On approval of the Rules for formation of risk management and internal control system for second-tier banks

New Unofficial translation

Resolution of the Board of the National Bank of the Republic of Kazakhstan dated November 12, 2019 No. 188. Registered with the Ministry of Justice of the Republic of Kazakhstan on November 21, 2019 No. 19632

      Resolution of the Board of the National Bank of the Republic of Kazakhstan dated November 12, 2019 No. 188. Registered with the Ministry of Justice of the Republic of Kazakhstan on November 21, 2019 No. 19632

      Unofficial translation

      In accordance with the Law of the Republic of Kazakhstan dated August 31, 1995 “On Banks and Banking Activities in the Republic of Kazakhstan”, the Board of the National Bank of the Republic of Kazakhstan RESOLVES:

      1. To approve the attached Rules for formation of risk management and internal control system for second-tier banks.

      2. To recognize as terminated the regulatory legal acts of the Republic of Kazakhstan, as well as the structural elements of some regulatory legal acts of the Republic of Kazakhstan according to the list in accordance with the Annex to this Resolution.

      3. The Department of Methodology and Regulation of Financial Organizations in the manner prescribed by the legislation of the Republic of Kazakhstan shall ensure:

      1) together with the Legal Department, the state registration of this Resolution with the Ministry of Justice of the Republic of Kazakhstan;

      2) placement of this Resolution on the official Internet resource of the National Bank of the Republic of Kazakhstan after its official publication;

      3) within ten working days after the state registration of this Resolution, submission the information on the implementation of measures, provided for in subparagraph 2) of this paragraph and paragraph 4 of this Resolution, to the Legal Department.

      4. Within ten calendar days after the state registration of this Resolution the Department of External Communications - the press service of the National Bank of the Republic of Kazakhstan shall ensure the direction of copy hereof to periodicals for official publication.

      5. Control over execution of this resolution shall be entrusted to Deputy Chairman of the National Bank of the Republic of Kazakhstan O. A. Smolyakova.

      6. This Resolution shall come into effect upon expiry calendar days after the day of its first official publication.

      7. Second-tier banks, by July 1, 2020, shall bring their activities in accordance with requirements of this Resolution.

      Chairman of the
      National Bank Ye. Dossayev

  Approved by the
Resolution of the Board of the
National Bank of the
Republic of Kazakhstan
dated November 12, 2019 No. 188

Rules for formation of risk management and internal control system for second-tier banks

Chapter 1. General Provisions

      1. These Rules for formation of risk management and internal control system for second-tier banks (hereinafter referred to as the Rules), developed in accordance with the Law of the Republic of Kazakhstan dated August 31, 1995 “On Banks and Banking Activities in the Republic of Kazakhstan” (hereinafter referred to as the Law on Banks) and establish the procedure for the formation of a risk management system and internal control of second-tier banks (hereinafter referred to as the Bank).

      2. The following concepts shall be used in the Rules:

      1) information technology risk - the possibility of damage due to a failure (malfunction) of the information and communication technologies operated by the bank;

      2) information security risk - the possibility of occurrence of damage due to a breach of confidentiality, a deliberate violation of the integrity or availability of information assets of the bank;

      3) authorized collegial body of the bank - the board of directors, committee under the board of directors, management board, committee under the board;

      4) reputational risk - the possibility of losses, non-receipt of planned revenues as a result of narrowing the client base, lowering other development indicators due to the formation in the company of a negative idea about the reliability of the bank, the quality of its services or the nature of the bank as a whole;

      5) legal risk - the probability of losses due to non-compliance by a bank or counterparty with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies and, in relations with non-residents of the Republic of Kazakhstan, the laws of the country of their origin, as well as the terms of concluded contracts;

      6) internal process of assessing capital adequacy - a set of processes in managing significant risks, taking into account the volume of assets, the nature and level of complexity of the activity, organizational structure, strategic plans, the bank risk profile, regulatory framework, assessment and aggregation of such risks in order to determine the target the bank capital adequacy level to maintain a stable financial position and solvency;

      7) unsecured consumer loan - a bank loan without a pledge condition at the time of issue, granted to an individual for purposes not related to entrepreneurial activity;

      8) compliance risk - the probability of losses due to non-compliance by the bank and its employees with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank governing the procedure for the bank to provide services and operations in the financial market, as well as the laws of foreign countries that affect the activities of the bank;

      9) corporate governance - a system of relationships between the board of the bank, board of directors, shareholders, executives and auditors, as well as relationships between authorized collegial bodies of the bank.

      The corporate governance system allows to organize the distribution of powers and responsibilities, as well as to build a corporate decision-making process;

      10) credit risk - the probability of losses arising as a result of default by the borrower or counterparty of its obligations in accordance with the terms of the bank loan agreement;

      11) repayment ability - a complex legal and financial characteristic of a borrower, presented by financial and non-financial indicators, which allows assessing its ability in the future to fully and timely fulfill obligations under a bank loan agreement;

      12) loan agreement - an agreement between the bank and the borrower on the provision of financing (including conditional financing), as a result of which the bank has (or will have in the future) requirements for the borrower;

      13) contingency financing plan - a set of procedures and an action plan for responding to a decrease in the bank ability to timely respond to its obligations;

      14) unit - owner of the protected information - a bank unit, the owner of the information, violation of the confidentiality, integrity or availability of which will lead to losses for the bank;

      15) critical information asset - an information asset determined in accordance with Resolution of the Board of the National Bank of the Republic of Kazakhstan dated March 27, 2018 No. 48 “On approval of Requirements for ensuring the information security of banks and organizations carrying out certain types of banking operations, Rules and Terms for submission information on information security incidents, including information systems failure information on violations”, registered in the State Register of Normative Legal Acts under the number 16772;

      16) significant risk - a risk, the implementation of which will lead to a deterioration in the financial stability of the bank;

      17) conflict of interests - a situation in which there is a contradiction between the personal interest of the bank officials, its shareholders and (or) its employees and their proper exercise of their official powers or property and other interests of the bank and (or) its employees and (or) customers, which will entail adverse consequences for the bank and (or) its customers;

      18) market risk - the probability of financial losses on balance sheet and off-balance sheet items, due to adverse changes in the market situation, expressed in changes in market interest rates, foreign exchange rates, market value of financial instruments, goods;

      19) operational risk - the probability of losses resulting from inadequate and insufficient internal processes, human resources and systems, or the impact of external events, with the exception of strategic risk and reputation risk;

      20) internal liquidity sufficiency assessment process - a set of liquidity risk management processes, in order to maintain a bank with an adequate liquidity level and implement an appropriate system for managing liquidity risk at various time intervals depending on the types of activity and currency;

      21) liquidity risk - the possibility of financial losses resulting from the inability of the bank to fulfill its obligations on time without significant losses;

      22) policy - an internal document approved by the board of directors of the bank that defines the main quantitative and qualitative parameters, principles, standards that ensure the effective functioning of the bank and its compliance with the strategy, risk profile, and risk appetite. Within the framework of the policy, the board of directors of the bank shall ensure the availability of relevant internal documents describing individual procedures, processes, instructions;

      23) strategic risk - the probability of losses as a result of errors (deficiencies) made when making decisions determining the strategic development of the bank and expressed in insufficient consideration of possible dangers inherent in the bank's activity, incorrect or insufficiently well-defined determination of promising areas of activity in which the bank will achieve an advantage over competitors, the absence or partial supply of the necessary resources and organizational measures ensuring achievement of strategic goals of the bank;

      24) stress testing - a method of assessing the potential impact of exceptional, but possible events on the financial condition of the bank;

      25) risk - the probability that expected or unforeseen events will negatively affect the financial stability of the bank, its capital and (or) income;

      26) risk culture - processes, procedures, internal rules of the bank aimed at understanding, accepting, managing and controlling risks in order to minimize their impact on the financial condition of the bank, as well as ethical norms and standards of professional activity of all participants in the organizational structure. Risk culture supplements the existing approved procedures, processes and mechanisms of the bank and is an integral component of the risk management system;

      27) risk profile - a set of types of risk and other information characterizing the degree of exposure of the bank to risks inherent in all types of bank activities to identify weaknesses and prioritize subsequent actions within the risk management system;

      28) statement on risk appetite - a document approved by the board of directors of the bank that describes the aggregated level(s) of significant risks (limits for the acceptable risk level) that the bank is ready to accept or intends to exclude when implementing the strategy. The statement of risk appetite shall contain a statement of a qualitative nature, as well as a quantitative one, including indicators in relation to profitability, capital, liquidity, risks, and other applicable indicators;

      29) risk treatment - the process of selecting and implementing measures to change risks;

      30) risk register - a structured list of risks containing criteria and causes of risks, their possibility, impact (damage), priority and risk treatment methods;

      31) authorized body - a state body that exercises state regulation, control and supervision of the financial market and financial organizations;

      32) organizational structure - an internal document and (or) a set of internal documents establishing the quantitative composition and system of governing bodies, leading employees and structural units of the bank, reflecting the structure of subordination, accountability.

      3. The purpose of the Rules is to determine the requirements for the formation of risk management systems and internal control by the bank by ensuring:

      1) effective management of the bank risks through their timely identification, measurement, control and monitoring to ensure that the bank equity is consistent with the level of risks taken by it and that there is an appropriate level of liquidity;

      2) good corporate governance practices and an appropriate level of business ethics and risk culture;

      3) compliance by the bank and its employees with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal policies, procedures and other internal documents of a bank;

      4) timely detection and elimination of deficiencies in the activities of the bank and its employees;

      5) creation of adequate mechanisms in the bank to deal with unforeseen or emergency situations.

      4. The board of directors of the bank shall ensure that a risk management system is in place that matches the selected business model, scale of activity, in terms of types and complexity of operations, and shall provide an appropriate process for identifying, measuring and evaluating, monitoring, controlling and minimizing significant bank risks in order to determine the bank’s equity and liquidity necessary to cover significant risks inherent in the bank business.

      The risk management system is a set of components established by the Rules, which shall provide a mechanism for the interaction of internal procedures developed, regulated by the bank, processes, policies, structural units of the bank in order to timely identify, measure, control and monitor the risks of the bank, as well as minimize them to ensure its financial stability and stable functioning.

      5. The risk management system shall provide:

      1) optimal ratio between the profitability of the main activities of the bank and the level of risks taken, based on the choice of a viable and sustainable business model, an effective process of planning the strategy and budget, taking into account the risk appetite strategy;

      2) objective assessment of the size of the bank risks, the completeness and documentation of risk management processes, their preventive identification, measurement and assessment, monitoring and control, minimization of significant types of risks at each level of the organizational structure with the optimal use of financial resources, personnel and information systems in order to maintain sufficient bank equity and liquidity;

      3) coverage of all types of the bank’s activities subject to significant risks at all levels of the organizational structure, the completeness of the assessment of certain significant types of risks, their mutual influence in order to determine the bank’s risk profile and build a risk appetite strategy;

      4) availability of risk appetite levels for all types of significant risks and an algorithm of actions in cases of violation of the established levels, including responsibility for accepting risks, the level of which is defined as high, procedures for informing the board of directors, committees under the board of directors and the bank's management within risk appetite strategies;

      5) awareness of the authorized collegial bodies of the bank making decisions that carry risks, through the construction of an effective corporate governance system, the availability of complete, reliable and its own management information about the significant risks inherent in the bank's activities;

      6) rational decision-making and acting in the interests of the bank on the basis of a comprehensive assessment of the information provided in good faith, with appropriate diligence and duty (duty of care). The obligation to exercise discretion and care does not extend to errors in the process of making business decisions, unless bank employees and officials have shown gross negligence;

      7) decision-making by employees and officials of the bank and acting in good faith in the interests of the bank, not taking into account personal benefits, the interests of executives connected with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);

      8) clear distribution of the functions, duties and powers of risk management between all structural units and employees of the bank, and their responsibility, taking into account the minimization of conflicts of interest;

      9) separation of the risk management and internal control functions from the bank’s operations by means of building a system of three lines of defense, which includes:

      the first line - at the level of structural units of the bank;

      the second line - at the level of risk management units and performing control functions;

      the third line - at the level of the internal audit unit in terms of assessing the effectiveness of the functioning of the risk management system;

      10) availability of documents designed to regulate the activities of the bank, the creation and operation of effective risk management and internal control systems in the bank and the relevant strategies, organizational structure, bank risk profile and the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of financial market and financial organizations of the Republic of Kazakhstan legislation on currency regulation and currency control, billing and payment systems, on pensions, on the securities market, on accounting and financial reporting, credit bureaus and formation of credit records of collection activity, the mandatory guaranteeing of the deposits on counteraction to legalization (laundering) proceeds from crime and the financing of terrorism, about joint-stock companies, as well as their periodic review and updating;

      11) compliance with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      12) compliance with existing procedures, processes, policies and other internal documents of the bank on risk management through the construction of an effective system of internal control.

      6. The authorized body, in the framework of evaluating the effectiveness of the bank’s risk management system, shall be guided by the following principles:

      1) ensuring the financial stability of banks, preventing deterioration of the financial situation of banks and increasing risks associated with the activities of banks, protecting the legitimate interests of depositors, creditors, customers and correspondents of banks;

      2) prevalence of the essence over the form, expressed in the assessment of the bank’s risk management system as a mechanism for measuring and evaluating, monitoring, controlling, and minimizing the bank’s significant risks, rather than formally regulated bank procedures and compliance with the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank;

      3) proportionality in the exercise of control and supervision functions, as well as when applying the results of control and supervision, measures provided for by the laws of the Republic of Kazakhstan, based on the business model adopted by the bank, the scale of activity, types and complexity of operations and the materiality of the bank's risks;

      4) application of a uniform approach to the assessment of the risk management system and supervisory response measures;

      5) identification of significant risks in the activities of the bank.

      7. The authorized body shall evaluate:

      1) the effect of corporate governance system;

      2) significant risks inherent in the bank's activities, taking into account the types and complexity of the bank's operations;

      3) compliance of the risk management systems with the selected business model, the scope of activities, types and complexity of the bank's operations;

      4) financial condition of large participants of the bank in order to determine the possibility of maintaining the financial stability of the bank;

      5) impact of the financial condition of the participants of the banking conglomerate on the financial stability of the bank;

      6) the effectiveness of the application of preventive measures in order to prevent the deterioration of the financial stability of the bank by adjusting risk management systems based on the scale of activity and the level of risks taken;

      7) application of a system of quantitative and qualitative indicators in the framework of assessing the activities of the bank and the effectiveness of modeling methods.

Chapter 2. Business Model

      8. Business model of a bank is a combination of the chosen strategy, products, and planning processes that ensure competitiveness and a sufficient level of profitability. The main principles in the formation of a business model of a bank shall be:

      1) viability, expressed in the bank's ability to provide a sufficient level of profitability in the next 12 (twelve) months and based on budget planning and forecasting of financial indicators;

      2) sustainability, expressed in the ability of the bank to provide a sufficient level of profitability for a period of at least 3 (three) years and based on strategic planning and forecasting of financial indicators.

      Bank shall conduct regular analysis of the business model in order to assess the impact on it of strategic risks and the risks inherent in the activities of the bank.

      Banking activities shall be carried out within the framework of the chosen business model taking into account the volume of assets, the nature and level of complexity of the activity, organizational structure, and risk profile.

      9. The strategy of the bank shall be approved by the board of directors of the bank for a period of at least 3 (three) years and shall contain:

      1) the mission and goals of development of the bank. Goals shall be measurable, achievable, realistic, and have precise timelines for implementation;

      2) target market segments by sectors of the economy and geographical distribution of the development of the bank;

      3) analysis of the strengths and weaknesses of the selected bank strategy, taking into account key sources of income;

      4) quantitative indicators of the loan portfolio, liquid assets, customer deposits and other borrowed funds, taking into account the established levels of risk appetite. At the same time, realistic assumptions shall be used that take into account available and accessible resources, current and potential economic conditions;

      5) analysis of key sources of income;

      6) key types of investments, their structure and planned changes, including the introduction and development of new products and services, taking into account the assessment of risks and processes associated with their implementation and development, as well as assessing the current capabilities of the bank to introduce and develop such products;

      7) scenarios of the strategic development of the bank's activity (negative, and the most possible scenarios).

      10. The budget of the bank shall be approved annually by the board of directors of the bank and shall contain a monthly forecast of financial indicators (assets and liabilities, income and expenses, information on the loan portfolio, customer deposits and other borrowed funds, by currency (national and foreign currencies in total), categories of customers).

      The budget shall correspond to the strategy of the bank. Therewith, the assumptions used shall be realistic and take into account available and accessible resources, current and potential economic conditions and possible risks.

      One of the components of effective budget planning shall be the tariff policy, which minimally includes the following components:

      internal procedures and procedures for conducting market analysis of demand and prices for banking services;

      internal procedure and procedures for the formation of the structure of interest rates and tariffs;

      acceptable lower and upper limits for interest rates and tariffs for the bank, as well as requirements for the internal procedure for their approval, taking into account the requirements of the civil and banking legislation of the Republic of Kazakhstan, on payments and payment systems, on mandatory guarantee of deposits, their application and periodic review;

      criteria for choosing a method for determining prices for banking services, as well as requirements for methods based on assessing the nature and level of complexity of the bank's activities and the risks inherent in the bank;

      participants in the pricing process and the order of interaction between them, including the exchange of information;

      the internal procedure and procedures for timely informing bank customers about the conditions for the provision of banking services, as well as informing about changes.

      Bank shall monthly analyze the budget to ensure that the predicted indicators are consistent with the actual values; the reasons for the deviations detected, followed by the development of corrective corrective measures, if necessary, and shall make reasonable adjustments with their further documentation.

      11. In the process of strategic and budget planning, the bank shall analyze the key sources of profitability in order to identify potential risks.

      In order to keep the strategy and budget of the bank up to date, the bank shall annually analyze the target markets where it operates, evaluate the competitive environment, the adequacy of resources and the ability to generate short and long term returns.

      Strategic and budget planning shall be carried out within the framework of accepted and approved levels of risk appetite.

Chapter 3. Risk Appetite Strategy

      12. In order to build an effective risk management system, the board of directors of the bank shall approve the risk appetite strategy as a separate document, or as an integral part of the strategy of the bank. The risk appetite strategy shall define clear boundaries of the volume of accepted risks where the bank operates as part of the implementation of the bank’s general strategy, and shall also determine the risk profile of the bank’s activities in order to prevent risks or minimize their negative impact on the financial position of the bank. The risk appetite strategy shall be taken into account:

      1) in strategic and budget planning defined by Chapter 2 of the Rules;

      2) in internal processes for assessing capital adequacy and liquidity, as defined by Chapters 5 and 6 of the Rules;

      3) in formation of the organizational structure of the bank and the wage policy defined by Chapter 4 of the Rules.

      13. Effective risk appetite strategy shall:

      1) contain a description of the risk profile of the bank;

      2) contain the process of disseminating the strategy to all structural units and is brought to the attention of bank employees;

      3) be aimed at introducing a risk culture at all levels of the bank's organizational structure, as well as at disseminating the practice of observing risk appetite levels within the risk culture;

      4) provide protection from the bank taking excessive risks when making decisions;

      5) be the basis for the formation of a statement of risk appetite;

      6) change in case of significant changes in market conditions and (or) the level of financial stability of the bank.

      14. Within the framework of the risk appetite strategy, the board of directors of the bank shall form a risk appetite statement that sets the general direction with respect to the risks accepted by the bank in the framework of budget planning and operational activities of the bank. Effective statement of risk appetite shall:

      1) be formed taking into account the strategy of the bank;

      2) determine for each significant type of risk the aggregated level (levels) of risk appetite, which the bank accepts in its activities taking into account the risk profile;

      3) include quantitative indicators that are used to determine the aggregated level(s) of risk appetite for each significant type of risk;

      4) include a statement of a qualitative nature that describes the grounds for taking risks by the bank, or their exclusion, including reputational and (or) other risks, a quantitative assessment of which is not feasible, and also establishes approaches to control them;

      5) imply a prognostic approach, shall take into account the results of stress testing in order to identify potential events leading to a violation of risk appetite levels.

      15. In order to determine risk appetite, the board of directors of the bank shall set the aggregated level(s) of risk appetite and levels of risk appetite for each type of significant risk.

      The applicable levels of risk appetite shall meet the following requirements:

      have a clear definition;

      be relevant;

      measurable;

      calculated on a periodic basis;

      information on the actual values ​​of risk appetite levels and their performance shall be provided to the board of directors and the committee of the bank risk management;

      developed taking into account the prognostic approach.

      16. Effective levels of risk appetite shall:

      1) be set at a level that facilitates the bank's compliance with the aggregated level(s) of risk appetite;

      2) take into account available capital, liquidity, profitability, development strategy;

      3) take into account all significant concentration risks (concentration on the client, on currency, on country risk, on market segments and other types of concentration);

      4) be based not only on the application of best practices and (or) the requirements of the authorized body, but shall also take into account the essential risks inherent to the bank;

      5) be developed using objective and clear assessments, are not ambiguous;

      6) be regularly reviewed for relevance;

      7) take into account reasonable assumptions, supported by the results of stress testing.

      17. The procedure for determining risk appetite levels shall include, but shall not be limited to, the following components:

      1) the internal procedure for calculating and determining quantitative and qualitative parameters characterizing the levels of risk appetite of the bank;

      2) information and materials, methods and tools used to calculate and determine risk appetite levels;

      3) responsible executives and (or) departments of the bank involved in calculating and determining the risk appetite levels of the bank and responsible for monitoring and monitoring the established levels of risk appetite;

      4) the conditions under which an adjustment is made to the risk appetite approved at the level.

      Quantitative methods used to establish risk appetite levels shall a high degree of reliability in assessing the level of risk.

      18. Risk appetite levels shall include the following risk level limits:

      1) the level that does not require the application of corrective measures;

      2) the level defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;

      3) the level defined as high, requiring the application of appropriate measures to prevent the deterioration of the financial stability of the bank and its solvency.

      When determining risk appetite, the bank shall assess the acceptability of the established risk appetite in the current time period and to what extend it will be acceptable in the future by means of stress testing (scenario analysis and sensitivity analysis).

      If significant risks are identified that are not described in the risk profile, the bank shall assess the level of risk, finalize appropriate procedures to include such risks in the risk profile, determine the level of risk appetite and develop measures to prevent and (or) minimize the identified risk.

      Aggregated level(s) of risk appetite shall be established and reviewed (revised) on a periodic basis. The levels of risk appetite for certain types of risk shall be reviewed during the year when the situation on the market changes and (or) changes in the requirements of the authorized body, but within the aggregated level of risk appetite.

Chapter 4. Corporate Governance

      19. The main elements of an effective corporate governance system shall be:

      1) organizational structure;

      2) corporate values;

      3) strategy of the bank;

      4) distribution of duties and powers regarding decision-making between authorized bodies of the bank;

      5) mechanisms of interaction and cooperation between members of the board of directors, management board, external and internal auditors of the bank;

      6) procedures and methods of risk management;

      7) internal control system;

      8) remuneration system;

      9) availability of an adequate management reporting system;

      10) transparency of corporate governance.

      20. The organizational structure of the bank shall correspond to the chosen business model, the scale of activity, types and complexity of operations, shall minimize the conflict of interests and distributes risk management powers between collegial bodies and structural units, including, but not limited to:

      1) the board of directors of the bank;

      2) committees under the board of directors of the bank;

      3) management board of the bank;

      4) risk management unit(s);

      5) compliance control unit;

      6) internal audit unit.

      21. The basic principles and responsibilities of board of directors of the bank shall include:

      1) rational decision-making and acting in the interests of the bank on the basis of a comprehensive assessment of the information provided in good faith, with due diligence and care (duty of care). The obligation to exercise caution and care does not extend to errors in the process of making business decisions, unless members of the board of directors have shown gross negligence;

      2) making decisions and acting in good faith in the interests of the bank, not taking into account personal benefits, interests of executives connected with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);

      3) active involvement in the activities of the bank and awareness of significant changes in the activities of the bank and external conditions, as well as the adoption of timely decisions aimed at protecting the interests of the bank in the long term;

      4) preliminary consideration of the draft code of corporate governance and (or) amendments to it.

      As part of the corporate governance code, a procedure shall be developed to manage the conflict of interests and mechanisms for its implementation, as well as control over implementation. The procedure shall contain the following components:

      mechanism for minimizing a conflict of interest in a bank;

      the approval process that a member of the board of directors goes under before taking up the functions of an official in another organization in order to prevent a conflict of interest;

      obligation of members of the board of directors to immediately provide information on any issue that creates a conflict of interest or is a potential reason for its occurrence;

      obligation of members of the board of directors to abstain from voting on issues within which a member of the board of directors has a conflict of interest;

      the mechanism for the board of directors to respond to violations of the provisions of the procedure.

      Within the framework of the corporate governance code, the procedures shall be developed via which bank employees confidentially report violations related to the activities of the bank;

      5) ensuring compliance of the corporate governance system of the bank with the following principles:

      compliance with the scale and nature of activities of the bank, its structure, risk profile, and bank’s business model;

      protection of shareholders' rights provided for in accordance with the civil, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint-stock companies and support for the implementation of these rights;

      ensuring timely and reliable disclosure of information in accordance with the banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan, on currency regulation and currency control, on payments and payment systems, on the market securities on combating the legalization (laundering) of proceeds of crime and the financing of terrorism, on joint-stock companies;

      to fulfill their duties, members of the board of directors shall have access to complete, relevant and timely information;

      6) approval of the following internal documents and control of their implementation:

      organizational structure of the bank;

      bank development strategies;

      bank profitability management policies;

      stress testing procedures and scenarios;

      contingency financing plan;

      business continuity management policies;

      its internal procedure for the payment of remuneration to bank executives and bank employees directly reporting to the board of directors of the bank;

      personnel policy;

      pay policies;

      accounting policies;

      tariff policy;

      credit policy;

      policy on problem assets;

      the document regulating the main approaches and principles of internal capital adequacy assessment process (hereinafter referred to as the ICAAP);

      the document regulating the main approaches and principles of the       internal liquidity adequacy assessment process (hereinafter referred to as the ILAAP);

      policies (policy) of risk management of information technology and information security of the bank;

      internal control policies;

      credit risk management policies;

      market risk management policies;

      operational risk management policies;

      compliance risk management policies;

      risk management policies for the legalization (laundering) of proceeds from crime and the financing of terrorism (hereinafter referred to as the ML/FT);

      collateral policy;

      liquidity management policies;

      internal audit policies, code of ethics for the internal auditor, regulations on the internal audit unit, internal audit procedures, annual internal audit plan;

      policies (procedures) for engaging an external auditor;

      7) approval of the risk appetite strategy and levels of risk appetite of the bank;

      8) monitoring compliance with the risk appetite strategy, risk appetite levels and risk management policies;

      9) ensuring the availability of a financial service responsible for accounting and the quality of financial reporting;

      10) preliminary approval of the annual financial statements certified by an audit organization, as well as sending a request for periodic independent audits as necessary;

      11) elect members of the board of the bank, appoint the head of risk management, the head of the internal audit and the chief compliance controller;

      12) consideration of reports sent by the audit committee, with subsequent monitoring of the elimination of identified violations;

      13) control over effective compliance with bank procedures, via which bank employees shall confidentially report violations related to the activities of the bank and civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as on abuse;

      14) the formation of three lines of protection in the bank:

      the first line of defense shall be provided by the structural units of the bank responsible for timely identification, risk assessment, communication of information about them to the second line of defense units, as well as risk management. The first line of defense performs operations within the approved risk appetite levels of the bank and operates within the framework of adopted risk management policies;

      the second line of defense shall be provided by independent units of risk management, compliance control and other units that exercise control functions (including, within its competence, units that perform the functions of security, financial control, human resources, legal risk management, operational risk). The risk management unit(s) shall conduct a comprehensive risk analysis of the bank's activities, generate the necessary reports to the board of directors of the bank and the risk management committee, and contribute to the critical assessment and identification of risks by board members and business units.

      The compliance control unit shall organize procedures to comply with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and and credit records, on debt collection activity, an obligatory deposit, countering legalization (laundering) of proceeds from crime and terrorist financing, on joint stock companies, the legislation of foreign countries that affect the activity of the bank and the bank's internal documents, then regulating the core of the bank's provision of services and conducting operations in the financial market, and provides complete and reliable information to the board of directors about the existence of compliance risks;

      the third line of defense shall be provided by an independent internal audit unit responsible for assessing the quality and effectiveness of the risk management and internal control system, the first and second lines of defense;

      15) exercising control over the activities of the board of the bank by:

      monitoring the implementation by the bank's board of the strategy and policies approved by the board of directors of decisions of the general meeting of shareholders;

      approval of internal documents regulating the activities of the board of the bank in accordance with the Rules;

      ensuring the implementation of the internal control system;

      holding regular meetings with members and the board of the bank;

      analysis and critical assessment of information provided by the board;

      establishing the necessary performance standards and a remuneration system for board members that meet the long-term goals defined by the strategy of the bank and aimed at financial stability;

      16) interaction and control over the work of the head of risk management;

      17) periodic (at least once a year) performance assessment of each member of the board of directors of the bank;

      18) maintaining records of decisions made (minutes of meetings, brief information on issues considered, recommendations, if any, as well as special opinions of members of the board of directors of the bank). Such documents and (or) materials shall be provided to the authorized body upon request in accordance with the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations;

      19) providing a developed infrastructure of information technologies for the purpose of collecting and analyzing complete, reliable, temporary information for risk management purposes. Awareness of the limitations of information technology infrastructure in determining appetite risk levels;

      20) making a decision on granting a loan, the amount of which exceeds 5 (five) percent of the bank’s own capital on the basis of analysis and assessment of the advisability of issuing a loan;

      21) making a decision on issuing an unsecured consumer loan, the amount of which exceeds 20,000,000 (twenty million) KZT on the basis of analysis and assessment of the feasibility of issuing a bank loan. This paragraph shall not include cases of issuing unsecured consumer loans when refinancing mortgage loans.

      22. The composition of the board of directors of the bank and qualification requirements for its members shall meet the following requirements:

      1) the composition of the board of directors of the bank and its powers shall be sufficient to exercise effective control;

      2) the board of directors of the bank shall consist of executives with the necessary qualifications, impeccable business reputation and experience, all of which shall be sufficient for the general management of the bank, in accordance with the chosen business model, scale of activity, type and complexity of operations;

      3) members of the board of directors of the bank shall be focused on interaction, cooperation and critical discussion in the decision - making process;

      4) members of the board of directors of the bank shall conscientiously fulfill their duties and make decisions, minimize conflicts of interest.

      23. In order to increase the efficiency and more detailed work in certain areas of the bank’s activities and based on the selected business model, scale of operations, types and complexity of operations, risk profile, the board of directors of the bank creates special committees under the board of directors of the bank.

      Each committee shall carry out its activities within the framework of a document defining its powers, competence, as well as principles of work, the internal procedure for submitting reports to the board of directors of the bank, the tasks facing the members of the committee and restrictions on the duration of work of members of the board of directors of the bank in the committee. The board of directors of the bank shall provide for periodic rotation of members (with the exception of experts) of such committees in order to avoid concentration of powers and to promote the new views.

      The committees shall keep records of decisions made (minutes of meetings, brief information on the issues discussed, recommendations, if any, as well as special opinions of committee members). The chairman of the committee under the board of directors shall be a member of the board of directors who is not a head or member of the executive body.

      24. As part of the risk management system, committees of the board of directors of the bank shall consider the following issues:

      1) strategic planning;

      2) staff and remuneration;

      3) audit;

      4) risk management;

      5) other issues stipulated by internal documents of the bank.

      The consideration of the list of issues shall be carried out by one or several committees of the board of directors of the bank, with the exception of audit issues considered by a separate committee of the board of directors.

      25. The main requirements for the composition of the audit committee:

      1) the audit committee shall include only members of the board of directors of the bank;

      2) the chairman of the audit committee shall be an independent director of the bank;

      3) the audit committee shall include at least one member of the board of directors of the bank with experience in the field of audit and (or) accounting and financial reporting and (or) risk management.

      26. The audit committee shall be responsible for:

      1) ensuring the development of an internal audit policy, code of ethics for the internal auditor, the provisions of the internal audit unit, internal audit procedures and the management information system in accordance with the requirements established by Chapter 12 of the Rules for further submission for approval by the board of directors of the bank;

      2) interaction with the external auditor on the quality of the information provided on the activities of the bank, consideration of the recommendations of external auditors, monitoring the elimination of identified comments, as well as reviewing the annual financial statements certified by the audit organization for further submission for preliminary approval by the board of directors of the bank;

      3) ensuring the development of policies (procedures) for attracting an external auditor for further submission for approval by the board of directors of the bank, including determining:

      criteria and conditions for the selection of an external auditor;

      payment systems for the audit of financial statements, as well as for the provision of advisory services to the bank on audit matters;

      4) consideration of the amount of payment for the services of an external auditor;

      5) preliminary review of the annual internal audit plan;

      6) preliminary consideration of the results of internal and external audit reports, monitoring the timely implementation by the bank's board of actions to eliminate violations and the implementation of recommendations of internal and external audit, discrepancies activities of the policy of the bank, the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, and international financial reporting standards;

      7) consideration of acts of inspections of the authorized body and opinions of other experts regarding the structure and effectiveness of the overall risk management system and internal morning control at the bank;

      8) consideration of the results of evaluating the effectiveness of internal audit.

      27. The main requirements for the composition of the risk management committee:

      1) the chairman of the risk management committee shall be an independent director of the bank, or the chairman of the board of directors;

      2) the composition shall include at least one member of the bank committee with experience in the field of risk management or internal control.

      28. The Risk Management Committee shall be responsible for:

      1) ensuring the development of a risk appetite strategy, determining the risk profile of a bank;

      2) determination of the size of the aggregated level(s) of the bank’s risk appetite and the bank’s risk appetite levels for each significant type of risk for further submission for approval by the board of directors of the bank;

      3) ensuring the development of a document regulating the basic approaches and principles of ICAAP, taking into account the requirements established by Chapter 5 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;

      4) ensuring the development of a document regulating the basic approaches and principles of the ILAAP, taking into account the requirements established by Chapter 6 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;

      5) ensuring the development of stress testing procedures and stress testing scenarios for further submission for approval by the board of directors of the bank;

      6) ensuring the development of a bank continuity management policy, taking into account the requirements established by Chapter 7 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the bank specified in this subparagraph of the policy;

      7) ensuring the development of a contingency financing plan for further submission to the board of directors of the bank for approval;

      8) ensuring the development of policy of risk management of information technology and information security of the bank to meet the requirements established by Chapter 8 of the Rules, for further submission to the approval of the board of directors of the bank and for monitoring compliance by the bank specified in this subparagraph of the policies (policy);

      9) ensuring the development of a compliance risk management policy, taking into account the requirements established by Chapter 9 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the bank specified in this subparagraph of the policy;

      10) ensuring the development of an internal procedure that shall determine the functioning of the management information system, which ensures that the board of directors of the bank is provided on a regular basis with complete, reliable and timely information about the level of risks taken. The decree described in this subparagraph shall include the criteria, composition, frequency of formation and form of submission to the board of directors of the bank of management information on the level of risks taken by the bank and its subsidiaries, indicating the structural units and bank agencies responsible for the timely preparation and submission of information to the board of directors of the bank. The management reporting forms contain information taking into account the requirements established by Chapters 5, 6, 7, 8 and 9 of the Rules, as well as information:

      according to the results of stress testing and other tools for assessing and identifying the interconnectedness of bank risks among themselves;

      by assessing the impact of risks on the financial condition of the bank, including assessing changes in income and expenses of the bank, assessing the size and sufficiency and equity, identifying the main factors and causes that caused the changes and affecting key performance indicators;

      11) monitoring the observance by the bank board of risk appetite levels;

      12) the availability of internal models and information systems for risk management of the bank, as well as in order to provide complete, reliable and timely financial, regulatory and managerial information;

      13) consideration of the results of assessing the quality and effectiveness of functioning with the risk management and internal control systems, corporate governance in general, aimed at ensuring the protection of the bank and its reputation for further submission for approval by the board of directors of the bank.

      The Risk Management Committee shall regularly receive the data and reports from the risk management unit(s) and other responsible departments on the current risk level of the bank, violations of risk appetite levels and risk mitigation mechanisms.

      29. The main requirements for the composition of the committee on personnel and remuneration:

      1) the chairman of the personnel and remuneration committee shall be an independent member of the board of directors of the bank;

      2) the committee on personnel and remuneration shall include at least one member of the committee with experience in the field of personnel management.

      30. The HR and Remuneration Committee shall be responsible for ensuring the development of:

      1) taking into account the minimization of the conflict of interests, the draft organizational structure of the bank for further approval by the board of directors of the bank;

      2) procedures for managing a conflict of interests and mechanisms for its implementation for further approval by the relevant authority of the bank;

      3) policies for remuneration of labor, accrual of monetary rewards, as well as other types of material incentives for bank executives for further submission for approval by the board of directors of the bank in accordance with the Resolution of the National Bank of the Republic of Kazakhstan dated February 24, 2012 No. 74 “On establishing requirements for internal policy on remuneration, accrual of monetary rewards, as well as other types of material incentives for senior employees of second-tier banks, insurance (reinsurance) organizations and reporting forms of income paid to all executives of commercial banks and insurance (reinsurance) organizations”, registered in the Register of state registration of normative legal acts under the number 7525.

      The amount of remuneration shall directly depend on the ratio of risk to result. Ways to pay remuneration for future income, the timing and probability of which are uncertain, shall be carefully weighed based on accepted qualitative and quantitative indicators. The remuneration system shall provide for the possibility of changing the amount of non-fixed remuneration taking into account all risks, including violation of risk appetite limits, internal procedures or requirements of the authorized body.

      31. The main requirements for the composition of the strategic planning committee are:

      1) the chairman of the strategic planning committee shall be an independent member of the board of directors of the bank;

      2) the composition of the strategic planning committee shall include at least one member of the committee who has experience in one of the following areas:

      development of information technology;

      development and provision of banking services;

      risk management;

      budget planning.

      32. The Strategic Planning Committee shall be responsible for the preliminary review of:

      1) the draft on the strategy of the bank for further submission for approval by the board of directors of the bank, as well as for monitoring the implementation of the strategy and assessing the compliance of the strategy of the bank with the current market and economic situation, risk profile and financial potential, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      2) the draft budget of the bank for the corresponding year for further submission for approval by the board of directors of the bank, as well as for exercising control over its implementation;

      3) the draft of bank profitability management policy for further submission for approval by the board of directors of the bank, as well as monitoring and controlling compliance by the bank and its employees with this policy;

      4) the documents submitted for consideration by the board of directors of the bank containing information on the implementation of the strategy, development plans, achievement of target values ​​of the strategic key indicators of the bank.

      33. The board of the bank shall manage the current activities of the bank in accordance with the selected business model, scale of operations, types and complexity of operations, risk profile, and internal documents approved by the board of directors of the bank. The board of the bank shall be responsible for:

      1) ensuring the implementation of the strategy of the bank, compliance with the procedures, processes and policies approved by the board of directors of the bank;

      2) development of a draft strategy of the bank for further submission for approval by the board of directors of the bank, as well as for monitoring the implementation of the strategy and assessing the compliance of the strategy of the bank with the current market and economic situation, risk profile and financial potential, as well as the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pensions, on the securities market, accounting and financial reporting, credit bureaus and formation of credit records, on debt collection activity, on obligatory deposit insurance, on combating the legalization (laundering) of proceeds of crime and the financing of terrorism, on joint-stock companies;

      3) development of the draft budget of the bank for the corresponding year for further submission for approval by the board of directors of the bank;

      4) development of a draft bank profitability management policy for further submission for approval by the board of directors of the bank, as well as for monitoring compliance with the said policy by the bank and its employees;

      5) development of an internal procedure that defines the communication of the strategy of the bank, policies and other internal documents within 10 (ten) business days from the date of approval and (or) introduction of amendments and additions to the employees of the bank in the areas of activity assigned to it, and monitoring compliance by the bank and its employees with the requirements of the Rules;

      6) development of the personnel policy of the bank for further approval by the board of directors of the bank, as well as for monitoring it in accordance with the strategy, organizational structure, risk profile of the bank, the results achieved and the requirements of the labor, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint stock companies. The personnel policy shall set standards, conditions and mechanisms to ensure the involvement of competent senior employees in banking and ensure:

      the availability of personnel with the necessary experience, qualifications and impeccable business reputation, capable of managing the processes and risks associated with the activities of the bank;

      maintaining sufficient resources for the effective implementation of functions and responsibilities;

      minimization of the conflict of interests in the course of fulfilling their duties;

      minimizing the risk of concentration of powers on one employee;

      the internal procedure for remuneration of employees, including the procedure for paying remuneration, as well as other types of material incentives;

      assessment of the performance of bank employees;

      7) development of a tariff policy for further submission for approval by the board of directors, as well as for monitoring compliance by the bank and its employees with the tariff policy;

      8) development of the bank’s credit policy for further submission to the risk management committee and for approval by the board of directors of the bank;

      9) approval of the plan(s) to ensure continuity and (or) restoration of activities;

      10) providing the board of directors of the bank with the necessary information to monitor and evaluate the quality of the work of the board in accordance with the established internal documents of the bank and the Rules, which shall include:

      achievement by the board of the bank of the goals established in the strategy of the bank, indicating, if any, reasons hindering their achievement;

      compliance of the bank's activities with strategies and policies approved by the board of directors of the bank;

      the results of the bank’s activities and its financial situation, including the stability (volatility) of the bank’s profitability;

      inconsistency of decisions made by the bank with procedures, processes and policies approved by the board of directors of the bank;

      exceeding the approved levels of risk appetite and the reasons for their violation;

      information on the timeliness, completeness and quality of elimination by the bank board of violations and deficiencies identified by the departments for compliance control, risk management, internal control, internal audit, and external audit and the authorized body, as well as the implementation of their recommendations;

      the information on the state of internal control, in terms of the timely detection of incorrect, incomplete or unauthorized operations, deficiencies in activities to ensure the safety of assets, errors in the preparation of financial and regulatory reporting, violations of internal documents of the bank, requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as the elimination of conflicts of interest and internal abuse and fraud, including in relation to executives related to the bank with a special relationship;

      11) development of an internal procedure for considering customer requests arising in the process of providing banking services, as well as for monitoring compliance by the bank with the requirements specified in this subparagraph. The internal procedure for considering customer requests shall take into account the requirements of the legislation of the Republic of Kazakhstan on the procedure for considering applications from individuals and legal entities, banking legislation of the Republic of Kazakhstan and determine:

      record keeping procedures for complaints (statements) of clients, including receiving, initial processing, registration of applications received by the bank, and responses to customer requests;

      the structural unit of the bank, which shall be responsible for conducting clerical work on customer requests;

      procedures for bringing (transferring) received applications to responsible structural units or employees who will be instructed to process and prepare a response to a client’s request;

      terms for timely processing of customer requests and preparation of responses to customer requests;

      internal procedure for interaction between structural units of the bank when considering customer requests and preparing responses to customer requests;

      the internal procedure and procedures for maintaining the classifier of received appeals of bank customers;

      12) development of a procedure and (or) an internal procedure for refusing to carry out high-risk operations, including operations with values ​​created and taken into account in a decentralized information system using cryptography and (or) computer calculations, which are not financial instruments in accordance with the civil legislation of the Republic of Kazakhstan or financial assets that do not contain the right to claim against someone, as well as termination of business relations with a client, are developed taking into account the inherent risk factors.

      The board of the bank shall be responsible for the proper execution of duties delegated to collegial bodies or employees of the bank within the approved organizational structure of the bank.

      34. The board of directors of the bank shall ensure that there is a risk management unit(s) supervised and (or) headed by a head of risk management with sufficient authority, independence and resources, interacting with the board of directors. The risk management unit(s) shall perform, but shall not be limited to, the following functions:

      1) development of a risk management system, including risk management policies and procedures, a risk appetite strategy and determination of risk appetite levels;

      2) identification of significant current and potential risks inherent in the activities of the bank;

      3) risk assessment and determination of the aggregated level(s) of risk appetite;

      4) development of a risk management committee for approval and approval by the board of directors of the bank of risk appetite levels, monitoring compliance with risk appetite levels;

      5) development of early warning systems and triggers aimed at identifying violations of risk appetite levels;

      6) provision of management reporting to the board, the risk management committee and the board of directors of the bank.

      35. The qualifications and professional experience of the head of risk management shall correspond to the chosen business model, the scale of activity, types and complexity of operations, and risk profile. The independence of the head of risk management shall be determined by:

      1) regardless of submission, the head of risk management shall be appointed and release from the post by the board of directors of the bank;

      2) shall have unhindered access to the board of directors of the bank, without the participation of the board;

      3) shall have access to any information necessary to fulfill his duties;

      4) shall not combine the position of the chief operating director, financial director, other similar functions of the bank’s operational activities (except for underwriting, collateral service), the head of the internal audit unit.

      The interaction between the head of risk management and the board of directors and (or) the risk management committee shall be carried out on a regular basis. Information on the decision to release the head of risk management from the post shall be passed to the authorized body. At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for this decision.

      36. Identification, measurement, monitoring and control of risks shall be carried out on an ongoing basis at all levels of the bank's management. Improvement of the risk management and internal control system shall be carried out in accordance with the change in the risk profile of the bank, as well as taking into account changes in the external environment.

      The bank shall identify all significant risks inherent in the bank's activities (including risks on balance sheet and off-balance sheet transactions, by groups, portfolios and certain types of activities of business units). In order to effectively manage significant risks, the board of directors of the bank, the risk management committee and the head of risk management shall regularly assess the risks inherent in the bank’s activities and maintain the relevance of the bank’s risk profile. The risk assessment procedure includes a continuous analysis of current risks, as well as identification of new and potential risks. When assessing risks, the bank shall take into account the degree of concentration of significant risks.

      During identification and measuring risks, both quantitative and qualitative parameters shall be taken into account. The bank shall also consider risks that are difficult to assess, for example, reputational, legal risks.

      In addition to identifying and measuring risk exposure, the risk management unit shall evaluate possible ways to reduce risks and points out the need to reduce the level of risk. In cases where a decision is made to take a risk that exceeds the established risk appetite levels, the head of risk management shall submit a report on such an exception to the board of directors with a proper analysis of the reasons for the excess and subsequently monitors the reduction of the level of accepted risk within the risk management system and level established by it.

      The head of risk management shall inform the board of directors of the bank of the existence of significant discrepancies between the opinion of the risk management unit and the decision of the board of the bank regarding the level of risks taken by the bank.

      Regular reporting on risk issues, including risk management policies and procedures, within the bank shall be a key factor in a high risk management culture. The risk management culture shall facilitate the full exchange of risk information and calls for an open discussion and critical assessment of issues related to risk taking by employees, the board and the board of directors of the bank.

      Significant information on issues related to risks requiring immediate decision-making or urgent measures shall be urgently passed to the board of directors of the bank, the risk management committee and, if necessary, the board of the bank, responsible officials and heads of control units for preventive measures.

      The bank shall exclude the creation of closed groups within separate units that impede the effective exchange of information on risks and lead to decision making by authorized bodies of the bank without taking into account the opinion (expertise) of the bank's units involved. In order to overcome the problems associated with the exchange of information, the board of directors, the management board and units of the bank that exercise control ensure the effectiveness of the internal communications system and, if necessary, make appropriate changes.

      37. The Bank shall ensure the existence of an internal control system that is consistent with the current market situation, strategy, volume of assets, and level of complexity of the bank's operations. The internal control system shall be aimed at achieving the following goals:

      1) ensuring the effectiveness of the bank, including the effectiveness of managing risks, assets and liabilities, ensuring the safety of assets;

      2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users;

      3) ensuring information security;

      4) ensuring that the bank complies with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies, on internal documents of the bank.

      Within the framework of internal control, the examination shall be carried out of the bank's processes for carrying out activities for compliance with internal policies and procedures, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies. The bank shall have reliable internal and external information in order to manage risks, make strategic business decisions and determine the adequacy of equity and liquidity. The board of directors of the bank and the relevant committees of the board of directors of the bank shall make decisions related to the adoption of risks based on high-quality, relevant and reliable data.

      Risk measurement and modeling methods shall be used in addition to qualitative risk analysis and monitoring. The head of risk management shall inform the board of directors of the bank and the risk management committee about the methods used and potential shortcomings of risk management models and analytical approaches in the bank.

Chapter 5. Internal Capital Adequacy Assessment Process

      38. The board of directors of the bank shall approve an internal document of the bank that regulates the main approaches and principles of the ICAAP and contains the following sections:

      1) description of the organizational structure of ICAAP;

      2) description of the risk appetite strategy;

      3) organization of credit, market, operational risk management within the framework of ICAAP;

      4) organization of stress testing procedures;

      5) organization of risk management procedures in the framework of new products and activities;

      6) organization of self-assessment procedures for the internal capital adequacy assessment process.

      39. ICAAP shall be an integral part of the management of the bank and is created to:

      1) the identification, assessment, aggregation and control of significant types of risk inherent in the activities of the bank, in order to determine the necessary level of capital sufficient to cover them, including:

      credit risk;

      market risk;

      operational risk;

      as well as other risks to which the bank is exposed;

      2) capital planning, based on the strategy of the bank, the results of a comprehensive assessment of significant risks, stress testing of the bank’s financial stability in relation to internal and external risk factors, as well as requirements for the bank’s own capital adequacy established by Article 42 of the Law on Banking Activities.

      40. The description of the organizational structure of the ICAAP shall contain a list of participants in the ICAAP indicating the responsibility of the collegial bodies of the bank and the units involved in the implementation of capital adequacy management processes, including:

      1) the board of directors of the bank shall be responsible for managing capital adequacy for risk management and determining the level(s) of risk appetite. The board of directors of the bank shall approve the ICAAP compliance report, including information on maintaining the required level of capital adequacy;

      2) the risk management committee shall be responsible for developing risk management policies and procedures in the field of capital management within the risk appetite level established by the board of directors of the bank. The Risk Management Committee periodically shall notify the board of directors of the bank of significant changes in the level of capital;

      3) the unit(s) of the entity that is entrusted with the functions of internal control shall carry out verification of compliance with the ICAAP procedures and brings the results to the attention of the board of directors of the bank;

      4) the unit(s) participating in the risk management process is (are) responsible for the implementation of the capital adequacy management process and shall be responsible for preparing a report on compliance with the ICAAP and conducting stress testing;

      5) the unit responsible for budget development and planning shall carry out investment planning and budget development in all areas of the bank's activities;

      6) the money management unit(s) shall develop and implement measures to increase the level of capitalization and develops a financing plan in case of unforeseen circumstances together with the concerned units;

      7) the internal audit unit shall evaluate the effectiveness of the ICAAP.

      As part of the ICAAP, the board of directors of the bank shall be responsible for complying with the approved risk appetite strategy developed in accordance with Chapter 3 of the Rules.

      41. The bank shall ensure the existence of an effective credit risk management system that meets the current market situation, strategy, volume of assets, the level of complexity of the bank’s operations and ensures the effective identification, measurement, monitoring and control of the bank’s credit risk in order to ensure that its own capital is sufficient to cover it, and including, but not limited to, the following components:

      1) the internal procedure for transactions in which credit risk is inherent and the adoption of relevant decisions;

      2) credit administration procedures;

      3) credit risk assessment procedures;

      4) credit monitoring;

      5) collateral management;

      6) troubled loan management;

      7) assessment of the effectiveness of the credit risk management system.

      42. As part of the credit risk management system, the bank shall be guided by the following principles and requirements:

      1) the board of directors and the bank risk management committee shall ensure:

      maintaining a sufficient level of provisions;

      the control over the credit risk assessment process, which provides the following:

      taking the necessary measures to ensure the completeness and reliability of information in order to make decisions;

      compliance with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on accounting and financial reporting, credit bureaus and the formation of credit records, internal policies and procedures for credit risk management;

      taking measures to ensure complete and reliable management, regulatory and financial reporting;

      the existence of a loan assessment procedure independent of business units;

      approval of an adequate system for classifying assets by credit risk level, based on the use of this available information in the process of evaluating loans;

      the availability of detailed and fully regulated procedures for interaction between participants in the credit risk management process;

      building an effective internal control system, including an assessment of the compliance of the level of provisions with expected losses within the framework of the approved methodology for the formation of provisions and the internal process for assessing capital adequacy;

      2) the bank shall carry out lending activities and credit risk management within the framework of the approved credit policy, which includes, but not limited to, the following:

      main areas of credit activities of the bank;

      participants in the lending process and their areas of responsibility;

      the internal procedure for making credit decisions, including the procedure for considering and approving loans, including with respect to lending to persons with a special relationship with the bank, credit limits in order to limit the concentration of credit risk;

      borrower credit analysis procedure.

      In the event that the total amount of loans granted and assumed contingent liabilities to an individual exceeds 0.01 (zero point one hundredth) percent of the bank's own capital, the amount of which is above 100 (one hundred) billion KZT, or exceeds 0.02 (point zero two hundredths) of a percent of the bank’s own capital, the amount of which is up to 100 (one hundred) billion KZT, the bank shall carry out a credit analysis based on the following information and taking into account the following factors (but not limited to):

      the availability of a constant and sufficient income of the borrower;

      the availability of real estate and other property;

      the presence of loan debt, including to other lenders;

      debt load;

      payment discipline (credit record) on loans;

      borrower rating in scoring systems of the bank (if any);

      the presence of a different debt;

      other sources of debt repayment to the bank;

      balances and operations on bank accounts;

      information on education and employment (field of activity);

      socio-demographic characteristics;

      information about the intended use of money;

      additional information about the income of the borrower.

      If the total amount of loans granted and conditional obligations to an individual does not exceed 0.01 (zero point one hundredth) percent of the bank’s own capital, the amount of which is above 100 (one hundred) billion KZT, or more than 0.02 point zero two hundredths) percent of the bank’s own capital, the amount of which is up to 100 (one hundred) billion KZT, the bank shall carry out a credit analysis based on the following information and taking into account the following factors (but not limited to):

      the availability of a constant and sufficient income of the borrower;

      the presence of loan debt, including to other lenders;

      debt load;

      payment discipline (credit record) on loans;

      borrower rating in speedy systems of the bank (if any);

      other sources of debt repayment to the bank;

      balances and operations on bank accounts;

      information about education and employment;

      socio-demographic characteristics;

      information about the intended use of money (if any).

      If the total amount of loans and contingent liabilities granted to a legal entity exceeds 0.1 (zero point one tenth) percent of the bank’s own capital, the amount of which is above 100 (one hundred) billion KZT, or exceeds 0.2 (point zero one tenth) of the bank’s own capital, the amount of which is up to 100 (one hundred) billion KZT, the bank shall carry out a credit analysis based on the following information and taking into account the following factors (but not limited to):

      analysis of financial statements and the main financial ratios of corporate borrowers (profitability, ratio of own and borrowed funds, cash flow plan) and income level;

      the presence of loan debt, including to other loans;

      payment discipline (credit record) on loans;

      level of liquid assets;

      debt load;

      other sources of debt repayment to the bank;

      forecast free cash flows;

      assessment of the external environment of the borrower (the state of the economy, industry, development prospects, diversification of production and sales markets, and characteristics of the borrower's operational activities, such as the market share of the borrower in the relevant market, positioning of the borrower's product, geography of operations, business cycles, changes in consumer preferences, changes in technology, barriers to entry into the economy and other factors affecting the company's ability to generate revenue and maintain prices);

      assessment of management quality (experience, competence, business reputation);

      assessment of the owners of the borrower;

      evidence of involvement in litigation;

      inclusion in the list of unreliable taxpayers.

      If the total amount of loans and contingent liabilities granted to a legal entity does not exceed 0.1 (zero point one tenth) percent of the bank’s own capital, the amount of which is above 100 (one hundred) billion KZT, or exceeds 0.2 (point zero one tenth) of the bank’s own capital, the amount of which is up to 100 (one hundred) billion KZT, the bank shall carry out a credit analysis based on the following information and taking into account the following factors (but not limited to):

      the availability of a constant and sufficient income of the borrower;

      the availability of loan debt, including to other lenders;

      payment discipline (credit record) on loans;

      debt load;

      other sources of debt repayment to the bank;

      development prospects of the relevant industry.

      Depending on the lending industry and the type of borrower, the set of quantitative and qualitative indicators may vary.

      In relation to individuals and legal entities, the credit policy shall determine cases (issuance of bank guarantees, letters of credit, bank guarantees issued under bank counter-guarantees, as well as loans secured by highly liquid assets) in which the borrower's repayment ability analysis is not applied. For banks that are subsidiaries of non-resident banks of the Republic of Kazakhstan with a long-term credit rating in foreign currency of at least “A-” according to the international scale of Standard & Poor's or a rating of a similar level from one of the other rating agencies, it shall be allowed to use a solvency analysis at the parental level organization of the borrower or the organization, including the borrower's consolidated financial statements conducted by the parent bank or affiliated to the face of the bank, When the condition that the analysis carried out not later than 12 months from the date of application of the borrower;

      the internal procedure for making credit decisions in relation to loan restructuring in connection with the financial difficulties of the borrower, which is based on the principles of soundness, appropriateness and independence in deciding on restructuring and includes a description of cases and conditions of loan restructuring. In this case, the bank shall determine the following cases of changes in the terms of the bank loan agreement in connection with the financial difficulties of the borrower as restructuring:

      changing the schedule of loan payments, including the subsequent provision or extension of the grace period for loan payments to repay the main debt and (or) interest;

      subsequent extension of the loan term;

      deferral of one or more loan payments in aggregate for a period of more than 30 (thirty) calendar days;

      remission of part of the main debt and (or) interest on the loan;

      capitalization of overdue aggregate more than 30 (thirty) calendar days of interest payments;

      change (conversion) of the currency of the loan from one currency to another with the capitalization of overdue debts on interest and (or) fixing the exchange rate on loans in foreign currency;

      the provision of a new loan to pay overdue debt on a loan at a bank, including other financial organizations;

      an increase in the credit limit if there is a total of more than thirty (30) calendar days overdue loan debt;

      reduction of the interest rate on the loan, with the exception of changing the size of the base indicator for a loan with a floating interest rate;

      Decrease in loan debt as a result of e repayment of the debt due to the transferred collateral property of the borrower.

      The bank decides on the restructuring of loans for borrowers with financial difficulties, taking into account the availability of prospects for loan repayment after restructuring.

      Decision on the restructuring of loans (for borrowers and (or) a group of interconnected borrowers with financial difficulties, total debt, including contingent liabilities, which exceeds 1 (one) percent of the bank’s own capital, the size of which is above 100 (one hundred) billion KZT, or 2 (two) percent of the bank’s own capital, the amount of which is up to 100 (one hundred) billion KZT), shall be adopted by the board of the bank or an authorized collegial body of the bank, which includes the chairman of the board of the bank. Information on decisions taken on a quarterly basis is sent to members of the board of directors of the bank;

      acceptable methods of credit risk management, taking into account (but not limited to) the following factors:

      own knowledge and experience in using the method;

      economic efficiency;

      type of borrower and (or) counterparties, their financial condition;

      the complexity and degree of risk inherent in a particular type of lending;

      3) the bank shall carry out lending activities in accordance with internal documents governing transactions that are inherent to credit risk, which includes, but is not limited to, the following:

      conditions for granting loans to individuals and legal entities (including executives connected with the bank by special relations and bank employees) for each type of lending, including requirements for potential borrowers and (or) counterparties;

      requirements for information of the borrower and (or) counterparty, including financial and other information necessary for making a decision on granting a loan;

      the internal corporate lending procedure, which includes an analysis of the lending sector, the borrower's credit record, and also a rating system based on quantitative and qualitative factors that allow for a detailed assessment of the quality of loans;

      the methodology of credit scoring or analysis of the solvency and repayment ability of the borrower, based on quantitative and qualitative characteristics, and the internal procedure for its use;

      establishing a minimum acceptable rating level (if any) at which a loan is issued;

      internal procedures and procedures for approval, confirmation, analyzing and monitoring deviations from credit policies, standards, procedures, limits;

      setting credit limits and (or) interest rates on loans taking into account the analysis of borrowers, including taking into account, if available, ratings and (or) scoring of borrowers. Credit limits, including for unsecured loans, shall be set by currency, industry, categories of borrowers (counterparties) (financial institutions, corporate, retail lending), products, groups of related parties and per borrower;

      the internal procedure for consideration, approval of applications for the issuance of loans, decision-making on the issuance (refusal to issue), including with respect to lending to executives related to the bank with special relations;

      internal procedure for collateral defining:

      types of collateral and eligibility criteria;

      requirements for collateral structure;

      limits on types of collateral;

      the share of highly liquid collateral in the general structure of collateral, a coefficient characterizing the ratio of the loan amount to the value of the collateral;

      procedures ensuring the validity of collateral;

      rapid assessment of the adequacy of collateral, taking into account changes in the performance of the borrower, cost and security of collateral, including its exposure to other circumstances that significantly affect its assessment;

      procedures for the sale of collateral, including deadlines for the sale;

      objectivity (adequacy) of the assessment of the value of collateral on the part of appraisers.

      When deciding on the issuance of a loan, the pledge of which is real estate, the bank shall consider the results of the assessment. In the event that the market value, determined as of the last valuation date by the appraiser, is more than 100,000 (one hundred thousand) monthly calculation indices, the bank shall provide assessment of pledges (at least 1 (one) time per year) by an appraiser.

      Assessment of decisions made for compliance with the established internal order shall be carried out in accordance with the requirements of Chapter 11 of the Rules. In case of deviations from the established internal procedure, the concerned departments shall bring the information about the revealed deviations to the board of directors of the bank. In order to eliminate significant deviations in the bank’s activities, the board of directors shall establish restrictions on the volume (amount of the loan) and (or) on the number of deviations and exercises control over compliance with the established restrictions;

      4) the availability of an adequate rating model and (or) scoring system.

      The board of directors of the bank shall determine the responsible departments for the development of the rating model and (or) scoring system, their implementation, application and monitoring of their functioning. The rating model and (or) scoring system contain a description of each level of credit risk and the conditions for their assignment. In the process of assigning a borrower credit rating and/or scoring point, the bank shall take into account the financial condition of the borrower(s) and other available information on the borrower.

      When assigning a borrower credit rating and (or) a scoring point, the bank shall be guided by up-to-date available information on factors affecting the borrower’s future repayment ability and solvency.

      The credit rating assigned to legal entities is subject to periodic monitoring for relevance. The frequency of revision increases if there is negative information that carries the risk of deterioration of the financial condition of the borrower and (or) the inability to repay obligations to the bank and other available information;

      5) the availability of an adequate system for classifying assets by credit risk level.

      As part of a system for classifying assets by credit risk level, the bank shall implement and use integrated procedures and information systems (in the absence of software) to monitor the quality of the loan portfolio. Procedures and information systems shall include criteria that identify and determine problem loans and ensure proper control.

      A system for classifying assets by credit risk level shall provide the information for the board of directors, committees under the board of directors, management board, other units of the bank involved in the process of managing credit risk and allows to assess the level of credit risk of the bank, both in general and in terms of each asset.

      The system for classifying assets by credit risk level shall be based on a detailed analysis of all assets (except for receivables and non-core activities in an amount not exceeding 2 (two) percent of the bank’s equity), which are inherent in credit risk.

      A detailed analysis of assets shall include an assessment of:

      the probability of default on the obligations of the borrower and (or) the counterparty (PD);

      the amount of losses in the event of default by the borrower and (or) counterparty (LGD);

      amount of obligations subject to default (EAD);

      the period during which the risk position is maintained;

      the cost of collateral and the possibility of its implementation;

      business environment and economic conditions.

      The classification of assets (with the exception of accounts receivable for non-core activities in an amount not exceeding 2 (two) percent of the bank’s equity), which is inherent to credit risk, shall be carried out on the basis of at least 5 (five) categories and provide:

      reliable assessment of capital adequacy in the framework of ICAAP;

      the necessary level of provisions to cover the expected losses.

      Assets for which there is overdue principal debt and (or) accrued interest for a period of more than 90 (ninety) calendar days shall be classified in the worst categories, if there are no good and reasonable grounds for classification into a higher category.

      Assets for which there is overdue principal debt and (or) accrued interest for a period of less than 90 (ninety) calendar days shall be classified in the worst category if there are other factors of insolvency of the borrower determined by internal documents;

      6) existence of a policy for managing distressed assets.

      The board of directors of the bank shall approve a distressed asset management policy that includes:

      identification of distressed assets;

      methods for managing troubled assets (restructuring, selling, writing off, withdrawing collateral, bankruptcy, etc.);

      limits for troubled assets (by portfolio) and the timing of the implementation of the approved methods for managing troubled assets to bring the established limits in violation of them;

      quantitative and qualitative parameters of early response to the risk of an increase in the volume of distressed assets;

      a list of interested departments and the internal order of their interaction when working with distressed assets;

      internal procedure for the provision of management reporting to the board of directors on losses outside distressed assets;

      assessment procedures used by the bank for problem asset management methods;

      7) the availability of a reliable methodology for the formation of provisions.

      In order to ensure the adequacy of the formed provisions to cover the expected losses, the bank shall annually (if more often if necessary) analyze the methodology for creating provisions by:

      determining the conformity of provisions calculated in accordance with the requirements of the provisions formation methodology to the actual amounts of losses;

      analysis of current market conditions, changes in macroeconomic indicators;

      validation of the provisioning methodology.

      When forming provisions for collective loans, the bank analyzes historical data covering the necessary period of time and most correctly reflects the credit losses of the bank. At the same time, historical data are supplemented by an analysis of the current market and economic situation.

      If the provisioning methodology indicates the absence of signs of increasing credit risk for loans, the provisions for which are formed on an individual basis, such loans are subject to collective credit risk assessment;

      8) the existence of a validation procedure for credit risk assessment models.

      In order to ensure the adequacy of credit risk assessment using models, the bank regulates the processes of validation, back testing, and acceptable levels of deviations from the planned level of risks. In case of deviation from the planned level of risks, the bank develops a plan of corrective measures.

      Validation shall be carried out using one or more of the following methods:

      checking the discriminatory ability of the model;

      assessment of the predicted accuracy of the model;

      ranking migration analysis;

      comparative analysis of ratings.

      Validation shall be carried out at least 1 (one) time in 4 (four) years. The frequency of validation depends on the current market situation, strategy, volume of assets, and the level of complexity of the bank's operations, increases in the event of significant changes in the economy or in the internal processes of bank lending. Validation results shall be presented to the risk management committee;

      9) the use of adequate and reasonable expert assessments in assessing credit risk.

      In situations where the use of expert judgment is necessary, the bank shall provide:

      the regulated process of applying expert assessments, indicating the limits for the use of such assessments;

      a sufficient level of competence of workers conducting an expert assessment;

      uniform approach in applying expert judgment. Under the same conditions, expert assessments shall not have significant deviations;

      expert judgment shall be based on reasonable and documented assumptions, with appropriate care.

      The application of expert estimates by the bank, taking into account historical data, shall be supplemented by an analysis of the current market and economic situation, in particular (as applicable):

      changes in the processes of granting loans, standards and decision-making practices, returns, write-offs;

      changes in external and internal economic factors, the business environment, taking into account the dynamics;

      changes in the level of non-performing and restructured loans;

      the emergence of new market segments and products;

      changes in concentration of credit risk;

      10) the availability of the necessary tools, including a set of data storage tools, providing complete and reliable information about loans (including receivables and contingent liabilities), as well as other transactions inherent to credit risk, which allow to correctly assess the level of credit risk.

      The bank administers credit in accordance with procedures that include, but are not limited to:

      checking compliance of the submitted loan documents with the conditions for granting loans;

      checking compliance of loan agreements with decisions made;

      formation and maintenance of credit of the final dossier.

      It is acceptable to create a credit dossier (part of a credit dossier) in electronic form. The credit dossier shall contain (including, but not limited to):

      borrower identification documents:

      this group shall include documents proving the identity of an individual, documents related to the formation of a legal entity (with the disclosure of ultimate owners-individuals owning directly or indirectly ten or more percent of shares or interests, with the exception of cases established by paragraph 3 of Article 8 -1 of the Law on Banks), confirmation of his legal personality, as well as documents confirming the authority of persons acting on behalf of the borrower and authorized to sign credit and collateral documentation on behalf of the borrower.

      Documentation related to the definition of the intended use (excluding overdrafts, consumer loans without confirmation of the intended use with a total amount of less than 0.2 (zero point two) percent of the bank’s equity and loans for working capital replenishment with a total amount of less than 0.2 (zero point two percent) of the bank’s equity, syndicated loans with the participation of non-resident banks of the Republic of Kazakhstan):

      this group shall include documents and information on a transaction for the purpose of which financing is requested (including the initial objectives of financing in the event of restructuring and (or) refinancing), including for large borrowers:

      documents confirming the purpose of using the loan, including for legal entities - supply, purchase and sale contracts, foreign trade contracts;

      for a legal entity, the amount of loans and contingent liabilities for which exceeds, for banks which equity capital exceeds 100 (one hundred) billion KZT - 0.1 (zero point one per tenth) percent of the bank’s equity, for banks, equity of which does not exceed 100 (one hundred) billion KZT - 0.2 (zero point two percent) of the bank’s own capital - a feasibility study on the issuance of a loan, characterizing the payback period and level of profitability of the credited transaction, or a business plan for the borrower, which reflects information on the description of activities indicating the purposes of using the loan, markets and the marketing strategy of the borrower, risk assessment and management, detailed financial plan by year (financial indicators of the business plan implementation by year, sources and amount of financing of the business plan and repayment of a loan), an estimate of income (expenses) (for loans related to investment objectives, start-up projects or loans, the main source of repayment of which is planned for the proceeds from the sale of goods and (or) services  purchased from credit funds).

      For the purposes of this paragraph:

      loan for working capital replenishment shall be understood as a loan granted to finance current production processes;

      Consumer credit shall be understood as a loan granted to an individual or self-employed entrepreneur without forming a legal entity and meeting the following criteria:

      the issuance of a loan is not related to the purpose of financing business activities and it is assumed that the loan will not be used by the borrower to carry out business activities;

      the loan is planned to be used for the purchase of durable goods (residential real estate, automobiles, household appliances, furniture, etc.) and (or) payment for various services (educational, tourist, medical, repair and construction, etc.) and (or) other purchases and goals (refinancing a loan at another bank (in case the previously received loan is related to consumer goals), mobile phones, foodstuffs, etc.);

      the loan recipient has a constant source of income (salaries, pensions, benefits, dividends from securities, income from the rental of real estate and other income), objectively allowing him to service obligations to the bank on the loan received, confirmed in the manner determined by the bank’s internal documents.

      Documents required for analyzing the financial condition of the client and the quality of collateral:

      this group of documents includes all documents on the basis of which an analysis of the financial condition of the borrower shall be carried out and reflecting the main economic indicators of the borrower, as well as documents confirming the availability, quality, size of the accepted security.

      Documentation required for credit monitoring. This group includes documentation generated by the bank's departments in the course of a loan or necessary to confirm periodic credit monitoring, as well as the procedure for updating information about borrowers (counterparties) for credit risk management purposes;

      11) the availability and functioning of the management information system.

      The bank shall develop management reporting forms that include, but are not limited to, the following information:

      about the loan portfolio and its quality, presented, including in the dynamics of its changes;

      on the amount (level) of exposure to credit risk, including but not limited to assessing the approximation of total exposure to the limits established by the bank for various types of loans (prelimit approach);

      about exposure to credit risk in relation to a group of related borrowers and the dynamics of its change;

      on the concentration of credit risk of the largest borrowers (counterparties) and borrowers (counterparties) related to the bank by special relations, including with the bank's shareholders and the dynamics of its change;

      on the internal ratings of borrowers (counterparties) and the dynamics of their changes, on monitoring the quality of loans according to ratings of borrowers (counterparties) and its frequency;

      the amount of provisions and the assessment of the adequacy of provisions;

      on restructured, refinanced and problem loans;

      on monitoring and control over compliance with limits;

      deviations from policies and limits.

      43. The board of directors shall ensure the existence of a market risk management system that is consistent with the current market situation, development strategy, assets and the level of complexity of the bank’s operations and ensure the effective identification, measurement, monitoring and control of the bank’s market risk, as well as defines a strategy for hedging market risk with the purpose of ensuring the adequacy of equity to cover it.

      The market risk management system shall be integrated into the bank's internal risk management processes, and its results shall be an integral part of the process of monitoring and controlling the level and profile of its market risk, as well as the decision-making process in the implementation of the bank's current activities. Market risk assessment results shall be taken into account in the process of developing a bank development strategy.

      Market risk management shall be carried out on the basis of managing the position of assets and liabilities, forming the value of financial instruments with a positive interest margin and expected profitability, managing an open foreign exchange position, constantly monitoring market risks and monitoring established risk appetite levels for relevant operations.

      The market risk management system shall include the management of securities portfolios and control of open positions in currencies, interest rates, and derivative financial instruments.

      44. In the process of market risk management, the bank shall determine:

      1) the organizational structure of the bank involved in the process of market risk management, including the internal order of subordination and reporting;

      2) the structure of the trading and banking books, as well as the procedures for dividing instruments into instruments of the trading and banking books.

      The trading book shall be a part of a bank’s financial portfolio that presents financial instruments purchased and sold to support trading operations, generate income in the form of the difference between the purchase and sale prices, and hedge the bank’s operations from various types of risk. Trading book positions shall be regularly reevaluated. All other operations shall relate to the bank book;

      3) assets (liabilities) sensitive to changes in interest rates;

      4) ways, methods and models for assessing market risk;

      5) risk orientation, bank approaches to establishing and monitoring risk appetite levels and risk minimization methods.

      45. The functioning of the market risk management system shall be based on the following main components, but is not limited to:

      1) approval and periodic analysis of the bank’s investment strategy, the formation of the optimal structure of assets and liabilities taking into account the specific risk profile of the bank, the level of adequacy of the bank’s equity and liquidity to cover significant market risk.

      The investment strategy shall meet the following basic principles:

      the content corresponds to the general strategy of the bank in terms of goals, directions and terms of implementation;

      the relationship between the tactical and strategic processes of managing the investment activity of the bank;

      maximum profit, ensuring the growth of a high-quality investment portfolio, maintaining a sufficient level of liquid assets in the overall structure of the bank's assets;

      formation of the structure of assets and liabilities taking into account the fulfillment of requirements, methods and procedures for managing market risk;

      2) approval of the procedure for identifying, assessing, monitoring, controlling market risks, taking into account all areas of the bank's business that are inherent in market risk (banking and trading books, balance sheet and off-balance sheet transactions), as well as hedging methods for these risks.

      The bank shall develop a market risk management process that includes, but is not limited to:

      participants in the market risk management process, their authority and responsibility with a clear definition of the accountability structure, as well as the internal procedure for the exchange of information;

      a list of foreign currencies, financial instruments with which it is allowed to carry out operations, indicating the purpose of their use, as well as internal requirements and criteria for financial instruments, including the volume, composition and conditions;

      internal procedures and procedures for identifying, measuring, monitoring and controlling the level of market risk.

      Procedures for identifying, measuring, monitoring and controlling market risk shall:

      cover all types of assets, liabilities, off-balance sheet positions;

      cover all types of market risk and their sources;

      allow regular assessment and monitoring of changes in factors affecting the level of market risk, including rates, prices and other market conditions;

      allow timely identification of market risk and take measures in response to adverse changes in market conditions.

      In order to assess the accepted level of market risk, the bank shall use models that are consistent with the development strategy, the volume of assets and the level of complexity of the bank's operations.

      In relation to financial instruments denominated in foreign currency that are sensitive to changes in interest rates, the total amount of which exceeds 5 (five) percent of the volume of assets (liabilities), the bank shall measure interest rate risk separately for each of the foreign currencies. Assumptions made as part of the methodology for assessing interest rate risk shall be documented in the relevant internal documents of the bank.

      The bank shall periodically conduct a sensitivity analysis for each type of market risk inherent in the bank's business. The sensitivity analysis shows the impact on the bank's profit (loss) and equity of possible changes in variable risk factors.

      The bank periodically shall carry out back-testing of market risk assessment models. The bank shall conduct back testing to verify the reliability and effectiveness of market risk assessment models and, if necessary, improve them. Back-testing results with suggestions, if necessary, to improve market risk management procedures, shall be sent to the risk management committee and the board of directors of the bank.

      The bank shall regularly monitor the level of market risk in order to prevent the possibility of exceeding the established risk appetite levels. The frequency of monitoring market risk is determined by the bank based on its degree of materiality for the respective direction of the bank.

      The information obtained during the monitoring of market risk about a significant change in the level of risk is promptly shall be brought to the information of the board of directors and the bank’s risk management committee to make the necessary decisions.

      In order to minimize market risk, the bank shall establish:

      levels of risk appetite for currency, price and interest rate risks in accordance with Chapter 3 of the Rules;

      constant monitoring of compliance with established levels of risk appetite;

      procedures for immediately informing the board of directors, the risk management committee, the board of the bank and other interested structural units about the achievement of limit values ​​and (or) violations of the established risk appetite levels;

      measures to reduce market risk taken when risk appetite levels are reached;

      3) market risk management procedures for:

      changing the structure of financial instruments, their quantitative and cost indicators;

      development and implementation of new technologies and conditions for banking operations and other transactions, other financial innovations and technologies;

      when entering new markets;

      4) methods and criteria for hedging risks, including establishing criteria for the effectiveness (optimality) and cost of hedging.

      The bank shall develop and implement a hedging strategy for each type of market risk, which contains:

      hedged items;

      a description of the hedging instruments used (use of instruments of the stock exchange and over-the-counter market taking into account the assessment of the counterparty's reliability, terms of hedging instruments);

      internal procedure for determining the required liquidity level for the opening of hedging instruments;

      Description of the procedure and methods for evaluating hedge effectiveness.

      A hedge is considered effective if the change in fair value or cash flow for the hedged item is fully compensated for by the change in fair value or cash flow for the hedging instrument. Hedging shall be carried out in relation to a specific identifiable risk, and not the general risks of the bank;

      5) the internal procedure and procedures for monitoring bank profitability from the use of financial instruments;

      6) procedures for conducting stress testing to assess market risk, including the internal procedure for using their results as part of the risk management process.

      The bank shall conduct stress testing of market risks on a periodic basis in order to identify the level of potential market risks inherent in the bank’s activities and assess the bank’s ability to withstand changes.

      The frequency of stress testing, procedures and methods of conducting shall be established in the relevant internal documents of the bank. The frequency of stress testing will be determined based on the level of exposure of the bank to market risk, the volatility of capital markets and other external factors. The frequency of stress testing is increased in cases of significant changes in external factors.

      When conducting stress testing, the following scenarios shall be used:

      historical;

      providing for changes in foreign exchange rates and (or) precious metals at open positions of the bank;

      providing for change in the market value of financial instruments;

      providing for changes in the general level of interest rates, scenarios for the growth or decrease in the yield of financial instruments sensitive to changes in interest rates;

      providing for changes in profitability;

      providing for a change in the relationship between interest rates on resources attracted and placed by the bank;

      providing for a change in the degree of volatility of market interest rates;

      providing for sharp deterioration of key market, financial and (or) other factors and conditions of the bank.

      The bank shall use the methodology, stress testing scenarios that are appropriate for its business structure and the profile of risks taken.

      The results of stress testing shall be presented to the board of directors, the committee on risk management and the board of the bank and other interested structural units of the bank on a periodic basis. If the results of stress testing indicate the bank's vulnerability to certain risk factors, the bank shall apply measures to reduce the level of accepted risk;

      7) a system of indicators for early detection of exposure to market risk, including one based on prelimit approach;

      8) procedures for amending internal documents and procedures of the bank in the event of changes in market conditions affecting the level of exposure of the bank to market risk;

      9) approval of the internal order of the system of high-quality, detailed, periodic management information that allows timely and fully assessing the level of exposure to market risk, approaching the established levels of risk appetite and timely responding to changes.

      The bank shall provide an effective management information system designed to provide the board of directors of the bank, the risk management committee and other interested structural units of the bank with information about the bank's exposure to market risk.

      Management information shall include, but is not limited to, the following:

      information on the current state of interest rates, exchange rates, market quotes and their dynamics;

      information on significant open positions by currencies and financial instruments;

      information on the level of interest rate risk for aggregated positions in financial instruments sensitive to changes in interest rates;

      information on compliance of positions on financial instruments sensitive to changes in interest rates with established limits;

      market warning early warning indicators;

      expert estimates on changes in interest rates, exchange rates, price indices in the future;

      market risk measurement results;

      10) the existence of an internal procedure for taking measures to reduce market risk;

      11) the existence of procedures for assessing the fair value of financial instruments based on market information.

      46. ​​The board of directors shall ensure the existence of an operational risk management system that is fully integrated into the overall risk management process of the bank at all levels of the bank's organizational structure and in newly created products, activities, processes and systems, and ensures the effective identification, measurement, monitoring and control of operational risk of the bank in order to ensure the adequacy of equity to cover it. The operational risk management system shall include, but is not limited to, the following:

      1) a detailed description of the interaction between all participants involved in the operational risk management process, including the internal order of accountability.

      The bank shall determine the participants in the operational risk management process based on 3 (three) lines of defense.

      The first line of defense is provided by the structural units of the bank. This means that the heads of structural units are responsible for identifying, measuring, monitoring and controlling operational risk inherent in their activities, including those related to personnel, products, processes and systems. Based on the current market situation, strategy, volume of assets, the level of complexity of the bank’s operations, to ensure the effective functioning of the operational risk management system in the first line of defense, risk coordinators for operational risk are appointed in the bank’s structural units, the internal procedure for their interaction with the management units is determined operational risk and internal audit.

      The second line of defense shall be provided by an independent operational risk management unit.

      The third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the bank's operational risk management system;

      2) a description of operational risk measurement tools;

      3) the internal procedure for establishing the operational risk appetite risk level;

      4) the internal procedure for the exchange of information and the base of internal events of operational risk;

      5) a system for classifying operational risk events to ensure accuracy in identifying risk;

      6) analysis of operational risk and the corresponding revision of the operational risk management policy in the event of a significant change in the level and types of operational risk of the bank.

      47. In order to build an effective operational risk management system, the board of directors shall be responsible for:

      1) approval of the operational risk management policy, which includes, but is not limited to, the following components:

      goals and objectives of operational risk management;

      basic principles of operational risk management;

      classification of types of operational risk events;

      level of risk appetite for operational risk of the bank;

      identification of participants in the operational risk management process based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;

      determination of the internal order and procedures for identifying, measuring, monitoring and controlling operational risk, including:

      definition of key indicators of operational risk;

      definition of procedures and mechanisms for managing operational risk;

      internal procedure for the exchange of information between participants in the operational risk management process along 3 (three) lines of protection, including types, forms and terms of information submission;

      procedures for the approval, confirmation, analysis and monitoring of deviations from policies, procedures, limits;

      the internal procedure and procedures for approving new products, activities, processes and systems and/or making significant changes to existing products, activities, processes and systems;

      requirements for amendments to internal documents and procedures in cases of detection of deficiencies in the management of operational risk and (or) the occurrence of conditions affecting the bank's level of exposure to operational risk;

      2) the formation of a risk culture of operational risk management;

      3) regular analysis of the operational risk management system in order to ensure timely identification and management of operational risk caused by changes in external factors, as well as operational risks associated with new products, activities, processes or systems, including changes in the level and types of risk;

      4) ensuring the appropriate conditions for the application of best operational risk management practices;

      5) approval and control of risk appetite levels in relation to operational risk with regular review. In the process of analyzing the relevance of risk appetite levels, changes in external factors are taken into account, a significant increase in the volume of a bank’s operations, including for certain types of activities, the results of audits of the internal control system (if any), the effectiveness of the operational risk management or risk reduction system, and the volume of incurred losses, as well as the frequency, extent and nature of violations of established levels of risk appetite.

      48. The bank identifies, measures, monitors and controls operational risk through the following (but not limited to):

      1) the use of audit results.

      The results of audits shall be an additional source of information in the process of managing operational risk of a bank;

      2) collection and analysis of internal data on operational risk events.

      The collection and analysis of internal data on operational risk events (maintaining a database of operational risk events) is a process that allows one to assess the exposure to operational risk and the effectiveness of internal control based on information on operating losses.

      Analysis of the occurrence of losses gives an idea of ​​the causes of large losses and information on whether the failures in the control system are episodic or systemic;

      3) analysis of external events on operational risks.

      The external data on operational risk events include (if any) the total operating losses, terms, data on coverage of losses, as well as relevant incidental information on cases of losses in other banks;

      4) conducting a self-assessment of operational risk.

      A tool through which a bank identifies and evaluates operational risks inherent in bank processes and evaluates their impact on processes and the effectiveness of existing control procedures for identified operational risks;

      5) descriptions (regulation) of business processes.

      Description (regulation) of business processes - a process in which the structural units that make up the first line of defense determine the main stages of business processes, types of activities, organizational functions that help identify operational risks, the relationships between risks, deficiencies in control and risk management;

      6) the use of key indicators of operational risk.

      Key indicators of operational risk are the values and (or) statistical data that provide an idea of ​​the operational risk profile to which the bank is exposed. Key indicators of operational risk are used to monitor changes in the level of operational risk in the bank, which, in turn, ensures the identification of shortcomings in the processes, organization, failures and potential losses;

      7) scenario analysis of operational risk.

      Scenario analysis of operational risk is a process of comparing external events of losses with internal processes of a bank and obtaining an expert opinion of the heads of structural units and risk management departments about deficiencies in the control system or risks not previously identified to identify potential cases of operational risk and assess possible consequences.

      The risk management committee shall ensure that there is a process to regularly monitor the level of operational risk.

      49. The bank shall ensure the existence of a management information system, including the establishment of an internal procedure that shall determine the composition and frequency of operational risk management reporting, presented to various recipients of the bank's responsible executives (units) for the preparation and delivery of information to the relevant recipients. The established internal reporting procedure allows for proactive operational risk management. Management reporting on operational risk shall contain:

      1) information on violations of the established risk appetite levels of the bank for operational risk;

      2) information on significant internal events of operational risk and losses, disaggregated by the classification of operational risk, on the amount of damage, indicating the causes, types of events, consequences;

      3) information on significant external events of operational risk for decision making;

      4) information on corrective measures taken on significant events of operational risk occurrence and (or) analysis of the effectiveness of the measures taken;

      5) results of self-assessment of operational risk;

      6) monitoring results of key risk indicators;

      7) the results of scenario analysis;

      8) information about the operational risk map.

      Management reporting shall contain complete, reliable, timely information. The frequency of reporting reflects the degree of exposure of the bank to risks, as well as the pace and nature of changes in its activities.

      The processes for the formation of management reporting on operational risk shall be periodically analyzed in order to continuously improve the management of operational risk and the further development of principles, procedures and processes for managing operational risk.

      50. In order to identify potential risks arising in stressful situations, the bank shall periodically (but at least 1 (once) every six months) conduct stress testing to identify sources of potential threats to capital adequacy. Stress testing shall be carried out by the bank by using the following methods (but not limited to):

      1) scenario analysis;

      2) sensitivity analysis.

      The stress testing process shall include the following:

      stress testing allows the bank to analyze the impact of stress scenarios on the level of capital adequacy, to assess the level of risk when the internal and external environment changes;

      The degree and frequency of stress testing is consistent with the chosen business model, the scale of activity, types and complexity of operations, and the role of the bank in the financial system. The bank has the ability to increase the frequency of stress testing in worsening market conditions or at the request of senior management;

      the board of directors of the bank is actively involved in the stress testing process in terms of approving stress testing procedures, scenarios (including considering conservative scenarios also during periods of economic growth), evaluating the results and, as a result of taking measures to minimize the stress capital risk testing.

      When conducting stress testing, the bank uses, but is not limited to, the following stress testing scenarios:

      general economic scenario, which is based on an assessment of the impact of a decrease in the economic situation in the country, including a decline in economic growth as a whole and in certain sectors of the economy;

      A scenario specific to the bank’s business, which is based on an assessment of the affect of local stress factors, including those related to the peculiarities of the bank’s private activity and the structure of its loan portfolio.

      The bank shall develop stress testing scenarios based on conservative, but potentially implemented negative changes in external and internal indicators that affect the decrease in capital adequacy.

      The board of directors of the bank shall approve stress test scenarios and assumptions made, as well as the results of stress testing. The validity of the choice of scenarios and relevant assumptions of the bank is documented and considered along with the results of the stress test.

      In determining stress scenarios and sensitivity, the bank shall use a wide range of information, including historical and hypothetical stressful situations.

      In addition to the possibility of applying the stress scenarios used by the regulator, the bank seeks to use the most applicable stress situations that correspond to its individual characteristics.

      The board of directors of the bank regularly reviews stress testing scenarios for significant changes. If it is necessary to change stress testing scenarios, an intermediate assessment shall be carried out.

      In developing scenarios and assumptions of stress testing, the bank is guided by the following:

      Scenarios include all significant risks to which the bank is potentially exposed;

      During stress testing, the bank shall consider the relationship of various types of risks;

      the bank takes a conservative approach in determining the assumptions of stress testing. Based on the type and severity of the scenario, the bank shall take into account the appropriateness of a number of assumptions regarding its activities;

      The bank shall consider short-term and protracted, as well as idiosyncratic and market scenarios, regardless of how high the level of capital adequacy is at the moment, including:

      lack of access to capital markets;

      reduction in the cost of energy;

      depreciation of the national currency;

      real estate market crisis;

      change in rates;

      agricultural crisis;

      rising inflation expectations;

      increasing unemployment and lower incomes;

      decrease in market value of assets.

      The results of the stress test and predicted risks, as well as subsequent actions to minimize the negative impact, are communicated and discussed with the board of directors of the bank and departments involved in the liquidity risk management process. The board of directors of the bank shall integrate the results of the stress testing process into the strategic and budget planning process of the bank. The results of stress testing shall be used to establish internal limits.

      The board of directors of the bank shall take into account the results of stress testing in the process of maintaining capital adequacy in the event of unforeseen circumstances, including for eliminating the shortcomings of the process.

      51. The bank shall ensure the existence of procedures for the development, approval and implementation of new products, activities, processes and systems, or significant changes to existing products, activities, processes and systems, ensuring:

      1) an assessment of the risks inherent in new products, activities, processes and systems of sludge and in the case of significant changes to existing products, activities, processes and systems;

      2) analysis of the costs and benefits of implementation;

      3) an assessment of changes in levels of risk appetite of the bank and the introduction of appropriate changes;

      4) the availability of the necessary control mechanisms, the risk management process;

      5) the availability of information on the level of residual risks;

      6) the existence of procedures and methods for identifying, measuring, monitoring and controlling risks inherent in new products, activities, processes and systems or in the case of significant changes to existing products, activities, processes and systems;

      7) an assessment of the bank's ability to invest in human resources and the technological infrastructure of the bank before introducing new products, activities, processes and systems or in the event of significant changes to existing products, activities, processes and systems.

      52. Each year, the board of directors of the bank evaluates capital adequacy based on the results identified in the internal process of assessing the adequacy of equity and other information available to the board of directors of the bank.

      The internal process of assessing capital adequacy is subject to a continuous review of both quantitative and qualitative indicators, including the application of its results, approaches to stress testing, risk identification and information collection, validation of risk assessment models. The review is carried out within 3 (three) lines of defense, based on their role in ICAAP. The review facilitates timely changes when internal and external factors change.

Chapter 6. Internal Liquidity Adequacy Assessment Process

      53. The board of directors shall approve the bank’s internal document that regulates the main approaches and principles of the ILAAP and contains the following sections:

      1) a description of the organizational structure of the ILAAP;

      2) a description of the risk appetite strategy;

      3) organization of liquidity risk and funding management, including daily liquidity risk and liquidity gaps;

      4) a description of the process of integrating liquidity risk management in the process of approving new products and activities;

      5) a review of the funding strategy and contingency plan for liquidity;

      6) organization of management of liquidity buffers and collateral;

      7) organization of stress testing procedures;

      8) the organization of self-assessment procedures for the internal liquidity adequacy assessment process.

      54. A description of the organizational structure of ILAAP shall contain a list of participants in ILAAP indicating the responsibility of the collegial bodies of the bank and units involved in the implementation of liquidity and liquidity risk management processes, including:

      1) the board of directors of the bank shall be responsible for managing liquidity risk and determining the level of risk appetite;

      2) the risk management committee shall be responsible for developing policies and procedures in the field of liquidity management within the framework of the risk appetite level established by the board of directors. In addition, the risk management committee periodically notifies the board of directors of the bank of compliance with the risk appetite and significant changes in the liquidity level;

      3) the unit(s) of the executive who is entrusted with the functions of internal control shall carry out (shall carry out) verification of compliance with the ILAAP procedures and brings (brings) the results to the attention of the board of directors of the bank;

      4) the unit(s) involved (participating) in the risk management process is (are) responsible for the implementation of the liquidity risk management process and shall be responsible (responsible) for the preparation of a report on compliance with the ILAAP and the conduct of stress testing;

      5) the liquidity management unit(s) develops and implements measures for operational liquidity management and, together with the risk management unit, develops a financing plan in case of unforeseen circumstances;

      6) the internal audit unit evaluates the effectiveness of the ILAAP.

      55. As part of the ILAAP, the board of directors of the bank shall be responsible for adhering to the approved risk appetite strategy.

      56. The bank shall develop an effective process for identifying, assessing, monitoring and controlling liquidity risk, which includes detailed forecasting of cash flows by assets, liabilities and off-balance sheet instruments at different time intervals.

      The bank shall evaluate all balance sheet and off-balance sheet items that affect the level of liquidity risk. The bank shall assess the level of liquidity in the market to cover the needs of the bank in attracting funding in order to regulate liquidity risk.

      When managing liquidity risk, the bank shall take into account the decrease in the value of assets and the impact of their sale during stresses on liquidity, profitability and capital.

      The bank shall take into account the interaction between liquidity risk and other types of risks to which it is exposed.

      Measurement of liquidity includes an assessment of the inflows and outflows of cash of the bank to determine the potential shortage of liquid assets in the future. The bank shall measure and predict estimated cash flows from assets and liabilities, including off-balance sheet claims and liabilities, at different time horizons under normal conditions and in a number of scenarios, with varying degrees of stress.

      These time horizons shall include:

      the need for liquidity and the possibility of financing on an intraday basis;

      need for liquidity and the possibility of financing for short and medium-term horizons up to 1 (one) year;

      long-term liquidity of more than 1 (one) year.

      The bank shall develop early warning indicators that identify increased liquidity and limited funding risks. The developed indicators reveal a negative trend in the level of liquidity and funding of the bank and reflect a real assessment in order to take immediate measures to mitigate the impact of emerging risks on the financial position of the bank.

      The bank shall define triggers for qualitative and quantitative indicators of early warning.

      Qualitative or quantitative indicators of early warning include, but are not limited to, the following:

      rapid growth of assets, especially those financed by liabilities with the possibility of early withdrawal, or for which there is no established maturity;

      increase in concentration in individual assets or liabilities;

      widening gaps in currencies;

      decrease in the weighted average maturity of obligations;

      approximation to the values ​​of the bank’s internal limits and (or) prudential standards, defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;

      negative trends or increased risk associated with the activities of the bank;

      a significant decrease in bank income, deterioration in the quality of assets and the general financial condition of the bank

      negative information, including in the media related to the bank;

      lowering the bank's credit rating;

      decrease in stock quotes or increase in the value of the bank's debt;

      increase in the cost of corporate or retail funding;

      an increase in the requirements of counterparties for the provision of additional collateral and (or) refusals for new transactions without collateral and for the extension of terms;

      closing or reducing the established amount of credit lines provided to the bank;

      increased outflow of retail deposits;

      increase in outflow of term corporate deposits;

      difficulties in attracting long-term financing.

      The bank shall actively manage its intraday liquidity position and associated risks in order to timely fulfill payment and settlement obligations, both in normal and stressful situations, thereby contributing to the smooth functioning of payment and settlement systems.

      The bank shall manage intraday liquidity risk through procedures that include, but are not limited to:

      tracking daily liquidity positions taking into account expected cash inflows and outflows, forecasting the size of a potential financing gap arising in different periods of the trading day;

      identification of key customers acting as the main sources of incoming or outgoing liquidity flows, forecasting inflows and outflows by establishing constant communication and awareness of the nearest future large incomes and withdrawals;

      identification of key periods, dates and circumstances in which liquidity flows and possible credit needs are especially high;

      understanding the needs of business units;

      control of the intraday liquidity position in relation to the expected payments in order to determine the size of the necessary additional intraday liquidity or the need to limit the outflow of liquidity to cover priority payments;

      availability of reliable funding sources in order to obtain a sufficient level of required intraday liquidity in a short time;

      management of bank assets that are used as collateral in case of the need to obtain daily borrowed funds;

      the availability of a sufficient amount of such assets, operational mechanisms for collateral;

      monitoring of outflows of funds of key clients in accordance with intraday needs;

      the bank response measures in case of unexpected breaks in daily liquidity flows, including measures to ensure business continuity.

      The bank shall provide an effective system of management information designed to provide the board of directors of the bank, the risk management committee and other interested structural units of the bank with information on the bank's exposure to liquidity risk and the state of liquidity of the bank.

      The bank shall develop a management reporting system that:

      covers all sources of liquidity risk, including contingent liability risks, as well as risks associated with the occurrence of events that entail early repayment of obligations and the need for a certain amount of liquidity from relevant sources;

      provides information on liquidity positions in the context of different time horizons;

      provides a risk measurement for monitoring positions on liquidity, both under normal and stressful conditions, by types of currencies in which the bank has significant positions, both individually and on an aggregated basis;

      allows monitoring and analysis of the dynamics of unencumbered highly liquid assets, with the aim of selling them or using them as collateral to raise funds in the event of stressful situations;

      allows you to monitor and analyze information on factors affecting the level of stock of liquid assets;

      provides assessment and forecasting of future cash flows in the context of different time horizons, including taking into account the results of stress testing in various scenarios;

      involves providing more detailed and relevant information on a more frequent basis during periods of stress.

      The management reporting system includes, but is not limited to, establishing an internal order that shall determine:

      the criteria, composition, internal procedure and frequency of reporting on liquidity risk management to various recipients (for example, daily reporting shall be presented to executives responsible for liquidity risk management, regular reporting to the management board, risk management committee and board of directors, with an increased frequency - to periods of stressful situations);

      compare the current liquidity risk level with the established limits, identify negative factors leading to negative trends in the liquidity level, as well as ways to limit violations;

      reports on violations of liquidity risk limits indicating threshold values, causes of violations and proposals to level out the current situation;

      responsible executives (units) for the preparation and communication of information to the appropriate recipients.

      Information systems ensure the functioning of the liquidity risk management system, including monitoring compliance with the established limits. Information systems correspond to the complexity of the bank’s business, risk profile, areas of activity, assets and the role of the bank in the financial system.

      57. Description of the process of integrating liquidity risk management into the approval process of new products and activities.

      The bank shall take into account the costs, benefits and liquidity risks in the process of approving new products for all important activities.

      The ILAAP of the bank shall take into account the measurement of costs, benefits and liquidity risks inherent in all areas of the bank's business (including activities related to contingent risks that do not have a direct effect at the moment, but have the opportunity to be implemented in the future). This distribution of costs, benefits and liquidity risks includes factors related to the expected maturity of assets and liabilities, their market liquidity risk characteristics and any other relevant factors, including the benefits of access to relatively stable funding sources.

      58. Review of funding strategy and contingency financing plan with liquidity (hereinafter referred to as the financing plan). The bank shall diversify the funding sources and sets internal concentration limits, taking into account the following factors (but not limited to):

      1) types of funding sources in the context of products, tools, markets;

      2) urgency of funding;

      3) characteristics of the issuer, counterparty or creditor, including economic sector, geographical location;

      4) the currency of funding sources.

      The diversification goals are part of financing plans (up to and over a year) and are taken into account in the process of drawing up strategic and budget planning.

      The board of directors, the risk management committee and the management board of the bank shall be informed about the characteristics and diversification of funding sources and periodically review the funding strategy in order to immediately respond to changes in the internal and external environment.

      An important component of ensuring diversification of funding is providing access to financial markets, which is crucial in the efficiency and ability to attract funds from investors and counterparties. Providing access to relevant markets shall take into account, but is not limited to, the following:

      maintaining an availability in financial markets selected for funding purposes;

      the opportunity to strengthen availability in selected financing markets;

      identification, establishment, maintenance of relationships with current and potential lenders providing funds;

      increasing the bank's capitalization in order to ensure the readiness of creditors to maintain relations with the bank.

      The bank identifies alternative funding sources that increase the bank's ability to withstand stressful situations and liquidity crises. Depending on the nature, severity and duration of the liquidity crisis, potential sources of financing include, but are not limited to, the following:

      deposit growth;

      extension of maturities;

      issue of short-term and long-term debt instruments;

      intragroup transfers of funds, sale of subsidiaries or lines of business;

      asset securitization;

      sale of existing highly liquid assets or the conclusion of repo transactions;

      containing the increase in volumes in the main areas of activity (for example, slowing down the issuance of loans).

      The board of directors of the bank, the risk management committee and the management board shall periodically evaluate and monitor the ability to quickly raise funds from each funding source in order to assess the effectiveness of ensuring liquidity in the long term.

      The board of directors of the bank approves a financing plan that clearly defines the process for eliminating liquidity shortages in emergency situations. The financing plan corresponds to the scale of the bank’s activities, risk profile, types and complexity of operations, assets and the role of the bank in the financial system. The financing plan includes a clear description of a diversified set of adequate, affordable, ongoing potential measures to ensure unforeseen expenses to maintain liquidity and reduce the cash deficit in various adverse situations.

      The financing plan shall contain:

      well-defined and accessible sources of financing in case of unforeseen circumstances, with an assessment of the possible amount of funds that are raised from these sources;

      the time required to attract additional funds from each of the sources of contingency financing;

      clear operating procedures governing:

      formation of the composition of executives (bodies, units) of the bank responsible for the development and implementation of the financing plan, indicating the powers and areas of their responsibility in order to ensure internal coordination and communication;

      a detailed algorithm of actions and their prioritization in relation to what actions need to be taken, who is responsible for their adoption, when and how these actions are implemented;

      several options for implementing various stressful situations.

      In order to ensure operational reliability, the financing plan is regularly tested and updated.

      59. The bank shall have a constant stock of unencumbered highly liquid assets that might be used as soon as possible without significant losses and discounts under various stressful scenarios, including events that entail loss of access or reduction in the volume of liquid funds provided by creditors, including against collateral, as well as placed by depositors.

      The required liquidity reserve shall be comparable with the established risk of the bank's appetite for liquidity risk. This requires determining the required size of the stock of unencumbered highly liquid assets to assess liquidity needs under stress. The assessment of liquidity needs under current conditions and during periods of stress shall include:

      both contractual and non-contractual cash outflows (inflows);

      unconditional demand of depositors to withdraw funds;

      and shall take into account the inability to obtain unsecured financing, as well as the loss or reduction of access to liquid funds.

      The necessary liquidity reserve shall mainly be formed from the highest quality liquid assets, such as:

      monetary funds;

      liquid government securities;

      finance marketing tools, possible to implement in most periods of negative stress scenarios and less negative as unencumbered liquid assets sold or used as security without significant loss or discount.

      General characteristics for the determination of highly liquid assets include:

      transparency of its structure and risk profile;

      ease and certainty of the assessment;

      existence of a liquid market for a given asset in all stress scenarios;

      available market volumes for the asset, including bank stocks relative to normal market turnover;

      absence of legal, regulatory or operational barriers to using these assets in order to receive financing at any time to meet liquidity needs.

      Effective management of collateral shall be carried out through the following, but not limited to, procedures that determine:

      assessment of the bank's needs for assets that must be used as collateral, including assets that are currently pledged, taking into account the timing of their release;

      conformity assessment of each type of asset for use as collateral in relation to each type of main counterparties and secured financing markets;

      diversification of assets to be used as collateral by the issuer, volume relative to the capabilities of the financial market and counterparties, price sensitivity to avoid excessive concentration, and also taking into account various market stress scenarios;

      monitoring collateral by issuer, geographical location, currencies, in order to assess how quickly assets are mobilized if necessary.

      60. The stress testing system shall include an analysis of the types of stress testing used, stress testing scenarios, applicable assumptions, and a methodological basis for verifying the stability of the liquidity sufficiency indicator in case of changing market conditions and management measures.

      The bank shall periodically conduct stress testing on various factors of short-term and long-term scenarios, oriented both to the specifics of the bank, and to large-scale market stresses and the combination of both scenarios in order to analyze and quantify their impact on the level of liquidity, on the bank's cash flows profitability and solvency.

      The results of stress tests shall be reviewed by the board of directors of the bank. Based on the results of the review, measures are taken to eliminate or mitigate the consequences to limit the impact on the bank, create the necessary liquidity reserve and adjust the liquidity level.

      The results of stress tests play a key role in formulating a bank financing plan and in determining a strategy and an ILAAP.

      The stress testing process shall include the following:

      the bank shall analyze the impact of stress scenarios on the liquidity position, estimates the level of liquidity risk occurrence when the internal and external environment changes, at different time periods (short-term, long-term), including on an intraday basis;

      the degree and frequency of stress testing is consistent with the chosen business model, the scale of activity, types and complexity of operations, as well as the role of the bank in the financial system. The bank shall have the ability to increase the frequency of stress testing in worsening market conditions or at the request of the board of directors of the bank or risk management committee;

      the board of directors of the bank shall take part in the stress testing process in terms of approving stress testing procedures and scenarios (including considering conservative stress scenarios even during periods of liquidity surplus), evaluating the results and as a result of taking measures to minimize the identified during stress testing the risk of visibility;

      in stress testing, the bank shall take into account the possible behavioral response of other market participants to market stress events and the extent to which the overall result strengthens market movement and aggravates the market load.

      In developing scenarios and additional stress testing, the bank is guided by the following:

      Scenarios include all the main funding and liquidity risks in the market to which the bank is potentially exposed;

      the bank shall consider short-term and protracted, as well as idiosyncratic and market scenarios, regardless of how high the level of liquidity is at the moment, including:

      simultaneous lack of liquidity in several previously highly liquid markets;

      serious difficulties in accessing secured and unsecured funding;

      currency convertibility restrictions;

      serious operational or settlement failures affecting one or more major payment or settlement systems;

      the bank shall take into account the relationship between reduced liquidity in the market and funding restrictions;

      during stress testing, the bank shall consider the relationship of various types of risks;

      the bank shall take into account liquidity requirements in many currencies and several major payment and settlement systems;

      the bank shall take a conservative approach in determining the assumptions of stress testing. Based on the type and severity of the scenario, the bank shall take into account the relevance of a number of assumptions regarding its activities, which include, but are not limited to, the following:

      narrowing market-wide liquidity;

      outflow of retail and corporate funding;

      lack of access to new secured and unsecured sources of funding;

      need for significant discounts for the sale of assets and (or) repos;

      default of counterparties, including on the interbank market;

      possibility of establishing additional margin and collateral;

      possibility of changes in the timing of financing;

      liquidity aimed at fulfilling contingent liabilities for off-balance sheet instruments and operations, including credit lines;

      planned change in the volume of assets;

      non-renewability of interbank deposits;

      inability to use credit lines provided to the bank;

      impact of triggers on a significant decrease in credit ratings;

      conversion of funds of bank customers;

      decrease in the ability to sell liquid assets taking into account legal, regulatory, operational and time constraints;

      limited access to funds of the authorized body, companies of the quasi-public sector;

      limited operational ability of the bank to sell assets;

      significant decrease in the bank's credit rating;

      appearance of negative information about the bank, affecting the level of trust in the bank.

      Stress scenarios shall be analyzed by the bank on a regular basis in order to confirm their relevance. The analyzes shall take into account changes in market conditions, changes in the nature, volume of assets or the complexity of the business model and activities of the bank, and actual experience in situations of stress.

      The board of directors of the bank shall approve stress testing scenarios and assumptions made, as well as the results of stress testing. The validity of the choice of scenarios and relevant assumptions of the bank shall be documented and considered along with the results of the stress test.

      The results of the stress test and predicted risks, as well as subsequent actions to minimize the negative impact, are reported and discussed with the board of directors of the bank and departments involved in the liquidity risk management process. The board of directors of the bank integrates the results of the stress testing process into the strategic and budget planning process of the bank. The results of stress testing shall be used to establish internal limits.

      The board of directors of the bank shall include the results of stress testing in the assessment and planning of the financing plan, including for purposes of correcting deficiencies in the plan.

      61. The bank shall annually conduct a self-assessment of the ILAAP to identify weaknesses in the process in terms of the following:

      1) liquidity management policies;

      2) process organization;

      3) procedures, systems and regulatory actions;

      4) level of liquidity and the availability of funding.

      Based on the results of the self-assessment and in identifying inconsistencies and (or) weaknesses of the process, the bank shall draw up an action plan containing information on corrective actions to be implemented, including information on the responded parties, expected deadlines, and required resources.

Chapter 7. Business Continuity Management

      62. The board of directors of the bank shall ensure the existence of a bank business continuity management system that is consistent with the current market situation, strategy, volume of assets, and complexity of the bank’s operations.

      The bank shall manage business continuity through procedures, but not limited to those listed in paragraphs 63-71 of the Rules.

      63. The bank shall carry out, according to the method defined in the internal document of the bank, an analysis of the impact on activities, through which the assessment shall be carried out of:

      1) impacts, damages or losses on personnel, premises, technologies or information of the bank;

      2) violations of the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      3) loss of reputation.

      An analysis of the impact on the bank's activities shall be carried out to determine the time frame for the restoration of critical activities, as well as to identify the resources necessary to resume and continue key activities in case of unforeseen circumstances (critical resources).

      To analyze the impact on the bank:

      assesses the amount of possible losses in connection with the downtime of providing critical products and services over time;

      sets the maximum acceptable period of downtime for each activity by identifying:

      the maximum period within which activity resumes;

      the period of time within which the normal level of activity is resumed;

      identifies types and levels of performance of activities, assets or other resources that need to be continuously maintained in a minimum working condition and and (or) restored in a timely manner to provide critical products and services;

      shall determine the amount of resources minimally necessary for the restoration and further implementation of critical activities in emergency mode;

      sets a target recovery time for each of the critical activities. The target recovery time is less than the maximum allowable downtime of the corresponding product or service;

      establishes a recovery point between the last data backup and the start of downtime of a critical activity;

      ranks critical activities by target recovery time, prioritizing;

      identifies suppliers, counteragents, other interested parties on whom critical types of the bank’s activities depend and how these executives assist the bank in unforeseen circumstances.

      64. The bank shall identify critical activities. Identified in the process of analysis of the impact on the activities of the bank, the loss of which has the maximum negative impact on the bank in the short term and needs to be restored as soon as possible, is a critical type of activity.

      65. The bank shall determine the resources necessary to support critical activities, which include but are not limited to the following:

      1) personnel.

      In determining personnel as a resource necessary to support critical activities, the bank shall determine:

      the required number of employees;

      necessary skills and competencies;

      2) premises.

      When determining premises as a resource necessary to support critical activities, the bank shall determine:

      main and alternative sites;

      premises requiring increased protection;

      3) technology.

      In determining technologies as a resource necessary to support critical activities, the bank shall determine:

      information technology services supporting critical activities;

      telecommunication services supporting critical activities;

      other technologies supporting critical activities, including perimeter security, collection technologies;

      4) information.

      In determining information as a resource necessary to support critical activities, the bank shall determine:

      information necessary to carry out critical activities, including internal documents of the bank;

      the amount of information that needs to be restored (recovery target point);

      methods for storing, protecting and restoring information;

      5) suppliers, external services and supplies.

      The bank shall determine suppliers, external services and supplies on which the implementation of critical activities depends;

      6) financial resources.

      The bank shall determine the amount of financial resources that is potentially available for the implementation of the plan(s) of ensuring the continuity and restoration of the bank in case of unforeseen circumstances.

      66. The bank shall carry out contingency risk analysis, which allows assessing threats and vulnerabilities in critical activities and the resources they use. As threats that have a negative impact on resources, the bank shall consider, but not limited to, the following:

      1) inaccessibility of employees;

      2) inaccessibility of technologies, including information and communication technologies (computer viruses, computer hardware failure, loss of communication);

      3) inaccessibility of supply (water, electricity);

      4) lack of access to buildings (premises);

      5) inaccessibility of key suppliers, contractors;

      6) inaccessibility of key information;

      7) inaccessibility of financial resources.

      67. The bank shall define contingency risk management measures that cover (but not limited to) the following key resources:

      1) personnel;

      2) premises;

      3) technology;

      4) information;

      5) suppliers, contractors and supply channels.

      When choosing contingency risk management measures, the bank shall take into account the results of the analysis of the impact on the bank’s activities and shall determine, including the internal procedure for interaction with external suppliers involved in restoration work, with external counterparties (depositors, creditors), shareholders of the bank, with the authorized body and other authorities, as well as with the media and other interested parties.

      When choosing measures to manage the risks of unforeseen circumstances, the bank shall take into account, but is not limited to the following factors:

      the most acceptable period of downtime for a critical activity;

      the costs of the implementation of the plan(s) for the continuity and restoration of activities;

      consequences of failure to take action;

      realistic risks and the magnitude of losses from their implementation;

      consistency with the established goals of the business continuity management system;

      consistency with policies and procedures for the management of business continuity.

      The bank shall define measures to maintain key knowledge and competencies to ensure the continuity of its activities. Measures include, but are not limited to, the following:

      regulation of the internal procedure for the implementation of critical activities;

      maintaining a list of additional competencies of personnel not used in daily activities for the redistribution of functions in the face of a shortage of workers;

      personnel training in professional skills, including cross-functional training.

      The bank shall determine measures to reduce the impact on the provision of critical products and services due to the lack of main premises. These measures include, but are not limited to, the following:

      provision of alternative facilities;

      transfer of personnel to other premises of the bank;

      use of workplaces of workers performing non-critical work;

      work at home or in remote premises.

      When choosing alternative premises, the bank shall take into account, but not limited to, the following features:

      security of the premise;

      access to the premises;

      proximity to the main premise;

      availability of necessary communications.

      The bank shall determine measures to maintain the operability of information technology and communication services necessary to ensure business continuity.

      The bank shall determine measures to ensure the integrity, accessibility and confidentiality of information necessary to ensure business continuity in the event of a critical event.

      The bank shall determine the list of resources used (including material supply, financial resources) and measures to ensure their availability, including from external suppliers and contractors and other interested parties in the event of a critical event, which includes:

      storage of additional resources, including technological and telecommunication equipment, in storage facilities;

      agreements with the supplier on the urgent delivery (replacement) of resources in the warehouse;

      availability of alternative resource providers.

      68. The bank shall ensure the development and availability of plan(s) for ensuring continuity and (or) restoration of activities. The plan(s) for ensuring continuity and (or) restoration of activities meets the following principles:

      1) understandable to responsible executives;

      2) available for use by responsible executives;

      3) has goals and scope consistent with the business continuity management policy, including:

      a list of critical activities of the bank, as well as the maximum allowable downtime, including those requiring recovery;

      target recovery time for critical activities, including for information technology and telecommunications;

      measures to minimize the risk of loss of reputation;

      4) consistent with the actions of external organizations;

      5) contains a description of the functions and responsibilities of personnel involved in ensuring the continuity and restoration of activities;

      6) has an activation scheme, including:

      the decision-making procedure for activation, including a list of employees responsible for confirming activation and the conditions under which activation of the plan is required;

      a list of employees informed about the activation of the plan;

      7) contains a diagram of emergency external and internal communications, paying attention to:

      communications within the team of workers involved in the recovery and emergency provision of critical products and services;

      communications with external organizations involved in business continuity;

      communications with the authorized body;

      communications with the mass media and customers;

      communications with counterparties and other interested parties during the restoration work;

      communication methods;

      8) contains requirements for the minimum amount of resources and suppliers needed at various points in time for the restoration and emergency provision of critical activities;

      9) contains a sequence of actions for the restoration and continuous provision of critical activities, including:

      a scheme for involving third-party organizations in the recovery process;

      a scheme for involving counterparties and stakeholders of the bank in the process of restoring the bank's activities;

      the sequence and places of recovery of critical activities of the bank;

      the timing and place of restoration of critical information technology services, as well as the sequence of actions for their restoration, including restoration of network infrastructure in a new building, restoration of basic functionality, applications and databases, synchronization, backup, telecommunications;

      dates and places for mobilizing the necessary resources;

      10) contains all the necessary details, including the location of the reserve premises, routes, contacts of the authorized body and other authorities, organizations involved in the restoration of the bank, as well as ways to contact them;

      11) contains a method for documenting key information on the progress of work, decisions made and measures taken;

      12) has a circuit:

      cancellation of emergency operation, including criteria to decide on completion of emergency operation;

      transition to a daily functioning mode;

      recovery on damaged domestic banking processes after liquidation of consequences of unforeseen circumstances;

      13) has the sole owner of the plan responsible for maintaining and reviewing.

      69. The bank shall test a plan (plans) to ensure continuity and (or) restoration of activities in order to determine that:

      1) critical activities are protected regardless of the severity of the critical event;

      2) these plans ensure the activities of the bank in unforeseen circumstances and the transition to daily operation.

      70. The bank shall:

      1) carry out testing in the event of significant changes in the activities of the bank;

      2) carry out testing, as individual elements of the business continuity management system, and in the aggregate, in order to verify the reliability of the system as a whole;

      3) carry out test planning in such a way as to minimize the impact of critical events that arise during the test;

      4) define the goals and objectives of each testing;

      5) determine the group of observers (testing controllers) from the bank employees responsible for the development of the plan (plans) for ensuring continuity and (or) restoration of activities, employees exercising internal control, and, if necessary, independent specialists from organizations specializing in on the provision of advisory services in the field of business continuity and information security of the bank. A group of observers (testing controllers) shall carry out:

      control of each test;

      assessment of test results;

      drawing up a protocol on testing, its results and feedback, including the necessary corrective actions;

      coordination of the protocol with the heads of bank departments involved in testing and the plan (plans) for ensuring continuity and (or) restoration of activities;

      6) draws up and approves a report on the results of testing on the basis of an agreed audit protocol, which includes analysis of the test results, proposals on eliminating identified shortcomings and improving plans and other elements of the bank's business continuity management system.

      A report on the results of testing with proposals, if necessary, to improve the plan (plans) for ensuring continuity and (or) restoration of activities is sent to the risk management committee for review and the board of directors of the bank for approval.

      71. The board of directors of the bank shall ensure that there is a management information system that includes, but is not limited to, information on the status of implementation of procedures and processes for managing business continuity, revealed facts of violations of internal procedures and policies, incidents, results of inspections and plans to increase the bank’s stability and ability restore certain operations.

Chapter 8. Information Technology Risk Management

      72. The board of directors of the bank shall ensure the existence of an information technology risk management system that matches the external operating environment, strategy, organizational structure, volume of assets, the nature and level of complexity of the bank’s operations and ensures the minimization of information technology risks.

      73. The information technology risk management system includes, but is not limited to, the following:

      1) information technology risk management policy;

      2) information technology risk management procedures;

      3) management information system;

      4) assessment of the effectiveness of the risk management system of information technology by the internal audit unit.

      74. The bank shall determine the following participants in the information technology risk management system (but not limited to):

      1) bank risk management unit;

      2) information technology unit.

      75. The bank shall create a structural unit for risk management, which functions include risk management of information technology, including:

      1) development, implementation and development of a risk management system for information technology;

      2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring the availability of information and communication technologies;

      3) participation in the risk assessment of information technology;

      4) monitoring the level of risk of information technology;

      5) interaction and advice to structural units of the bank on information technology risk management;

      6) planning and analysis of the results of an information technology risk assessment conducted by the information technology unit;

      7) development and formation of a risk register, including information technology risks;

      8) reporting on the implementation of significant risks of information technology and monitoring the implementation of measures to eliminate their consequences to the risk management committee;

      9) provision of reports or other information on information technology risk management to the board of directors;

      10) use of the results of internal audit in terms of information technology risks.

      76. The bank shall create a structural unit for information technology, which functions include:

      1) conducting a risk assessment of information technology;

      2) development of measures for processing information technology risks and reporting on their implementation to the risk management unit;

      3) preparation and submission of reports on the implementation of significant risks of information technology to the risk unit of the bank, as well as on the elimination of their consequences;

      4) development of action plans for the implementation of the strategy of the bank in terms of ensuring the accessibility of information and communication technologies for critical business processes.

      The bank shall ensure the independence of the structural unit for risk management from the structural unit for information technology.

      77. The risk management unit shall develop an internal document that defines the procedure for managing information technology risks, which includes, but is not limited to, the following:

      1) information technology risk identification procedures;

      2) procedures for determining internal and (or) external factors affecting the implementation of each of the risks of information technology;

      3) procedures for assessing the possibility and consequences of all identified risks of information technology, applying qualitative and (or) quantitative methods of assessment, including on the basis of data on their implementation;

      4) procedures for the collection and storage of information on the implementation of significant risks of information technology;

      5) the procedures for the formation of a risk register, including the risks of information technologies;

      6) procedures for developing information technology risk treatment measures;

      7) procedures for monitoring the implementation of measures to handle the risks of information technology.

      78. The information technology unit shall develop an action plan to implement the strategy of the bank in terms of ensuring the availability of information and communication technologies for critical business processes, which discloses, but is not limited to, the following:

      1) determination of resource requirements, including the determination of the budget associated with the development of information and communication technologies;

      2) description of the required measures in the field of information and communication technologies, indicating the timelines and those responsible for their implementation.

      The bank shall ensure the existence of a management information system, including, but not limited to, the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on risk management of information technology of the bank, responsible executives (units) for the preparation and delivery of information to the relevant recipients.

Chapter 9. Information Security Risk Management

      79. The board of directors of the bank shall ensure the existence of an information security risk management system that is consistent with the external operating environment, the strategy of the bank, organizational structure, assets, the nature and complexity of the bank’s operations and is aimed at minimizing information security risks.

      80. The information security risk management system includes, but is not limited to, the following:

      1) information security risk management policy;

      2) information security risk management procedures;

      3) management information system;

      4) assessment of the effectiveness of the information security risk management system by the internal audit unit.

      81. The bank shall determine the following participants in the information security risk management system (but not limited to):

      1) bank risk management unit;

      2) information security unit;

      3) information technology unit;

      4) units-owners of protected information.

      82. The bank shall create a structural unit for risk management, which functions include information security risk management:

      1) development, implementation and development of an information security risk management system;

      2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring information security;

      3) creation and leadership of a working group on the formation of a list of critical information assets of the bank, including at least units that own information to be protected;

      4) participation in the information security risk assessment;

      5) monitoring the level of information security risks;

      6) interaction and consultation of structural units of the bank on information security risk management;

      7) planning and analysis of the results of the information security risk assessment conducted by the information security unit;

      8) development and formation of a risk register, including information security risks;

      9) reporting on the implementation of significant information security risks and monitoring the implementation of measures to eliminate their consequences to the risk management committee;

      10) provision of reports or other information on information security risk management to the board of directors of the bank;

      11) use of the results of the internal audit in terms of information security risks.

      83. The bank shall create a structural unit for information security, which functions include:

      1) conducting an information security risk assessment;

      2) development of measures for processing information security risks and reporting on their implementation in the risk management unit;

      3) preparation and submission of reports on the implementation of significant information security risks to the risk unit of the bank, as well as on elimination of their consequences;

      4) development of action plans for the implementation of the bank strategy in terms of ensuring information security.

      The bank shall ensure the independence of the structural unit for risk management from the structural unit for information security.

      84. The risk management unit shall develop an internal document that defines the procedure for managing information security risks, which includes, but is not limited to, the following:

      1) procedures for the identification and classification of information assets in order to identify critical information assets;

      2) procedures for identifying vulnerabilities of critical information assets;

      3) procedures for identifying potential threats in relation to critical information assets;

      4) procedures for identifying existing information security risk management measures;

      5) procedures for assessing the possibility and consequences of violation of confidentiality, integrity and accessibility of information assets, using qualitative and (or) quantitative methods of assessment, including on the basis of data on their implementation;

      6) procedures for the collection and storage of information on the implementation of significant information security risks;

      7) procedures for the formation of a risk register, including information security risks;

      8) procedures for monitoring the implementation of measures to handle information security risks and.

      85. The information security unit shall develop an action plan for the implementation of the strategy of the bank regarding information security, which discloses, but is not limited to, the following:

      1) determination of resource requirements, including determination of the budget associated with the implementation of measures aimed at managing information security risks;

      2) description of the required measures in the field of information security with an indication of the time frame and responsible executors for their implementation.

      86. The units-owners of protected information, in the framework of information security risk management, carry out:

      1) providing a description of the protected information to the risk management unit;

      2) formation of a list of critical information assets of the bank as part of a working group on the formation of a list of critical information assets of the bank under the leadership of the risk management unit.

      87. The bank shall ensure the availability of a management information system, including, but not limited to the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on information security risk management of the bank, responsible executives (units) for the preparation and delivery of information to relevant recipients.

Chapter 10. Compliance Risk Management

      88. The board of directors of the bank shall control the compliance risk management process of the bank, create a compliance control unit in the bank, appoint and release from the post the chief compliance controller, and approve the compliance risk management policy.

      The compliance control unit shall organize procedures to comply with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the legislation of foreign countries that affect the activity of the bank and the bank's internal documents, governing the procedure for the bank to provide services and conduct operations in the financial market, and provides complete and reliable information to the board of directors about the existence of compliance risk.

      The risk management committee shall be responsible for developing a compliance risk management policy to be approved by the board of directors and containing the basic principles of the compliance risk management board, including the principles of creating a compliance culture in the bank, on the basis of which compliance risk is identified and managed at all levels of the structure of the bank.

      89. The compliance control unit shall be responsible for developing a compliance risk management policy, ensuring compliance risk management and coordinating the bank's compliance risk management activities.

      The compliance control unit is a structural unit of the bank, independent of any activities of the structural units of the bank that make up the first line of defense.

      The independence of the compliance control unit is ensured by the following factors:

      compliance control unit has the status of an independent structural unit;

      the employees of the compliance control unit do not hold part-time positions in other structural units of the bank;

      the head and employees of the compliance control unit do not find themselves in a situation where a conflict of interests is possible between their responsibilities for managing compliance risk and any other duties assigned to them;

      the employees of the compliance control unit, within their competence, have access and, if necessary, require any information from the structural units of the bank, subsidiaries of the bank, and also involve employees of the bank and its subsidiaries to facilitate the implementation of the compliance control function.

      90. The compliance control unit performs, but is not limited to, the following functions:

      1) development of the internal order, methods and procedures for identifying, measuring, monitoring and controlling the bank's compliance risk on a consolidated basis;

      2) development, implementation and ensuring the existence of internal control rules for the purpose of combating ML/FT;

      3) formation of a compliance program (plan), which includes among other things:

      verification of compliance by bank units with a compliance risk management policy taking into account the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      checking compliance by the bank with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, governing the provision of bank services and operations in the financial market, as well as the laws of foreign countries, affecting the activities of the bank in order to determine the degree of exposure of the bank to compliance risk;

      personnel training on compliance risk management;

      4) assistance to the board of the bank in managing the bank’s compliance risk;

      5) advising the management and employees of the bank on the norms of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, rules, policies related to the management of compliance risk, including reporting changes, with the exception of cases when such a function is performed by the legal unit of the bank;

      6) control of the organization of work in the bank to familiarize bank employees with the requirements of the bank’s internal documents governing the procedure for the bank to provide services and conduct operations in the financial market;

      7) coordination of the activities of bank subsidiaries on compliance risk management, including the risk of money laundering and terrorist financing;

      8) mandatory participation in the implementation of new banking products and services;

      9) ensuring the organization of activities in the bank to identify, evaluate and control conflicts of interest;

      10) development, individually or jointly with structural units and officials of the bank, of recommendations for eliminating identified violations and deficiencies in the bank’s work related to compliance risk management and providing relevant information to the board of directors of the bank;

      11) development and maintenance of a compliance risk reporting system and the provision on a periodic basis of information on the management of the compliance risk of the bank to the board of directors of the bank;

      12) development of an internal procedure for interaction and coordination of compliance risk management with the structural units of the bank, including the internal audit unit.

      In accordance with the bank’s internal documents, certain compliance risk management functions are delegated, if necessary, to other structural units of the bank, provided that there is no conflict of interest.

      91. The independence of the chief compliance controller shall be determined by:

      1) regardless of the authority, the chief compliance controller is appointed and dismissed by the board of directors of the bank;

      2) has unhindered access to the board of directors of the bank, without the participation of the board of the bank;

      3) has access to any information necessary for him to fulfill his duties;

      4) does not combine the position of chief operating officer, financial director, other similar functions of the bank’s operations, head of the internal audit unit.

      The combination of the functions of the chief compliance controller and the head of the compliance control unit is allowed.

      Interaction between the chief compliance controller and the board of directors and/or the risk management committee is carried out on a regular basis.

      Information on the appointment and dismissal of the chief compliance controller from office shall be brought to the information of the authorized body.

      At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for such a decision.

      92. The bank shall identify measure, implement monitoring and control of compliance risk and develops compliance risk management procedures, which include, but are not limited to, the following:

      1) development of internal guidelines (instructions) for bank employees on the management of compliance with the risk, including the risk of money laundering and terrorist financing, by preparing internal documents;

      2) monitoring compliance by the bank and its employees with policies and procedures for managing compliance risk;

      3) collecting data on compliance risk events;

      4) analysis of complaints (applications) of customers for the availability of compliance risk;

      5) development and analysis of quantitative and qualitative indicators characterizing the degree of bank exposure to compliance risk;

      6) conducting investigations (checks), independently or jointly with structural units and (or) bank officials, of facts of violation by the bank employees of the legislation of the Republic of Kazakhstan governing the provision of bank services and operations in the financial market, as well as the laws of foreign countries that affect on the activities of the bank, in accordance with the procedure determined by the internal document of the bank;

      7) providing advice on requests regarding the conformity of a particular transaction (deals) of a bank or part thereof with the legislation of the Republic of Kazakhstan, which regulates the provision of services by the bank and operations in the financial market, as well as the laws of foreign states that affect the bank's activities.

      93. In developing procedures for identifying, measuring monitoring and monitoring compliance risk, the bank shall take into account, but not limited to, the following factors:

      1) the volume of assets, the nature and complexity of the bank's business;

      2) the availability of data for use as source information;

      3) the state of information systems and their capabilities;

      4) the qualifications and experience of the personnel involved in the compliance risk management process.

      94. The bank shall ensure a compliance risk management system that shall take into account:

      1) bank strategy and activities;

      2) the volume of assets, the nature and complexity of the depreciation of the bank;

      3) the complexity of the organizational structure of the bank;

      4) the level and types of risks inherent in the activities of the bank;

      5) the effectiveness of compliance risk management procedures applied by the bank in the past;

      6) potential internal organizational changes and (or) changes in market conditions;

      7) the legislation of the Republic of Kazakhstan governing the provision of services by the bank and conducting operations in the financial market, as well as the legislation of foreign states that affect the activities of the bank.

      95. The compliance risk management system includes, but is not limited to, the following:

      1) compliance risk management policies and procedures;

      2) ML/FT risk management policies and procedures, including a customer acceptance policy. When developing and implementing decision-making procedures for accepting a client for service, the bank shall take into account inherent risk factors;

      3) an assessment of the effectiveness of the compliance risk management system by the internal audit unit.

      The compliance risk management system is based on 3 (three) lines of defense:

      bank employees;

      compliance control unit;

      internal audit unit.

      96. Compliance risk management policies and procedures include, but are not limited to, the following:

      1) goals and objectives of compliance risk management;

      2) principles of compliance risk management, including principles of creating a compliance culture in the bank (culture of compliance by the bank and its employees with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the laws of foreign countries that affect on the activities of the bank and internal documents of the bank governing the procedures for the provision of services by the bank and conducting operations in the financial market);

      3) the internal order, methods and procedures for managing compliance risk, including those based on a risk-based approach;

      4) the internal procedure, methods and procedures for managing the risks of the intentional or unintentional involvement of the bank and (or) its subsidiaries in the money laundering and terrorist financing processes, or other criminal activities (money laundering and terrorist financing risk);

      5) participants in the compliance risk management system based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;

      6) the authority and responsibility of the chief compliance controller, head of the compliance control unit;

      7) requirements for the professional qualities of employees of the compliance control unit;

      8) procedures for monitoring and coordinating the activities of bank subsidiaries on compliance risk management issues;

      9) the internal procedure for interaction and exchange of information between participants in the compliance risk management system.

      97. ML/TF risk management policies and procedures include, but are not limited to, the following:

      1) the development and implementation of internal documents governing the procedure for managing the risk of ML/FT, the implementation of financial monitoring and internal control in order to counter ML/FT;

      2) the methodology for assessing ML/FT risks in accordance with the bank's internal control rules for the purpose of combating ML/FT;

      3) the internal procedure for organizing risk management of the bank in the context of its structural units and (or) employees in terms of ML/FT;

      4) the availability of a program of acceptance and customer service (customer acceptance policy);

      5) the bank, when developing and implementing decision-making procedures for accepting a customer for service, shall take into account risk factors, including those identified and posted on the Internet resource of the authorized body.

      Internal procedures and the procedure for refusing to establish and terminate business relations with a client are developed taking into account risk factors posted on the Internet resource of the authorized body. Information on the facts of refusal to establish and terminate business relations is sent to the authorized body on a quarterly basis, no later than the 5th (fifth) day of the month following the reporting quarter;

      6) the availability of an automated information system and procedures that allow the identification of transactions subject to financial monitoring, as well as the timely sending of relevant information and information to the Committee for Financial Monitoring of the Ministry of Finance of the Republic of Kazakhstan.

Chapter 11. Internal Control

      98. The bank shall ensure the existence of an internal control system that is consistent with the current market situation, strategy, volume of assets, and the level of complexity of bank operations. Internal control is a process that is embedded in daily activities carried out by authorized bodies of the bank, structural units and all employees of the bank in the performance of their duties, and aimed at fulfilling the following goals:

      1) ensuring the effectiveness of the bank, including the effectiveness of managing bank risks, assets and liabilities, ensuring the safety of assets;

      2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users, as well as information security;

      3) ensuring compliance with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the internal documents of the bank;

      4) preventing the bank and its employees from engaging in illegal activities, including fraud, errors, inaccuracies, deceit, legalization (laundering) of proceeds from crime and terrorist financing, in operations related to the territory of the Republic of Kazakhstan quantities created and taken into account in a decentralized information system using cryptography and (or) computer computing tools that are not in accordance with the civil legislation of the Republic and Kazakhstan with financial instruments or financial assets that do not contain a claim to anyone.

      Effective internal control shall be ensured by the formation of appropriate management control and a control culture (control environment).

      Management control and control culture (control environment) characterize the general attitude, awareness and practical actions of the board of directors of the bank and the board of the bank aimed at creating and effective functioning of the internal control system.

      99. Management control and control culture (control environment) shall be formed by the board of directors and the board of the bank on the basis of ethical principles, standards of professional activity and corporate governance, which together with their legislatively established duties and responsibilities ensure adequate control by the bank’s governing bodies including control of:

      1) the organization of the bank’s activities, including the development and implementation of the strategy of the bank, internal bank documents;

      2) the functioning of the banking risk management system and the assessment of banking risks;

      3) the distribution of powers in banking operations and other transactions;

      4) managing information flows (receiving and transmitting information) and ensuring information security;

      5) the creation and functioning of the internal control system.

      100. The bank shall ensure the existence and functioning of the bank’s internal control system, which includes, but is not limited to:

      1) principles of organizing an internal control system;

      2) requirements for the professional qualities of employees;

      3) the internal procedure and procedures for the implementation of internal control;

      4) the definition of participants in the internal control system based on three lines of defense, their authority, responsibility with a clear definition of the structure of accountability;

      5) the internal procedure for interaction and exchange of information between participants in the internal control system along three lines of defense;

      6) the internal procedure for amending internal documents of the bank and in cases of detection of deficiencies in the process of internal control.

      The bank’s internal control system shall be based on the following principles:

      participation in the internal control process of all structural units and employees of the bank and internal control organizations as daily activities at all management levels;

      internal control coverage of all areas of activity and business processes and regulation of internal control procedures in all areas and business processes of the bank;

      implementation the internal control on an ongoing basis (continuity).

      101. The bank shall determine the participants of the internal control system based on three lines of protection:

      1) the first line of defense is provided by the structural units of the bank. The heads of structural units shall be responsible for organizing and implementing internal control in the structural unit;

      2) the second line of defense is provided by risk management, compliance control, a legal unit, a personnel department, a unit(s) performing (performing) financial control functions, and other structural units of the bank that exercise control functions;

      3) the third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the internal control system.

      102. The bank shall develop internal control procedures based on the following interrelated elements:

      1) control over risk management;

      2) control actions and separation of powers;

      3) information and interaction;

      4) monitoring and correction of deficiencies.

      103. The internal control system shall provide control over the timely identification and assessment on an ongoing basis of the risks inherent to the bank and the adoption of timely measures to minimize significant risks in accordance with the bank's internal documents. The internal control system provides, but is not limited to:

      1) consideration and accounting during risk assessment of internal factors (the complexity of the bank’s organizational structure, the nature of its activities, qualitative characteristics of personnel, organizational changes, personnel turnover), as well as external factors (changes in economic conditions and the situation in the banking sector, technological innovations) which negatively affect the achievement of the goals set by the bank;

      2) risk assessment in certain areas of the bank;

      3) carrying out by the bank of new operations and services, subject to the availability of their regulation in the bank's internal documents;

      4) ensuring timely informing of executives (departments, bodies of the bank), defined in the relevant internal documents of the bank, about the factors affecting the level of exposure of the bank to risks.

      The internal control system is subject to adjustment as any new or uncontrolled material risks are identified, including those related to the introduction of new services and products.

      104. Control activities include, but are not limited to:

      1) control carried out by the board of directors of the bank, committees of the board of directors and the board of the bank in order to identify and eliminate deficiencies in internal control, violations, errors;

      2) control carried out by the heads of structural units;

      3) control of physical availability and access to material assets, ensuring the protection of premises for the storage of material assets;

      4) verification of compliance with the established limits;

      5) a system of coordination and delegation of rights and powers;

      6) verification of the timely and correct reflection of the operations and transactions of the bank in accounting and reporting;

      7) verification of compliance with the policies and procedures of the bank in transactions and transactions.

      Control actions within the framework of the separation of duties contribute to minimizing the conflict of interests and the conditions for its occurrence, committing unlawful actions, as well as preventing the provision of the same structural unit and (or) employee with the opportunity:

      to make banking operations and other transactions and at the same time carry out their reflection in accounting;

      authorize the payment of money and carry out their actual payment, taking into account the limits established by the bank's internal documents;

      conduct operations on bank accounts of customers and accounts reflecting their own financial and economic activities of the bank;

      evaluate the reliability and completeness of the documents presented at the time of loan issuance, and monitor the repayment of the loan;

      perform actions in any other areas of activity in which a conflict of interest arises.

      Depending on the bank's operations, the following control methods shall be used:

      double control (the "four-eye" and "shared access" principles).

      The “four eyes” principle requires that the work of one employee be checked (approved) by another employee in order to involve the second employee in verifying the correctness of calculation, authorization and documentation of the operation.

      The principle of “shared access” implies a procedure in which 2 (two) or more employees are equally responsible for the physical protection of values ​​and documents. Responsibility shall be established by the relevant internal document of the bank and shall be brought to the information of all employees;

      analysis of operations.

      Preliminary analysis of the operation to prevent an incorrect or unauthorized operation.

      Subsequent analysis after its completion in order to reveal the fact of an unauthorized operation.

      To ensure the effectiveness of the subsequent analysis, it is necessary that the executive conducting the subsequent analysis be independent of the workers conducting this operation;

      reports on the results of operations to provide bank management with information on bank performance, financial conditions and deviations from the budget;

      training bank personnel in control techniques and error detection;

      data protection;

      providing protection against personnel errors;

      checking for errors in order to detect them in a timely manner.

      105. From the position of internal control, reliable and detailed financial, operational information and information on compliance with the established requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as incoming external market information about events and conditions related to decision-making. The collection, analysis of information and its transfer to its intended purpose shall involve ensuring:

      1) the board of directors of the bank, the board of the bank and the executives (units, bodies of the bank) specified in the relevant internal documents with information for making decisions and performing their duties;

      2) the availability of information flows that ensure the integrity, security and accessibility of information inside and outside the bank;

      3) adequate control over the management of information flows and information security of the bank.

      Internal control of the functioning of information systems and technical means provides for the control of information technology systems, which is carried out in order to ensure their security, uninterrupted and continuous operation.

      From the position of internal control, compulsory accounting of all bank operations and transactions is ensured.

      Monitoring the timeliness, reliability and sufficiency of the financial information of the bank requires verification of the following (but not limited to):

      information systems providing accounting in the bank for compliance with the legislation of the Republic of Kazakhstan in the field of accounting and financial reporting and IFRS;

      availability in the bank of internal documents on accounting;

      ensuring chronological and timely registration of operations and events in accounting;

      ability to generate financial statements at the end of each business day;

      correspondence of synthetic (final) accounting to analytical (detailed) accounting;

      regular checks of accounting records by employees who are not involved in the process of authorizing or reporting transactions in the financial statements;

      accounting records based on primary documents and ensuring the proper design and preservation of primary documents.

      106. Monitoring of the internal control system of the bank on an ongoing basis shall be carried out by the first and second line of defense, as well as the board of the bank.

      Significant internal control deficiencies shall be reported to the board of directors of the bank.

      The internal audit unit shall evaluate the effectiveness of internal control.

      The Risk Management Committee shall exercise control the functioning of the internal control system.

      107. The management reporting of the bank on internal control shall include the information on significant violations and deficiencies identified in the process of internal control, as well as on the results of decisions made or measures to eliminate them.

Chapter 12. Internal Audit

      108. The bank shall ensure the functioning of an internal audit taking into account the strategy, organizational structure, and volume of assets, nature and level of complexity of the bank's operations. The internal audit unit shall have clearly defined powers, independently in its activities, accountable to the board of directors of the bank. The internal audit unit shall have sufficient resources and powers to carry out objectively and efficiently its functions and responsibilities.

      The head and employees of the internal audit unit shall not hold a different position, shall not be members of the collegial body of the bank, and shall not combine responsibilities in the bank and (or) subsidiaries.

      The internal audit unit shall be guided in its activities by international standards of internal audit.

      109. The board of directors of the bank and the internal audit committee shall contribute to improving the efficiency of the internal audit unit by:

      1) ensuring unlimited access for employees of the internal audit unit to any documents, information and objects of the bank, including access to systems, records and minutes of meetings of collegial bodies of the bank;

      2) establishing requirements for the internal audit unit to independently evaluate the effectiveness of the system of morning control, risk management system, corporate governance in all areas of the bank's business;

      3) establishing requirements for internal auditors to comply with the code of ethics and requirements of the banking legislation of the Republic of Kazakhstan, the laws of the Republic of Kazakhstan on joint stock companies;

      4) establishing requirements for employees of the internal audit unit to have sufficient knowledge of banking activities and internal audit methods, the skills to collect the necessary and sufficient information, the ability to analyze and evaluate to perform their duties;

      5) establishing requirements for the board of the bank to timely and effectively implement the action plan to eliminate violations and deficiencies identified as a result of the audit;

      6) requirements to conduct a periodic assessment of the effectiveness of the bank's risk management system, internal accounting procedures, preparation and ensuring the integrity of financial and regulatory reporting, the compliance risk management system, and the internal control system.

      The internal audit unit shall carry out an independent, comprehensive assessment of the effectiveness of corporate governance, internal control, and risk management systems.

      The internal audit unit uses a risk-based approach in developing its plans and actions, forms an independent, informed opinion on the risks inherent in the bank's activities, and shall carry out appropriate assessments of internal processes.

      110. The effective activities of the internal audit unit shall be based on the following principles:

      1) independence and objectivity, which are achieved through the following:

      conducting an audit in any units of the bank and in any areas of activity based on a risk- based approach;

      absence of involvement of the internal audit unit in the development, implementation and application of internal control measures;

      absence of a conflict of interest in the activities of employees of the internal audit unit;

      rotation in the duties between employees of the internal audit unit, if possible, without prejudice to the competence and professionalism of employees;

      absence of connection between the remuneration of employees of the internal audit unit and the financial results of the structural units of the bank. The bonus part of the remuneration of the head and employees of the internal audit unit shall be established in such a way as to exclude the occurrence of a conflict of interest and not question the independence and objectivity of the internal audit unit;

      submission of reports of the internal audit unit for consideration by the board of directors and the committee on internal audit issues, for review without the right to adjust such reports to the board of the bank;

      accountability of the head of the internal audit unit directly to the board of directors of the bank, which appoints to the post, controls its activities and, if necessary, makes a decision on dismissal;

      Information on the decision on the release of the head of the internal audit unit of the positions shall be brought to the attention of the authorized body. Upon receipt of a request from an authorized body, the bank shall provide an explanation of the reasons for making this decision;

      2) professional competence and professional discretion, which meet the following characteristics:

      the ability of employees of the internal audit unit to collect and perceive information, verify and evaluate the revealed facts and interact with employees of the internal audit unit;

      responsibility of the head of the internal audit department for staffing, and constant monitoring and assessment of the required level of skills;

      the level of qualifications and skills of employees of the internal audit unit and (or) involved third-party experts that meet the requirements of professional competence, and the ability to conduct an internal audit of the bank's audited areas of activity at the proper level;

      professional development and in order to comply with changes in the internal and external environment;

      3) professional ethics, which meets the following principles:

      conscientious performance of duties by employees of the internal audit unit, their responsibility, decency and honesty;

      maintaining confidentiality of information obtained in the course of the performance of official duties;

      exclusion of a conflict of interest. Employees of the internal audit unit accepted from among bank employees are not allowed for the next 12 (twelve) months from the day they are transferred to the internal audit unit to conduct an audit of the unit in which they worked;

      the employees of the internal audit unit comply with the requirements of internal documents, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint stock companies.

      111. The bank shall approve the regulation on the internal audit unit in order to ensure operational efficiency. The provision includes, but is not limited to:

      1) the status of the internal audit unit in the bank, the powers, duties and internal procedures for interaction with other units of the bank;

      2) the tasks and scope of the internal audit unit;

      3) the responsibilities of the internal audit unit to inform the board of directors, the management board and other interested departments of the bank about the results of the work performed;

      4) the conditions under which the internal audit unit provides advice;

      5) responsibility and accountability of the hands of the breeder of the internal audit unit;

      6) requirements to be guided by international standards of internal audit;

      7) procedures for the interaction of the internal audit unit with the external auditor of the bank;

      8) the powers of the internal audit unit in the course of business (including verification of any unit and type of activity of the bank and its subsidiaries, unlimited access to bank documents, data, material objects, management reporting, records and minutes of all meetings and meetings adopted decisions).

      112. The scope of activity of the internal audit unit includes the assessment of:

      1) the effectiveness of the risk management system and internal control;

      2) the effectiveness of bank policies and procedures;

      3) the reliability of the accounting system and information;

      4) the reliability, efficiency and integrity of management reporting systems (including relevance, accuracy, completeness, accessibility, confidentiality and the comprehensive data);

      5) the safety of assets and capital.

      113. The activities of the internal audit unit adequately cover all issues of regulation of the bank's activities (based on a risk-based approach), in particular:

      1) risk management, including:

      assessment of the organization of the risk management process, including the responsibilities of structural units;

      assessment of compliance of the bank's activities with a risk appetite strategy and risk appetite determination procedures;

      assessment of the effectiveness of the internal procedure for informing and disseminating issues and decisions adopted in the framework of risk management;

      assessment of the effectiveness of risk management systems, including identification, assessment, monitoring and control, response, reporting on risks arising in the activities of the bank;

      assessment of the process of generating data in information systems, and used in the framework of risk management, with a view to ensuring accuracy, reliability and completeness;

      assessment of the approval process and application of risk assessment models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models.

      If during inspections the internal audit unit revealed significant facts of decision-making by the bank's management in the presence of a negative opinion of the risk management unit(s), such facts shall be brought by the internal audit unit to the board of directors of the bank notice;

      2) internal control system, including:

      checking the organization of the internal control system;

      assessment of processes and procedures of internal control;

      assessment of management information on internal control for reliability, completeness and timeliness;

      3) capital adequacy and liquidity, including:

      assessment of the effectiveness of internal processes for assessing capital adequacy and liquidity, the adequacy of the ratio of capital, liquidity and risks taken by the bank, compliance with mandatory standards;

      assessment of stress testing processes for capital and liquidity levels, taking into account the frequency of stress tests, testing tasks, realistic scenarios and assumptions made, process reliability;

      4) regulatory and management reporting.

      The internal audit unit shall evaluate the effectiveness of risk management and reporting processes for the bank management and the authorized body;

      5) compliance.

      Assessment of the effectiveness of processes and procedures for managing compliance risk and ML/FT risk;

      6) the activities of the financial unit:

      assessment of the process of generating initial financial data with a view to ensuring their adequacy, accuracy and completeness, and subsequent presentation of key data, including financial results, assessment of financial instruments and reduction of their value;

      assessment of the approval process and application of pricing models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models;

      assessment of existing control mechanisms to prevent and detect violations of the rules of operations;

      Assessment of bank procedures for measuring and monitoring bank positions in terms of liquidity, currency and interest rate for compliance with the risk profile of the bank, the external environment and minimum regulatory requirements;

      selective testing of bank transactions for their compliance with policies and procedures during the audit and assessment of the effectiveness of internal control measures in relation to these transactions;

      assessment of the effectiveness of accounting processes, including control procedures.

      114. Based on the results of audits, a report shall be generated on the results of the internal audit, which contains, but is not limited to, the following:

      1) general information, including goals, scope, timing of the audit, information on the composition of the audit team;

      2) a list of violations and deficiencies identified during the audit, indicating the reasons for the violations and deficiencies, and their impact on the bank's activities;

      3) recommendations for eliminating identified violations and deficiencies;

      4) a list of executives to whom the audit report is sent.

      The report on the results of the internal audit is sent to the board of the bank for review, the material facts and conclusions drawn are sent to the bank's audit committee and board of directors.

      115. The head of the internal audit department shall be responsible for preparing the annual audit plan based on a risk-based approach, which includes, but is not limited to:

      1) the purpose and scope of the audit;

      2) areas subject to audit;

      3) the timing of the audit;

      4) the necessary personnel and other resources.

      The annual audit plan shall be based on a risk assessment and, if necessary, shall be  reviewed during the year.

Chapter 13. Outsourcing

      116. In the case of outsourcing external contractors to carry out certain operations and (or) business processes, the board of directors of the bank shall ensure the existence of effective principles and practices for managing risks arising from the involvement of external contractors. Activities to attract external contractors shall include:

      1) procedures for determining which functions are transferred to outsourcing g and how;

      2) the process of verifying the reliability of the financial condition of the company when selecting potential counterparties;

      3) reliable principles for concluding contracts with external contractors, taking into account the structure of their property, the conditions of confidentiality and providing for the right to terminate the contracts;

      4) risk management and monitoring programs related to the conclusion of such contracts, taking into account the financial position of the service provider;

      5) creation of conditions for effective control at the bank and in the organization that provides services;

      6) the development of effective plans in case of unforeseen circumstances;

      7) the implementation of complex contracts and (or) contracts for the provision of services with a clear distribution of responsibilities between the organization that provides services and the bank.

  Annex
to the Resolution of
the Board of the
National Bank of the
Republic of Kazakhstan
dated November 12, 2019 No. 188

The list of regulatory legal acts of the Republic of Kazakhstan, as well as structural elements of some regulatory legal acts of the Republic of Kazakhstan, recognized as terminated

      1. Resolution of the Board of the National Bank of the Republic of Kazakhstan dated February 26, 2014 No. 29 “On approval of the Rules for the formation of a risk management and internal control system for second-tier banks” (registered in the State Register of Normative Legal Acts under No. 9322, published on April 17, 2014 in the Legal Information System “Adilet”).

      2. Paragraph 22 of the List of Regulatory Legal Acts of the Republic of Kazakhstan, amended and supplemented, approved by Resolution of the Board of the National Bank of the Republic of Kazakhstan dated August 27, 2014 No. 168 “On amendments and additions to some regulatory legal acts of the Republic of Kazakhstan” (registered in the State Register of Normative Legal Acts under No. 9796, published on November 12, 2014 in the Legal Information System “Adilet”).

      3. Paragraph 4 of the List of some regulatory legal acts of the Republic of Kazakhstan, that amends and supplements on the regulation of the financial market, payments and payment systems, approved by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated October 29, 2018 No. 267 “On Amendments and Additions” to some regulatory legal acts of the Republic of Kazakhstan on the regulation of the financial market, payments and payment systems ”( registered in the State Register of Normative Legal Acts under No. 18123, published on January 11, 2019 in the Reference Control Bank of normative legal acts of the Republic of Kazakhstan).

If you found any error on the page, please highlight a word or a phrase and then press «Ctrl+Enter» key combination

 

On-page search

Enter text to search

Hint: Browser has internal on-page search. It works faster and is usually activated by pressing ctrl-F.