exposures, undermining the efficacy of a cornerstone of the prudential regime. Lastly, the assessment of the transfer of significant ownership is more formal than substantial.

Recommendation

- Expand the definition of significant ownership and define “controlling interest”.
- Address the difference between direct and indirect control in article 23 of the LOB.
- Increase the information requirements necessary to identify the ultimate beneficiary owner and its holdings in order to assess the suitability of the shareholders. This includes the ownership structure of the legal person up to the level of the ultimate beneficiary owner including all their holdings, the strategic orientation of the significant shareholders and possible convictions.
- Adapt changes in requirements of significant ownership in prudential reporting requirements.
- Change the threshold of 10, 33, 50 and 66 percent to 10, 20, 30, 50 percent in order to align it with EU requirements.
- Establish the power to change the ownership structure and impose prudential conditions.
- Establish the supervisory powers to obtain periodic reporting and on-site inspections information on: 1) names and holdings of significant shareholders; 2) the names and holdings of persons who exert controlling influence; and 3) the identity of beneficiary owners of shares held by nominees, custodians or other vehicles persons who exert controlling influence.
- Implement requirements on ownership structure risk based (through targeted inspection).
That means: identify those banks that have opaque ownership structures, make the ownership structure transparent including identifying the ultimate beneficiary owners and their holdings, identify the related parties and group exposures, and mitigate the risks by intervening if necessary.

Principle 7 Major acquisitions. The supervisor has the power to approve or reject (or recommend to the responsible authority the approval or rejection of), and impose prudential conditions on, major acquisitions or investments by a bank, against prescribed criteria, including the establishment of cross-border operations, and to determine that corporate affiliations or structures do not expose the bank to undue risks or hinder effective supervision.

Description and Findings

BARS has in practice the power to approve or reject major acquisitions by a bank. Article 24 of LOB stipulates that BARS must approve all significant ownership share of a bank in another legal entity. It is stated that banks are required to ask approval for acquiring ownership shares (direct or indirect) in a legal entity that exceed 5 percent of the bank’s core capital or that the sum of all participations exceed 20 percent of the bank’s core capital. It does not have a similar requirement for major investments other than an equity investment.

Article 24 also stipulates that BARS may determine restrictions on investments. It is determined that a bank cannot (directly or indirectly) have a participation in a legal entity that exceeds 15 percent of the bank’s core capital, and the sum of the participations cannot exceed 50 percent of the bank’s core capital.
In addition, it is determined that a participation in a non-financial legal entity cannot exceed 10 percent of the bank’s core capital, the sum of the participation in a non-financial legal entity cannot exceed 25 percent, and the participation in a non-financial legal entity cannot exceed 49 percent of the ownership of a non-financial legal entity. Lastly, loans granted to these legal entities shall be considered as participations and are bound to the mentioned participation rules. There are no definitions of types and amounts of acquisitions or investments that need notification.

The decision for licensing and other approvals (article 18) determines that the following documents should be submitted: court registration of legal entity, financial indicators for the legal entity, decision of the bank how the investment shall be reflected in the bank’s net capital position. Besides these document requirements, there are no criteria for assessments of individual proposals determined by law or regulation.

The assessment prior to approval, executed by both the legal affairs and general administration sector and the supervision sector, focuses mostly on the documents to be received and the impact on the capital position. The assessors did not observe explicit assessments of whether the new acquisition or investment exposes the bank to unnecessary risk (besides its impact on the capital position) or impedes efficient supervision, nor of whether the bank has sufficient resources to manage the acquisition (or investment). Further, there are also no criteria or assessment for cross border acquisitions (or investments) such as adequate flow of information necessary for consolidated supervision, efficacy of supervision in host country, and the ability to exercise supervision on a consolidated basis (see also CP 12 and 13). See also CP 16 Capital for the way these participations are deducted for regulatory capital purposes.
It is stipulated that banks do not have to deduct participations of less than 5 percent. There is also no limit on the sum of these participations in terms of deduction.

It is determined in article 28 of the LOB that status changes in a bank, mergers, acquisitions or divisions of a bank shall require prior authorization of the BARS. In addition, to obtain authorization the bank must submit to the BARS an economic justification and a plan of operations. In article 19 of the decision for licensing and other approvals it is determined which documents shall be submitted. BARS may refuse a proposal for status change of a bank based on article 29 of the LOB (and article 19.4 of the decision for licensing and other approvals) on the ground that the resulting bank would not meet the requirements regarding its capital, board members and depositors protection.

Comments

BARS has, in practice, the authority to review or reject a proposal, but this is not explicitly mentioned in the LOBA or LOB. Further, BARS has, according to the LOB, the power to determine restrictions on investment, but this is not explicitly mentioned in the LOBA. In addition, neither the LOB nor the decision for licensing and other approvals explicitly stipulates criteria that should be used to assess the proposal for an acquisition or an investment. However, the LOB does limit participations in legal entities (including non-financial legal entities) and requires banks to ask for approval, though it is not defined when banks have to notify the BARS of relatively small participations. Both the LOB and the decision for licensing and other approvals require banks to submit a set of documents. The assessment prior to approval focuses mostly on the documents to be received and the impact on the capital position.
There seems to be no explicit assessment of whether the new acquisition or investment exposes the bank to unnecessary risk (besides its impact on the capital position) or impedes efficient supervision, nor of whether the bank has sufficient resources to manage the acquisition or investment.

Recommendation

- Establish approval criteria for major assessment (similar to major acquisitions).
- Establish definitions of types and amounts of acquisitions and investments that need notification.
- Establish explicitly the power to approve and reject and to impose prudential conditions on major acquisitions or investments by a bank against prescribed criteria in both the LOBA and the LOB.
- Prescribe in the LOB criteria for approving and rejecting a major acquisition such as the criteria that an acquisition may not expose the bank to unnecessary risks or impede efficient supervision.
- Prescribe in the LOB criteria for cross border acquisitions and investments such as adequate flow of information necessary for consolidated supervision, efficacy of supervision in host country, and the ability to exercise supervision on a consolidated basis.
- Make a provision that defines that a bank is required to notify the BARS of acquisitions and investments when it is not necessary to ask for approval.

Principle 8 Supervisory approach. An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become non-viable.

Description and Findings

The BARS supervision approach includes a mix of onsite and offsite supervision activities. There is close coordination between the two areas. Stress testing to develop a forward looking perspective is not regularly used by BARS on bank specific supervision and analysis, although some work is coordinated with the central bank on a systemic view. In a contingency plan for further enhancements for supervision, an early warning system is envisioned that will aid in developing a forward looking perspective through trend analysis.

The views of BARS on the financial condition of a bank are summarized in a risk rating assigned based on an evaluation of capital, asset quality, management, earnings, liquidity and sensitivity to market risk (CAMELS). However, currently market risk is not rated due to the lack of BARS imposed requirements on banks, other than open foreign exchange position limits. Standards addressing market risk are drafted but implementation is not anticipated until January 2017.

The Banking Law (article 86) defines the bank’s obligation to perform its operations in line with the banking law, BARS’ regulations, terms and conditions and restrictions defined by its license, as well as appropriate business and accounting principles and standards. It also requires the bank to maintain adequate capital, the necessary level of liquid assets, and diversification of its assets. Article 105a requires BARS to develop procedures to monitor banks’ safety and soundness (offsite and onsite manuals).

Offsite supervision and analysis, together with onsite inspections, provide for the continuous supervision of banks. Offsite analysis enables the identification and oversight of operating risks on an individual bank basis and system-wide. The ongoing analysis is based on the CAMELS rating system. For each bank all components and risk level and trend are assessed, and an overall grade assigned.
Key risks are also identified for each bank, and based on the results of such analysis, the scope of future supervision and measures to be taken are planned. Also reviewed is information received from the “home” country supervisor, with particular emphasis on changes in group structure in terms of impact on the business and position of the local bank. Banks are required to submit to BARS an annual business plan, budget, and a capital plan. For foreign group members, future financial and capital support by parent banks is also analyzed.

BARS has developed supervisory manuals to direct its supervisory activities. The offsite manual includes: objectives, cooperation with other organizational parts, as well as detailed offsite procedures for banks and other financing organizations (MCO, saving and credit organizations, leasing companies). Banks are analyzed based on quantitative data, ratio indicators, and by comparative analysis of individual banks to peer group. Offsite analysis also takes into account qualitative factors, all available information, data, and documentation. A CAMELS grade for each component is assigned for each bank, including assignment of a composite ranking. Each CAMELS component and composite rating is rated on a scale of 1 through 5; the risk level and trend is identified, and key risks are specified for each bank. Based on the result of the analysis, the scope of future offsite supervision and priorities are defined for each bank.

The onsite inspections manual contains detailed planning procedures, which include objective, scope (comprehensive/targeted), activity planning and preparation, organization and task assignment to team of supervisors, inspection plan, as well as review of financial data from earlier inspections and their update by data from current inspection.
Inspection procedures cover capital, asset quality, bank management and administration, profitability, asset management, sources of funding and liquidity maintenance, foreign exchange, interest and price risks, audit and operating risk.

During the risk assessment of banks and banking groups, BARS takes into account the macroeconomic environment, as well as inter-sectorial developments in non-banking financing institutions through frequent contacts with their regulators.

CBBH, FBA, and BARS’ internal guidelines for stress-testing development describe the stress-test implementation process for the banking system in BiH, using a “top-down” approach, and define obligations and responsibilities of all institutions involved in the stress-test implementation process. BARS uses stress-test results, provided by CBBH, as an additional instrument for more efficient bank supervision, in terms of bank-recapitalization and financing needs.

BARS provides quarterly data on individual banks to the CBBH using a standard format and factors in its supervision various scenarios and assumptions provided by the CBBH, provides comments on assumptions of the banking sector and provides comments on the stress-test results provided by the CBBH.

Comments

The onsite and offsite activities provide BARS with an in-depth view of the banks it supervises. The information generated is adequate to document enforcement action and the quality of the loan portfolio. Increased use of stress testing would improve the development of a forward looking view of risk in the system. The current regulatory framework ensures access to the banks, their management and records to facilitate the work of BARS.

Principle 9 Supervisory techniques and tools. The supervisor uses an appropriate range of techniques and tools to implement the supervisory approach and deploys supervisory resources on a proportionate basis, taking into account the risk profile and systemic importance of banks.
Description and Findings

Annually a coordinated supervisory plan for onsite and offsite work is developed and adopted by the BARS management board. The supervisory plan is based on the following: the financial and operational position and operations of banks, particularly banks exhibiting unsafe and unsound business operations (problem banks), which are subjected to enhanced supervision.

Coordination and information exchange between onsite and offsite supervision is reflected in the following:

- Offsite analysis presents the basic elements for planning the type, scope, period, frequency, and predominant risk which would be subject of review by onsite supervision;
- Regular quarterly offsite supervision reports;
- Regular ex-post briefing upon completion of a supervisory activity by onsite and offsite departments;
- Offsite submits information and analysis to supervision team for the onsite inspection preparation phase. Onsite presents findings at internal meeting after completed activity, and submits reports and documents specifying corrective measures imposed on the bank.

Results of inspections are discussed with bank management during the inspections and some corrective actions are effected by the bank. Subsequently, BARS will send the bank a report of inspection that addresses corrective action still required. If corrections are not effected on a timely basis, enforcement action is pursued.

Based on data from regulatory reports bank reports. The report contains detailed balance sheet and income information.

Comments

Assessors were provided with, and reviewed, examples of the various supervisory tools employed. These included reports of inspection (full scope, targeted and consumer protection), offsite analysis, CAMELS rating calculations and corrective actions. Additionally, the authorities walked the assessors through the planning, execution and follow-up phases of the supervisory cycle. Plans are being developed to implement an early warning system.
Principle 10 Supervisory reporting. The supervisor collects, reviews and analyses prudential reports and statistical returns[44] from banks on both a solo and a consolidated basis, and independently verifies these reports through either onsite examinations or use of external experts.

Description and Findings

The LOBA article 38 requires banks to submit to the BARS their reports and other data observing type, scope and deadline as defined by legal provisions of the BARS. In article 106 of LOB it continues that banks are obliged to prepare and submit reports on business operations, liquidity, solvency and profitability, for itself and for subsidiaries individually and on consolidated basis, in form, contents and at such intervals as prescribed by BARS.

The prudential reports are prescribed in the ‘Decision on the form of reports which banks submit to the banking agency’. According to these decisions banks are obliged to submit prudential reports on capital, assets classification, non-performing assets, credit risk concentrations, the 15 largest shareholders of the bank, transactions with related parties, liquidity, foreign currency risk, and effective interest rate. The form of the prudential reports and the time-limits for their submission are prescribed.

BARS does not require banks to submit prudential reports on consolidated basis (see further CP 12 Consolidated supervision). There are also no requirements to submit prudential returns for country risk, market risk (except foreign exchange positions) and pillar 2 of Basel 2 (see further CP 16 Capital, CP 22 Market risk, CP 19 Country risk). FBA would like to develop a prudential report on restructured loans.

BARS states that the report with the list of the supervisory board members is submitted in original (in paper form) and with the signature of the chairman of the supervisory board, which proves that the reports are accepted by the supervisory board.
And the internal auditor certifies by his/her signature that the reports are complete and accurate. It is noted that there is no fine attached to not filing accurate prudential reports.

To determine the accuracy several controls are conducted. First, after data entry a cross table control is built in programmatically to check formal accuracy and to ensure the consistency of data in the prudential reports. Second, the off-site supervisor performs a substantive control. When inaccuracies are found, the supervisor requests corrections from the bank. When there are significant mistakes in reports or repeated mistakes, the off-site supervisor could use corrective measures. This is rarely used. Third, on-site supervisors test the accuracy of the prudential reports on site by doing cross checks between, for instance, the credit file, the general ledger and the credit registry. They compare this information with the off-site prudential reports. Fourth, recently IT supervisors joined the inspection teams to assess the general IT controls. This boosted the quality of the prudential reports. This was also a follow-up of the BCP of 2006. Fifth, the external auditor reviews annually the long form and declares that the long form is in accordance with the Law on Banks, other applicable laws and regulations determining banks’ business operations (‘Decision on the minimum scope, form and contents of the program and report on economic – financial audit of banks’). This is not the same standard as an audit opinion of a financial statement.

[44] In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.

The prudential reports (together with other special reports) are being analyzed on a regular basis.
This could be daily, weekly, monthly, quarterly, semi-annually or annually (see further CP 9). For an assessment of IAS 39 see further CP 18 Non-performing assets.

Comments

BARS collects, reviews and analyzes prudential reports and conducts several controls to ascertain the accuracy of the information. It is noted that the prudential reports are not comprehensive yet. BARS does not receive prudential reports on consolidated basis (see CP 12 Consolidated supervision), nor does it receive reports on pillar 2 capital (see CP 16 Capital), country risk exposure (see CP 21 Country risk) or market risk except foreign exchange positions (see CP 22 Market risk).

Recommendation

- Develop a prudential report on consolidated basis (see CP 12 Consolidated supervision).
- Develop several prudential reports aligned with the development of the regulation on pillar 2 Basel 2, country risk exposures, market risk and restructured loans.

Principle 11 Corrective and sanctioning powers of supervisors. The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking license or to recommend its revocation.

Description and Findings

Through a blend of onsite and offsite activities BARS performs ongoing monitoring of the banks that aids in the early detection of developing negative trends and the implementation of corrective action.
Depending on results of the analysis:

- banks may be required to submit additional data and information for further measurement and analysis of risks;
- if necessary, meetings are held with bank management and other officials/employees that have responsibility for supervising areas of concern and that will undertake measures promptly to resolve the problems and weaknesses in bank operations;
- when more serious problems and inconsistencies are ascertained in business operations, the bank, in compliance with article 125 of the Banking Law, is issued written warnings listing violations, areas in need of improvement, required corrective action and, if necessary, providing for additional reporting.

Deficiencies and violations noted during an onsite inspection (for example: internal controls weaknesses, inadequate policies and procedures or risk management or unsafe practices) are discussed with responsible persons in the bank, and in the course of the inspection recommendations are provided for correction. For those weaknesses and deficiencies that the bank is unable to address during the inspection, the decision provides written recommendations or formal orders, depending on the severity of deficiencies determined.

In the post-inspection procedure, bank compliance with corrective measures is monitored continuously, and information compiled periodically on the status of corrective action by the bank.

BARS has a number of enforcement tools to require banks to effect corrective action and address a lack of compliance with laws and/or regulations, unsafe and unsound operating practices.
BARS authority is prescribed in articles 125 and 125a of the Law on Banks and provides the authority to undertake one measure or a combination of measures prescribed (against the bank and/or members of the supervisory board and bank management and persons with significant ownership shares), specifically:

- a written warning,
- demanding that the supervisory board convene or organize a shareholders’ meeting to discuss rehabilitation measures;
- issuing a written order to correct violations of law and/or decisions (regulations) or with the objective of imposing special requirements (restrictions), for example, restriction of new exposures to credit risk, restriction of interest rates or deposit growth, suspension of members of the management and of the supervisory board;
- prohibiting the bank to conclude contracts on services with depositors (if it is determined that the contracts do not ensure protection of the rights and interests of users of financial services – Article 98 of the Law on Banks);
- cash fines (Articles 123 and 123a of the Law on Banks);
- appointing an advisor for the bank with authorities set by the Agency;
- appointing an external auditor at the expense of the bank in order to perform audit under conditions set by BARS;
- appointing a temporary manager;
- revoking the banking license (article 19 of the Law on Banks).

Corrective measures are imposed through orders for execution, and the bank may lodge an objection with the director of BARS, which does not postpone the execution of the decision. In the continued administrative procedure, the bank may initiate an administrative dispute that also, in compliance with the Law on Administrative Proceedings, does not postpone the execution of the decision (in the last five years no bank has utilized this option).
Minutes of onsite inspections performed, containing decisions (orders – corrective measures) are forwarded to the supervisory board and management of banks, including a clause that each member of the supervisory board, director and member of the management, and the management, should be informed of the contents of the minutes in compliance with their responsibilities. The internal auditor is, by the decision on the issuance of the order (corrective measure), put in charge of performing the audit of the execution of orders and submitting a written report on that to the BARS within 30 days.

Normally the initial step in requiring corrective action starts with written warnings (in offsite inspections) demanding the banks to adjust their operations with prescribed minimum standards. Additional measures used at an early stage involve written orders (decisions) that emanate from onsite inspections. BARS has imposed financial penalties on banks that failed to comply with orders (the BARS Committee for Imposing Sanction Orders, and for more severe violations, reports to the competent court). In cases involving abuse, criminal referrals have been forwarded to the appropriate prosecutors’ office. On several occasions, the BARS has appointed advisors and/or temporary managers for individual banks, and for two problem banks an external auditor was appointed to perform an asset quality audit.
In the framework of offsite supervision, BARS issues written warnings to banks (violations of the Law on Banks and/or decisions of the BARS are listed, and the banks are required to adjust their operations), and in the framework of onsite supervision, after ascertaining irregularities and inconsistencies stated in the minutes/report (comprehensive or targeted inspection), a draft decision, including written orders and deadlines for execution, is submitted to the Board of Supervision and Corrective Measures of the BARS, which prepares the final documents including deadlines. Orders have been issued for injections of capital, increase in loan loss provisioning, correcting violations, dividend prohibition, improvements in the system of internal controls, reduction of investments in fixed assets, and ensuring compliance of bank policies, procedures, and rulebooks with decisions of the BARS. BARS also has authority to impose temporary operational requirements (this corrective measure is most often used for banks under special supervision – composite ranking 4 or 5), for example:
- Prohibiting the bank from extending additional credit to related parties;
- Prohibiting payments of bonuses to members of the supervisory board and management.

Comments
The banking law provides a listing of the tools available to BARS to require corrective action from banks to address deficiencies and violations. Although the enforcement tools are listed in the banking law, neither the law nor an attendant Decision establishes a coherent enforcement action program; such a program would enhance transparency to banks, the courts and consumers on the BARS processes. Issuance of a corrective/remedial action decision would provide greater certainty to banks regarding application of enforcement action and improve the ability of BARS staff to assess appropriate corrective actions or sanctions depending on the gravity of the situation.
An appropriate remedial action program has well-defined enforcement tools that enable the regulator to apply a wide range of penalties or restrictions that can be adapted to the gravity of the situation. The program should be transparent: BARS should publish the situations under which it is likely to take supervisory action, and describe the supervisory action and the subsequent response should the institution fail to act. Internal operating procedures at BARS should be detailed and prescriptive, describing the officials responsible for initiating the action, the process to be followed starting at the field inspector level, the review process, and establishing processing timeframes. In its annual report, BARS should publish the remedial actions taken even if the name of the institution is withheld. Having a transparent, well-defined process with benchmarks and reporting will also enhance supervisory accountability. Drafting the Decision would provide an opportunity to review existing authority and assess the need for additional powers and enforcement options. Issues to be considered include:
- Additional enforcement tools. For example:
  1. Ability to impose significant fines and sanctions administratively on individual supervisory board members and controlling owners.
  2. Increase amounts of fines applicable to banks and individuals.
  3. Agency administrative powers to directly impose fines.
  4. Provide an escalating application of instruments that increase pressure gradually to achieve corrective action by publishing actions, earlier use of fines, restricting new activities/products.
- Benchmarks and mandatory fines. Having benchmarks provides transparency to banks and facilitates the application of enforcement action by the supervisor.
However, mandatory application of fines or enforcement action and sanctions because the benchmark is reached limits the ability of the supervisor to use judgment in weighing the causes and gravity of the situation. For grave violations, such as related party abuses, mandatory action may be justified as related party abuse is a common cause of bank failures. Possible benchmarks as to when enforcement action should be considered include CAMELS rating, level of capital, repeat violations of law, inaccurate or late reporting.
- Reinforce applicability of remedial action based on supervisory judgment. Enforcement action is applicable when the bank is experiencing serious problems or weaknesses in its systems, internal controls, operating policies, methods of operations or management information systems, even if those problems have not yet resulted in a change in CAMELS rating or have not been reflected in the bank’s financial performance or caused violations of law.
- Systemic contingency planning. In coordination with other system supervisors, deposit insurance fund, central bank and finance ministry, develop contingency plans on additional measures to implement if application of the remedial action program in times of economic stress would result in a systemic impact. Bank-specific recovery and resolution plans should start being discussed no later than by the time the bank is rated “4.” Plans would address costs of liquidation, insured funds, related party liabilities and any possible recovery options.

Principle 12 Consolidated supervision. An essential element of banking supervision is that the supervisor supervises banking groups on a consolidated basis, adequately monitoring and, as appropriate, applying prudential standards to all aspects of the business conducted by the banking group worldwide.45

Description and Findings
Consolidated supervision as a concept and practice has not been implemented yet in BARS. There are no definitions and no prudential requirements, either quantitative or qualitative, for consolidated supervision. Neither is BARS empowered to review overseas activities, visit foreign offices and meet with host supervisors, and limit the activities of the consolidated group and the location of the activities if necessary. The RS has 10 banks of which 6 are owned by foreign banks from Slovenia, Serbia, Austria, Italy and Russia. BARS is the host supervisor for these banks (including four D-SIBs). For the four domestic banks it is not fully clear what kind of groups they are (in terms of being a particular kind of financial or non-financial group). Further, banks in the RS are permitted to conduct different kinds of activities, such as leasing, micro finance or insurance, and to hold, to a certain extent, non-financial participations. Therefore it is important to define consolidated supervision, identify the ultimate beneficiary owner, and apply consolidated supervision.

45 Please refer to footnote 19 under Principle 1.

BARS does to a certain extent review the main activities of the parent and uses for this purpose information received from the home supervisor (see CP 13 Home-host relations).

Comments
Consolidated supervision as a concept and practice has not been implemented in BARS. There are no prudential requirements, either quantitative or qualitative, for consolidated supervision. Furthermore, BARS does not have the supervisory power to intervene in groups, including the power to require banks to submit information on a consolidated basis, the power to request and receive information from any entity in a group, the power to review the parent and associated companies, and the power to intervene in a group. Adoption of consolidated supervision by BARS is planned in the new LOB.
Recommendation:
- Define the types of entities that will fall under consolidated supervision, such as banking groups, financial conglomerates and financial holdings.
- Determine quantitative prudential requirements such as capital adequacy on consolidated basis, large exposure limits, related party limits and liquidity requirements.
- Determine qualitative prudential requirements such as prudential reporting (ad hoc and regular), fit-and-properness of owners, board members and senior managers, and risk management.
- Establish supervisory powers to intervene in groups on issues of governance, risk management, capital, liquidity and group structure.

Principle 13 Home-host relationships. Home and host supervisors of cross-border banking groups share information and cooperate for effective supervision of the group and group entities, and effective handling of crisis situations. Supervisors require the local operations of foreign banks to be conducted to the same standards as those required of domestic banks.

Description and Findings
Currently, BARS is not home supervisor because there are no internationally active banks operating from the RS. The RS has 10 banks of which 6 are owned by foreign banks. These ownerships involve several countries: Slovenia, Serbia, Austria, Italy and Russia. BARS (and also FBA) have formal (signed) arrangements with the Bank of Slovenia, the National Bank of Serbia, and the supervisor in Turkey. The following arrangements exist:
- Slovenia: Memorandum of Understanding; Bank of Slovenia, FBA, BARS, CBBH; November, 2001
- Serbia: Memorandum of Understanding and Cooperation in the Area of Supervision over Banks; National Bank of Serbia, FBA, BARS, CBBH; July, 2004
- Turkey: Memorandum of Understanding; Agency for Regulation and Supervision of Turkey, FBA, BARS, CBBH; June, 2009.
These arrangements provide for cooperation (such as joint on-site inspection, participation in supervisory colleges) and exchange of information (see also CP 3 on confidential information). These arrangements do not address cross border cooperation and coordination in times of crisis. However, BARS attends colleges in Serbia (regarding Group of Komercijalna Banka) and in Slovenia (regarding NLB Group). BARS is not invited to participate in the college in Austria, because provisions on data confidentiality in the Law on Banks were previously assessed as not satisfactory by CEBS; FMA (Austria) therefore stopped sending invitations to attend colleges. This will most likely be solved in the near future since the issue of confidentiality is solved (see CP 3). Until 2010, BARS participated in colleges of Hypo Group and Sberbank Group.

Comments
BARS currently does not have formal MOUs with Austria, Italy and Russia. It also has no arrangement to address cross border cooperation and coordination in times of crisis. Although MOUs with Austria and Italy are close to formalization, this does not mean that BARS has optimal cooperation and information exchange or is involved in crisis situations, as BiH is of less importance for these home supervisors. BARS should therefore on a continuous basis assess whether this risk is acceptable or should be mitigated. Furthermore, because there are several foreign banks systemically important.

Recommendation
- Renew MOUs with home supervisors of foreign banks in order to address cross border cooperation and coordination in times of crisis.
- Address the home/host issue beyond MOUs in the SCFS and make a strategic action plan (assess and mitigate the net risk).
- See further CP 3.

B. Prudential Regulations and Requirements

Principle 14 Corporate governance.
The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,46 and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.

Description and Findings
Article 63 of the Law on Banks prescribes the responsibilities and competencies of the supervisory board and bank management. The supervisory board of the bank is responsible for the following:
- overseeing bank operations and the work of the management;
- approving the financial statements of the management on operations upon semi-annual accounts including the balance sheet and the income statement, annual accounts including balance sheet and the income statement, as well as reports of internal and external auditor;
- appointing the management of the bank;
- appointing external auditor;
- ensuring that appropriate internal controls of the bank are established and that they are being implemented correctly;
- ensuring that appropriate internal and external audits are being performed;
- establishing necessary loan provisioning from net profits of the bank, and determining dividends;

46 Please refer to footnote 27 under Principle 5.

Decisions on Corporate Governance were issued in 2013:
1. The Decision on Diligence of Members of Bank Bodies regulates the rules of conduct of members of bank bodies in the course of the performance of their authorities, including the prevention / management of the conflict of interest, establishment of specialized boards for professional assistance and support to the supervisory board of the bank, application of professional, ethical standards and principles of corporate and social responsibility etc.
2. The Decision on Assessment of Members of Bodies (fit-and-proper) puts an emphasis on obligations of the bank to prescribe and apply criteria for the assessment of suitability of members of bank’s bodies, perform initial and continuous assessment, and ensure continuous fulfillment of criteria for suitability of members of bank’s bodies.
3. The Decision on Policy and Practice of Remuneration to Employees in the Bank regulates, inter alia, the structure of remuneration that should be harmonized with the strategy of assuming risk, corporate values and long-term interests of the bank, and should cover all components of remuneration (salaries, discretionary pension and similar benefits on individual and discretionary basis) for key categories of employees whose professional actions have a significant effect on the risk profile of the bank.

Compliance with corporate governance requirements is reviewed through onsite and offsite supervision. In the course of comprehensive or targeted inspections of management practices, corporate governance is inspected and corrective measures are undertaken if any deficiencies are identified. Procedures, processes, and checklists for supervisory reviews of inspections of operations of management bodies in banks are part of the Manual for Onsite Supervisors. Based on results from onsite inspections, inspectors assess the “M” in CAMELS and assign a grade reflecting any weaknesses in operations. Corrective action is required when deficiencies are noted.

Comments
In 2013, BARS issued decisions concerning corporate governance to align with the future implementation of Pillar 2 principles and BCP requirements. The decisions issued are comprehensive and address the major requirements of the BCPs.
Providing additional guidance to banks on BARS’s expectations would aid bank compliance and effectiveness; for example, on the inclusion of independent directors, performance assessment, formulation of corporate governance statements and disclosure by banks, and establishing personnel management programs to ensure appropriate staffing levels and orderly succession. Requirements have been established for the supervisory board to define its risk appetite and establish business plans, but the expectations of BARS on the issues to be addressed by the banks are limited. Guidance for a risk appetite statement may include quantitative metrics such as value-at-risk, leverage ratio, range of tolerance for problem loan levels, and acceptable stress test losses. The strategic (business) plan guidance may include a comprehensive assessment of current and expected risks, state the business objectives of the bank and express how achieving the objectives will affect the risk profile of the bank. The strategic plan and the risk appetite statement should balance and be supported by a robust risk management framework.

Principle 15 Risk management process. The supervisor determines that banks47 have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate48 all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank.
The risk management process is commensurate with the risk profile and systemic importance of the bank.49

Description and Findings
Article 63 of the Law on Banks and Article 3 of the Decision on Minimum Standards for Internal Controls Systems in Banks describe the obligations of the supervisory board of the bank:
- adopt and ensure the establishment of an efficient organizational structure of the bank, adopt the business plan of the bank, with clear objectives and business policy of the bank that also covers the definition (stipulation) of acceptable and unacceptable risks with responsibilities of bank management for ensuring the preconditions for identification, monitoring, and control of those risks;
- ensure that the business plan of the bank contains strategic and operational plans;
- ensure that the business plan of the bank is clear and precise in defining the lines of competencies and responsibilities, as well as the system, i.e., lines of reporting;
- ensure that the governance levels of the bank are continuously monitoring and controlling the execution of functions of lower levels of the bank.

Provisions of current decisions on risk management (credit, liquidity risk, operational and other risks) establish the obligation of the supervisory board to adopt an adequate risk management program for each area of operations. The program must include policies in line with the contents and objectives of the business policy, as well as conditions in the economic environment. Procedures for risk management have to be proportional to the size and the complexity of the bank. Banks must periodically analyze, update and adjust their program, policies and procedures to the risk profile and market demands.
Decisions addressing risk management require banks to develop written policies that define the level of risk that the bank is willing to assume, set levels of authority for risk assumption approval, limits for concentration of risk exposure, at least in compliance with the law and the limits prescribed by BARS (for individual clients / depositors, a group of connected counterparties, individual branch of industry, individual geographic region, individual bank or group of banks in line with its / their investment ranking, individual foreign country or class of countries, individual type of securities, maturity and form of instruments).

47 For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.
48 To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents.
49 It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.
Article 80 of the Law on Banks defines the responsibility of the director of the bank to implement the program and the policies of the bank, establish lines of communication that ensure timely information of lower levels of management and bank executives on policies and procedures for risk management, and to supervise, control, and ensure their application. Each of the current decisions individually (depending on the risk covered) also defines the obligation of management to ensure development and establishment of appropriate reporting systems (with appropriate information technology support) that facilitate efficient analyses, cautious and successful management, as well as control of existing and potential exposures of the bank to risks (i.e., each risk individually). Supervisors assess whether internal policies and procedures of the bank are:
- sufficiently comprehensive (covering all the risks of the bank);
- adjusted to the risk appetite and whether the capital of the bank is supporting the risk assumed in operations;
- inclusive of the risk that results from the macroeconomic environment and whether they are updated in a timely manner in compliance with changes in the macroeconomic environment;

In the course of onsite inspections it is assessed whether the bank management is implementing the adopted strategic plan, policies and procedures, and whether the supervisory board of the bank is efficient in supervising the operations of the management.

Comments
BARS has not issued detailed regulations concerning interest rate risk in the banking book, market risk and country risk, and does not apply capital requirements to those risks. While BARS has issued risk management decisions for many specific risk areas, it has not issued an overarching decision on risk management for the bank as a whole.
The planned implementation of Basel II and Pillar 2 provides an opportunity to address risk management and corporate governance in a holistic way and to incorporate requirements into the Internal Capital Adequacy Assessment Program (ICAAP) requirements. Work is already underway to address these areas. The risk management standards should address the roles of the “three pillars of defense”: internal controls, internal audit and independent risk management. Internal risk management should identify and assess, on an ongoing basis, the bank’s material aggregate risk, for example, through an internal loan review system that reviews, evaluates and confirms the risk rating of loans. This work is independent of the credit granting function. The function establishes risk limits that reflect the supervisory board’s risk appetite, ensures that operating policies limit aggregate risk within the bank’s established framework, and reports to the supervisory board on risk-assuming units that are not adhering to Board policy. BARS should differentiate between the role of risk management and internal audit. Internal audit is not a permanent function and its activities and scope will vary annually. Internal risk management is an ongoing function that reviews risk taking functions to ensure that they are in compliance with supervisory board policies.

Principle 16 Capital adequacy.50 The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.
Description and Findings
Article 90 of the Law on Banks requires banks to maintain shareholders’ capital and net capital at least at the level of KM 15 million and 12 percent of total risk-weighted assets. The law also establishes that:
- if the amount of capital is lower than the minimum levels prescribed by the Law, BARS may revoke the license of the bank (Article 19); and
- if capital declines below 6 percent of risk weighted assets, BARS may introduce temporary management in the bank (Article 108).

Additionally, if the bank receives a rating of 4 “C” in CAMELS, the bank is placed under continuous oversight, and subject to formal enforcement action. Under Article 17 of the Decision on Capital, BARS may impose capital requirements that exceed the minimum prescribed under the Law, depending on the assessment of risks present in the bank operations, as well as the assessment of management of that risk. The structure of capital in banks is defined under the Decision on Capital, as follows:
- Articles 7 and 10 define net capital as the sum of core capital and supplemental capital, reduced by items deducted from capital;
- Article 8 defines core capital as the sum of items in capital that are, unconditionally, fully, and without restrictions, at any moment in time, at the disposal for absorbing losses, and are subordinated to all other liabilities of the bank, reduced by regulatory adjustments, i.e., items being deducted from core capital;
- Article 9 defines the items that meet conditions for being allocated into supplemental capital of the bank.

Articles 11 and 17 of the Decision on Capital require banks to maintain net capital at the level of 12 percent of risk-weighted assets. For operational risk the basic indicator method is in place. Although a decision on market risk has been adopted to determine capital requirements, it has not been implemented.
On the basis of quarterly offsite reports, BARS monitors compliance with the law and decision on capital adequacy. BARS has adopted a strategy for the implementation of Basel II/III. Currently credit risk weighted assets are mostly in compliance with Basel I (differences between current risk-weights and Basel II are listed in Appendix III). Weighted operational risk is being calculated according to the basic indicator approach, which is, to a significant extent, in compliance with Basel II. In 2014, amendments and addenda were executed to the Decision on Capital, with the objective of strengthening the structure of capital, introducing protective layers for capital conservation, restraining the rate of financial leverage, and the highest possible level of convergence with the requirements of Basel III (and adoption of deadlines for harmonization with new requirements). Adoption of this Decision is a transitional solution until full implementation of Basel II/III, in compliance with the Strategy. Article 17 of the Decision on Capital establishes BARS authority to impose special requirements on capital that exceed the minimum stipulated under the Law, depending on the bank risk profile and risk management.

50 The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.

Comments
Since the last assessment, BARS has been conducting an implementation of Basel capital standards. A plan for the full implementation of Pillar 2 and ICAAP is being developed and expected to be completed in late 2014. A capital charge for market risk is not currently in place.
The capital adequacy regime currently in place is a hybrid of Basel I and incorporates the definitions of core capital elements from Basel III. Implementation of other adjustments is as follows: Under the provisions of the Decision, harmonization periods by individual items are as follows:
i) Implementation of the capital conservation buffer as of December 31, 2016, and counter-cyclical buffer for systemic risk within the deadline which would be introduced, as necessary, and the period of harmonization prescribed by a special decision of the FBA;
j) reducing the amount of loan loss reserves included in supplemental capital to 1.625 percent by December 31, 2015, and 1.25 percent by December 31, 2016;
k) allowable revaluation reserves to be amortized and extinguished by December 31, 2016;
l) implementation of requirement to depreciate subordinated debt in the last 5 years to maturity date - December 31, 2015;
m) amount of bank’s supplementary capital cannot be:
   - more than one-half of the core capital, beginning on December 31, 2015, whereby the core capital referred to in Article 8 of this decision is at least 8 percent of total risk of assets,
   - more than one third of the core capital, beginning as at December 31, 2016, whereby the core capital referred to in Article 8 of this decision is at least 9 percent of total risk of assets,
n) ensuring and maintaining a leverage ratio, at least 6 percent, starting on December 31, 2015;
o) banks which, due to changes in the structure of the core and supplementary capital, in the process of harmonization, become noncompliant with concentration limits will need to correct the violation by December 31, 2015;
p) calculation of capital requirements for market risk will apply when the secondary regulations that prescribe capital requirements and methodology for calculating capital requirements for market risk enter into force.
Principle 17 Credit risk.51 The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk52 (including counterparty credit risk)53 on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.

Description and Findings
Articles 3 and 4 of the Decision on Minimum Standards for Credit Risk Management and Classification of Assets (revised 2013) define the obligation of the supervisory board and bank management to adopt, maintain, and develop a comprehensive program including appropriate policies and procedures for credit risk management. The supervisory board must ensure full compliance with the program, manage the maintenance of an acceptable level of credit risk for the bank, and ensure the implementation of adequate control and audit in that area. Bank management is under obligation to design, develop, and present to the supervisory board in a timely manner proposals for the implementation of the programs including policies and procedures for credit risk management. The decision also sets requirements for reporting to the supervisory board and BARS on significant credit activities, structure, and quality of the credit portfolio, as well as on performance in implementation of the program for credit risk management in the bank.
Pursuant to article 5 of the Decision on Minimum Standards for Credit Risk Management and Classification of Assets in Banks, depending on the nature and complexity of the loan portfolio, the program for credit risk management has to contain the following:
- defined policies for identification of credit risk and the management of that risk;
- procedures for assessment of credit applications;
- procedures for approvals of credits, including necessary documentation, monitoring, subsequent inspection, as well as reporting and collection.

Article 6 of the same decision prescribes that the program for credit risk management has to reflect the bank’s loan portfolio mix and risk level and must establish risk limit controlling parameters, and establish written policies. The policies must address:
- the risk appetite and management of that risk;
- loan portfolio mix;
- lending approval authority levels and provisioning requirements; and
- concentration limits for individuals, connected lending, geographic regions, industries, country risk and collateral.

On the basis of quarterly reports submitted, continuous offsite supervision of asset quality is performed, with special emphasis on the credit risk of each individual bank, as well as of the banking sector.

51 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
52 Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities.
53 Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.
The offsite inspector focuses on the most significant items specific for individual banks, which represent the basis for assessing levels and trends: quality of assets and adequacy of loan loss provisioning, nonperforming assets, credit risk concentration, and exposures by sector, contagion risk, compliance with laws, and decisions. One of the basic aims of offsite supervision is the early detection of problems or potential risks, as well as issuance of written warnings, including deadlines for addressing noncompliance. Onsite inspections include an assessment of relevant policies, practices, and procedures and compliance with the decision.

Comment

A detailed decision has been issued covering credit risk management and the duties of the Board to develop policies and procedures to manage credit, setting the focus of lending and the acceptable risk levels, internal loan review and reporting to the Board, responsibility of internal audit, and lending limits. Compliance with the decision is monitored through onsite and offsite supervision. Copies of reviews of banks’ loan portfolio were shared with assessors.

Principle 18 Problem assets, provisions and reserves.54 The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.55

Description and Findings

The supervisory board is required to adopt written policies and procedures to measure, monitor and establish risk parameters for the loan portfolio (Article 63 of the Law on Banks). The Decision on Minimum Standards for Credit Risk Management and Classification of Assets in Banks (articles 3 and 4) defines the obligation of the supervisory board and management to adopt, maintain, and develop programs, policies, and procedures for credit risk management.
Article 14 defines nonperforming assets as: past due principal and/or interest for longer than 90 days from the date of their initially contracted maturity (classified in categories C, D, or E). Pursuant to article 1 the bank must also, regarding the implementation of IAS and IFRS, as well as other accounting and audit standards in RS, adopt and apply adequate internal methodologies for valuing loans and other financial assets. Minimum requirements for risk management are stipulated in the Instructions on Amended Method for Forming, Recording, and Reporting Disclosure of Loan Loss Provisioning.

The supervisory board is responsible for ensuring the structure to support the separation of credit granting functions and the collection, restructuring and write-off of uncollectible loans. Management is required to implement loan review systems to monitor and control the mix and quality of the portfolio, ensure the proper classification and provisioning of the loans, and ensure proper reporting to the supervisory board and BARS on the quality of the loan portfolio (at least quarterly).

Articles 13, 15, and 16 of the Decision on Minimum Standards for Credit Risk Management and Classification of Assets in Banks require that banks perform regular reviews, careful assessment, as well as classification of each individual credit, and maintain a list of individual nonperforming loans. Loans must be classified, at least on a quarterly basis, into the corresponding risk category.

54 Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.
55 Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).
The supervisory board is under obligation to ensure that the bank management forms the necessary provisioning depending on the risk assessment of the loan quality (article 22 of the aforementioned decision). Pursuant to the Instructions on Amended Method for Forming, Recording, and Reporting Disclosure of Loan Loss Provisioning, banks are under obligation to establish and apply an internal methodology for measuring and grading the value of credits. Loans in excess of 10,000 must be reviewed individually, and smaller loans may be reviewed on a portfolio basis.

The inspection assessment of bank policies and procedures for classification and provisioning, as well as making a determination on the adequate level of loan loss provisioning, is performed by onsite inspections and by external audit. Procedures for assessing the loan portfolio are detailed in the manual for onsite inspection. The manual provides procedures for evaluating the adequacy of policies, procedures, and practices in credit risk management, which includes the assessment of asset classification.

BARS takes into account the opinion of the external auditor, but the final assessment on the policies and procedures of the bank, as well as on the adequate level of provisioning is made on the basis of the review performed in the course of the onsite inspection. On the basis of a specified sample selected in advance, a detailed review is performed of individual loans and the adequacy of provisioning on the part of the bank is ascertained, and if any deficiencies are identified, corrective measures are ordered.

Pursuant to Article 6 of the Decision on Minimum Scope, Form, and Contents of Programs and Reports on Economic and Financial Audit of Banks the external auditor is under obligation to make an assessment of the quality of bank assets in compliance with the Decision on Minimum Standards for Credit Risk Management and Classification of Assets in Banks.
Annually, after the external audit is performed, the BARS receives a report on the audit of the financial statements of the bank and other supporting documentation from the auditor, such as the management letter, which may be taken into account when providing assessments on the adequacy of policies and procedures of the bank.

Comments

Based on a review of onsite inspection reports and other independent reviews, deficiencies in provisioning were identified. Currently banks are required to provision based on both IAS and prudential standards. Loan loss provisioning for prudential requirements is based on defined categories: Category B includes loans 90 days delinquent, Category C includes loans up to 180 days delinquent and Category D up to 270 days. As was highlighted in the 2006 BCP review, the threshold of delinquency for each category is too long. Additionally, provisioning ranges were considered too broad. Examples were provided to the assessors of cases where BARS required banks to increase the level of provisions.

Training, as needed, should be provided for BARS staff on IAS to aid in discussing with bank management: their assumptions on impairment, discounting to present value methods employed and to review the valuation of collateral. BARS standards detailing its expectations on factors to be considered in establishing discount rates, loss rates, considering macroeconomic events that may alter historical loss levels; issuing guidance on standards for real estate valuations, haircuts based on: selling and foreclosure costs, current market situation and factors to be included in the instructions to the appraiser would enhance provisioning under IAS.

Under the current scheme, the prudential standard serves as a floor and if IAS yields a lower provision, banks must deduct the difference from regulatory capital. However, this is not a transparent process since it is not reflected in the banks’ published financial statements.
Principle 19 Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.56

Description and Findings

Articles 3, 4 and 13 of the Decision on Minimum Standards for Managing Risk Concentration in Banks prescribe the obligation of banks to adopt procedures including policies for risk concentration management in banks, procedures for risk concentration monitoring in banks, as well as plans for current and future needs for capital relating to such concentrations. Article 5 defines all balance sheet and out of balance sheet items that are included in total exposure to credit risk in the bank towards one beneficiary or a group of connected counterparties. Pursuant to article 12 banks must establish adequate information systems for monitoring and managing risk concentrations. The information management systems, monitoring, and reporting in connection with concentration risk, as well as compliance with prescribed regulations, are reviewed in the course of onsite inspections of banks.

Articles 3, 4 and 13 require banks to have in place procedures, and policies addressing risk concentration management and establishing limits that at a minimum comply with regulatory requirements. The supervisory board and management must regularly review and update at appropriate intervals, at a minimum semi-annually, the policies and procedures. Quarterly, the banks report to BARS on significant concentrations of risk, i.e., large exposures to credit risk, their composition, and form.
Assessment of compliance of adopted internal enactments with legislated restrictions, quality of adopted internal enactments relating to credit risk concentration management, compliance and application of adopted internal limits, quality of records on mutually connected persons and persons affiliated with the bank, and reports that are submitted to the management and the supervisory board of the bank relating to risk concentrations, are all inspected in the course of onsite inspection. If the risk profile of the bank is such that significant risk concentrations are present, the agency may demand that the bank introduce stricter limits as well as increase capital in order to reduce risk concentrations.

Article 10 of this decision restricts the sum of all large exposures to credit risk (sum of exposures that exceed 15 percent of core capital - pursuant to Article 91 of the Law on Banks and this Decision) to 300 percent of core capital.

Comments

The banking law is in process of revision by which the maximum exposure to single counterparties or group of counterparties would be 25 percent of the core capital of the bank (instead of the current 40 percent), and there is also ongoing preparation of a draft decision - Decision on Large Exposures of Banks, which would also enable compliance within the implementation of the strategy. Also, under consideration are criteria for implementation of bottom-up stress testing by the banks.

Concentration of assets is a recurring issue at domestic banks. It is recommended that enforcement be increased in this area to encourage banks to correct violations and establish adequate monitoring procedures and proper identification of connected parties.

56 Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.

Principle 20 Transactions with related parties.
In order to prevent abuses arising in transactions with related parties57 and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties58 on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.

Description and Findings

Article 1 of the Law on Banks provides the definitions:

Related parties are two or more legal and/or physical persons who individually or jointly have: direct or indirect control over the supervisory board, bank management, or a significant ownership interest, or who act together on establishing a significant ownership interest with the objective of exerting influence over bank operations;

Related banks: one or more banks that share one or more members of the supervisory boards or have ownership in common in one and the same legal or physical person at least 10 percent of their common shares in the ownership of the shareholders.
Article 100 of the Law on Banks defines that the following persons are treated as related parties:
• president and members of the supervisory board, members of the management, members of the audit committee, and members of their immediate families up to the third degree of kin or by marriage, or persons living in the same household or have mutually connected or joint investments;
• persons with significant ownership interest in the bank and members of their immediate families up to the third degree of kin or by marriage, or persons living in the same household or have mutually connected or joint investments;
• legal persons with common shares, preferential shares, and voting rights in the bank;
• legal persons in which the bank holds significant ownership interests;
• legal persons in which significant ownership interests are held by the same legal or physical persons who hold significant ownership interest in the bank;
• legal persons in which the holder of a significant ownership interest, a member of the supervisory board or management are one of the persons referred to under items 1 to 5 of this paragraph;
• related persons, as well as related persons of shareholders of the bank.

The agency has adopted the Decision on Minimum Standards for Bank Operations with Persons Affiliated with Banks.

Pursuant to article 6 of the Decision on Minimum Standards for Managing Risk Concentration in Banks, two or more beneficiaries comprise a group of connected counterparties when due to their mutual relations the exposure of the bank towards them represents a single exposure to credit risk, i.e., when one of them has, or more of them, mutually, have direct or indirect control, and when financial difficulties with one of them or more of them may cause financial difficulties with the others, too. Relations that represent grounds for identification of a group of connected counterparties are the following:
• common and/or mutual ownership and/or co-ownership;
• ownership or co-ownership with members of immediate family;
• common members of the supervisory board or the management;
• mutual crossed guarantees provided;
• direct manufacturing and/or commercial and/or financial links and inter-dependencies.

Banks must treat the following as the total exposure to credit risk towards one beneficiary:
• sum of individual exposures to a group of connected counterparties;
• sum of exposures of credit risk towards related parties taking into account that legal persons with at least 5 percent of the total number of shares (common and/or preferential), persons referred to in Article 1 of the Law on Banks, and related parties of shareholders with at least 5 percent of the total number of shares shall be treated as persons affiliated with the bank.

The definition of related parties is provided very broadly and BARS makes a final formal assessment and determination on related parties, and corrective action required to ensure full identification of related parties.

57 Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.
58 Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.
Article 100 of the Law on Banks states that in the course of executing operations with related parties, a bank cannot offer more favorable terms than those offered to those not related to the bank. Article 3 of the decision states that banks may perform transactions with related parties only pending prior approval of the supervisory board or another body appointed by the supervisory board, and that a related party that is a member of the supervisory board cannot participate in the voting in the course of decision making on business transactions between the bank and itself or another person affiliated with it. Article 64 of the Law on Banks states that the president and members of the supervisory board cannot decide on issues that concern relations between the bank and other legal persons in which they have a direct or indirect financial interest.

Limits for exposure towards related parties (physical persons) are stipulated in the decision (1 percent of core capital towards a related physical person and 10 percent towards all related physical persons). Article 96 of the Law on Banks prescribes that banks must neither deposit funds, grant credits, nor perform investments in one related bank in a total amount exceeding 25 percent of core capital, nor in all related banks in an amount exceeding 40 percent of its core capital.

Total exposure to credit risk towards all persons related to the bank is treated as total exposure towards one beneficiary, for which the maximum exposure is up to 25 percent of the amount of core capital (has to be covered with collateral for amounts exceeding 5 percent of core capital), while for exposure secured with high quality collectable collateral, i.e., first rate collateral the limit is up to 40 percent of the amount of core capital (Article 91 of the Law on Banks and article 8 of the Decision on Minimum Standards for Managing Risk Concentration in Banks).
Article 10 of the Decision on Capital defines that in the course of calculation of net capital, items deducted from capital are also all receivables from shareholders who own a significant ownership interest in the bank (exceeding 10 percent of shares with voting rights) approved by the bank in contravention with the Law on Banks, decisions of the Agency, or operational policies of the bank, and all exposures of the bank to credit risk (exceeding 15 percent of core capital) towards shareholders with a significant ownership interest approved in the absence of prior consent of the Agency. Limits for exposure to related parties are prescribed at the same level or are more stringent compared to other beneficiaries, and minimum standards for required collateral are equal for all beneficiaries.

Comments

Related party violations are often addressed in reports of inspection. The causes for violations include improper recordkeeping, failing to identify related parties, and exceeding borrowing limits and nonperforming related party loans. Related party violations are serious and stricter penalties should be considered when violations are identified and particularly when they recur.

Principle 21 Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk59 and transfer risk60 in their international lending and investment activities on a timely basis.

Description and Findings

The existing regulatory framework does not stipulate, in detail, requirements for banks regarding country and transfer risk. There is no obligation for banks to adopt policies and procedures on this risk. Elements of country and transfer risk management are partially covered under the Decision on Minimum Standards for Credit Risk Management and Asset Classification, and the Decision on Minimum Standards for Foreign Currency Risk Management.
In addition, the requirement concerning country risk is partially incorporated through the existing Decision on Capital (in the course of calculation of risk weighted assets). Article 6 of the Decision on Minimum Standards for Credit Risk Management and Asset Classification defines that banks are under obligation to adopt and implement policies, and procedures for credit risk management that, inter alia, have to cover reasonable and conservative limits for concentration of bank exposure towards individual geographic regions and individual countries or classes of countries. Internal limits established cannot be lower than the ones prescribed under laws or bylaws of BARS.

The agency is, on the basis of available offsite reports and additional reviews submitted by banks, monitoring banks’ exposures on nonresidents and on securities bought from foreign central governments. In the course of all comprehensive or individual targeted onsite inspections, all contracts on bank investments abroad are reviewed in detail, as well as files of all purchased securities of central governments of other states, and more significant exposures under credits and out of balance sheet exposures towards nonresidents.

BARS plans to adopt requirements for country risk as part of implementing the Strategy.

59 Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporates, banks or governments are covered.
60 Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.)
Comments

There are no issued standards for provisioning for country risk and existing regulatory requirements only partially treat the management of country and transfer risk. In the process of compliance with international regulatory requirements, activities have been initiated to draft decisions regulating the requirements for country and transfer risk management by the banks. The target date to complete these activities is the end of 2014.

Principle 22 Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.

Description and Findings

The Decision on Minimum Standards for Market Risk Management in Banks dating from 2007 prescribes minimum standards for market risk management in banks. The subject decision was drafted in line with the Amendment for Capital Requirements that Include Market Risks dating from November of 2005. Harmonization with the subject decision, i.e., the deadline for its implementation has been postponed several times, and, at the end, in view of the fact that there have been changes in the international regulatory framework, as well as the fact that banks in RS do not have a significant level of market risk exhibited, it was decided, in coordination with FBA, to postpone the implementation of the subject decision and incorporate implementation into the framework of the capital strategy.

Pursuant to the draft Decision on Calculation on Capital Requirements for Market Risk (which, according to the plan, enters into force on January 1, 2017) capital requirements for market risk shall be calculated by applying the standardized approach.
Comments

The particular decision which regulates the minimum standards for market risk management in banks, adopted in 2007, has not yet been implemented, taking into account the need for compliance with the international regulations and the fact that the market risk exposure in the banking sector is not significant. Within the implementation of the BARS strategies, necessary actions have been taken to prepare a new decision on the bank capital calculation, which is currently being drafted, and its implementation is planned to start from January 1, 2017.

Principle 23 Interest rate risk in the banking book. The supervisor determines whether all banks have adequate systems to identify, measure, evaluate, monitor, report and control, or mitigate, interest rate risk61 in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.

Description and Findings

The existing regulatory framework does not establish any regulatory requirements for interest rate risk management in the banking book nor is there an obligation for banks to adopt policies and procedures.

The Decision on Minimum Standards for Market Risk Management in Banks covers the obligations of banks regarding the measurement of interest rate risk, but that decision has not been implemented. BARS, within the framework of implementation of the Strategy, will draft the regulatory framework regarding Pillar 2 that will incorporate interest rate risk in the banking book.

61 Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22.
The decision will require establishing a system for the management of interest rate risk in the banking book which would be appropriate for the type, scope, and complexity of operations and in compliance with the risk profile of the bank, and which would cover significant sources of interest rate risk. The decision would also establish the system of reporting on exposures to interest rate risk in the banking book, as well as the obligation of the bank to perform stress testing.

Comments

Work is underway to develop regulatory requirements for interest rate risk management in the banking book, to harmonize with international standards and Pillar 2. It is anticipated that activities on preparing the Pillar 2 requirements will be completed by the end of 2014.

Principle 24 Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.

Description and Findings

Procedures for monitoring liquidity risk are outlined in the manuals for onsite and offsite supervision. The supervisor determines whether the bank has implemented a strategy that aids in the prudential management of liquidity risk and compliance with liquidity requirements. Offsite supervision monitors and analyzes financial and other reports that are submitted by the banks.
Banks submit reports electronically and the department performs prior inspections of accuracy of contents of the reports, which are then placed in the information database of the BARS.

Pursuant to the Law on Banks, article 90, and Decision on Minimum Standards for Liquidity Risk Management in Banks, article 6, banks are under obligation to comply with requirements for liquidity:

1. maturity matching of assets and liabilities, where banks have to:
• invest at least 85 percent of assets with maturities of up to 30 days into investments with maturities of up to 30 days;
• invest at least 80 percent of assets with maturities of up to 90 days into investments with maturities of up to 90 days;
• invest at least 75 percent of sources of assets with maturities of up to 180 days into investments (asset instruments) with maturities of up to 180 days.

2. Pursuant to the decision on liquidity, bank policies should address the diversification of funding sources, and stability of those sources. BARS monitors, through reporting, the 15 largest depositors of the bank on a quarterly basis.

3. Maintenance of average ten-day liquidity in cash assets at the level of at least 10 percent of the amount of short-term funds but not less than 5 percent on any given day.
Pursuant to the provisions of the Decision on Minimum Standards for Liquidity Risk Management, banks must meet the following regulatory requirements:
• supervisory board of the bank has to ensure that the bank has, and that it implements, an appropriate program for liquidity risk management, which also includes liquidity policies, which it is under obligation to analyze periodically and adjust to changes in economic and market related conditions;
• bank management has to prepare and submit to the supervisory board proposals for programs and policies for liquidity risk management;
• procedures to assess current and projected liquidity needs;
• design and establish reporting systems for supervisory board;
• bank management plans for contingent situations and shocks that may pose a threat on bank liquidity;
• bank policies have to identify sources and scope of liquid assets that are necessary for ensuring continuous and stable operations;
• the bank has to define, apply, and continuously develop detailed and efficient procedures for monitoring, inspection, and management of bank liquidity, which have to correspond to the size and complexity of the bank, policies for liquidity management, and information management system, as well as to investment policy;
• the bank has to appoint a person responsible for liquidity management and inform the BARS on his appointment;
• the bank has to establish an information management system that is adequate for the needs of the bank in liquidity management;
• the system of liquidity management of the bank has to be subject to continuous and periodic inspections by internal controls and internal audit of the bank.

The banking sector in RS does not contain any banks that have their banking subsidiaries in other states.
Some of the banks in RS are members of groups of international banks, however the banks are under obligation to apply local regulations, and international banks support them from the aspect of maintaining their liquidity positions.

Comments

As part of implementing Basel III, the FBA will analyze the existing regulatory framework and adopt: the liquidity coverage ratio - LCR, and the Net Stable Funding Ratio, NSFR, as an obligation for regularly conducting liquidity stress tests by banks.

Principle 25 Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk62 on a timely basis.

Description and Findings

Article 3 of the Decision on Minimum Standards for Operational Risk Management in Banks requires banks to establish:

1. policies and procedures for operational risk management that:
• identify existing potential sources of operational risk (OR) and sources that may onset upon introducing new operating products, systems, or activities;
• measure OR, by performing accurate and timely assessment of that risk;
• continuous control of OR with the objective of maintaining this risk on a level acceptable for the risk profile of the bank;
• ensure continuous monitoring of OR by analyzing the stock, changes, and trends of exposure of the bank to that risk; and
• establishment of the amount of the minimum adequate capital for protection from onset of losses on the basis of OR;
2. clearly defined authorities and lines of responsibilities in the process of assuming and managing OR;
3. a system that ensures that all employees of the bank are informed of their obligations in the process of OR management;
4. a system for regular reporting of the supervisory board and bank management on the functioning of the system for OR management; and
5. obligation of periodic reexamination, as well as the obligation of the supervisory board of the bank to perform, at least once a year, analysis and adequacy assessment of the system established for OR management.

Under Article 4, on identification of potential sources of OR, banks must identify risks that result from:

1. inadequate information management and other systems in the bank;
2. disturbances in operations and malfunctioning in the systems, such as malfunctions related to information technology, telecommunication problems, interruptions in work;
3. problems with the adequate integration or sustainability of information technology and other systems, in case of development of a network of different organizational parts and/or status changes in the bank;
4. illegal and inadequate conduct of employees of the bank, such as fraud and unauthorized access to client accounts, abuse of confidential information, provision of false or incorrect information on the condition of the bank, tardiness in performing tasks, errors in data entry, failure to comply with good business practices in work, etc;
5. acting or failing to act that may cause or have caused court and other disputes against the bank;
6. external illegal actions, such as robberies, unauthorized entry into the database of the bank, including unauthorized utilization of ATMs, unauthorized transfer of assets, illegal acquisition of bank documents, etc;
7. damages to physical assets and events that cannot be anticipated, such as natural and other disasters, terrorism, etc.

62 The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
In addition, banks are under obligation to determine capital requirements for operational risk according to the basic indicator approach and to record all losses and form a database of them. With regard to capital requirements for coverage of losses, BARS has, since 2009, been implementing minimum standards for operational risk management – basic indicator approach (bylaws – decision and regulatory reporting). Additional upgrading and introduction of a more advanced approach – standardized approach for calculation of capital requirements for operational risk – are planned under the Strategy.

The BARS determines whether the banks have an adequate framework for operational risk management, which includes their appetite for risk, risk profile, and market related and macro-prudential conditions. That implies prudential policies and processes for timely identification, assessment, appraisal, monitoring, reporting, and control or mitigation of operational risk. In the course of a comprehensive (scope) onsite inspection, operational risk management in banks is inspected, i.e., assessment and application of policies and procedures of the bank for identification, measurement, management, and control of exposure to operational risk; organization and defined authorities and lines of responsibilities in the process of taking over and management of OR; existence and operations of the corresponding body; monitoring of OR indicators; method of collection and classification of data; functioning of information technology support for this segment; database on harmful events, historical data – age and comprehensiveness; scenario analyses; quality and frequency and contents of information to competent bodies; method of management – reduction, mitigation, and prevention of OR; new products and risk assessment; capital requirement for OR calculation and reporting; training of employees; role of internal audit; influence and reporting of the group (if the bank is a member of a group), etc.

With the objective of more adequate management of operational risk, the Agency adopted, at the beginning of 2014, the Decision on Minimum Standards of Information Systems Management in Banks and the Decision on Minimum Standards for Outsourcing Management. When a bank intends to outsource a materially significant activity, it is under obligation to inform the BARS 90 days before concluding the contract and submit the decision on intended outsourcing adopted by the supervisory board of the bank. At that time, the bank is also under obligation to submit documentation in compliance with Article 18 of the Decision on Outsourcing. That documentation comprises the following:
- assessment of risks connected with intended outsourcing;
- results of in-depth analysis of the service provider;
- exit strategy of the bank for intended outsourcing;
- responsible persons and departments that shall be in charge of supervision and management of the contractual relation;
- internal enactments (program and policies for risk management that are connected with outsourcing, assessment of material significance etc);
- draft contract etc.

Outsourcing contracts have to be in compliance with Article 14 of the Decision on Outsourcing. In the course of concluding contracts, banks are under obligation to take care of ensuring that contractual provisions, according to their scope and contents, match the risks that are connected with outsourcing. Banks are under obligation to stipulate in the contract the description of expected quality and level of services, as well as the method of supervision, while outsourced activities have to be at the same or a higher level of quality than they would be if they were performed in the bank (Article 16 of the Decision on Outsourcing).
In case the BARS determines that a bank under the intended and/or existing outsourcing will not be able to manage the risks in an adequate manner, the BARS will retain the right to order specific conditions or prohibit the outsourcing. Thus far the outsourced activities of the banks have been inspected in the course of comprehensive onsite inspections, and from September of 2014 this segment of operations will be subject to targeted inspections performed by the Department for Information Technology Systems.

Comments
A draft of the Decision on Calculating Bank Capital includes, among other things, capital requirements for operational risk, which anticipates an application of the standard approach in addition to the basic indicator approach. The above mentioned draft of the decision is in compliance with a regulatory package of the EU in terms of capital requirements, or CRR/CRD, as much as possible, but taking into consideration specificity of the market in the BiH. The draft decision will become effective on January 1, 2017.

Principle 26 Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent[63] internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.

Description and Findings
The LOB article 63 assigns the responsibility for establishing and conducting a system of internal controls and conducting internal auditing to the supervisory board.
In order to guide this, the BARS made a Decision on Minimum Standards for Internal Control in Banks and a Decision on Minimum Standards for Internal and External Auditing in Banks. The Decision on Minimum Standards for Internal and External Auditing in Banks, articles 3 and 5, and the Decision on Minimum Standards for Internal Control in Banks, article 2, require that a system of internal control and an independent internal audit be established in all organizational parts of the bank.

[63] In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.

The Decision on Minimum Standards for Internal Control in Banks defines obligations of the supervisory board of a bank for minimum standards for establishing and conducting procedures and checking the performance of business activities and operations at all business levels and all areas of bank operations. Based on review of the supervisory manual on internal audit and internal control, and on review of several inspection reports, it is stated that the BARS assesses the framework of internal control and the functioning of an independent internal auditor. This includes elements such as delegating authorities, separation of certain functions, reconciliation of certain processes and safeguarding the bank’s assets.

Comments
No comments with regard to internal control and internal audit.

Principle 27 Financial reporting and external audit.
The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.

Description and Findings
The LOB article 103 states that banks and their subsidiaries shall maintain accounts and records at all times. The banks shall also prepare annual financial statements which adequately reflect their respective operations and financial condition. The statements shall be presented in a form and with a content corresponding to the law, international standards, and the regulation of the BARS. The international standards referred to are the International Financial Reporting Standards (IFRS) and accompanying instructions, explanations and guidelines issued by the International Accounting Standard Board (IASB) (see article 2 of the Law on Accounting and Auditing). In LOB article 104 it is also stipulated that the external auditor shall give an opinion about whether the financial statements based on its audit fairly present the financial situation of the bank and whether the statements are prepared in accordance with IAS and IFRS. Further, article 2 of the Decision on minimum scope, form and content of the program and report on economic – financial audit of banks states that an audit should be performed in accordance with the law, accounting standards, and other regulations determining banks’ operations.

In practice, the banks started implementing IFRS in 2010 after the Commission of Accounting and Auditing translated IFRS 2009 into the Serbian language. Since 2009, however, the newer IFRS versions have not been translated.
This means that banks (mostly domestic) implemented IFRS 2009 and not the most recent IFRS 2014. However, some foreign banks do follow IFRS 2014 as parts of larger banking groups that are obliged to be in compliance with IFRS 2014 and, therefore, have the resources and the technical capacity. The smaller domestic banks do not have this opportunity and are dependent on the translation of 2009 IFRS in Serbian, although there were no major changes of IFRS after 2010. Different external auditors dealt differently with this situation. Some auditors of banks that implemented actual IFRS declared in their audit opinion that the financial statement presents fairly the financial position of the bank, in accordance with IFRS. Other auditors refer to the Law on Accounting and Auditing. This creates confusion on the actual level of implementation of IFRS.

It is noted that in the banking sector there are only 6 audit firms that have permissions to audit banks (“Big Four” and two domestic audit firms). All audit firms need to be registered with the Ministry of Finance and the audit firms auditing the banks’ financial statements need consent from the BARS (article 11 of Decision on minimum standards for banks’ internal and external audit function). In practice, BARS appoints the auditor on a yearly basis with a maximum term of five years, whereas article 38 of the LOBA states that the BARS may reject the financial statements and request new financial statements and audit opinion given by an external auditor appointed by the BARS. In practice, there have been many renewed appointments. BARS does not have the power to rescind an external auditor.

It is also noted that there have been several qualified audit opinions in the last five years.
In addition, it is noted that detailed asset quality reviews of five domestic banks that are under enhanced supervision have revealed material under-provisioning, of which only two have been corrected (including impact on capital). The results of the AQRs for two domestic banks are long overdue.

Comments
In the RS only the IFRS 2009 was translated into the local language. The consequence of this is that most (domestic) banks only implemented IFRS 2009. Only the foreign banks that are part of a larger group implemented the actual IFRS with support of their parent company. Because of this most external auditors base their opinion on the law on accounting and auditing instead of IFRS. This makes it difficult to compare different financial statements in the banking sector, although the external auditors list in their reports which IAS or IFRS is not consistently or fully implemented.

Further, the appointment of the external auditor takes place on a yearly basis with a maximum term of 5 years. BARS does not have the power to reject or rescind an external auditor (they can only refuse the financial statement). In practice this has led to frequent turnover. The risk exists that the yearly change of an auditor has an adverse effect on the continuity.

Next, there is room to improve the cooperation between BARS and the external auditor by formalizing it. There are no periodic meetings with the external auditor (besides some ad hoc informal meetings) and in practice the external auditor does not notify the BARS of material events.

Most importantly, the AQRs for five domestic banks revealed material under-provisioning. This raises questions on the quality of financial audits. Also, unanswered questions on the financial statement of one SIB raise questions on the quality of the financial audit. Furthermore, the work of auditors is not reviewed externally as the audit quality assurance systems are in their infancy, with little capacity and no in-depth review of auditors’ work.
Recommendation
- Address implementation of IFRS at MOF (full translation of IFRS).
- Change law so auditor is not appointed for one year, and can be sent away
- Change law so auditor audits compliance with IFRS (not with local law)
- Improve interaction with external auditor (tripartite, notification)
- Invest in IFRS (Don’t leave old system before ready)
Precondition (see paragraph 29)
- Evaluate the quality of the external audit and the quality assurance system in relation to the outcomes of the AQR.

Principle 28 Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.

Description and Findings
In article 105 of LOB it is stipulated that ‘banks shall, within 75 days after the end of the preceding financial year, submit to BARS its financial statement and its external auditor’s report for the preceding financial year within 5 months after the end of the preceding financial year.’ It continues: ‘Each bank shall publish the external auditor’s report in abbreviated form in one or more of the daily newspapers in BiH within 15 days after receiving it.
Each bank should submit a copy of the abbreviated form of the external auditor’s report to the BARS.’ In addition, ‘at the end of each six months, banks are required to publish non audited semi-annual reports which include a balance sheet, as well as information containing names of members of the supervisory and management board and each bank’s shareholders owning 5 percent or more of voting rights.’ Further, ‘Banks are required to publish the non-audited semi-annual report within 30 days after the expiration of the first six month period in one or more local newspapers available to the clients throughout BiH and must continuously make copies available to the client at each location.’

Next, in article 8 of the decision on the minimum scope, form and content of the program and the statement on the economic and financial audit of banks the obligation is prescribed to publish a shorter version of the auditor’s report, as well as its content and form. Minimum elements the report must contain are as follows:
- basic bank information, such as: the title of the bank, bank address, bank phone number, bank fax number and swift code of the bank; the composition of the SB and the bank’s auditing board; the names of the bank’s management; the name of the bank’s internal auditor; the number of the bank’s subsidiary; number of the bank’s employees; the name of the external bank’s auditor; the names of all the shareholders that have 5 percent or more shares with voting rights;
- auditor’s opinion and comments;
- the bank’s balance sheet;
- the bank’s income statement.

The Banja Luka Stock Exchange publishes on its website the financial statement as well as the opinion of the external auditor. In addition, all 10 banks in RS published their summary audit reports of 2013 in two daily newspapers on the territory of BiH and have submitted evidence thereof to BARS (it was not available in English).
Also, on BARS’ homepage summarized audit reports for all banks have been published since 2000. In practice, it is the stock exchange that verifies whether the banks publish data that faithfully reflect the financial status. In the samples inspected, all financial statements and auditors’ opinions were observed. However, the information is not easily accessible. One needs to know where the information is posted; otherwise it is not easily found. It is observed by the assessors that the disclosed information is both quantitative (balance sheet, profit and loss statement, cash flow statement) and qualitative (information on business model, risk management, related parties, accounting policies, audit opinion).

Some banks also implemented IFRS 7 on disclosure. These are mostly foreign banks that have instruction from the parent bank in EU to implement the most recent IFRS (see CP 27). More information could be disclosed on the group structure such as the ultimate beneficiary owner (see also CP 6 Transfer of significant ownership). BARS did not yet implement Pillar 3 of Basel II that requires disclosing information on the relation between risk profile and capital.

Comments
According to law and regulation banks are obliged to disclose periodically, among other things, their financial status. It is the Banja Luka Stock Exchange that publishes on its website the financial statement as well as the opinion of the external auditor. It also verifies whether the banks publish data that faithfully reflect the financial status of a bank. It is noticed that the information on the website of the stock exchange is not easily accessible. More effort could be invested to disclose the group structure of banks including the ultimate beneficiary owners and the insider lending.

Recommendation
- Disclose information on the group structure including ultimate beneficiary owners and the insider lending.
- Address the accessibility of information on the website of the stock exchange with the stock exchange.

Principle 29 Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.[64]

Description and Findings
BARS has the authority to supervise and undertake necessary activities regarding AML/TF related to banks based on article 5g of the LOBA. It is prescribed in article 101 of the LOB (including the amendments of 2011) that banks:
- Must not acquire, perform conversions or transfers, nor mediate during the acquisition, conversion or the transfer of money or other assets of which it knows or about which it could reasonably assume that it was acquired by committing a criminal offense;
- Must not initiate a transaction of which it knows or about which it could reasonably assume that it is intended for money laundering and it must not make conversions or transfers, nor mediate during the acquisition, conversion or the transfer of money or other assets of which it knows or about which it could reasonably assume that it could be used for the financing of terrorist activities;
- Has an obligation to establish internal control and internal audit, as well as the policies and procedures aiming at discovering and preventing the transactions involving criminal activities, money laundering, and the activities supporting terrorism;
- Has an obligation to take measures so as to satisfactorily establish the true identity of any person who wishes to establish business relations with the bank, who performs a transaction or series of transactions in the bank or establishes any other kind of business relations;
- Has an obligation to submit to the BARS a monthly report on the transactions about which it informed the Financial Intelligence Department.

[64] The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.

The prevention of money laundering and financing of terrorist activities is regulated on a state level by the ‘Law on prevention of money laundering and financing of terrorist activities’ (47/14), adopted in 2014, which replaces the Law on AML/TF (53/09). This law establishes the roles and responsibilities of the different bodies involved in the prevention of ML/TF such as the Financial Intelligence Department (FID) of the State Investigation and Protection Agency (SIPA), the FMA, the banks, and others. Further, the Decision on the minimum standard for prevention of ML/TF (289/12) prescribes in more detail the minimum scope, form and content of activities of banks on prevention of ML/TF.

The following roles and responsibilities are prescribed by the Law on AML/TF (47/14) and the Decision on AML/TF (289/12):
- The banks are required to have appropriate policies and procedures (article 5 – 47 of Law on AML/TF) such as client acceptance policy (Decision on AML/TF article 5-8), client identification policy (Decision on AML/TF article 9-24), continuous monitoring of accounts and transactions policy (Decision on AML/TF article 25 - 30), risk management policy (Decision on AML/TF article 31 - 42).
  These policies address high risk accounts, politically exposed persons and correspondent banking. The objective of the law and regulation is to prevent criminal activities or recognize suspicious clients and transactions. Each suspicious client and transaction shall be reported to the FID before the transaction is made. At the end of each month the banks report to the BARS all suspicious transactions about which the banks have informed the FID.
- The BARS also reports to the FID if it has become aware of additional suspicious clients or transactions (article 81 Law on AML/TF).
- The FID receives, collects, records, investigates and analyzes the information and submits it to the Prosecutor’s Office when prescribed by law, and gives feedback to BARS on measures taken (article 82 Law on AML/TF).

In practice, the supervisors have a comprehensive manual for AML that addresses all key elements of ML/TF. According to a fixed cycle of inspections, supervisors conduct a comprehensive AML/TF inspection every two years, and whenever necessary in case of suspicious transactions. The inspection is conducted by a specialist unit within BARS that consists of specialist persons. The assessors observed through interviews and review of several inspection reports that all key elements are being adequately assessed by BARS, including the assessment of internal audit, compliance officers, screening, training programs and the IT technology used for transaction and account monitoring. After every inspection BARS could use, if necessary, all corrective actions available in the LOB (article 125 of LOB; and article 83 and 84 of Law on AML/TF).

The first remark is about the extent to which the supervisor is aware of the inherent risk profile of the banks.
The assessors have the impression that more attention could be paid to understanding the inherent ML/TF risk profile of a bank, in terms of the supervisors themselves understanding to what extent bank engagement with certain clients, products, or locations could increase the ML/TF risk profile, and making banks aware of it. Currently, the focus is more on the quality of risk management in its broadest sense. The supervisor was not aware of increased ML/TF risks in the banking sector and mostly discussed the deficiencies in the quality of risk management of banks. A meeting with the FID indicated that currently the real estate sector seems most vulnerable to ML activities, although the FID didn’t connect these risks (without reason) to the banking sector. It could help the supervisors to make a distinction between inherent risk, quality of risk management and net risk.

The second remark is about the follow-up of findings. Deficiencies in the quality of risk management follow regular procedures: reporting the finding, receiving comments from the banks and then issuing a written order (with specific deadlines). The difference between the two entities is that BARS, in case of suspicious transactions, sends a report to the FID that could be sent on to the Prosecutor’s Office. Regarding the follow-up of deficiencies in the quality of risk management, it has been observed that BARS in practice conducts the follow-up. This, however, happens not right after the initial inspection but during the next inspection of the next supervisory cycle (see also CP 11 corrective actions).

The third remark is about the cooperation between the BARS and the FID, which is arranged in a MOU. It is noticed that the feedback loop between FID and BARS could be enhanced by sharing knowledge on both sides. The BARS has not only knowledge on suspicious transactions, but also on the inherent risk profile of a bank.
The FID has knowledge on the sensitive sectors that could be related with the banking sector such as the real estate sector. Furthermore, feedback from FID on the nature of suspicious transactions could help the BARS understand the inherent risk profile of a bank and complete the feedback loop.

The fourth remark is that it seems that BARS does not conduct on-site inspection of ML/TF activities at branches outside the RS, but with headquarters inside the RS. However, these branches are required to comply fully with the law and regulation on AML/CTF (such as reporting of suspicious transactions and taking adequate control measures).

Comments
The BARS puts reasonable effort into determining that banks have adequate policies and processes to prevent the bank from being used, intentionally or unintentionally, for criminal activities. Recently, a new law on AML/TF (2014) was adopted as well as a Decision on AML/TF (2012) that covers all the key elements of preventing, detecting and reporting suspicious activities such as client acceptance, client identification, continuous monitoring of transactions and accounts and risk management. This is the result of the increased attention of Moneyval on BiH. Also the supervisory processes are aligned with this law and regulation.

There are a few remarks. First, more attention could be paid to understanding the inherent ML/TF risk profile of banks and accordingly make the supervisory intensity risk based (see CP 8 Supervisory approach). Second, the follow-up of findings could be strengthened in practice (see also CP 11 Corrective actions). Third, there seems not to be a good feedback loop between the BARS and the FID. Fourth, it seems that branches outside the FBiH but with headquarters inside the FBiH are not being inspected on-site on ML/TF activities.

Recommendation
- Put more effort in identifying the inherent ML/TF risk profiles of banks.
- Conduct risk based inspections instead of inspections according to fixed cycle.
- Enhance the follow-up of findings
- Enhance the cooperation between BARS and FID
- Discuss with FBA who executes the onsite inspection of AML/TF in the cross entity branches
See also precondition on AML/TF paragraph 40 and 41.

Appendix III. Differences Between Basel II Weights and FBA/RS Weights

Assets and Out-of-Balance Sheet Credit Equivalents | Rate (Weight of Risk) | Basel II
1. cash assets | 0 percent | 0 percent cash; 20 percent demand deposits and termed deposits with maturity of up to 30 days in accounts of banks that are, according to the most recent ranking performed by Standard&Poor’s, Fitch – IBCA, Thompson Bank, ranked BBB at least, or Baa3 at least if the ranking was performed by Moody’s.
receivables from central governments of countries in zone A (OECD members); | 0 percent | 0 percent for country members of EU. For other countries, depending on the credit rating
receivables on the basis of direct and indirect debt from RS government, FBiH government, and Council of Ministers of BiH; securities issued by those persons and receivables secured by their unconditional guarantees payable on first call; | 0 percent | 0 percent (if national discretion is applied)
receivables from CBBH | 0 percent | 0 percent (if national discretion is applied)
and central banks of countries in zone A and receivables secured by their unconditional guarantees payable on first call; | 0 percent | 0 percent for country members of EU. For other countries, depending on the credit rating
fixed assets insured in full amount (buildings, equipment, and land); | 0 percent | 100 percent
investments or portion of investments of the bank that are secured with collateral in the form of cash deposits with the same bank, under the condition that the contract regulates that right until the collection of the receivable of the bank, the cash deposit is, as collateral, tied to the specific credit relation; | 0 percent | 0 percent
2. receivables from banks from countries in zone A, except on the basis of subordinated debts; | 20 percent | Depending on the credit rating
receivables from banks with headquarters in countries of zone B with current maturity of up to 1 year, except on the basis of subordinated debts; | 20 percent | Depending on the credit rating
receivables from international development banks; | 20 percent | 0 percent
receivables from regional governments/lower level governments from countries in zone A; | 20 percent | Depending on the credit rating
receivables from institutions that are financed from the budgets of BiH, FBiH, and RS, and from the budgets of central governments of countries in zone A; | 20 percent | Depending on the credit rating
financial instruments in the process of collection; | 20 percent | 20 percent
3. receivables from banks in BiH; | 50 percent |
4. all remaining assets and credit equivalents of out-of-balance liabilities referred to in Article 15 of this decision | 100 percent | 75 percent - exposure class - retail; 50 percent - operating real estate; 35 percent - housing real estate; 100 percent - other exposures; 150 percent - high risk exposures