On approval of the Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan

Updated Unofficial translation

Resolution of the Board of the National Bank of the Republic of Kazakhstan dated November 12, 2019 № 188. Registered with the Ministry of Justice of the Republic of Kazakhstan on November 21, 2019 № 19632.


      Footnote. The title - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 02/24/2021 No. 43 (shall come into effect ten calendar days after the day of its first official publication).

      In accordance with the Law of the Republic of Kazakhstan dated August 31, 1995 “On Banks and Banking Activities in the Republic of Kazakhstan”, the Board of the National Bank of the Republic of Kazakhstan RESOLVES:

      1. To approve the attached Rules for formation of risk management and internal control system for second-tier banks, and branches of non-resident banks of the Republic of Kazakhstan.

      Footnote. Paragraph 1 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2021 No. 43 (shall come into effect ten calendar days after the day of its first official publication).

      2. To recognize as terminated the regulatory legal acts of the Republic of Kazakhstan, as well as the structural elements of some regulatory legal acts of the Republic of Kazakhstan according to the list in accordance with the Annex to this Resolution.

      3. The Department of Methodology and Regulation of Financial Organizations in the manner prescribed by the legislation of the Republic of Kazakhstan shall ensure:

      1) together with the Legal Department, the state registration of this Resolution with the Ministry of Justice of the Republic of Kazakhstan;

      2) placement of this Resolution on the official Internet resource of the National Bank of the Republic of Kazakhstan after its official publication;

      3) within ten working days after the state registration of this Resolution, submission of the information on the implementation of measures, provided for in subparagraph 2) of this paragraph and paragraph 4 of this Resolution, to the Legal Department.

      4. Within ten calendar days after the state registration of this Resolution, the Department of External Communications - the press service of the National Bank of the Republic of Kazakhstan shall ensure that a copy hereof is sent to periodicals for official publication.

      5. Control over execution of this resolution shall be entrusted to Deputy Chairman of the National Bank of the Republic of Kazakhstan O. A. Smolyakova.

      6. This Resolution shall come into effect upon expiry calendar days after the day of its first official publication.

      7. Second-tier banks shall, by October 1, 2020, bring their activities into compliance with the requirements of this Resolution.

      Footnote. Paragraph 7 is in the wording of the Resolution of the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market dated June 18, 2020 No. 66 (shall be enforced from the date of its first official publication).

      Chairman of the
      National Bank Ye. Dossayev

  Approved by the
Resolution of the Board of the
National Bank of the
Republic of Kazakhstan
dated November 12, 2019 No. 188

The Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan

      Footnote. The title - as amended by the resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 02/24/2021 No. 43 (shall come into effect ten calendar days after the day of its first official publication).

      1. These Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan (hereinafter referred to as the Rules) have been developed in accordance with part two of paragraph 1 of Article 40-5 of the Law of the Republic of Kazakhstan dated August 31, 1995 "On Banks and Banking Activities in the Republic of Kazakhstan" (hereinafter referred to as the Law on Banks) and shall establish the procedure for forming the risk management and internal control system of second-tier banks, branches of non-resident banks of the Republic of Kazakhstan (hereinafter referred to as the bank).

      Footnote. Paragraph 1 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2021 No. 43 (shall come into effect ten calendar days after the day of its first official publication).

      2. The following concepts shall be used in the Rules:

      1) information security risk - the possibility of damage due to a violation of confidentiality, deliberate violation of the integrity or availability of information assets of the bank;

      2) information technology risk - the possibility of damage due to failure (malfunction) of information and communication technologies operated by the bank;

      3) the authorized collegial body of the bank - the board of directors, a committee under the board of directors, the board, a committee under the board;

      4) reputational risk - the possibility of losses, failure to receive planned income as a result of a narrowing of the client base, a decrease in other development indicators due to the formation in society of a negative image of the bank's reliability, the quality of the services it provides or the nature of the activities of the bank in general;

      5) legal risk - the possibility of losses due to failure by a bank or counterparty to comply with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime, and the financing of terrorism, on joint stock companies, and in relations with non-residents of the Republic of Kazakhstan - the legislation of the country of its origin, as well as the terms of concluded agreements;

      6) internal process for assessing capital adequacy - a set of processes for managing significant risks, taking into account the volume of assets, the nature and level of complexity of activities, organizational structure, strategic plans, the risk profile of the bank, regulatory framework, assessment and aggregation of such risks to determine the target level of sufficiency of the bank's capital to maintain a stable financial position and solvency.

      The capital of a branch of a non-resident bank of the Republic of Kazakhstan means the assets of a branch of a non-resident bank of the Republic of Kazakhstan, accepted as a reserve, calculated in accordance with the requirements of the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 12, 2021 No. 23 "On the establishment of prudential standards and other mandatory norms and limits for branches of non-resident banks of the Republic of Kazakhstan (including branches of Islamic non-resident banks of the Republic of Kazakhstan), their regulatory values and calculation methods, including the procedure for forming assets of branches of non-resident banks of the Republic of Kazakhstan (including branches of Islamic non-resident banks of the Republic of Kazakhstan) accepted as a reserve, and their minimum size", registered in the State Register of Normative Legal Acts under No. 22213;

      7) capital financing plan – a set of procedures and action plan for responding to a critical decrease in the bank’s capital;

      8) statistical journal of the value of collateral - an internal journal of the value of collateral, including a description and characteristics of the collateral, information based on the results of the first and most current assessments of an independent quality assessment (date of assessment, name of the independent quality assessment, cost, assessment method), conclusions of the collateral service (date, cost), reasons for differences in costs, information on sales (if any);

      9) unsecured consumer loan - a bank loan without a collateral condition at the time of issue, provided to an individual for purposes not related to business activities;

      10) compliance risk - the possibility of losses due to non-compliance by the bank and its employees with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, internal documents of the bank regulating the procedure for the bank to provide services and conduct transactions in the financial market, as well as the legislation of foreign countries that influences the activities of the bank;

      11) corporate governance - a system of relationships between the board of the bank (the corresponding executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, the executive employees of the branch of a non-resident bank of the Republic of Kazakhstan), the board of directors (the corresponding governing body of a non-resident bank of the Republic of Kazakhstan, whose branch is opened on the territory of the Republic of Kazakhstan), shareholders, managers and auditors, as well as the relationship between the authorized collegial bodies of the bank.

      The corporate governance system shall make it possible to organize the distribution of powers and responsibilities, as well as to build a corporate decision-making process;

      12) credit risk – the possibility of losses arising as a result of the borrower or counterparty’s failure to fulfill its obligations in accordance with the terms of the bank loan agreement;

      13) creditworthiness - a comprehensive legal and financial characteristic of the borrower, represented by financial and non-financial indicators, allowing one to assess his ability in the future to fully and on time fulfill his obligations under a bank loan agreement;

      14) loan agreement - an agreement between the bank and the borrower on the provision of financing (including conditional financing), as a result of which the bank has (or will have in the future) claims on the borrower;

      15) contingency financing plan - a set of procedures and action plan to respond to a decrease in the bank’s ability to timely meet its obligations;

      16) supervisory stress testing - a tool of an authorized body aimed at assessing the financial stability of banks to hypothetical (stress) scenarios. Banks, based on a methodology and scenarios common to all participants in supervisory stress testing, shall carry out calculations using internal models and provide stress testing results to the authorized body. In this case, banks shall be responsible for the proper quality of the calculations performed and the results of stress testing;

      17) authorized body for financial monitoring - a state body that carries out financial monitoring and takes other measures to combat the legalization (laundering) of proceeds from crime, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction;

      18) unit-owner of protected information - a unit of the bank, owner of the information, violation of the confidentiality, integrity or availability of which will lead to losses for the bank;

      19) critical information asset - an information asset determined in accordance with the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated March 27, 2018 No. 48 "On approval of Requirements for ensuring information security of banks, branches of non-resident banks of the Republic of Kazakhstan and organizations carrying out certain types of banking operations, Rules and terms for providing information about information security incidents, including information about violations, failures in information systems", registered in the State Register of Normative Legal Acts under No. 16772;

      20) significant risk – a risk, the implementation of which will lead to a deterioration in the financial stability of the bank;

      21) conflict of interests - a situation in which a contradiction arises between the personal interests of bank officials (officials of the management body, the executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is open on the territory of the Republic of Kazakhstan, executive employees of a branch of a non-resident bank of the Republic of Kazakhstan), its shareholders and (or) its employees and their proper performance of their official powers or property and other interests of the bank and (or) its employees and (or) clients, which will entail adverse consequences for the bank and (or) its clients;

      22) market risk - the possibility of financial losses on balance sheet and off-balance sheet items due to unfavourable changes in the market situation, expressed in changes in market interest rates, foreign exchange rates, the market value of financial instruments, goods;

      23) operational risk - the possibility of losses as a result of inadequate and insufficient internal processes, human resources and systems, or the influence of external events, except for strategic risk and reputational risk;

      24) internal process for assessing liquidity adequacy - a set of liquidity risk management processes to maintain the bank at an appropriate level of liquidity and implement an appropriate liquidity risk management system at various time intervals depending on the type of activity and currency;

      25) liquidity risk - the possibility of financial losses as a result of the bank’s inability to fulfil its obligations on time without significant losses;

      26) interest rate risk – the risk of financial expenses (losses) due to unfavourable changes in interest rates on the assets and liabilities of the bank;

      27) policy - an internal document approved by the board of directors of the bank that shall define the main quantitative and qualitative parameters, principles, and standards that ensure the effective functioning of the bank and compliance of its activities with the strategy, risk profile, and risk appetite. As part of the policy, the board of directors of the bank shall ensure the availability of appropriate internal documents describing individual procedures, processes, and instructions;

      28) strategic risk - the possibility of losses as a result of errors (shortcomings) made when making decisions that determine the strategic development of the bank and expressed in insufficient consideration of possible dangers inherent in the activities of the bank, incorrect or insufficiently substantiated determination of promising areas of activity in which the bank will achieve an advantage before competitors, the absence or incomplete provision of the necessary resources and organizational measures to ensure the achievement of the strategic goals of the activities of the bank;

      29) stress testing – a method for assessing the potential impact of exceptional but possible events on the financial condition of the bank;

      30) risk - the possibility that expected or unforeseen events will harm the financial stability of the bank, its capital and (or) income;

      31) risk profile - a set of types of risks and other information characterizing the degree of exposure of the bank to risks inherent in all types of activities of the bank to identify weaknesses and determine the priority of subsequent actions within the risk management system;

      32) risk appetite – aggregated level(s) of significant risks (limits of acceptable risk), which the bank is ready to accept or intends to exclude when implementing the strategy;

      33) risk appetite statement – a document approved by the board of directors of the bank that describes the aggregated level(s) of significant risks (limits of acceptable risk), which the bank is ready to accept or intends to exclude when implementing the strategy. The risk appetite statement shall contain statements of a qualitative nature as well as a quantitative nature, including indicators regarding profitability, capital, liquidity, risks, and other applicable indicators;

      34) risk culture – processes, procedures, internal rules of the bank aimed at understanding, accepting, managing and controlling risks to minimize their impact on the financial condition of the bank, as well as ethical norms and standards of professional activity of all participants in the organizational structure. Risk culture shall complement the existing approved procedures, processes and mechanisms of the activities of the bank and is an integral component of the risk management system;

      35) risk treatment – the process of selecting and implementing measures to change risks;

      36) risk register – a structured list of risks containing the criteria and causes of risks, the possibility of their occurrence, impact (damage), priority and methods of risk treatment;

      37) authorized body - a state body that carries out state regulation, control and supervision of the financial market and financial organizations;

      38) organizational structure - an internal document and (or) a set of internal documents establishing the quantitative composition and system of management bodies, management employees and structural units of the bank, reflecting the structure of subordination and accountability;

      39) a participant of the Astana International Financial Center providing services for managing the digital asset platform - a legal entity registered in accordance with the current law of the Astana International Financial Center and carrying out activities on managing the digital asset platform on the territory of the Astana International Financial Center;

      40) internal (economic) capital - capital necessary to cover significant risks, including potential ones, accepted by the bank, calculated within the bank using its models.

      When applying the requirements of the Rules to a branch of a non-resident bank of the Republic of Kazakhstan:

      the board of directors refers to the relevant governing body of a non-resident bank of the Republic of Kazakhstan;

      the board refers to the management employees of a branch of a non-resident bank of the Republic of Kazakhstan;

      equity capital refers to the assets of a branch of a non-resident bank of the Republic of Kazakhstan, accepted as a reserve, calculated in accordance with the requirements of the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 12, 2021 No. 23 "On the establishment of prudential standards and other mandatory norms and limits for branches of non-resident banks of the Republic of Kazakhstan (including branches of Islamic non-resident banks of the Republic of Kazakhstan), their regulatory values and calculation methods, including the procedure for forming assets of branches of non-resident banks of the Republic of Kazakhstan (including branches of Islamic non-resident banks of the Republic of Kazakhstan) accepted as a reserve, and their minimum size", registered in the Register of State Registration of Normative Legal Acts under No. 22213;

      financial reporting refers to reporting according to the accounting data of a branch of a non-resident bank of the Republic of Kazakhstan;

      the head of risk management refers to the head of the risk management unit of a branch of a non-resident bank of the Republic of Kazakhstan;

      the chief compliance controller refers to the head of the compliance control unit of a branch of a non-resident bank of the Republic of Kazakhstan.

      Footnote. Paragraph 2 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall come into force ten calendar days after the day of its first official publication).

      3. The purpose of the Rules is to determine the requirements for the formation of risk management systems and internal control by the bank by ensuring:

      1) effective management of the bank risks through their timely identification, measurement, control and monitoring to ensure that the bank equity is consistent with the level of risks taken by it and that there is an appropriate level of liquidity;

      2) good corporate governance practices and an appropriate level of business ethics and risk culture;

      3) compliance by the bank and its employees with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal policies, procedures and other internal documents of a bank;

      4) timely detection and elimination of deficiencies in the activities of the bank and its employees;

      5) creation of adequate mechanisms in the bank to deal with unforeseen or emergency situations.

      4. The board of directors of the bank shall ensure that a risk management system is in place that matches the selected business model, scale of activity, in terms of types and complexity of operations, and shall provide an appropriate process for identifying, measuring and evaluating, monitoring, controlling and minimizing significant bank risks in order to determine the bank’s equity and liquidity necessary to cover significant risks inherent in the bank business.

      The risk management system is a set of components established by the Rules, which shall provide a mechanism for the interaction of internal procedures developed, regulated by the bank, processes, policies, structural units of the bank in order to timely identify, measure, control and monitor the risks of the bank, as well as minimize them to ensure its financial stability and stable functioning.

      5. The risk management system shall ensure:

      1) the optimal relationship between the profitability of the main activities of the bank and the level of risks taken, based on the choice of a viable and sustainable business model, an effective strategy and a budget planning process, taking into account the risk appetite strategy;

      2) an objective assessment of the size of the bank’s risks, the completeness and documentation of risk management processes, their preventive identification, measurement and assessment, monitoring and control, and minimization of significant types of risks at each level of the organizational structure with the optimal use of financial resources, personnel and information systems to maintain a sufficient volume of the bank's equity capital and liquidity;

      3) coverage of all types of bank activities exposed to significant risks at all levels of the organizational structure, complete assessment of individual significant types of risks, and their mutual influence to determine the bank’s risk profile and build a risk appetite strategy;

      4) availability of risk appetite levels for all types of significant risks and an algorithm of actions in cases of violation of established levels, including responsibility for accepting risks whose level is determined to be high, procedures for informing the board of directors, committees under the board of directors and the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is opened on the territory of the Republic of Kazakhstan) as part of the risk appetite strategy;

      5) awareness of the authorized collegial bodies of the bank making decisions that carry risks, through the construction of an effective corporate governance system, the availability of complete, reliable and timely management information about the significant risks inherent in the activities of the bank;

      6) rational decision-making and action in the interests of the bank based on a comprehensive assessment of the information provided in good faith, with due diligence and care (duty of care). The duty of care and diligence shall not apply to errors in business decision-making unless the employees and officers of the bank were grossly negligent;

      7) making decisions by employees and officials of the bank and acting in good faith in the interests of the bank, without taking into account personal benefits, the interests of persons associated with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);

      8) clear distribution of functions, responsibilities and powers of risk management between all structural units and employees of the bank, their responsibilities, taking into account minimizing conflicts of interest;

      9) separation of the risk management and internal control functions from the bank’s operating activities by building a system of three lines of defense, which includes:

      the first line - at the level of the bank's structural units;

      the second line - at the level of risk management units and those performing control functions;

      the third line - at the level of the internal audit unit in terms of assessing the effectiveness of the risk management system;

      10) availability of documents developed to regulate the activities of the bank, create and operate effective risk management and internal control systems in the bank and corresponding to the strategy, organizational structure, risk profile of the bank and the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on the mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, as well as their periodic review and updating;

      11) compliance with the requirements of civil, tax, and banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      12) compliance with current procedures, processes, policies and other internal documents of the bank for risk management through building an effective internal control system.

      Footnote. Paragraph 5 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 02.24.2021 No. 43 (shall come into force ten calendar days after the day of its first official publication).

      6. The authorized body, in the framework of evaluating the effectiveness of the bank’s risk management system, shall be guided by the following principles:

      1) ensuring the financial stability of banks, preventing deterioration of the financial situation of banks and increasing risks associated with the activities of banks, protecting the legitimate interests of depositors, creditors, customers and correspondents of banks;

      2) prevalence of the essence over the form, expressed in the assessment of the bank’s risk management system as a mechanism for measuring and evaluating, monitoring, controlling, and minimizing the bank’s significant risks, rather than formally regulated bank procedures and compliance with the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank;

      3) proportionality in the exercise of control and supervision functions, as well as when applying the results of control and supervision, measures provided for by the laws of the Republic of Kazakhstan, based on the business model adopted by the bank, the scale of activity, types and complexity of operations and the materiality of the bank's risks;

      4) application of a uniform approach to the assessment of the risk management system and supervisory response measures;

      5) identification of significant risks in the activities of the bank.

      7. The authorized body shall evaluate:

      1) the effect of the corporate governance system;

      2) significant risks inherent in the bank's activities, taking into account the types and complexity of the bank's operations;

      3) compliance of the risk management systems with the selected business model, the scope of activities, types and complexity of the bank's operations;

      4) financial condition of large participants of the bank in order to determine the possibility of maintaining the financial stability of the bank;

      5) impact of the financial condition of the participants of the banking conglomerate on the financial stability of the bank;

      6) the effectiveness of the application of preventive measures in order to prevent the deterioration of the financial stability of the bank by adjusting risk management systems based on the scale of activity and the level of risks taken;

      7) application of a system of quantitative and qualitative indicators in the framework of assessing the activities of the bank and the effectiveness of modeling methods.

Chapter 2. Business Model

      8. The business model of a bank is a combination of the chosen strategy, products, and planning processes that ensure competitiveness and a sufficient level of profitability. The main principles in the formation of a business model of a bank shall be:

      1) viability, expressed in the bank's ability to provide a sufficient level of profitability in the next 12 (twelve) months and based on budget planning and forecasting of financial indicators;

      2) sustainability, expressed in the ability of the bank to provide a sufficient level of profitability for a period of at least 3 (three) years and based on strategic planning and forecasting of financial indicators.

      The bank shall conduct regular analysis of the business model in order to assess the impact on it of strategic risks and the risks inherent in the activities of the bank.

      Banking activities shall be carried out within the framework of the chosen business model taking into account the volume of assets, the nature and level of complexity of the activity, organizational structure, and risk profile.

      9. The strategy of the bank shall be approved by the board of directors of the bank for a period of at least 3 (three) years and shall contain:

      1) the mission and goals of development of the bank. Goals shall be measurable, achievable, realistic, and have precise timelines for implementation;

      2) target market segments by sectors of the economy and geographical distribution of the development of the bank;

      3) analysis of the strengths and weaknesses of the selected bank strategy, taking into account key sources of income;

      4) quantitative indicators of the loan portfolio, liquid assets, customer deposits and other borrowed funds, taking into account the established levels of risk appetite. At the same time, realistic assumptions shall be used that take into account available and accessible resources, current and potential economic conditions;

      5) analysis of key sources of income;

      6) key types of investments, their structure and planned changes, including the introduction and development of new products and services, taking into account the assessment of risks and processes associated with their implementation and development, as well as assessing the current capabilities of the bank to introduce and develop such products;

      7) scenarios of the strategic development of the bank's activity (negative and most probable scenarios).

      10. The budget of the bank shall be approved annually by the board of directors of the bank and shall contain a monthly forecast of financial indicators (assets and liabilities, income and expenses, information on the loan portfolio, customer deposits and other borrowed funds, by currency (national and foreign currencies in total), categories of customers).

      The budget shall correspond to the strategy of the bank. Therewith, the assumptions used shall be realistic and take into account available and accessible resources, current and potential economic conditions and possible risks.

      One of the components of effective budget planning shall be the tariff policy, which minimally includes the following components:

      internal procedures and procedures for conducting market analysis of demand and prices for banking services;

      internal procedure and procedures for the formation of the structure of interest rates and tariffs;

      acceptable lower and upper limits for interest rates and tariffs for the bank, as well as requirements for the internal procedure for their approval, taking into account the requirements of the civil and banking legislation of the Republic of Kazakhstan, on payments and payment systems, on mandatory guarantee of deposits, their application and periodic review;

      criteria for choosing a method for determining prices for banking services, as well as requirements for methods based on assessing the nature and level of complexity of the bank's activities and the risks inherent in the bank;

      participants in the pricing process and the order of interaction between them, including the exchange of information;

      the internal procedure and procedures for timely informing bank customers about the conditions for the provision of banking services, as well as informing about changes.

      The bank shall analyze the budget monthly to ensure that the predicted indicators are consistent with the actual values and to identify the reasons for the deviations detected, followed by the development of corrective measures, if necessary, and shall make reasonable adjustments with their further documentation.

      11. In the process of strategic and budget planning, the bank shall analyze the key sources of profitability in order to identify potential risks.

      In order to keep the strategy and budget of the bank up to date, the bank shall annually analyze the target markets where it operates, evaluate the competitive environment, the adequacy of resources and the ability to generate short and long term returns.

      Strategic and budget planning shall be carried out within the framework of accepted and approved levels of risk appetite.

Chapter 3. Risk Appetite Strategy

      12. In order to build an effective risk management system, the board of directors of the bank shall approve the risk appetite strategy as a separate document, or as an integral part of the strategy of the bank. The risk appetite strategy shall define clear boundaries of the volume of accepted risks where the bank operates as part of the implementation of the bank’s general strategy, and shall also determine the risk profile of the bank’s activities in order to prevent risks or minimize their negative impact on the financial position of the bank. The risk appetite strategy shall be taken into account:

      1) in strategic and budget planning defined by Chapter 2 of the Rules;

      2) in internal processes for assessing capital adequacy and liquidity, as defined by Chapters 5 and 6 of the Rules;

      3) in formation of the organizational structure of the bank and the wage policy defined by Chapter 4 of the Rules.

      13. An effective risk appetite strategy shall:

      1) contain a description of the risk profile of the bank;

      2) contain the process of disseminating the strategy to all structural units and be brought to the attention of bank employees;

      3) be aimed at introducing a risk culture at all levels of the bank's organizational structure, as well as at disseminating the practice of observing risk appetite levels within the risk culture;

      4) provide protection from the bank taking excessive risks when making decisions;

      5) be the basis for the formation of a statement of risk appetite;

      6) change in case of significant changes in market conditions and (or) the level of financial stability of the bank.

      14. Within the framework of the risk appetite strategy, the board of directors of the bank shall form a risk appetite statement that sets the general direction with respect to the risks accepted by the bank in the framework of budget planning and operational activities of the bank. An effective statement of risk appetite shall:

      1) be formed taking into account the strategy of the bank;

      2) determine for each significant type of risk the aggregated level (levels) of risk appetite, which the bank accepts in its activities taking into account the risk profile;

      3) include quantitative indicators that are used to determine the aggregated level(s) of risk appetite for each significant type of risk;

      4) include a statement of a qualitative nature that describes the grounds for taking risks by the bank, or their exclusion, including reputational and (or) other risks, a quantitative assessment of which is not feasible, and also establishes approaches to control them;

      5) imply a prognostic approach and take into account the results of stress testing in order to identify potential events leading to a violation of risk appetite levels.

      15. In order to determine risk appetite, the board of directors of the bank shall set the aggregated level(s) of risk appetite and levels of risk appetite for each type of significant risk.

      The applicable levels of risk appetite shall meet the following requirements:

      have a clear definition;

      be relevant;

      measurable;

      calculated on a periodic basis;

      information on the actual values of risk appetite levels and their performance shall be provided to the board of directors and the committee of the bank risk management;

      developed taking into account the prognostic approach.

      16. Effective levels of risk appetite shall:

      1) be set at a level that facilitates the bank's compliance with the aggregated level(s) of risk appetite;

      2) take into account available capital, liquidity, profitability, development strategy;

      3) take into account all significant concentration risks (concentration on the client, on currency, on country risk, on market segments and other types of concentration);

      4) be based not only on the application of best practices and (or) the requirements of the authorized body, but shall also take into account the essential risks inherent to the bank;

      5) be developed using objective and clear assessments and not be ambiguous;

      6) be regularly reviewed for relevance;

      7) take into account reasonable assumptions, supported by the results of stress testing.

      17. The procedure for determining risk appetite levels shall include, but shall not be limited to, the following components:

      1) the internal procedure for calculating and determining quantitative and qualitative parameters characterizing the levels of risk appetite of the bank;

      2) information and materials, methods and tools used to calculate and determine risk appetite levels;

      3) responsible executives and (or) departments of the bank involved in calculating and determining the risk appetite levels of the bank and responsible for monitoring the established levels of risk appetite;

      4) the conditions under which an adjustment is made to the approved risk appetite level.

      Quantitative methods used to establish risk appetite levels shall have a high degree of reliability in assessing the level of risk.

      18. Risk appetite levels shall include the following risk level limits:

      1) the level that does not require the application of corrective measures;

      2) the level defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;

      3) the level defined as high, requiring the application of appropriate measures to prevent the deterioration of the financial stability of the bank and its solvency.

      When determining risk appetite, the bank shall assess the acceptability of the established risk appetite in the current time period and to what extent it will be acceptable in the future by means of stress testing (scenario analysis and sensitivity analysis).

      If significant risks are identified that are not described in the risk profile, the bank shall assess the level of risk, finalize appropriate procedures to include such risks in the risk profile, determine the level of risk appetite and develop measures to prevent and (or) minimize the identified risk.

      Aggregated level(s) of risk appetite shall be established and reviewed (revised) on a periodic basis. The levels of risk appetite for certain types of risk shall be reviewed during the year when the situation on the market changes and (or) changes in the requirements of the authorized body, but within the aggregated level of risk appetite.

Chapter 4. Corporate Governance

      19. The main elements of an effective corporate governance system are:

      1) organizational structure;

      2) corporate values;

      3) strategy of the activities of the bank;

      4) distribution of responsibilities and powers regarding decision-making between the authorized bodies of the bank;

      5) mechanisms of interaction and cooperation between members of the board of directors, the board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, senior employees of a branch of a non-resident bank of the Republic of Kazakhstan), external and internal auditors of the bank;

      6) procedures and techniques for risk management;

      7) internal control system;

      8) reward system;

      9) the presence of an adequate management reporting system;

      10) transparency of corporate governance.

      Footnote. Paragraph 19 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2021 No. 43 (shall come into effect ten calendar days after the day of its first official publication).

      20. The organizational structure of the bank shall correspond to the chosen business model, scale of activity, types and complexity of operations, minimize conflicts of interest and distribute powers for risk management between collegial bodies and structural units, including, but not limited to:

      1) board of directors of the bank;

      2) committees under the board of directors of the bank;

      3) the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is opened on the territory of the Republic of Kazakhstan, senior employees of a branch of a non-resident bank of the Republic of Kazakhstan);

      4) risk management unit(s);

      5) compliance control unit;

      6) internal audit unit;

      7) unit performing the functions of a collateral service, including an outsourced collateral service (except for cases where the bank’s strategy does not provide for the provision of loans secured by collateral and there are no loans issued against collateral in the bank’s current portfolio) (hereinafter referred to as the Collateral unit services).

      Footnote. Paragraph 20 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (the order of enforcement see Paragraph 5).

      21. The basic principles and responsibilities of the board of directors of the bank shall include:

      1) rational decision-making and action in the interests of the bank based on a comprehensive assessment of the information provided in good faith, with due diligence and care (duty of care). The duty of care shall not apply to errors in business decision-making unless the board members are grossly negligent;

      2) making decisions and acting in good faith in the interests of the bank, without taking into account personal benefits, the interests of persons associated with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);

      3) active involvement in the activities of the bank and awareness of significant changes in the activities of the bank and external conditions, as well as making timely decisions aimed at protecting the interests of the bank in the long term;

      4) preliminary consideration of the draft corporate governance code and (or) amendments to it.

      Within the framework of the corporate governance code, a procedure for managing conflicts of interest and mechanisms for its implementation, as well as monitoring execution, shall be developed. The procedure shall contain the following components:

      mechanism for the procedure for minimizing conflicts of interest in the activities of the bank;

      the approval process that a board member undergoes before serving as an officer in another organization to prevent conflicts of interest;

      the obligation of members of the board of directors to immediately provide information on any issue that creates a conflict of interest or is a potential cause of its occurrence;

      the obligation of members of the board of directors to abstain from voting on issues in which a member of the board of directors has a conflict of interest;

      mechanism for the board of directors to respond to violations of the provisions of the procedure.

      Within the framework of the corporate governance code, procedures shall be developed through which bank employees confidentially report violations relating to the bank's activities;

      5) ensuring compliance of the bank’s corporate governance system with the following principles:

      compliance with the scale and nature of the activities of the bank, its structure, risk profile, and business model of the bank;

      protection of the rights of shareholders provided for in accordance with the civil, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint stock companies and support for the implementation of these rights;

      ensuring timely and reliable disclosure of information in accordance with the banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on the securities market, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies;

      to perform their duties, members of the board of directors have access to complete, current and timely information;

      6) approval of the following internal documents and control of their execution:

      organizational structure of the bank;

      bank development strategies;

      bank profitability management policies;

      stress testing procedures and scenarios;

      contingency financing plan;

      business continuity management policies;

      internal procedure for the payment of remuneration to the bank's executive officers and bank employees directly accountable to the board of directors of the bank;

      personnel policy;

      wage policies;

      accounting policy;

      tariff policy;

      credit policy;

      policy on problem assets;

      a document regulating the main approaches and principles of the internal process of assessing capital adequacy (hereinafter referred to as ICAAP);

      a document regulating the main approaches and principles of the internal process of assessing liquidity adequacy (hereinafter referred to as ILAAP);

      information technology and information security risk management policy(ies) of the bank;

      internal control policies;

      credit risk management policies;

      market risk management policies;

      operational risk management policies;

      compliance risk management policies;

      policies for managing the risk of legalization (laundering) of proceeds from crime and the financing of terrorism (hereinafter referred to as the ML/TF);

      collateral policy;

      liquidity management policies;

      internal audit policy, internal auditor code of ethics, regulations on the internal audit unit, internal audit procedures, annual internal audit plan;

      policies (procedures) for engaging an external auditor;

      7) approval of the risk appetite strategy and risk appetite levels of the bank;

      8) monitoring compliance with the risk appetite strategy, risk appetite levels and risk management policies;

      9) ensuring the availability of a financial service responsible for accounting and high-quality preparation of financial statements;

      10) preliminary approval of annual financial statements certified by an audit organization, as well as sending a request for periodic independent audits as necessary;

      11) electing members of the board of the bank (members of the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is open on the territory of the Republic of Kazakhstan), appointing the head of risk management, the head of internal audit and the chief compliance controller;

      12) consideration of reports sent by the audit committee, with subsequent monitoring of the elimination of identified violations;

      13) control over the effective compliance with bank procedures, through which bank employees confidentially report violations relating to the activities of the bank and the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on counteraction to legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, as well as abuses;

      14) formation of three lines of defense in the bank:

      the first line of defense shall be provided by the bank's structural units responsible for the timely identification and assessment of risks, communicating information about them to the second line of defense units, as well as risk management. The first line of defense shall carry out transactions within the approved levels of the bank's risk appetite and operate within the framework of accepted risk management policies;

      the second line of defense shall be provided by independent units for risk management, compliance control and other units performing control functions (including, within their competence, units performing security functions, financial control, human resources, legal risk management, and operational risk). The risk management unit(s) shall conduct a comprehensive analysis of risks in the bank's activities, generate (form) the necessary reports to the board of directors of the bank and the risk management committee, and facilitate critical assessment and identification of risks by members of the board and business units.

      The compliance control unit shall organize procedures to comply with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, legislation of foreign countries that influence the activities of the bank, as well as internal documents of the bank regulating the procedure for the bank to provide services and conduct operations in the financial market, and provide complete and reliable information to the board of directors about the presence of compliance risks;

      the third line of defense shall be provided by an independent internal audit unit responsible for assessing the quality and effectiveness of the risk management and internal control system, the first and second lines of defense;

      15) exercising control over the activities of the board of the bank (the corresponding executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, executive employees of the branch of a non-resident bank of the Republic of Kazakhstan) by:

      monitoring the implementation by the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, by the management employees of the branch of a non-resident bank of the Republic of Kazakhstan) of the strategy and policies approved by the board of directors, decisions of the general meeting of shareholders;

      approval of internal documents regulating the activities of the board of the bank (the corresponding executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, executive employees of a branch of a non-resident bank of the Republic of Kazakhstan) in accordance with the Rules;

      ensuring the implementation of the internal control system;

      holding regular meetings with members of the board of the bank (the corresponding executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, senior employees of a branch of a non-resident bank of the Republic of Kazakhstan);

      carrying out analysis and critical assessment of information provided by the board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, by senior employees of a branch of a non-resident bank of the Republic of Kazakhstan);

      establishing the necessary performance standards and remuneration system for members of the board (the corresponding executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, executive employees of a branch of a non-resident bank of the Republic of Kazakhstan), which correspond to the long-term goals defined by the bank’s strategy, and aimed at financial stability;

      16) interaction and control of the work of the head of risk management (the head of risk management of a non-resident bank of the Republic of Kazakhstan, the branch of which is open on the territory of the Republic of Kazakhstan);

      17) periodic (at least once a year) assessment of the activities of each member of the board of directors of the bank;

      18) ensuring the maintenance of records of decisions made (minutes of meetings, brief information on issues considered, recommendations, if any, as well as special opinions of members of the board of directors of the bank). Such documents and (or) materials shall be provided to the authorized body upon request in accordance with the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations;

      19) ensuring a developed information technology infrastructure to collect and analyze complete, reliable, timely information for risk management purposes. Awareness of the existence of information technology infrastructure limitations in determining risk appetite levels;

      20) deciding on issuing a loan, the amount of which exceeds 5 (five) percent of the bank’s equity capital based on an analysis and assessment of the feasibility of issuing a loan;

      21) making a decision on issuing an unsecured consumer loan, the amount of which exceeds 20,000,000 (twenty million) tenge based on an analysis and assessment of the feasibility of issuing a bank loan. This Paragraph shall not include cases of issuing an unsecured consumer loan when refinancing mortgage loans.

      Footnote. Paragraph 21 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 02.24.2021 No. 43 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).

      22. The composition of the board of directors of the bank and qualification requirements for its members shall meet the following requirements:

      1) the composition of the board of directors of the bank and its powers shall be sufficient to exercise effective control;

      2) the board of directors of the bank shall consist of executives with the necessary qualifications, impeccable business reputation and experience, all of which shall be sufficient for the general management of the bank, in accordance with the chosen business model, scale of activity, type and complexity of operations;

      3) members of the board of directors of the bank shall be focused on interaction, cooperation and critical discussion in the decision-making process;

      4) members of the board of directors of the bank shall conscientiously fulfill their duties and make decisions, minimize conflicts of interest.

      23. In order to increase efficiency and allow more detailed work in certain areas of the bank’s activities, and based on the selected business model, scale of operations, types and complexity of operations, and risk profile, the board of directors of the bank shall create special committees under the board of directors of the bank.

      Each committee shall carry out its activities within the framework of a document defining its powers, competence, as well as principles of work, the internal procedure for submitting reports to the board of directors of the bank, the tasks facing the members of the committee and restrictions on the duration of work of members of the board of directors of the bank in the committee. The board of directors of the bank shall provide for periodic rotation of members (with the exception of experts) of such committees in order to avoid concentration of powers and to promote new views.

      The committees shall keep records of decisions made (minutes of meetings, brief information on the issues discussed, recommendations, if any, as well as special opinions of committee members). The chairman of the committee under the board of directors shall be a member of the board of directors who is not a head or member of the executive body.

      24. As part of the risk management system, committees of the board of directors of the bank shall consider the following issues:

      1) strategic planning;

      2) staff and remuneration;

      3) audit;

      4) risk management;

      5) other issues stipulated by internal documents of the bank.

      The consideration of the list of issues shall be carried out by one or several committees of the board of directors of the bank, with the exception of audit issues considered by a separate committee of the board of directors.

      25. The main requirements for the composition of the audit committee:

      1) the audit committee shall include only members of the board of directors of the bank;

      2) the chairman of the audit committee shall be an independent director of the bank;

      3) the audit committee shall include at least one member of the board of directors of the bank with experience in the field of audit and (or) accounting and financial reporting and (or) risk management.

      26. The audit committee shall be responsible for:

      1) ensuring the development of an internal audit policy, code of ethics for the internal auditor, the provisions of the internal audit unit, internal audit procedures and the management information system in accordance with the requirements established by Chapter 12 of the Rules for further submission for approval by the board of directors of the bank;

      2) interaction with the external auditor on the quality of the information provided on the activities of the bank, consideration of the recommendations of external auditors, monitoring the elimination of identified comments, as well as reviewing the annual financial statements certified by the audit organization for further submission for preliminary approval by the board of directors of the bank;

      3) ensuring the development of policies (procedures) for attracting an external auditor for further submission for approval by the board of directors of the bank, including determining:

      criteria and conditions for the selection of an external auditor;

      payment systems for the audit of financial statements, as well as for the provision of advisory services to the bank on audit matters;

      4) consideration of the amount of payment for the services of an external auditor;

      5) preliminary review of the annual internal audit plan;

      6) preliminary consideration of the results of internal and external audit reports, monitoring the timely implementation by the bank's board of actions to eliminate violations, to implement the recommendations of internal and external audit, and to address discrepancies between activities and the policies of the bank, the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, and international financial reporting standards;

      7) consideration of acts of inspections of the authorized body and opinions of other experts regarding the structure and effectiveness of the overall risk management system and internal control at the bank;

      8) consideration of the results of evaluating the effectiveness of internal audit.

      27. The main requirements for the composition of the risk management committee:

      1) the chairman of the risk management committee shall be an independent director of the bank, or the chairman of the board of directors;

      2) the composition shall include at least one member of the bank committee with experience in the field of risk management or internal control.

      28. The Risk Management Committee shall be responsible for:

      1) ensuring the development of a risk appetite strategy, determining the risk profile of a bank;

      2) determination of the size of the aggregated level(s) of the bank’s risk appetite and the bank’s risk appetite levels for each significant type of risk for further submission for approval by the board of directors of the bank;

      3) ensuring the development of a document regulating the basic approaches and principles of ICAAP, taking into account the requirements established by Chapter 5 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;

      4) ensuring the development of a document regulating the basic approaches and principles of the ILAAP, taking into account the requirements established by Chapter 6 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;

      5) ensuring the development of stress testing procedures and stress testing scenarios for further submission for approval by the board of directors of the bank;

      6) ensuring the development of a bank continuity management policy, taking into account the requirements established by Chapter 7 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance by the bank with the policy specified in this subparagraph;

      7) ensuring the development of a contingency financing plan for further submission to the board of directors of the bank for approval;

      8) ensuring the development of a policy (policies) for managing the risks of information technology and information security of the bank to meet the requirements established by Chapter 8 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance by the bank with the policies (policy) specified in this subparagraph;

      9) ensuring the development of a compliance risk management policy, taking into account the requirements established by Chapter 9 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance by the bank with the policy specified in this subparagraph;

      10) ensuring the development of an internal procedure that shall determine the functioning of the management information system, which ensures that the board of directors of the bank is provided on a regular basis with complete, reliable and timely information about the level of risks taken. The procedure described in this subparagraph shall include the criteria, composition, frequency of formation and form of submission to the board of directors of the bank of management information on the level of risks taken by the bank and its subsidiaries, indicating the structural units and bank agencies responsible for the timely preparation and submission of information to the board of directors of the bank. The management reporting forms contain information taking into account the requirements established by Chapters 5, 6, 7, 8 and 9 of the Rules, as well as information:

      according to the results of stress testing and other tools for assessing and identifying the interconnectedness of bank risks among themselves;

      by assessing the impact of risks on the financial condition of the bank, including assessing changes in income and expenses of the bank, assessing the size and sufficiency of equity, identifying the main factors and causes that brought about the changes and affect key performance indicators;

      11) monitoring the observance by the bank board of risk appetite levels;

      12) the availability of internal models and information systems for risk management of the bank, as well as in order to provide complete, reliable and timely financial, regulatory and managerial information;

      13) consideration of the results of assessing the quality and effectiveness of the functioning of the risk management and internal control systems, and of corporate governance in general, aimed at ensuring the protection of the bank and its reputation, for further submission for approval by the board of directors of the bank.

      The Risk Management Committee shall regularly receive the data and reports from the risk management unit(s) and other responsible departments on the current risk level of the bank, violations of risk appetite levels and risk mitigation mechanisms.

      29. The main requirements for the composition of the committee on personnel and remuneration:

      1) the chairman of the personnel and remuneration committee shall be an independent member of the board of directors of the bank;

      2) the committee on personnel and remuneration shall include at least one member of the committee with experience in the field of personnel management.

      30. The Personnel and Remuneration Committee shall be responsible for ensuring the development of:

      1) taking into account the minimization of conflicts of interest, the draft organizational structure of the bank for further approval by the board of directors of the bank;

      2) procedures for managing conflicts of interest and mechanisms for its implementation for further approval by the relevant body of the bank;

      3) policies on remuneration, calculation of monetary rewards, as well as other types of material incentives for the bank’s executive employees for further submission for approval by the board of directors of the bank in accordance with the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated February 24, 2012 No. 74 "On establishing Requirements for internal policy on remuneration, calculation of monetary rewards, as well as other types of material incentives for executive employees of a bank, insurance (reinsurance) organization, insurance broker, the branch of a non-resident bank of the Republic of Kazakhstan, branch of a non-resident insurance (reinsurance) organization of the Republic of Kazakhstan, the branch of an insurance broker - non-resident of the Republic of Kazakhstan", registered in the Register of State Registration of Normative Legal Acts under No. 7525.

      The size of the reward shall directly depend on the risk-to-result ratio. Methods of paying remuneration against future income, the timing and probability of receipt of which are uncertain, shall be carefully weighed based on accepted qualitative and quantitative indicators. The remuneration system shall provide for the possibility of changing the amount of non-fixed remuneration taking into account all risks, including violations of risk appetite limits, internal procedures or requirements of the authorized body.

      Footnote. Paragraph 30 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 30, 2021 No. 110 (shall come into effect from January 1, 2022).

      31. The main requirements for the composition of the strategic planning committee are:

      1) the chairman of the strategic planning committee shall be an independent member of the board of directors of the bank;

      2) the composition of the strategic planning committee shall include at least one member of the committee who has experience in one of the following areas:

      development of information technology;

      development and provision of banking services;

      risk management;

      budget planning.

      32. The Strategic Planning Committee shall be responsible for the preliminary review of:

      1) the draft strategy of the bank for further submission for approval by the board of directors of the bank, as well as for monitoring the implementation of the strategy and assessing the compliance of the strategy of the bank with the current market and economic situation, risk profile and financial potential, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      2) the draft budget of the bank for the corresponding year for further submission for approval by the board of directors of the bank, as well as for exercising control over its implementation;

      3) the draft of bank profitability management policy for further submission for approval by the board of directors of the bank, as well as monitoring and controlling compliance by the bank and its employees with this policy;

      4) the documents submitted for consideration by the board of directors of the bank containing information on the implementation of the strategy, development plans, achievement of target values of the strategic key indicators of the bank.

      33. The board of the bank shall manage the current activities of the bank in accordance with the chosen business model, scale of activity, types and complexity of operations, risk profile, and internal documents approved by the board of directors of the bank. The board of the bank shall be responsible for:

      1) ensuring the execution of the bank’s strategy, and compliance with procedures, processes and policies approved by the board of directors of the bank;

      2) development of a draft bank strategy for further submission to the board of directors of the bank for approval, as well as for monitoring the implementation of the strategy and assessing the compliance of the bank’s strategy with the current market and economic situation, risk profile and financial potential, as well as the requirements of civil, tax, and banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      3) development of the bank’s draft budget for the corresponding year for further submission to the board of directors of the bank for approval;

      4) development of a draft bank profitability management policy for further submission to the board of directors of the bank for approval, as well as for monitoring compliance by the bank and its employees with this policy;

      5) development of an internal procedure that determines the communication of the strategy, policies and other internal documents of the bank within 10 (ten) working days from the date of approval and (or) amendments and additions to them to the bank employees in the areas of activity assigned to it, and for monitoring compliance by the bank and its employees with the requirements of the Rules;

      6) development of the bank’s personnel policy for further approval by the board of directors of the bank, as well as for monitoring its compliance with the strategy, organizational structure, the risk profile of the bank, achieved results and requirements of labor, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on joint-stock companies. The personnel policy shall establish standards, conditions and mechanisms to ensure the involvement of competent management personnel in banking activities and ensure:

      the presence of personnel with the necessary experience, qualifications and impeccable business reputation, capable of managing the processes and risks associated with the activities of the bank;

      maintaining sufficient resources to effectively carry out functions and responsibilities;

      minimizing conflicts of interest in the performance of their duties;

      minimizing the risk of concentration of powers on one employee;

      internal procedure for remuneration of employees, including the procedure for payment of remuneration, as well as other types of material incentives;

      assessing the performance of bank employees;

      7) development of a tariff policy for further submission to the board of directors for approval, as well as for monitoring compliance by the bank and its employees with the tariff policy;

      8) development of the bank’s credit policy for further submission to the risk management committee and approval of the board of directors of the bank;

      9) approval of the plan (plans) to ensure continuity and (or) restoration of activities;

      10) providing the board of directors of the bank with the necessary information to monitor and evaluate the quality of the work of the board in accordance with the established internal documents of the bank and the Rules, which shall include:

      achievement by the board of directors of the bank of the goals established in the bank's strategy, indicating, if any, the reasons preventing their achievement;

      compliance of the bank's activities with the strategy and policies approved by the board of directors of the bank;

      the results of the activities of the bank and its financial position, including information on the stability (volatility) of the bank’s profitability;

      inconsistency of the bank’s decisions with procedures, processes and policies approved by the board of directors of the bank;

      exceeding the approved levels of risk appetite and the reasons for their violation;

      information on the timeliness, completeness and quality of elimination by the board of the bank of violations and shortcomings identified by the departments of compliance control, risk management, internal control, internal audit, and external audit and the authorized body, as well as the implementation of their recommendations;

      information on the state of internal control, in terms of timely identification of incorrect, incomplete or unauthorized transactions, shortcomings in activities to ensure the safety of assets, errors in the formation of financial and regulatory reporting, violations of internal documents of the bank, requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and formation of credit histories, collection activities, mandatory guarantee of deposits, combating legalization (laundering) of proceeds from crime and the financing of terrorism, joint stock companies, as well as the exclusion of conflicts of interest and internal abuses and fraud, including in relation to individuals connected with the bank by special relations;

      11) development of an internal procedure for considering customer requests arising in the process of providing banking services, as well as for monitoring the bank’s compliance with the requirements specified in this subparagraph. The internal procedure for considering customer requests shall take into account the requirements of the banking legislation of the Republic of Kazakhstan and determine:

      procedures for handling customer complaints (applications), including reception, initial processing, registration of requests received by the bank, and responses to customer requests;

      a structural unit of the bank responsible for maintaining records of customer requests;

      procedures for communicating (transferring) received requests to the responsible structural units or employees who will be tasked with processing and preparing a response to the client’s request;

      deadlines for timely processing of customer requests and preparation of responses to customer requests;

      internal procedure for interaction between the bank’s structural units when considering customer requests and preparing responses to customer requests;

      internal order and procedures for maintaining a classifier of received requests from bank clients;

      12) development of a procedure and (or) internal procedure for refusing to carry out transactions with a high risk of ML/TF, as well as terminating business relations with a client, taking into account the inherent risk factors.

      The relevant executive body of a non-resident bank of the Republic of Kazakhstan shall be responsible for:

      1) development of a draft strategy for a branch of a non-resident bank of the Republic of Kazakhstan for further submission for approval by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      2) development of a draft budget for a branch of a non-resident bank of the Republic of Kazakhstan for the corresponding year for further submission for approval by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      3) development of a draft policy for managing the profitability of a branch of a non-resident bank of the Republic of Kazakhstan for further submission for approval by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      4) development of an internal procedure that determines the communication of the strategy, policies and other internal documents of a non-resident bank of the Republic of Kazakhstan within 10 (ten) working days from the date of approval and (or) introduction of changes and additions to them to employees of a branch of a non-resident bank of the Republic of Kazakhstan on areas of activity assigned to it;

      5) development of personnel policy for a branch of a non-resident bank of the Republic of Kazakhstan for further approval by the relevant management body of a non-resident bank of the Republic of Kazakhstan. The personnel policy shall establish standards, conditions and mechanisms to ensure the involvement of competent management personnel in banking activities and ensure:

      the presence of personnel with the necessary experience, qualifications and impeccable business reputation, capable of managing the processes and risks associated with the activities of a branch of a non-resident bank of the Republic of Kazakhstan;

      maintaining sufficient resources to effectively carry out functions and responsibilities;

      minimizing conflicts of interest in the performance of their duties;

      minimizing the risk of concentration of powers on one employee;

      internal procedure for remuneration of employees of a branch of a non-resident bank of the Republic of Kazakhstan, including the procedure for payment of remuneration, as well as other types of material incentives;

      conducting an assessment of the performance of employees of a branch of a non-resident bank of the Republic of Kazakhstan;

      6) development of a tariff policy for further submission to the relevant management body of a non-resident bank of the Republic of Kazakhstan for approval;

      7) development of a credit policy for a branch of a non-resident bank of the Republic of Kazakhstan for further submission to the risk management committee and approval by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      8) approval of the plan (plans) to ensure continuity and (or) restoration of the activities of a branch of a non-resident bank of the Republic of Kazakhstan;

      9) development of an internal procedure for considering customer requests arising in the process of providing banking services by a branch of a non-resident bank of the Republic of Kazakhstan. The internal procedure for considering customer requests shall take into account the requirements of the banking legislation of the Republic of Kazakhstan and determine:

      procedures for maintaining records of customer complaints (applications), including reception, initial processing, registration of requests received by a branch of a non-resident bank of the Republic of Kazakhstan, and responses to customer requests;

      a structural subunit of a branch of a non-resident bank of the Republic of Kazakhstan responsible for record-keeping on customer requests;

      procedures for communicating (transferring) received requests to the responsible structural units or employees who will be tasked with processing and preparing a response to the client’s request;

      deadlines for timely processing of customer requests and preparation of responses to customer requests;

      internal procedure for interaction between structural units of a branch of a non-resident bank of the Republic of Kazakhstan when considering customer requests and preparing responses to customer requests;

      internal order and procedures for maintaining a classifier of received requests from clients of a branch of a non-resident bank of the Republic of Kazakhstan;

      10) development of a procedure and (or) internal procedure for refusing to carry out transactions with a high risk of ML/TF, as well as terminating business relations with a client, taking into account the inherent risk factors.

      Managers of a branch of a non-resident bank of the Republic of Kazakhstan shall manage the current activities of a branch of a non-resident bank of the Republic of Kazakhstan in accordance with the chosen business model, scale of activity, types and complexity of operations, risk profile and internal documents approved by the relevant management body of the non-resident bank of the Republic of Kazakhstan, and shall be responsible for:

      1) ensuring the execution of the strategy of a branch of a non-resident bank of the Republic of Kazakhstan, compliance with the procedures, processes and policies approved by the non-resident bank of the Republic of Kazakhstan;

      2) monitoring the implementation of the strategy and assessing the compliance of the strategy of a branch of a non-resident bank of the Republic of Kazakhstan with the current market and economic situation, risk profile and financial potential, as well as the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;

      3) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan and its employees with the profitability management policy of a branch of a non-resident bank of the Republic of Kazakhstan;

      4) monitoring the compliance of the personnel policy of a branch of a non-resident bank of the Republic of Kazakhstan with the strategy, organizational structure, and risk profile of a branch of a non-resident bank of the Republic of Kazakhstan, achieved results and the requirements of labor and banking legislation of the Republic of Kazakhstan;

      5) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan and its employees with tariff policy;

      6) providing the relevant management body of a non-resident bank of the Republic of Kazakhstan with the necessary information for monitoring and assessing the quality of work of management employees of a branch of a non-resident bank of the Republic of Kazakhstan in accordance with the established internal documents of a non-resident bank of the Republic of Kazakhstan and the Rules, which shall include:

      achievement by management employees of a branch of a non-resident bank of the Republic of Kazakhstan of the goals established in the strategy of a branch of a non-resident bank of the Republic of Kazakhstan, indicating, if any, the reasons preventing their achievement;

      compliance of the activities of a branch of a non-resident bank of the Republic of Kazakhstan with the strategy and policies approved by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      the results of the activities of a branch of a non-resident bank of the Republic of Kazakhstan and its financial position, including information on the stability (volatility) of profitability of a branch of a non-resident bank of the Republic of Kazakhstan;

      inconsistency of decisions taken by a branch of a non-resident bank of the Republic of Kazakhstan with procedures, processes and policies approved by the relevant management body of a non-resident bank of the Republic of Kazakhstan;

      exceeding the approved levels of risk appetite and the reasons for their violation;

      information on the timeliness, completeness and quality of elimination by management employees of a branch of a non-resident bank of the Republic of Kazakhstan of violations and shortcomings identified by the departments of compliance control, risk management, internal control, internal audit, external audit and the authorized body, as well as the implementation of their recommendations;

      information on the state of internal control in terms of timely identification of incorrect, incomplete or unauthorized transactions, shortcomings in activities to ensure the safety of assets, errors in the generation of reporting according to the accounting data of a branch of a non-resident bank of the Republic of Kazakhstan and regulatory reporting, violations of internal documents of a branch of a non-resident bank of the Republic of Kazakhstan, requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, as well as the exclusion of conflicts of interest and internal abuse and fraud, including in relation to persons associated with a branch of a non-resident bank of the Republic of Kazakhstan by special relations;

      7) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan with the requirements of the internal procedure for considering customer requests arising in the process of providing banking services.

      The relevant executive body of a non-resident bank of the Republic of Kazakhstan shall be responsible for the proper performance of duties delegated to collegial bodies or employees of a non-resident bank of the Republic of Kazakhstan, including employees of a branch of a non-resident bank of the Republic of Kazakhstan within the approved organizational structure of a non-resident bank of the Republic of Kazakhstan and a branch of a non-resident bank of the Republic of Kazakhstan.

      The board of the bank shall be responsible for the proper performance of duties delegated to collegial bodies or bank employees within the framework of the approved organizational structure of the bank.

      Footnote. Paragraph 33 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market No. 21 dated March 14, 2022 (shall come into effect ten calendar days after the day of its first official publication).

      34. The board of directors of the bank shall ensure the presence of a risk management unit (units), supervised and (or) headed by the head of risk management, who has sufficient authority, independence and resources, interacting with the board of directors. The risk management unit(s) shall perform functions including, but not limited to, the following:

      1) development of a risk management system, including risk management policies and procedures, risk appetite strategy and determination of risk appetite levels;

      2) identification of significant current and potential risks inherent in the activities of the bank, including through supervisory stress testing for banks included in the perimeter of supervisory stress testing, and internal stress testing;

      3) risk assessment and determination of the aggregated level(s) of risk appetite;

      4) development of risk appetite levels for subsequent submission to the risk management committee and approval by the board of directors of the bank, monitoring compliance with risk appetite levels;

      5) development of early warning systems and triggers aimed at identifying violations of risk appetite levels;

      6) provision of management reporting to the board, risk management committee and board of directors of the bank.

      The provisions of subparagraph 1), subparagraph 4) of this paragraph regarding the development and subsequent submission for consideration of the risk management committee, approval by the board of directors of the bank of risk appetite levels, as well as subparagraph 5) of this paragraph shall not apply to a branch of a non-resident bank of the Republic of Kazakhstan.

      Footnote. Paragraph 34 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).

      35. The qualifications and professional experience of the head of risk management shall correspond to the chosen business model, the scale of activity, types and complexity of operations, and risk profile. The independence of the head of risk management shall be determined by:

      1) regardless of submission, the head of risk management shall be appointed and released from the post by the board of directors of the bank;

      2) shall have unhindered access to the board of directors of the bank, without the participation of the board;

      3) shall have access to any information necessary to fulfill his duties;

      4) shall not combine the position of the chief operating director, financial director, other similar functions of the bank’s operational activities (except for underwriting, collateral service), the head of the internal audit unit.

      The interaction between the head of risk management and the board of directors and (or) the risk management committee shall be carried out on a regular basis. Information on the decision to release the head of risk management from the post shall be passed to the authorized body. At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for this decision.

      36. Identification, measurement, monitoring and control of risks shall be carried out on an ongoing basis at all levels of the bank's management. Improvement of the risk management and internal control system shall be carried out in accordance with the change in the risk profile of the bank, as well as taking into account changes in the external environment.

      The bank shall identify all significant risks inherent in the bank's activities (including risks on balance sheet and off-balance sheet transactions, by groups, portfolios and certain types of activities of business units). In order to effectively manage significant risks, the board of directors of the bank, the risk management committee and the head of risk management shall regularly assess the risks inherent in the bank’s activities and maintain the relevance of the bank’s risk profile. The risk assessment procedure includes a continuous analysis of current risks, as well as identification of new and potential risks. When assessing risks, the bank shall take into account the degree of concentration of significant risks.

      When identifying and measuring risks, both quantitative and qualitative parameters shall be taken into account. The bank shall also consider risks that are difficult to assess, for example, reputational, legal risks.

      In addition to identifying and measuring risk exposure, the risk management unit shall evaluate possible ways to reduce risks and point out the need to reduce the level of risk. In cases where a decision is made to take a risk that exceeds the established risk appetite levels, the head of risk management shall submit a report on such an exception to the board of directors with a proper analysis of the reasons for the excess and subsequently monitor the reduction of the level of accepted risk within the risk management system and level established by it.

      The head of risk management shall inform the board of directors of the bank of the existence of significant discrepancies between the opinion of the risk management unit and the decision of the board of the bank regarding the level of risks taken by the bank.

      Regular reporting on risk issues, including risk management policies and procedures, within the bank shall be a key factor in a high risk management culture. The risk management culture shall facilitate the full exchange of risk information and call for an open discussion and critical assessment of issues related to risk taking by employees, the board and the board of directors of the bank.

      Significant information on issues related to risks requiring immediate decision-making or urgent measures shall be urgently passed to the board of directors of the bank, the risk management committee and, if necessary, the board of the bank, responsible officials and heads of control units for preventive measures.

      The bank shall exclude the creation of closed groups within separate units that impede the effective exchange of information on risks and lead to decision making by authorized bodies of the bank without taking into account the opinion (expertise) of the bank's units involved. In order to overcome the problems associated with the exchange of information, the board of directors, the management board and units of the bank that exercise control shall ensure the effectiveness of the internal communications system and, if necessary, make appropriate changes.

      37. The Bank shall ensure the existence of an internal control system that is consistent with the current market situation, strategy, volume of assets, and level of complexity of the bank's operations. The internal control system shall be aimed at achieving the following goals:

      1) ensuring the effectiveness of the bank, including the effectiveness of managing risks, assets and liabilities, ensuring the safety of assets;

      2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users;

      3) ensuring information security;

      4) ensuring that the bank complies with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies, on internal documents of the bank.

      Within the framework of internal control, the examination shall be carried out of the bank's processes for carrying out activities for compliance with internal policies and procedures, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies. The bank shall have reliable internal and external information in order to manage risks, make strategic business decisions and determine the adequacy of equity and liquidity. The board of directors of the bank and the relevant committees of the board of directors of the bank shall make decisions related to the adoption of risks based on high-quality, relevant and reliable data.

      Risk measurement and modeling methods shall be used in addition to qualitative risk analysis and monitoring. The head of risk management shall inform the board of directors of the bank and the risk management committee about the methods used and potential shortcomings of risk management models and analytical approaches in the bank.

Chapter 5. Internal Capital Adequacy Assessment Process

      38. The board of directors of the bank shall approve an internal document of the bank that regulates the main approaches and principles of the ICAAP and contains the following sections:

      1) description of the organizational structure of ICAAP;

      2) description of the risk appetite strategy;

      3) organization of credit, market, operational risk management within the framework of ICAAP;

      4) organization of stress testing procedures;

      5) organization of risk management procedures in the framework of new products and activities;

      6) organization of self-assessment procedures for the internal capital adequacy assessment process.

      39. ICAAP shall be an integral part of the management of the bank and shall be created for:

      1) the identification, assessment, aggregation and control of significant types of risk inherent in the activities of the bank, in order to determine the necessary level of capital sufficient to cover them, including:

      credit risk;

      market risk;

      operational risk;

      as well as other risks to which the bank is exposed;

      2) capital planning, based on the strategy of the bank, the results of a comprehensive assessment of significant risks, stress testing of the bank’s financial stability in relation to internal and external risk factors, as well as requirements for the bank’s own capital adequacy established by Article 42 of the Law on Banking Activities.

      40. The description of the organizational structure of the ICAAP shall contain a list of ICAAP participants indicating the responsibilities of the collegial bodies and units of the bank involved in the implementation of capital adequacy management processes, including:

      1) the board of directors of the bank shall be responsible for managing capital adequacy for risk management purposes and determining the level(s) of risk appetite. The board of directors of the bank shall approve a report on compliance with ICAAP and ILAAP, including information on maintaining the required level of capital adequacy, no later than April 30 of the year following the reporting year;

      2) the risk management committee shall be responsible for developing risk management policies and procedures in the field of capital management within the framework of the risk appetite level established by the board of directors of the bank. The risk management committee shall periodically notify the board of directors of the bank of significant changes in capital levels;

      3) the unit (units) of the person entrusted with the functions of internal control shall check compliance with ICAAP procedures and bring the results to the attention of the board of directors of the bank;

      4) unit (units) participating in the risk management process:

      shall be responsible for the implementation of the capital adequacy management process;

      shall be responsible for preparing a report on compliance with the ICAAP and ILAAP in accordance with the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules. The bank shall ensure the availability of supporting documents for the report on compliance with ICAAP and ILAAP, which shall include, but not be limited to, calculations, models used, explanatory notes, analytical reports, self-assessment results, assessment of the effectiveness of ICAAP and results of verification of compliance with ICAAP procedures;

      shall be responsible for preparing the stress testing;

      5) the unit responsible for budget development and planning shall carry out investment planning and budget development for all areas of the activities of the bank;

      6) the capital management unit (units) shall develop and implement measures to increase the level of capitalization and develop, together with interested units, a capital financing plan;

      7) the internal audit unit shall evaluate the effectiveness of the ICAAP.

      As part of the ICAAP, the board of directors of the bank shall be responsible for compliance with the approved risk appetite strategy developed in accordance with Chapter 3 of the Rules.

      Footnote. Paragraph 40 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall come into effect ten calendar days after the day of its first official publication).

      41. The bank shall ensure the existence of an effective credit risk management system that meets the current market situation, strategy, volume of assets, the level of complexity of the bank’s operations and ensures the effective identification, measurement, monitoring and control of the bank’s credit risk in order to ensure that its own capital is sufficient to cover it, and including, but not limited to, the following components:

      1) the internal procedure for transactions in which credit risk is inherent and the adoption of relevant decisions;

      2) credit administration procedures;

      3) credit risk assessment procedures;

      4) credit monitoring;

      5) collateral management;

      6) troubled loan management;

      7) assessment of the effectiveness of the credit risk management system.

      42. As part of the credit risk management system, the bank shall be guided by the following principles and requirements:

      1) the board of directors and the risk management committee of the bank shall ensure:

      maintaining a sufficient level of provisions;

      exercising control over the credit risk assessment process, which shall be ensured by the following:

      taking the necessary measures to ensure the completeness and reliability of information for decision-making purposes;

      compliance with the requirements of the Civil Code of the Republic of Kazakhstan, the Code of the Republic of Kazakhstan "On taxes and other obligatory payments to the budget (Tax Code)" (hereinafter referred to as the Tax Code), the Law on Banks, the Law of the Republic of Kazakhstan "On Accounting and Financial Reporting" (hereinafter referred to as the Law on accounting and financial reporting), the Law of the Republic of Kazakhstan "On credit bureaus and the formation of credit histories in the Republic of Kazakhstan", internal policies and procedures for credit risk management;

      taking measures to ensure complete and reliable management, regulatory and financial reporting;

      the presence of a loan assessment procedure independent of business units;

      approval of an adequate system for classifying assets by credit risk level, based on the use of all available information in the loan assessment process;

      the presence of detailed and fully regulated procedures for interaction between participants in the credit risk management process;

      building an effective internal control system, including assessing the compliance of the level of provisions with expected losses within the framework of the approved methodology for forming provisions and the internal process for assessing capital adequacy;

      2) the bank shall carry out lending activities and manage credit risk within the framework of the approved credit policy, which shall include, but not be limited to, the following:

      main directions of the lending activities of the bank;

      participants in the credit process and their areas of responsibility;

      internal procedure for making credit decisions, including the procedure for reviewing and approving loans, including concerning lending to persons associated with the bank by special relations, lending limits to limit the concentration of credit risk;

      procedure for analyzing the borrower's creditworthiness.

      If the total amount of loans provided and assumed contingent liabilities to an individual exceeds 0.01 (zero point one) percent of the bank’s equity capital, the size of which is higher than 100 (one hundred) billion tenge, or exceeds 0.02 (zero point two) percent of the bank’s equity capital, the size of which is up to 100 (one hundred) billion tenge, the bank shall carry out a creditworthiness analysis based on the following information and taking into account the following factors (but not limited to):

      the presence of a constant and sufficient income of the borrower;

      availability of real estate and other property;

      the presence of loan debt, including to other creditors;

      debt load;

      payment discipline (credit history) on loans;

      borrower rating in the bank's scoring systems (if any);

      presence of other debts;

      availability of other sources of repayment of debt to the bank;

      balances and transactions on bank accounts;

      information about education and employment (field of activity);

      socio-demographic characteristics;

      information about the intended use of money;

      additional information about the borrower's income.

      If the total amount of loans provided and assumed contingent liabilities to an individual does not exceed 0.01 (zero point one) percent of the bank’s equity capital, the size of which is higher than 100 (one hundred) billion tenge, or does not exceed 0.02 (zero point two hundredths) percent of the bank’s equity capital, the size of which is up to 100 (one hundred) billion tenge, the bank shall carry out a creditworthiness analysis based on the following information and taking into account the following factors (but not limited to):

      the presence of a constant and sufficient income of the borrower;

      the presence of loan debt, including to other creditors;

      debt load;

      payment discipline (credit history) on loans;

      borrower rating in the bank's scoring systems (if any);

      availability of other sources of repayment of debt to the bank;

      balances and transactions on bank accounts;

      education and employment information;

      socio-demographic characteristics;

      information about the intended use of money (if any).

      If the total amount of loans provided and contingent liabilities to a legal entity exceeds 0.1 (zero point one) percent of the bank’s equity capital, the size of which is higher than 100 (one hundred) billion tenge, or exceeds 0.2 (zero point two tenths) percent of the bank’s equity capital, the size of which is up to 100 (one hundred) billion tenge, the bank shall carry out a creditworthiness analysis based on the following information and taking into account the following factors (but not limited to):

      analysis of financial statements and basic financial ratios of legal entity borrowers (profitability, ratio of own and borrowed funds, cash flow plan (except for cases of issuing loans to financial organizations, placing deposits in financial organizations, opening a credit line for a period of less than 6 (six) months), income level).

      The financial statements of the borrower accepted for analysis (except for cases of financing in the form of overdrafts, credit cards, or credit lines for a period of less than 6 (six) months) whose book value of assets exceeds 0.2 (zero point two) percent of the bank’s equity capital shall correspond to the following requirements:

      the presence of three main reporting forms with breakdowns of accounts for the material (significant) components of the balance sheet (more than 5 (five) percent of the balance sheet currency) and (or) the profit and loss statement (more than 5 (five) percent of revenue). This requirement shall not apply to the joint stock company National Wealth Fund Samruk-Kazyna, the joint stock company National Management Holding Baiterek, public companies that have a long-term credit rating on the international scale of Standard & Poor's, Moody's Investors Service or Fitch Ratings Inc. (Fitch Ratings), legal entities that are included in the consolidated financial statements of private international corporations (the shares or interests of which are not listed on a stock exchange or international stock exchanges) or public international corporations, as well as in cases where there are audited financial statements certified by companies corresponding to the listed stock exchange requirements;

      consistency between all forms of financial reporting;

      presence of signatures of responsible (authorized) persons of the borrower under the provided financial statements.

      If there are audited financial statements that comply with the listing requirements of the stock exchange, the audited financial statements are used as a priority for all purposes, and reconciliation with the tax return is not required. A tax return reconciliation of the financial statements shall not be required for entities that are included in the consolidated financial statements of private international corporations (shares or interests that are not listed on a stock exchange or international securities exchanges) or public international corporations.

      From 1 January 2024, a tax return shall be required (where a tax return is required by the Tax Code) and there shall be no conflict between the tax return and the financial statements used to assess indicators of impairment and calculate cash flows for provisioning purposes for the same period. Discrepancies between financial and tax reporting indicators shall be allowed due to differences in accounting and tax accounting. In other cases, the reasons for significant discrepancies in data between reporting forms shall be described in the conclusion of the responsible unit of the bank for the borrower and considered by the authorized collegial body of the bank.

      The bank shall determine the materiality of discrepancies in internal documents. In the absence of established thresholds, significant discrepancies shall be (but not limited to) discrepancies of more than 30 (thirty) percent in terms of revenue, final financial result, and return on assets.

      If the financial statements are objective, the bank shall use the financial statements to assess indicators of impairment and calculate cash flows to calculate provisions.

      In the absence of financial statements and (or) tax returns (if their submission is not required in accordance with the Tax Code and the Law on Accounting and Financial Reporting), information about the borrower’s assets and other sources of income shall be requested (bank statements, confirmation of the availability of relevant assets).

      As part of the assessment of signs of impairment and categories of impairment, it shall be permitted to use the financial statements of borrowers, co-borrowers, guarantors and guarantors in consolidated form.

      To calculate the expected cash flows for a loan, it shall be allowed to consolidate the financial statements of the borrower (including from the bank) with the statements of persons (including those associated with the borrower) who have contractual obligations with the borrower to repay his debt in the event of his insolvency, as well as with the reporting of persons who do not have such contractual obligations with the borrower if the assets of this person act as collateral for the borrower’s obligations.

      If a bank issues a loan without complying with the requirements established in paragraphs thirty-three, thirty-four, thirty-five, thirty-six, thirty-eight, thirty-nine, forty-one, forty-two and forty-three of this subparagraph, all the borrower’s obligations shall be classified as impaired assets according to International Financial Reporting Standards (hereinafter referred to as IFRS);

      the presence of loan debt, including to other creditors;

      payment discipline (credit history) on loans;

      level of liquid assets;

      debt load;

      availability of other sources of repayment of debt to the bank;

      projected free cash flows;

      assessment of the borrower’s external environment (state of the economy, industry, development prospects, diversification of production and sales markets, and characteristics of the borrower’s operating activities, such as the borrower’s market share in the relevant market, positioning of the borrower’s product, geography of operations, business cyclicality, changes in consumer preferences, changes in technology, barriers to entry into the economic sector and other factors affecting the company’s ability to generate income and maintain prices);

      assessment of management quality (experience, competence, business reputation);

      assessment of the borrower's owners;

      presence of facts of involvement in legal proceedings;

      inclusion in the list of unreliable taxpayers.

      If the total amount of loans provided and contingent liabilities to a legal entity does not exceed 0.1 (zero point one) percent of the bank’s equity capital, the size of which is higher than 100 (one hundred) billion tenge, or does not exceed 0.2 (zero point two tenths) of a percent of the bank’s equity capital, the size of which is up to 100 (one hundred) billion tenge, the bank shall carry out a creditworthiness analysis based on the following information and taking into account the following factors (but not limited to):

      the presence of a constant and sufficient income of the borrower;

      the presence of loan debt, including to other creditors;

      payment discipline (credit history) on loans;

      debt load;

      availability of other sources of repayment of debt to the bank;

      prospects for the development of the relevant industry.

      Depending on the lending industry and the type of borrower, the set of quantitative and qualitative indicators changes.

      For individuals and legal entities, the credit policy defines cases (issuance of bank guarantees, letters of credit, bank guarantees issued against a bank counter-guarantee, as well as loans secured by highly liquid assets) in which an analysis of the borrower’s creditworthiness is not applied. For banks that are subsidiaries of non-resident banks of the Republic of Kazakhstan that have a long-term credit rating in foreign currency not lower than "A-" on the international scale of Standard & Poor's or a rating of a similar level from one of the other rating agencies, the use of a creditworthiness analysis shall be allowed at the level of the parent organization of the borrower or an organization that includes the borrower in the consolidated financial statements, carried out by the parent bank or an entity affiliated with the bank, provided that the analysis was carried out no later than 12 (twelve) months from the date of the borrower’s application;

      internal procedure for making credit decisions regarding loan restructuring, which is based on the principles of validity, expediency and independence, and includes a description of cases and conditions for loan restructuring. The bank shall determine cases and types of restructuring in accordance with the requirements of the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated December 22, 2017 No. 269 "On approval of the Rules for the creation of provisions (reserves) in accordance with international financial reporting standards and the requirements of the legislation of the Republic of Kazakhstan on accounting and financial reporting", registered in the State Register of Normative Legal Acts under No. 16502 (hereinafter referred to as Resolution No. 269).

      The bank shall decide on restructuring loans for borrowers, taking into account the availability of prospects for repaying the loan after restructuring.

      The decision to carry out a forced restructuring of loans, determined in accordance with the requirements of Resolution No. 269, (for borrowers and (or) a group of related borrowers, total debt, including contingent liabilities, which exceeds 1 (one) percent of the bank’s equity capital, the amount of which exceeds 100 (one hundred) billion tenge, or 2 (two) percent of the bank’s equity capital, the amount of which is up to 100 (one hundred) billion tenge) shall be adopted by the board of the bank or the authorized collegial body of the bank, which includes the chairman of the board of the bank. Information about decisions made shall be sent to members of the board of directors of the bank every quarter;

      acceptable methods of credit risk management, taking into account (but not limited to) the following factors:

      own knowledge and experience in using the method;

      economic efficiency;

      type of borrower and (or) counterparties, their financial condition;

      3) the bank shall carry out lending activities in accordance with internal documents regulating the performance of transactions that involve credit risk, which shall include, but not be limited to, the following:

      conditions for providing loans to individuals and legal entities (including persons associated with the bank by special relations and bank employees) for each type of lending, including requirements for potential borrowers and (or) counterparties;

      requirements for information of the borrower and (or) counterparty, including financial and other information necessary to decide on issuing a loan;

      internal procedure for corporate lending, which provides for analysis of the lending sector, and the borrower’s credit history, as well as a rating system based on quantitative and qualitative factors, allowing for a detailed assessment of loan quality;

      scoring methodology or analysis of the borrower's solvency and creditworthiness, based on quantitative and qualitative characteristics, and the internal procedure for its use;

      establishing a minimum acceptable rating level (if any) at which a loan is issued;

      internal order and procedures for approval, adoption, analysis and monitoring of deviations from credit policies, standards, procedures, and limits;

      establishing lending limits and (or) interest rates on loans taking into account the analysis of borrowers, including taking into account, if any, ratings and (or) scoring of borrowers. Lending limits, including for unsecured loans, shall be established by currencies, industries, categories of borrowers (counterparties) (financial organizations, corporate, retail lending), products, groups of related parties and per borrower;

      internal procedure for considering and approving applications for loans, making decisions on issuance (refusal to issue), including concerning lending to persons associated with the bank by special relations;

      internal procedure concerning collateral, defining:

      types of collateral and their eligibility criteria for individual bank products, including for deciding on the possibility of lending to the borrower;

      requirements for the collateral structure depending on the type of collateral and the type of banking product;

      limits on types of collateral depending on the type of product and structure of the bank’s loan portfolio;

      determination of liquid and highly liquid collateral;

      the share of liquid collateral in the overall collateral structure, a coefficient characterizing the ratio of the loan amount to the value of the collateral (the lowest value from the assessment of the collateral by the appraiser and employees of the collateral service department (if both are available) or the available assessment);

      the share of highly liquid collateral in the overall collateral structure, a coefficient characterizing the ratio of the loan amount to the value of the collateral (the lowest value from the assessment of the collateral by the appraiser and employees of the collateral service department (if both are available) or the available assessment);

      requirements for inspecting collateral as part of accepting collateral and issuing a loan, including defining requirements for the use of special technical means (a selective approach to inspecting part of mortgage lending is allowed, ensuring an independent sample of at least 20 (twenty) percent of all collateral);

      the procedure for monitoring and working with collateral, establishing requirements depending on the type of collateral;

      requirements for revaluation of collateral;

      procedures to ensure the legal validity of pledges, including requirements for registration of pledges depending on the type of pledge and the type of bank product;

      prompt assessment of the sufficiency of collateral, taking into account changes in the borrower’s production performance, the cost and safety of the collateral, including its exposure to other circumstances that significantly affect its assessment;

      procedures for the sale of collateral depending on the collateral and the type of bank product, including deadlines for sale and collection;

      objectivity (adequacy) of assessing the value of collateral by appraisers, except for the case when the total amount of loans provided and contingent liabilities to the borrower does not exceed 0.1 (zero point one) percent of the bank’s equity capital and the object of assessment is real estate in cities of republican significance and in cities that are regional centers;

      requirements for establishing discounts concerning the value of the collateral determined by the appraiser depending on various parameters (incorrect approach to valuation, the presence of affiliation of the appraiser and the borrower, the presence of affiliation of the appraiser and the bank, including employees of the collateral service) and the liquidity of the collateral.

      When deciding to issue a loan, the collateral for which is real estate and intangible assets (subsoil use rights), the bank considers the results of the assessment. If the market value determined as of the date of the last assessment by the appraiser is more than 100,000 (one hundred thousand) monthly calculation indices, for subsoil use rights more than 500,000 (five hundred thousand) monthly calculation indices, the bank shall provide (at least 1 (one) time a year) an assessment of the collateral by an appraiser.

      The bank shall ensure registration of the collateral, regardless of its type, with the authorized registration body if there are signs of a significant increase in credit risk in accordance with IFRS, as well as the requirements of Resolution No. 269 for collateral, the market value of which as of the date of the last assessment by the appraiser is more than 100,000 (one hundred thousand) monthly calculation indices, for subsoil use rights - more than 500,000 (five hundred thousand) monthly calculation indices.

      The internal procedure for assessing the objectivity (adequacy) of assessing the value of collateral on the part of bank employees shall ensure, but not be limited to, the use of correct approaches to assessment, including a clear formalization of the requirements for acceptable approaches to assessment when forming an internal assessment of the bank, namely:

      within the framework of this approach, the procedure for applying various valuation approaches depending on the type of collateral shall be established;

      in the case of using expert assessments when assessing the value of collateral, a regulated process is provided, indicating the limits for the use of such assessments;

      within the framework of the income approach, if there are negative operating cash flows or a negative EBITDA value (earnings before interest, taxes, depreciation and amortization) for the object for the last 4 (four) quarters or the completed calendar year, the discounted cash flow approach shall not be allowed. This requirement shall not apply to the following cases:

      assessment of a company at the investment stage, as well as if the balance sheet of the company being assessed has assets, including contracts, capable of generating cash flow;

      assessment of objects capable of generating cash flow in the presence of supporting information or market data.

      Within the framework of the income approach, when calculating the value of an object, a discount rate is used that corresponds to the level of risk of the object being assessed, the calculation of which is established in the internal documents of the bank.

      As part of the comparative approach, when calculating the value of an object, information on the most current transactions available on the market and (or) offers for the sale of objects comparable to the object being assessed shall be used, and in the event of their absence, appropriate adjustments shall be applied.

      The internal procedure for assessing the objectivity (adequacy) of the assessment of the value of collateral, including that determined by the appraiser, on the part of the bank's collateral service unit, shall ensure, but not be limited to, a clear formalization of the requirements for the list of analogues and the criteria for recognizing them as comparable in the context of:

      type and (or) subtype of the object;

      object location;

      the total area of the facility;

      condition of the premises, external condition of the object being assessed;

      purpose of the object;

      other technical characteristics of the object.

      The collateral service unit, for each appraiser’s report, prepares a conclusion based on the results of an analysis of the objectivity (adequacy) of assessing the value of collateral based on internal procedures.

      The bank shall develop an internal procedure for analyzing the objectivity (adequacy) of the assessment of the value of collateral determined by the appraiser, which shall provide for, but not be limited to:

      the procedure for applying valuation approaches depending on the type of collateral;

      criteria and requirements for the correctness of assessment calculations;

      requirements and restrictions regarding the use of assumptions, adjustments and expert judgments;

      availability of detailed and reasonable calculations;

      availability of complete information allowing identification of the object of collateral;

      mandatory inspection and video and photographic recording of the pledged item;

      availability of a complete package of title documents;

      identification in assessment reports of the reasons and criteria that led to a significant (more than 10 (ten) percent) difference in the values of collateral in accordance with the requirements of the internal documents of the bank.

      If a significant (more than 10 (ten) percent) difference in the value of the collateral is identified in the assessment reports, the bank shall enter information on the circumstances that led to the difference into the statistical journal of the value of the collateral.

      The bank shall analyze valuation reports, information on which is included in the statistical journal of the value of collateral, to eliminate the possibility of incorrect valuation of collateral.

      When deciding on issuing a loan, the bank shall use the value of the collateral determined based on the results of an assessment of the objectivity (adequacy) of the value of the collateral determined by the appraiser, taking into account all parameters.

      The assessment of decisions made for compliance with the established internal procedure shall be carried out in accordance with the requirements of Chapter 11 of the Rules. If deviations from the established internal procedure are detected, interested departments shall report information about the identified deviations to the authorized collegial body of the bank. To eliminate significant deviations in the activities of the bank, the authorized collegial body of the bank shall set restrictions on the volume (loan amount) and (or) on the number of deviations and exercise control over compliance with the established restrictions.

      The bank shall provide:

      storage in the bank’s internal systems, for at least 5 (five) years after repayment of the loan and (or) off-balance sheet liability and (or) after the borrower ceases to be a client of the bank, of data on collateral on the bank’s balance sheet, including the assessment of its value;

      timely updating of data on collateral in accordance with the internal documents of the bank and automatic transfer of data to modules responsible for calculating risk metrics (PD, LGD, EAD), provisions and capital, as well as to modules responsible for automatic formation of managerial, financial and regulatory reporting;

      automatic recording and storage of data on any manual adjustments to collateral data, including primary data before applying manual adjustments, data on persons responsible for applying manual adjustments.

      Collateral data to be stored shall include (but not be limited to):

      linking to the internal unique identifier of the valuation object, business identification number (hereinafter referred to as BIN) or individual identification number (hereinafter referred to as IIN) and internal unique identifiers (if they differ from BIN or IIN) of the mortgagor, borrower, co-borrowers and guarantors and clear display of the identifier groups of related borrowers and all BINs or IINs of related borrowers;

      type and subtype of collateral;

      cadastral number of the property being assessed (if applicable);

      location of the assessment object (country, region, address);

      date of termination of the pledge agreement in the bank system;

      market value before applying discounts to collateral;

      date of assessment (revaluation) of collateral;

      applied discounts for a period of at least 5 (five) years for each valuation object, including current collateral and real estate on the bank’s balance sheet, as well as for all valuation objects sold by the bank. Among the discounts, information shall be stored on the probability of collection and (or) the probability of sale, the expected period before the sale, the applied discount rate and indices, expected selling costs, discount values in the event of non-application of liquidity ratios in accordance with Resolution No. 269;

      market value after taking into account all discounts, including the equivalent in national currency;

      the value of the collateral used in calculating provisions;

      flag of the encumbrance of the valuation object;

      the order of encumbrance of the valuation object;

      information about the pledgor, guarantor, surety, insurer (legal or individual, name, unique identifier);

      date of confirmation of the existence of an encumbrance on the subject of valuation;

      the seniority of the bank's rights of claim on the object of assessment at the level of the borrower or loan;

      allocated value of the security for collateral at the borrower and loan level (indicating the share of collateral for each borrower regarding their unique identifiers);

      approach to assessing collateral;

      unit of area used;

      total usable area of the property being assessed (if applicable);

      proportion of area leased at the valuation date (if applicable);

      proportion of area potentially available for rental (if applicable);

      4) the presence of an adequate rating model and (or) scoring system.

      The board of directors of the bank shall determine the responsible units for the development of the rating model and (or) scoring system, their implementation, application and control of their functioning. The rating model and (or) scoring system contain a description of each level of credit risk and the conditions for their assignment. In the process of assigning a borrower’s credit rating and (or) a scoring score, the bank shall take into account the financial condition of the borrower (borrowers) and other available information on the borrower.

      When assigning a borrower's credit rating and (or) scoring score, the bank shall be guided by current available information on factors affecting the borrower's future creditworthiness and solvency.

      The credit rating assigned to legal entities is subject to periodic monitoring to ensure relevance. The frequency of revision shall increase in the presence of negative information that carries the risk of deterioration in the financial condition of the borrower and (or) the impossibility of repaying obligations to the bank and other available information;

      5) the presence of an adequate system for classifying assets according to the level of credit risk.

      As part of the system for classifying assets by credit risk level, the bank shall implement and use comprehensive procedures and information systems (if not available, software) to monitor the quality of the loan portfolio. Procedures and information systems shall include criteria that identify problem loans and ensure appropriate controls.

      The system for classifying assets by credit risk level shall provide information for the board of directors, committees under the board of directors, the board, and other units of the bank involved in the credit risk management process and allow assessing the level of credit risk of the bank both as a whole on the balance sheet and in the context of each asset.

      The system for classifying assets by credit risk level shall be based on a detailed analysis of all assets (except for receivables from non-core activities in an amount not exceeding 2 (two) percent of the bank’s equity capital) that are subject to credit risk.

      A detailed analysis of assets shall include an assessment of:

      probability of default on the obligations of the borrower and (or) counterparty (PD);

      the amount of losses in the event of default of the borrower and (or) counterparty (LGD);

      the amount of liabilities subject to default (EAD);

      the period during which the risk position is maintained;

      the value of collateral and the possibility of its sale;

      business environment and economic conditions.

      Classification of assets (except for receivables from non-core activities in an amount not exceeding 2 (two) percent of the bank’s equity capital) that are subject to credit risk shall be carried out based on at least 5 (five) categories and shall ensure:

      reliable assessment of capital adequacy under ICAAP;

      the required level of provisions to cover expected losses.

      Assets for which there is overdue debt on principal and (or) accrued interest for a period of more than 90 (ninety) calendar days are classified into the worst categories unless there are compelling and justified grounds for classification into a higher category.

      Assets for which there is overdue debt on the principal debt and (or) accrued interest for a period of less than 90 (ninety) calendar days are classified into the worst category if there are other factors of the borrower’s insolvency, defined by internal documents;

      6) existence of a policy for managing distressed assets.

      The board of directors of the bank shall approve the problem asset management policy, which contains:

      identification of distressed assets;

      methods of managing distressed assets (restructuring, sale, write-off, seizure of collateral, bankruptcy and other methods);

      limits on problem assets (by portfolio) and deadlines for implementing approved methods for managing problem assets to bring them into compliance with the established limits if they are violated;

      quantitative and qualitative parameters of early response to the risk of an increase in the volume of problem assets;

      a list of interested departments and the internal procedure for their interaction when working with problem assets;

      internal procedure for providing management reporting to the board of directors on the level of problem assets;

      procedures for assessing the methods used by the bank for managing distressed assets;

      7) the presence of a reliable methodology for creating provisions.

      To ensure that the provisions formed are sufficient to cover expected losses, the bank shall annually (or more often if necessary) analyze the methodology for forming provisions by:

      determining the compliance of provisions calculated in accordance with the requirements of the provisioning methodology with the actual amounts of losses;

      analysis of current market conditions, and changes in macroeconomic indicators;

      validation of the provisioning methodology.

      When forming provisions for collective loans, the bank shall analyze historical data covering the required period and most accurately reflecting the bank’s credit losses. In this case, historical data shall be supplemented by an analysis of the current market and economic situation.

      If the methodology for forming provisions indicates that there are no signs of an increase in credit risk for loans for which provisions are formed on an individual basis, such loans are subject to the assessment of the level of credit risk on a collective basis.

      The bank shall ensure the development (updating) of a general methodology for models for assessing the probability of default, which describes the detailed requirements that each model for assessing the probability of default meets, including requirements for taking into account the influence of forecast macroeconomic information.

      The methodology for assessing the probability of default shall contain, but not be limited to, the following requirements for:

      determination of credit impairment;

      quality, depth and volume of data used;

      sampling methodologies for developing and testing models;

      the presence of individual blocks of the model (including the requirement to take into account financial, qualitative factors, the possibility of government support or support at the group level) and their maximum weight in determining the final PD;

      methodologies for calibrating the model based on observed credit impairment levels (calibrating the model based on actual statistics on credit impairment levels);

      development and accounting of macro-scenarios, methodology for calculating and applying migration matrices;

      development of a valid credit scale compatible with the credit scales of leading rating agencies;

      calculation of different types of PD (at initial recognition, twelve-month, lifetime PD, point in time (PIT PD) and cyclical (TTC PD));

      calculation of the PD model for financial guarantees;

      estimating annual PD using annual data on observed default rates or alternative approaches based on reliable statistical analysis.

      As part of the development of the model, the following shall be required:

      when applying the scoring model, calculating the scoring score for each of the borrowers in the development sample;

      when applying a scoring model, calibrating the model, that is, converting the scoring score into a PD value using models of the observed historical level of credit impairment for the portfolio;

      development of a model for taking into account the macroeconomic situation and transferring TTC PD to PIT PD;

      estimating annual PD using either annual data on observed default rates or alternative approaches based on reliable statistical analysis;

      providing for the selection of the current volume of historical data on the observed level of defaults when developing the model and the calibration of PIT values based on expected macro indicators;

      establishing a minimum PD limit for residents of the Republic of Kazakhstan corresponding to the PD of the Republic of Kazakhstan, except for statistically justified cases.

      The bank shall ensure automatic calculation in the bank’s internal systems of all risk metrics (PD, LGD, EAD), and provisions, as well as identification of events of a significant increase in credit risk, events that are objective evidence of impairment according to IFRS, and impairment categories.

      The bank shall ensure storage in the systems for at least 5 (five) years after repayment of the loan and (or) off-balance sheet obligation of the following data (but not limited to):

      results of passing or failing the SPPI test;

      classification of a financial instrument in accordance with IFRS 9;

      events that are objective evidence of impairment (a separate data field for each event for each borrower and (or) obligation);

      stage of impairment of the borrower;

      probabilities of scenarios using the "going-concern" and "gone-concern" methods for individually assessed borrowers;

      effective interest rate (original and current interest rates);

      default levels (by number of borrowers, obligations and amount of obligations) in absolute and percentage terms;

      levels of returns (by the amount of liabilities - separately taking into account recoveries and excluding recoveries) in absolute and percentage terms;

      levels of restructurings (by the number of borrowers, obligations and the amount of obligations - separately for restructurings and separately for forced restructurings) in absolute and percentage terms;

      recovery rates (by number of borrowers, liabilities and amount of liabilities) in absolute and percentage terms;

      levels of write-offs (by the amount of liabilities - separately for partial and separately for full write-offs) in absolute and percentage terms;

      PD values (for each borrower and (or) obligation from the moment of issuance and throughout the entire term of the loan and (or) off-balance sheet obligation);

      values of twelve-month PD and lifetime PD at the time of recognition and for each month during the term of the loan and (or) off-balance sheet liability;

      LGD values (including the LGD value for each borrower and (or) liability) from the date of issuance of the loan and (or) off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and (or) off-balance sheet liability;

      EAD values (including the EAD value for each borrower and (or) liability) from the date of issuance of the loan and (or) off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and (or) off-balance sheet liability;

      credit losses (including expected credit losses for each borrower and (or) liability) from the date of issuance of the loan and (or) off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the life of the loan and (or) off-balance sheet liability;

      values of risk weighting factors (RWA) (including RWA values for each borrower and (or) liability) from the date of issuance of the loan and (or) off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and (or) an off-balance sheet liability;

      credit conversion rates;

      the amount of on-balance sheet and off-balance sheet obligations of the borrower (for the last 5 (five) years);

      written-off loans of the borrower (over the last 5 (five) years);

      the total value of provisions (at the borrower level and the liability level);

      linking to the BIN or IIN and internal unique identifiers (if they differ from the BIN or IIN) of the borrower and the loan and (or) off-balance sheet liability;

      linking to BIN or IIN and internal unique identifiers (if they differ from BIN or IIN) of all co-borrowers and guarantors;

      linking to a unique identifier of a group of related borrowers in accordance with the internal documents of the bank;

      linking to the BIN or IIN of members of a group of related borrowers in accordance with the internal documents of the bank;

      financial indicators of borrowers required to determine the stage of impairment and calculate provisions;

      a sign that the subject belongs to the category of entrepreneurship according to the Entrepreneurial Code of the Republic of Kazakhstan;

      flag of belonging to the list of persons associated with the bank by special relations;

      flag of restructuring and (or) forced restructuring;

      all dates of restructuring of the loan and the borrower of loans in this bank.

      The systems of the bank shall record and store the fact of an event of a significant increase in credit risk and an event that is objective evidence of impairment under IFRS for all borrowers, their on-balance sheet and off-balance sheet liabilities and the bank's portfolios;

      8) availability of a procedure for validating credit risk assessment models.

      To ensure the adequacy of credit risk assessment using models, the bank shall regulate the processes of their validation, backtesting, and acceptable levels of deviations from the planned risk level. In case of deviation from the planned risk level, the bank shall develop a plan of corrective measures.

      Validation shall be carried out through one or more of the following methods:

      checking the discriminatory ability of the model;

      assessment of the predictive accuracy of the model;

      rating migration analysis;

      comparative analysis of ratings.

      Validation shall be carried out at least 1 (one) time every 3 (three) years by an independent unit of the bank or with the involvement of an independent third party. The frequency of validation shall depend on the current market situation, strategy, volume of assets, and level of complexity of the bank’s operations, and shall increase in the event of significant changes in the economy or the bank’s internal lending processes. Validation results shall be provided to the risk management committee.

      Internal validation of scoring models shall be carried out by an independent unit of the bank at least 1 (one) time every 1 (one) year.

      Internal validation of scoring models shall be carried out by an independent unit of the bank while formalizing the full validation process in the internal documents of the bank, including, but not limited to, a detailed process of validating the parameters used in calculating provisions (participants, inspection perimeter, inspection areas, criteria for preparing judgments, format for presenting results, deadlines).

      An independent unit of the bank responsible for validation shall generate a conclusion for each verified parameter with a description of the verification process, disclosure of the results and degree of significance.

      Validation results with detailed justification shall be provided to the risk management committee.

      Based on the results of the review of the validation results, the risk management committee shall draw up a protocol, including a conclusion on whether or not changes to the model are necessary.

      As part of model validation, it shall be required to carry out, among other things:

      checking the model's compliance with regulatory requirements;

      backtesting of the model to determine the accuracy of the model’s predictions (checking the accuracy of the model on samples different from the one on which the model was developed). The bank shall check the relevance of the model based on the most recent observations;

      checking the depth and quality of the data used to develop the models. As part of the verification, it shall be necessary to verify through econometric tests that the sample is sufficient for subsequent modelling;

      checking the model for compliance with other models for assessing risk metrics;

      9) the use of adequate and reasonable expert estimates when assessing credit risk.

      In situations where it is necessary to use expert assessments, the bank shall provide:

      a regulated process for using expert assessments, indicating the limits for the use of such assessments;

      a sufficient level of competence of employees conducting expert assessment;

      a uniform approach to the use of expert assessments. Under the same conditions, expert assessments shall not have significant deviations.

      The expert assessment shall be carried out based on reasonable and documented assumptions, using due care.

      The use of expert assessments by the bank taking into account historical data shall be supplemented by an analysis of the current market and economic situation, in particular (as applicable):

      changes in the processes of granting loans, standards and practices of decision-making, returns, and write-offs;

      changes in external and internal economic factors, business environment, taking into account dynamics;

      changes in the level of non-performing and restructured loans;

      the emergence of new market segments and products;

      changes in credit risk concentration;

      10) the availability of the necessary tools, including a set of data storage tools that provide complete and reliable information about loans (including receivables and contingent liabilities), as well as other transactions that have a credit risk, which allows a correct assessment of the level of credit risk.

      The bank shall carry out credit administration in accordance with procedures that shall include, but not be limited to the following:

      checking the compliance of the submitted loan documents with the conditions for granting loans;

      checking the compliance of loan agreements with the decisions made;

      formation and maintenance of a credit dossier.

      It shall be allowed to generate a credit dossier (part of a credit dossier) in electronic form. The credit dossier shall contain (including but not limited to):

      borrower identification documents:

      This group shall include documents proving the identity of an individual, documents related to the formation of a legal entity (with the disclosure of the ultimate owners - individuals who own directly or indirectly ten or more percent of shares or participation interests, except for the cases established by paragraph 3 of Article 8-1 of the Law on Banks), confirmation of its legal personality, as well as documents confirming the powers of persons acting on behalf of the borrower and authorized to sign loan and collateral documentation on behalf of the borrower.

      Documentation related to determining the intended use (except for overdrafts, consumer loans without confirmation of intended use with an aggregate amount of less than 0.2 (zero point two) percent of the bank's equity capital and loans to replenish working capital with an aggregate amount of less than 0.2 (zero point two) percent of the bank’s equity capital, syndicated loans with the participation of non-resident banks of the Republic of Kazakhstan):

      This group shall include documents and information on the transaction for which financing is requested (including the initial purposes of financing in the event of restructuring and (or) refinancing), including for large borrowers:

      documents confirming the purpose of using the loan, including for legal entities - supply agreements, purchase and sale agreements, foreign trade contracts;

      for a legal entity, the amount of loans and contingent liabilities for which exceeds, for banks whose equity capital exceeds 100 (one hundred) billion tenge - 0.1 (zero point one) percent of the bank’s equity, for banks whose equity capital does not exceed 100 (one hundred) billion tenge - 0.2 (zero point two) percent of the bank’s equity capital - a feasibility study for issuing a loan, characterizing the payback period and the level of profitability of the loan transaction, or the borrower’s business plan, which reflects a description of activities indicating the purposes of using the loan, sales markets and marketing strategy of the borrower, risk assessment and management, financial plan detailed by year (financial indicators of the implementation of the business plan by year, sources and amount of financing for the business plan and loan repayment), estimate of income (expenses) (for loans related to investment purposes, start-up projects or loans, the main source of repayment of which is planned to be proceeds from the sale of goods and (or) services purchased using loan funds).

      For the purposes of this paragraph:

      a working capital loan means a loan provided to finance current production processes;

      a consumer loan means a loan provided to an individual or individual entrepreneur without forming a legal entity and meeting the following criteria:

      the issuance of a loan shall not be related to the purpose of financing business activities and it shall be assumed that the loan will not be used by the borrower to carry out business activities;

      the loan shall be planned to be used for the purchase of durable goods (residential real estate, cars, household appliances, furniture, etc.) and (or) payment for various services (educational, tourism, medical, repair and construction, etc.) and (or) other purchases and purposes (refinancing a loan in another bank (if the previously received loan is related to consumer purposes), mobile phones, food, etc.);

      the recipient of the loan shall have a permanent source of income (salary, pension, benefits, dividends from securities, income from rental real estate and other income), which objectively allows him/her to service his/her obligations to the bank under the loan received, confirmed in the manner determined by the internal documents of the bank.

      documents required to analyze the client’s financial condition and quality of collateral:

      this group of documents shall include all documents based on which an analysis of the borrower’s financial condition shall be carried out and reflecting the main economic indicators of the borrower’s activities, as well as documents confirming the availability, quality, amount of accepted collateral, which include (but are not limited to):

      documents confirming the authority of the person authorized to sign the collateral documentation;

      appraiser's report on the valuation of real estate;

      conclusion of the collateral service unit on the adequacy of the collateral assessment by the appraiser in accordance with the requirements of the Rules and internal documents of the bank;

      documents confirming the rights to the pledged object;

      a copy of the pledge agreement containing a note on its registration with the authorized registration authorities.

      Documentation required for credit monitoring. This group shall include documentation generated by bank departments in the course of maintaining a loan or necessary to confirm periodic credit monitoring, as well as procedures for updating information about borrowers (counterparties) for credit risk management;

      11) availability and functioning of the management information system.

      The bank shall develop management reporting forms, which include, but are not limited to, the following information:

      about the loan portfolio and its quality, presented including the dynamics of its changes;

      on the size (level) of exposure to credit risk, including an assessment of the approximation of the total exposure to the limits established by the bank for various types of loans (pre-limit approach);

      on exposure to credit risk concerning a group of related borrowers and the dynamics of its change;

      on the concentration of credit risk of the largest borrowers (counterparties) and borrowers (counterparties) connected with the bank by special relationships, including with the bank’s shareholders, and the dynamics of its change;

      on internal ratings of borrowers (counterparties) and the dynamics of their changes, on monitoring the quality of loans according to ratings of borrowers (counterparties) and its frequency;

      on the amount of provisions and assessment of the level of adequacy of provisions;

      about restructured, refinanced and problem loans;

      on monitoring and control over compliance with limits;

      about deviations from policies and limits.

      Footnote. Paragraph 42 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (the order of enforcement see Paragraph 5).

      43. The board of directors shall ensure the existence of a market risk management system that is consistent with the current market situation, development strategy, assets and the level of complexity of the bank’s operations, ensures the effective identification, measurement, monitoring and control of the bank’s market risk, and defines a strategy for hedging market risk in order to ensure the adequacy of equity to cover it.

      The market risk management system shall be integrated into the bank's internal risk management processes, and its results shall be an integral part of the process of monitoring and controlling the level and profile of its market risk, as well as the decision-making process in the implementation of the bank's current activities. Market risk assessment results shall be taken into account in the process of developing a bank development strategy.

      Market risk management shall be carried out on the basis of managing the position of assets and liabilities, forming the value of financial instruments with a positive interest margin and expected profitability, managing an open foreign exchange position, constantly monitoring market risks and monitoring established risk appetite levels for relevant operations.

      The market risk management system shall include the management of securities portfolios and control of open positions in currencies, interest rates, and derivative financial instruments.

      44. In the process of market risk management, the bank shall determine:

      1) the organizational structure of the bank involved in the process of market risk management, including the internal order of subordination and reporting;

      2) the structure of the trading and banking books, as well as the procedures for dividing instruments into instruments of the trading and banking books.

      The trading book shall be a part of a bank’s financial portfolio that presents financial instruments purchased and sold to support trading operations, generate income in the form of the difference between the purchase and sale prices, and hedge the bank’s operations from various types of risk. Trading book positions shall be regularly reevaluated. All other operations shall relate to the banking book;

      3) assets (liabilities) sensitive to changes in interest rates;

      4) ways, methods and models for assessing market risk;

      5) risk orientation, bank approaches to establishing and monitoring risk appetite levels and risk minimization methods.

      45. The functioning of the market risk management system shall be carried out based on the following main components, but not limited to them:

      1) approval and periodic analysis of the bank’s investment activity strategy, formation of an optimal structure of assets and liabilities, taking into account the bank’s specific risk profile, the level of adequacy of the bank’s capital and the level of liquidity to cover the significant market risk.

      The investment strategy shall meet the following basic principles:

      the content corresponds to the bank’s overall strategy in terms of goals, directions and deadlines for implementation;

      the presence of a relationship between the tactical and strategic processes of managing the bank’s investment activities;

      maximizing profit, ensuring the growth of a high-quality investment portfolio, maintaining a sufficient level of liquid assets in the overall structure of the bank’s assets;

      formation of the structure of assets and liabilities taking into account the implementation of requirements, methods and procedures for managing market risk;

      2) approval of a procedure for identifying, assessing, monitoring, and controlling market risks, taking into account all areas of the activities of the bank that are subject to market risk (banking and trading books, balance sheet and off-balance sheet transactions), as well as methods for hedging these risks.

      The bank shall develop a market risk management process that shall include, but not be limited to, the following:

      participants in the market risk management process, their powers and responsibilities with a clear definition of the accountability structure, as well as the internal procedure for the exchange of information;

      a list of foreign currencies, and financial instruments with which transactions are permitted, indicating the purposes of their use, as well as internal requirements and criteria for financial instruments, including the volume, composition and conditions;

      internal order and procedures for identifying, measuring, monitoring and controlling the level of market risk.

      Procedures for identifying, measuring, monitoring and controlling market risk:

      cover all types of assets, liabilities, off-balance sheet positions;

      cover all types of market risk and their sources;

      allow for regular assessment and monitoring of changes in factors affecting the level of market risk, including rates, prices and other market conditions;

      allow timely identification of market risk and action in response to unfavourable changes in market conditions.

      To assess the accepted level of market risk, the bank shall use models that correspond to the development strategy, the volume of assets and the level of complexity of the bank’s operations.

      Concerning the banking book, the bank shall separately identify, measure (evaluate), monitor and control interest rate risk.

      To quantify the interest rate risk of the banking book, the bank shall use at least two complementary methods to monitor its level and manage it:

      quantitative assessment of changes in the economic value of equity (EVE), that is, the calculation of the amount by which the net value of cash flows generated by claims and obligations reflected in the bank’s balance sheet and off-balance sheet accounts will change;

      quantitative assessment of changes in net interest income (NII), that is, the calculation of the amount by which the bank’s expected net interest income will change in accordance with interest rate shock scenarios (parallel shift of rates up and (or) down).

      The methods for assessing interest rate risk used by the bank cover all significant sources of interest rate risk inherent in the operations (transactions) carried out by the bank that are sensitive to changes in interest rates. Concerning financial instruments denominated in foreign currency that are sensitive to changes in interest rates, the total volume of which exceeds 5 (five) percent of the volume of assets (liabilities), the bank shall measure interest rate risk separately for each foreign currency. The assumptions adopted within the methodology for assessing interest rate risk shall be documented in the relevant internal documents of the bank.

      The bank periodically conducts sensitivity analyses for each type of market risk inherent in the bank's activities. Sensitivity analysis shall show the impact on the bank's profit (loss) and equity capital of possible changes in variable risk factors.

      The bank shall periodically carry out backtesting of market risk assessment models. The bank shall conduct backtesting to verify the reliability and effectiveness of market risk assessment models and, if necessary, improve them. The results of backtesting, together with proposals, if necessary, to improve market risk management procedures, shall be sent to the risk management committee and the board of directors of the bank.

      The bank shall regularly monitor the level of market risk to prevent the possibility of exceeding established risk appetite levels. The frequency of monitoring market risk shall be determined by the bank based on the degree of its significance for the relevant line of business of the bank.

      Information obtained in the process of monitoring market risk about a significant change in the level of risk shall be promptly communicated to the board of directors and the risk management committee of the bank to make the necessary decisions.

      To minimize market risk, the bank shall establish:

      risk appetite levels for currency, price and interest rate risks in accordance with Chapter 3 of the Rules;

      constant monitoring of compliance with established risk appetite levels;

      procedures for immediately informing the board of directors, the risk management committee, the board of the bank and other interested structural units about the achievement of limit values and (or) violations of established risk appetite levels;

      measures to reduce market risk taken when risk appetite levels are reached;

      3) market risk management procedures for:

      changes in the structure of financial instruments, their quantitative and cost indicators;

      development and implementation of new technologies and conditions for carrying out banking operations and other transactions, other financial innovations and technologies;

      entry into new markets;

      4) methods and criteria for hedging risks, including establishing criteria for the effectiveness (optimality) and cost of hedging.

      The bank shall develop and implement a hedging strategy for each type of market risk, which contains:

      hedged items;

      description of the hedging instruments used (use of exchange and over-the-counter market instruments, taking into account the assessment of the reliability of the counterparty, the timing of hedging instruments);

      internal procedure for determining the required level of liquidity to cover hedging instruments;

      description of the procedure and methods for assessing the effectiveness of hedging.

      A hedge shall be considered effective if the change in the fair value or cash flow of the hedged item is fully offset by the change in the fair value or cash flow of the hedging instrument. Hedging shall be carried out concerning a specific identifiable risk, rather than the general risks of the bank;

      5) internal order and procedures for monitoring the bank’s profitability from the use of financial instruments;

      6) procedures for stress testing to assess market risk, including the internal procedure for using their results as part of the risk management process.

      The bank shall conduct stress testing of market risks periodically to identify the level of potential market risks inherent in the bank's activities and assess the bank's ability to withstand changes.

      The frequency of stress testing, procedures and methods of implementation shall be established in the relevant internal documents of the bank. The frequency of stress testing shall be determined based on the bank’s level of exposure to market risk, capital market volatility and other external factors. The frequency of stress testing shall increase in cases of significant changes in external factors.

      When conducting stress testing, the following scenarios shall be used:

      historical;

      providing for changes in the exchange rates of foreign currencies and (or) precious metals for open positions of the bank;

      providing for changes in the market value of financial instruments;

      providing for changes in the general level of interest rates, scenarios of growth or decline in the profitability of financial instruments sensitive to changes in interest rates;

      providing for changes in profitability;

      providing for changes in the relationship between interest rates on resources attracted and placed by the bank;

      providing for changes in the degree of volatility of market interest rates;

      providing for a sharp deterioration in key market, financial and (or) other factors and conditions of the activities of the bank.

      The bank shall use methodology and stress-testing scenarios that are appropriate to its business structure and risk profile.

      The results of stress testing shall be presented to the board of directors, the risk management committee, the board of the bank, and interested structural units of the bank periodically. If the results of stress testing indicate the bank’s vulnerability to certain risk factors, the bank shall take measures to reduce the level of accepted risk;

      7) a system of indicators for early detection of exposure to market risk, including those based on the pre-limit approach;

      8) procedures for making changes to the internal documents of the bank and procedures in cases of changes in market conditions affecting the level of the bank’s exposure to market risk;

      9) approval of the internal procedure of a system of high-quality, detailed, periodic management information, allowing timely and complete assessment of the level of exposure to market risk, approach to established levels of risk appetite and timely response to changes.

      The bank shall ensure that it has an effective management information system designed to provide the board of directors of the bank, risk management committee and interested departments of the bank with information about the bank's exposure to market risk.

      Management information shall contain, but not be limited to, the following:

      information on the current state of interest rates, exchange rates, market quotes and their dynamics;

      information on significant open positions by currencies and financial instruments;

      information on the level of interest rate risk for aggregate positions on financial instruments sensitive to changes in interest rates;

      information on the interest rate risk of the banking portfolio, filled out in accordance with paragraphs seven, eight and nine of subparagraph 1) paragraph 8 of the Report Structure on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules;

      information on the compliance of positions on financial instruments sensitive to changes in interest rates with established limits;

      information about early warning indicators of market risk;

      expert assessments on changes in interest rates, exchange rates, and price indices in the future;

      results of measuring market risks;

      10) the existence of an internal procedure for taking measures to reduce market risk;

      11) availability of procedures for assessing the fair value of financial instruments based on market information.

      Footnote. Paragraph 45 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).

      46. The board of directors shall ensure the existence of an operational risk management system that is fully integrated into the overall risk management process of the bank at all levels of the bank's organizational structure and in newly created products, activities, processes and systems, and ensures the effective identification, measurement, monitoring and control of operational risk of the bank in order to ensure the adequacy of equity to cover it. The operational risk management system shall include, but is not limited to, the following:

      1) a detailed description of the interaction between all participants involved in the operational risk management process, including the internal order of accountability.

      The bank shall determine the participants in the operational risk management process based on 3 (three) lines of defense.

      The first line of defense is provided by the structural units of the bank. This means that the heads of structural units are responsible for identifying, measuring, monitoring and controlling operational risk inherent in their activities, including those related to personnel, products, processes and systems. Based on the current market situation, strategy, volume of assets and the level of complexity of the bank’s operations, to ensure the effective functioning of the operational risk management system in the first line of defense, risk coordinators for operational risk are appointed in the bank’s structural units, and the internal procedure for their interaction with the operational risk management and internal audit units is determined.

      The second line of defense shall be provided by an independent operational risk management unit.

      The third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the bank's operational risk management system;

      2) a description of operational risk measurement tools;

      3) the internal procedure for establishing the risk appetite level for operational risk;

      4) the internal procedure for the exchange of information and the base of internal events of operational risk;

      5) a system for classifying operational risk events to ensure accuracy in identifying risk;

      6) analysis of operational risk and the corresponding revision of the operational risk management policy in the event of a significant change in the level and types of operational risk of the bank.

      47. In order to build an effective operational risk management system, the board of directors shall be responsible for:

      1) approval of the operational risk management policy, which includes, but is not limited to, the following components:

      goals and objectives of operational risk management;

      basic principles of operational risk management;

      classification of types of operational risk events;

      level of risk appetite for operational risk of the bank;

      identification of participants in the operational risk management process based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;

      determination of the internal order and procedures for identifying, measuring, monitoring and controlling operational risk, including:

      definition of key indicators of operational risk;

      definition of procedures and mechanisms for managing operational risk;

      internal procedure for the exchange of information between participants in the operational risk management process across the 3 (three) lines of defense, including types, forms and terms of information submission;

      procedures for the approval, confirmation, analysis and monitoring of deviations from policies, procedures, limits;

      the internal order and procedures for approving new products, activities, processes and systems and/or making significant changes to existing products, activities, processes and systems;

      requirements for amendments to internal documents and procedures in cases of detection of deficiencies in the management of operational risk and (or) the occurrence of conditions affecting the bank's level of exposure to operational risk;

      2) the formation of a risk culture of operational risk management;

      3) regular analysis of the operational risk management system in order to ensure timely identification and management of operational risk caused by changes in external factors, as well as operational risks associated with new products, activities, processes or systems, including changes in the level and types of risk;

      4) ensuring the appropriate conditions for the application of best operational risk management practices;

      5) approval and control of risk appetite levels in relation to operational risk with regular review. In the process of analyzing the relevance of risk appetite levels, the following are taken into account: changes in external factors, a significant increase in the volume of a bank’s operations, including for certain types of activities, the results of audits of the internal control system (if any), the effectiveness of the operational risk management or risk reduction system, and the volume of incurred losses, as well as the frequency, extent and nature of violations of established levels of risk appetite.

      48. The bank identifies, measures, monitors and controls operational risk through the following (but not limited to):

      1) the use of audit results.

      The results of audits shall be an additional source of information in the process of managing operational risk of a bank;

      2) collection and analysis of internal data on operational risk events.

      The collection and analysis of internal data on operational risk events (maintaining a database of operational risk events) is a process that allows one to assess the exposure to operational risk and the effectiveness of internal control based on information on operating losses.

      Analysis of the occurrence of losses gives an idea of the causes of large losses and information on whether the failures in the control system are episodic or systemic;

      3) analysis of external events on operational risks.

      The external data on operational risk events include (if any) the total operating losses, terms, data on coverage of losses, as well as relevant incidental information on cases of losses in other banks;

      4) conducting a self-assessment of operational risk.

      Self-assessment of operational risk is a tool through which a bank identifies and evaluates operational risks inherent in bank processes and evaluates their impact on processes and the effectiveness of existing control procedures for identified operational risks;

      5) descriptions (regulation) of business processes.

      Description (regulation) of business processes - a process in which the structural units that make up the first line of defense determine the main stages of business processes, types of activities, organizational functions that help identify operational risks, the relationships between risks, deficiencies in control and risk management;

      6) the use of key indicators of operational risk.

      Key indicators of operational risk are the values and (or) statistical data that provide an idea of the operational risk profile to which the bank is exposed. Key indicators of operational risk are used to monitor changes in the level of operational risk in the bank, which, in turn, ensures the identification of shortcomings in the processes, organization, failures and potential losses;

      7) scenario analysis of operational risk.

      Scenario analysis of operational risk is a process of comparing external events of losses with internal processes of a bank and obtaining an expert opinion of the heads of structural units and risk management departments about deficiencies in the control system or risks not previously identified to identify potential cases of operational risk and assess possible consequences.

      The risk management committee shall ensure that there is a process to regularly monitor the level of operational risk.

      49. The bank shall ensure the existence of a management information system, including the establishment of an internal procedure that shall determine the composition and frequency of operational risk management reporting presented to various recipients, and the bank's responsible executives (units) for the preparation and delivery of information to the relevant recipients. The established internal reporting procedure allows for proactive operational risk management. Management reporting on operational risk shall contain:

      1) information on violations of the established risk appetite levels of the bank for operational risk;

      2) information on significant internal events of operational risk and losses, disaggregated by the classification of operational risk, on the amount of damage, indicating the causes, types of events, consequences;

      3) information on significant external events of operational risk for decision making;

      4) information on corrective measures taken on significant events of operational risk occurrence and (or) analysis of the effectiveness of the measures taken;

      5) results of self-assessment of operational risk;

      6) monitoring results of key risk indicators;

      7) the results of scenario analysis;

      8) information about the operational risk map.

      Management reporting shall contain complete, reliable, timely information. The frequency of reporting reflects the degree of exposure of the bank to risks, as well as the pace and nature of changes in its activities.

      The processes for the formation of management reporting on operational risk shall be periodically analyzed in order to continuously improve the management of operational risk and the further development of principles, procedures and processes for managing operational risk.

      50. To identify potential risks arising in stressful situations, the bank shall periodically (but at least once every six months) conduct stress testing to identify sources of potential threats to capital adequacy. Stress testing shall be carried out by the bank using the following methods (but not limited to):

      1) scenario analysis;

      2) sensitivity analysis.

      The stress testing process shall include the following:

      Stress testing shall allow the bank to analyze the impact of stress scenarios on the level of capital adequacy, assess the level of risk when the internal and external environment changes;

      The degree and frequency of stress testing correspond to the chosen business model, scale of activity, types and complexity of operations, as well as the bank’s role in the financial system. The bank can increase the frequency of stress testing in deteriorating market conditions or at the request of bank management;

      The board of directors of the bank takes an active part in the stress testing process in terms of approving stress testing procedures and scenarios (including considering conservative scenarios also during periods of economic growth), evaluating the results and, as a result, taking measures to minimize the capital risk revealed during stress testing.

      When carrying out stress testing, the bank shall use, but not limited to, the following stress testing scenarios:

      general economic scenario, which is based on an assessment of the impact of a decline in the country’s economic situation, including a decline in economic growth in general and in individual sectors of the economy;

      a scenario specific to the bank’s business, which is based on an assessment of the influence of local stress factors, including those related to the characteristics of the bank’s lending activities and the structure of its loan portfolio;

      a scenario that takes into account the possibility of emergencies.

      The bank develops stress testing scenarios based on conservative but potentially realizable negative changes in external and internal indicators that affect a decrease in the level of capital adequacy.

      The board of directors of the bank shall approve stress testing scenarios and accepted assumptions, as well as stress testing results. The reasonableness of the selection of scenarios and the bank's associated assumptions shall be documented and reviewed in conjunction with the results of the stress test.

      In determining stress scenarios and sensitivities, the bank shall use a wide range of information, including historical and hypothetical stress situations, including those outside the normal range of risks and forecasts.

      In addition to the possibility of applying stress scenarios applied by the regulator, the bank shall strive to use the most applicable stress situations that correspond to its characteristics but are not limited to them.

      The board of directors of the bank shall regularly review stress testing scenarios for significant changes. If it is necessary to change the stress testing scenarios, an interim assessment shall be carried out.

      When developing stress testing scenarios and assumptions, the bank shall be guided by the following:

      the scenarios include all significant risks to which the bank is potentially exposed;

      during stress testing, the bank considers the relationship between different types of risks;

      the bank takes a conservative approach when determining stress-testing assumptions. Based on the type and severity of the scenario, the bank shall consider the appropriateness of several assumptions concerning its activities;

      stress testing approaches and models are statistically and econometrically sound;

      internal models of banks for certain types of risks are adapted for stress testing;

      the bank considers short-term and long-term, as well as idiosyncratic and market scenarios, regardless of how high the level of capital adequacy is at the moment, including:

      lack of accessibility to capital markets;

      reduction in the cost of energy resources;

      depreciation of the national currency;

      real estate market crisis;

      change in rates;

      change in gross domestic product;

      crisis in the agricultural sector;

      rising inflation expectations;

      increased unemployment and decreased income;

      decrease in the market value of assets.

      The results of the stress test and predicted risks, as well as subsequent actions to minimize the negative impact, are reported and discussed with the board of directors of the bank and departments involved in the liquidity risk management process. The board of directors of the bank shall integrate the results of the stress testing process into the bank's strategic and budgetary planning process. The results of stress testing shall be used to set internal limits.

      The board of directors of the bank shall take into account the results of stress testing in the process of maintaining capital adequacy in the event of unforeseen circumstances, including eliminating shortcomings in the process.

      Footnote. Paragraph 50 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall come into effect ten calendar days after the day of its first official publication).

      51. The bank shall ensure the existence of procedures for the development, approval and implementation of new products, activities, processes and systems, or significant changes to existing products, activities, processes and systems, ensuring:

      1) an assessment of the risks inherent in new products, activities, processes and systems or in the case of significant changes to existing products, activities, processes and systems;

      2) analysis of the costs and benefits of implementation;

      3) an assessment of changes in levels of risk appetite of the bank and the introduction of appropriate changes;

      4) the availability of the necessary control mechanisms, the risk management process;

      5) the availability of information on the level of residual risks;

      6) the existence of procedures and methods for identifying, measuring, monitoring and controlling risks inherent in new products, activities, processes and systems or in the case of significant changes to existing products, activities, processes and systems;

      7) an assessment of the bank's ability to invest in human resources and the technological infrastructure of the bank before introducing new products, activities, processes and systems or in the event of significant changes to existing products, activities, processes and systems.

      52. Each year, the board of directors of the bank evaluates capital adequacy based on the results identified in the internal process of assessing the adequacy of equity and other information available to the board of directors of the bank.

      The internal process of assessing capital adequacy is subject to a continuous review of both quantitative and qualitative indicators, including the application of its results, approaches to stress testing, risk identification and information collection, validation of risk assessment models. The review is carried out within 3 (three) lines of defense, based on their role in ICAAP. The review facilitates timely changes when internal and external factors change.

Chapter 6. Internal Liquidity Adequacy Assessment Process

      53. The board of directors shall approve the bank’s internal document that regulates the main approaches and principles of the ILAAP and contains the following sections:

      1) a description of the organizational structure of the ILAAP;

      2) a description of the risk appetite strategy;

      3) organization of liquidity risk and funding management, including daily liquidity risk and liquidity gaps;

      4) a description of the process of integrating liquidity risk management in the process of approving new products and activities;

      5) a review of the funding strategy and contingency plan for liquidity;

      6) organization of management of liquidity buffers and collateral;

      7) organization of stress testing procedures;

      8) the organization of self-assessment procedures for the internal liquidity adequacy assessment process.

      54. The description of the organizational structure of the ILAAP contains a list of participants in the ILAAP, indicating the responsibilities of the bank’s collegial bodies and units involved in the implementation of liquidity and liquidity risk management processes, including:

      1) the board of directors of the bank shall be responsible for managing liquidity risk and determining the level of risk appetite. The board of directors of the bank shall approve the report on compliance with the ICAAP and ILAAP no later than April 30 of the year following the reporting year;

      2) the risk management committee shall be responsible for developing policies and procedures in the field of liquidity management within the risk appetite level established by the board of directors. In addition, the risk management committee shall periodically notify the board of directors of the bank about compliance with risk appetite and significant changes in liquidity levels;

      3) the unit (units) of the entity entrusted with the functions of internal control carries out verification of compliance with the ILAAP procedures and brings the results to the attention of the board of directors of the bank;

      4) unit (units) participating in the risk management process:

      is (are) responsible for the implementation of the liquidity risk management process;

      is (are) responsible for preparing a report on compliance with the ICAAP and ILAAP in accordance with the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules. The bank shall ensure the availability of supporting documents, which include, but are not limited to, calculations, applied models, explanatory notes, analytical reports, self-assessment results and assessment of the effectiveness of the ILAAP;

      is (are) responsible for preparing the stress testing;

      5) the liquidity management unit (units) develops and implements measures for operational liquidity management and, together with the risk management unit, shall develop a financing plan in case of unforeseen circumstances;

      6) the internal audit unit shall evaluate the effectiveness of the ILAAP.

      Footnote. Paragraph 54 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).

      55. As part of the ILAAP, the board of directors of the bank shall be responsible for adhering to the approved risk appetite strategy.

      56. The bank shall develop an effective process for identifying, assessing, monitoring and controlling liquidity risk, which includes detailed forecasting of cash flows by assets, liabilities and off-balance sheet instruments at different time intervals.

      The bank shall evaluate all balance sheet and off-balance sheet items that affect the level of liquidity risk. The bank shall assess the level of liquidity in the market to cover the needs of the bank in attracting funding in order to regulate liquidity risk.

      When managing liquidity risk, the bank shall take into account the decrease in the value of assets and the impact of their sale during stresses on liquidity, profitability and capital.

      The bank shall take into account the interaction between liquidity risk and other types of risks to which it is exposed.

      Measurement of liquidity includes an assessment of the inflows and outflows of cash of the bank to determine the potential shortage of liquid assets in the future. The bank shall measure and predict estimated cash flows from assets and liabilities, including off-balance sheet claims and liabilities, at different time horizons under normal conditions and in a number of scenarios, with varying degrees of stress.

      These time horizons shall include:

      the need for liquidity and the possibility of financing on an intraday basis;

      need for liquidity and the possibility of financing for short and medium-term horizons up to 1 (one) year;

      long-term liquidity of more than 1 (one) year.

      The bank shall develop early warning indicators that identify increased liquidity and limited funding risks. The developed indicators reveal a negative trend in the level of liquidity and funding of the bank and reflect a real assessment in order to take immediate measures to mitigate the impact of emerging risks on the financial position of the bank.

      The bank shall define triggers for qualitative and quantitative indicators of early warning.

      Qualitative or quantitative indicators of early warning include, but are not limited to, the following:

      rapid growth of assets, especially those financed by liabilities with the possibility of early withdrawal, or for which there is no established maturity;

      increase in concentration in individual assets or liabilities;

      widening gaps in currencies;

      decrease in the weighted average maturity of obligations;

      approximation to the values of the bank’s internal limits and (or) prudential standards, defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;

      negative trends or increased risk associated with the activities of the bank;

      a significant decrease in bank income, deterioration in the quality of assets and the general financial condition of the bank;

      negative information, including in the media related to the bank;

      lowering the bank's credit rating;

      decrease in stock quotes or increase in the value of the bank's debt;

      increase in the cost of corporate or retail funding;

      an increase in the requirements of counterparties for the provision of additional collateral and (or) refusals for new transactions without collateral and for the extension of terms;

      closing or reducing the established amount of credit lines provided to the bank;

      increased outflow of retail deposits;

      increase in outflow of term corporate deposits;

      difficulties in attracting long-term financing.

      The bank shall actively manage its intraday liquidity position and associated risks in order to timely fulfill payment and settlement obligations, both in normal and stressful situations, thereby contributing to the smooth functioning of payment and settlement systems.

      The bank shall manage intraday liquidity risk through procedures that include, but are not limited to:

      tracking daily liquidity positions taking into account expected cash inflows and outflows, forecasting the size of a potential financing gap arising in different periods of the trading day;

      identification of key customers acting as the main sources of incoming or outgoing liquidity flows, forecasting inflows and outflows by establishing constant communication and awareness of the nearest future large incomes and withdrawals;

      identification of key periods, dates and circumstances in which liquidity flows and possible credit needs are especially high;

      understanding the needs of business units;

      control of the intraday liquidity position in relation to the expected payments in order to determine the size of the necessary additional intraday liquidity or the need to limit the outflow of liquidity to cover priority payments;

      availability of reliable funding sources in order to obtain a sufficient level of required intraday liquidity in a short time;

      management of bank assets that are used as collateral in case of the need to obtain daily borrowed funds;

      the availability of a sufficient amount of such assets, operational mechanisms for collateral;

      monitoring of outflows of funds of key clients in accordance with intraday needs;

      the bank's response measures in case of unexpected breaks in daily liquidity flows, including measures to ensure business continuity.

      The bank shall provide an effective system of management information designed to provide the board of directors of the bank, the risk management committee and other interested structural units of the bank with information on the bank's exposure to liquidity risk and the state of liquidity of the bank.

      The bank shall develop a management reporting system that:

      covers all sources of liquidity risk, including contingent liability risks, as well as risks associated with the occurrence of events that entail early repayment of obligations and the need for a certain amount of liquidity from relevant sources;

      provides information on liquidity positions in the context of different time horizons;

      provides a risk measurement for monitoring positions on liquidity, both under normal and stressful conditions, by types of currencies in which the bank has significant positions, both individually and on an aggregated basis;

      allows monitoring and analysis of the dynamics of unencumbered highly liquid assets, with the aim of selling them or using them as collateral to raise funds in the event of stressful situations;

      allows monitoring and analysis of information on factors affecting the level of stock of liquid assets;

      provides assessment and forecasting of future cash flows in the context of different time horizons, including taking into account the results of stress testing in various scenarios;

      involves providing more detailed and relevant information on a more frequent basis during periods of stress.

      The management reporting system includes, but is not limited to, establishing an internal order that shall determine:

      the criteria, composition, internal procedure and frequency of reporting on liquidity risk management to various recipients (for example, daily reporting shall be presented to executives responsible for liquidity risk management, regular reporting to the management board, risk management committee and board of directors, with increased frequency during periods of stressful situations);

      the comparison of the current liquidity risk level with the established limits, the identification of negative factors leading to negative trends in the liquidity level, as well as ways to limit violations;

      reports on violations of liquidity risk limits indicating threshold values, causes of violations and proposals to level out the current situation;

      responsible executives (units) for the preparation and communication of information to the appropriate recipients.

      Information systems ensure the functioning of the liquidity risk management system, including monitoring compliance with the established limits. Information systems correspond to the complexity of the bank’s business, risk profile, areas of activity, assets and the role of the bank in the financial system.

      57. Description of the process of integrating liquidity risk management into the approval process of new products and activities.

      The bank shall take into account the costs, benefits and liquidity risks in the process of approving new products for all important activities.

      The ILAAP of the bank shall take into account the measurement of costs, benefits and liquidity risks inherent in all areas of the bank's business (including activities related to contingent risks that do not have a direct effect at the moment, but have the opportunity to be implemented in the future). This distribution of costs, benefits and liquidity risks includes factors related to the expected maturity of assets and liabilities, their market liquidity risk characteristics and any other relevant factors, including the benefits of access to relatively stable funding sources.

      58. Review of funding strategy and contingency financing plan with liquidity (hereinafter referred to as the financing plan). The bank shall diversify the funding sources and set internal concentration limits, taking into account the following factors (but not limited to):

      1) types of funding sources in the context of products, tools, markets;

      2) urgency of funding;

      3) characteristics of the issuer, counterparty or creditor, including economic sector, geographical location;

      4) the currency of funding sources.

      The diversification goals are part of financing plans (up to and over a year) and are taken into account in the process of drawing up strategic and budget planning.

      The board of directors, the risk management committee and the management board of the bank shall be informed about the characteristics and diversification of funding sources and periodically review the funding strategy in order to immediately respond to changes in the internal and external environment.

      An important component of ensuring diversification of funding is providing access to financial markets, which is crucial in the efficiency and ability to attract funds from investors and counterparties. Providing access to relevant markets shall take into account, but is not limited to, the following:

      maintaining availability in financial markets selected for funding purposes;

      the opportunity to strengthen availability in selected financing markets;

      identification, establishment, maintenance of relationships with current and potential lenders providing funds;

      increasing the bank's capitalization in order to ensure the readiness of creditors to maintain relations with the bank.

      The bank identifies alternative funding sources that increase the bank's ability to withstand stressful situations and liquidity crises. Depending on the nature, severity and duration of the liquidity crisis, potential sources of financing include, but are not limited to, the following:

      deposit growth;

      extension of maturities;

      issue of short-term and long-term debt instruments;

      intragroup transfers of funds, sale of subsidiaries or lines of business;

      asset securitization;

      sale of existing highly liquid assets or the conclusion of repo transactions;

      containing the increase in volumes in the main areas of activity (for example, slowing down the issuance of loans).

      The board of directors of the bank, the risk management committee and the management board shall periodically evaluate and monitor the ability to quickly raise funds from each funding source in order to assess the effectiveness of ensuring liquidity in the long term.

      The board of directors of the bank approves a financing plan that clearly defines the process for eliminating liquidity shortages in emergency situations. The financing plan corresponds to the scale of the bank’s activities, risk profile, types and complexity of operations, assets and the role of the bank in the financial system. The financing plan includes a clear description of a diversified set of adequate, affordable, ongoing potential measures to ensure unforeseen expenses to maintain liquidity and reduce the cash deficit in various adverse situations.

      The financing plan shall contain:

      well-defined and accessible sources of financing in case of unforeseen circumstances, with an assessment of the possible amount of funds that are raised from these sources;

      the time required to attract additional funds from each of the sources of contingency financing;

      clear operating procedures governing:

      formation of the composition of executives (bodies, units) of the bank responsible for the development and implementation of the financing plan, indicating the powers and areas of their responsibility in order to ensure internal coordination and communication;

      a detailed algorithm of actions and their prioritization in relation to what actions need to be taken, who is responsible for their adoption, when and how these actions are implemented;

      several options for implementing various stressful situations.

      In order to ensure operational reliability, the financing plan is regularly tested and updated.

      59. The bank shall have a constant stock of unencumbered highly liquid assets that might be used as soon as possible without significant losses and discounts under various stressful scenarios, including events that entail loss of access or reduction in the volume of liquid funds provided by creditors, including against collateral, as well as placed by depositors.

      The required liquidity reserve shall be comparable with the bank's established risk appetite for liquidity risk. This requires determining the required size of the stock of unencumbered highly liquid assets to assess liquidity needs under stress. The assessment of liquidity needs under current conditions and during periods of stress shall include:

      both contractual and non-contractual cash outflows (inflows);

      unconditional demand of depositors to withdraw funds;

      and shall take into account the inability to obtain unsecured financing, as well as the loss or reduction of access to liquid funds.

      The necessary liquidity reserve shall mainly be formed from the highest quality liquid assets, such as:

      monetary funds;

      liquid government securities;

      financial market instruments that can be sold in periods of the most negative and of less negative stress scenarios as unencumbered liquid assets, sold or used as security without significant loss or discount.

      General characteristics for the determination of highly liquid assets include:

      transparency of its structure and risk profile;

      ease and certainty of the assessment;

      existence of a liquid market for a given asset in all stress scenarios;

      available market volumes for the asset, including bank stocks relative to normal market turnover;

      absence of legal, regulatory or operational barriers to using these assets in order to receive financing at any time to meet liquidity needs.

      Effective management of collateral shall be carried out through procedures including, but not limited to, those that determine:

      assessment of the bank's needs for assets that must be used as collateral, including assets that are currently pledged, taking into account the timing of their release;

      conformity assessment of each type of asset for use as collateral in relation to each type of main counterparties and secured financing markets;

      diversification of assets to be used as collateral by the issuer, volume relative to the capabilities of the financial market and counterparties, price sensitivity to avoid excessive concentration, and also taking into account various market stress scenarios;

      monitoring collateral by issuer, geographical location, currencies, in order to assess how quickly assets are mobilized if necessary.

      60. The stress testing system shall include an analysis of the types of stress testing used, stress testing scenarios, applicable assumptions, and a methodological basis for verifying the stability of the liquidity sufficiency indicator in case of changing market conditions and management measures.

      The bank shall periodically conduct stress testing on various factors of short-term and long-term scenarios, oriented both to the specifics of the bank, and to large-scale market stresses and the combination of both scenarios in order to analyze and quantify their impact on the level of liquidity and on the bank's cash flows, profitability and solvency.

      The results of stress tests shall be reviewed by the board of directors of the bank. Based on the results of the review, measures are taken to eliminate or mitigate the consequences to limit the impact on the bank, create the necessary liquidity reserve and adjust the liquidity level.

      The results of stress tests play a key role in formulating a bank financing plan and in determining a strategy and an ILAAP.

      The stress testing process shall include the following:

      the bank shall analyze the impact of stress scenarios on the liquidity position and estimate the level of liquidity risk occurrence when the internal and external environment changes, at different time periods (short-term, long-term), including on an intraday basis;

      the degree and frequency of stress testing is consistent with the chosen business model, the scale of activity, types and complexity of operations, as well as the role of the bank in the financial system. The bank shall have the ability to increase the frequency of stress testing in worsening market conditions or at the request of the board of directors of the bank or risk management committee;

      the board of directors of the bank shall take part in the stress testing process in terms of approving stress testing procedures and scenarios (including considering conservative stress scenarios even during periods of liquidity surplus), evaluating the results and, as a result, taking measures to minimize the liquidity risk identified during stress testing;

      in stress testing, the bank shall take into account the possible behavioral response of other market participants to market stress events and the extent to which the overall result strengthens market movement and aggravates the market load.

      In developing scenarios and additional stress testing, the bank is guided by the following:

      scenarios include all the main funding and liquidity risks in the market to which the bank is potentially exposed;

      the bank shall consider short-term and protracted, as well as idiosyncratic and market scenarios, regardless of how high the level of liquidity is at the moment, including:

      simultaneous lack of liquidity in several previously highly liquid markets;

      serious difficulties in accessing secured and unsecured funding;

      currency convertibility restrictions;

      serious operational or settlement failures affecting one or more major payment or settlement systems;

      the bank shall take into account the relationship between reduced liquidity in the market and funding restrictions;

      during stress testing, the bank shall consider the relationship of various types of risks;

      the bank shall take into account liquidity requirements in many currencies and several major payment and settlement systems;

      the bank shall take a conservative approach in determining the assumptions of stress testing. Based on the type and severity of the scenario, the bank shall take into account the relevance of a number of assumptions regarding its activities, which include, but are not limited to, the following:

      narrowing market-wide liquidity;

      outflow of retail and corporate funding;

      lack of access to new secured and unsecured sources of funding;

      need for significant discounts for the sale of assets and (or) repos;

      default of counterparties, including on the interbank market;

      possibility of establishing additional margin and collateral;

      possibility of changes in the timing of financing;

      liquidity aimed at fulfilling contingent liabilities for off-balance sheet instruments and operations, including credit lines;

      planned change in the volume of assets;

      non-renewability of interbank deposits;

      inability to use credit lines provided to the bank;

      impact of triggers on a significant decrease in credit ratings;

      conversion of funds of bank customers;

      decrease in the ability to sell liquid assets taking into account legal, regulatory, operational and time constraints;

      limited access to funds of the authorized body, companies of the quasi-public sector;

      limited operational ability of the bank to sell assets;

      significant decrease in the bank's credit rating;

      appearance of negative information about the bank, affecting the level of trust in the bank.

      Stress scenarios shall be analyzed by the bank on a regular basis in order to confirm their relevance. The analyses shall take into account changes in market conditions, changes in the nature, volume of assets or the complexity of the business model and activities of the bank, and actual experience in situations of stress.

      The board of directors of the bank shall approve stress testing scenarios and assumptions made, as well as the results of stress testing. The validity of the choice of scenarios and relevant assumptions of the bank shall be documented and considered along with the results of the stress test.

      The results of the stress test and predicted risks, as well as subsequent actions to minimize the negative impact, are reported and discussed with the board of directors of the bank and departments involved in the liquidity risk management process. The board of directors of the bank integrates the results of the stress testing process into the strategic and budget planning process of the bank. The results of stress testing shall be used to establish internal limits.

      The board of directors of the bank shall include the results of stress testing in the assessment and planning of the financing plan, including for purposes of correcting deficiencies in the plan.

      61. The bank shall annually conduct a self-assessment of the ILAAP to identify weaknesses in the process in terms of the following:

      1) liquidity management policies;

      2) process organization;

      3) procedures, systems and regulatory actions;

      4) level of liquidity and the availability of funding.

      Based on the results of the self-assessment and upon identifying inconsistencies and (or) weaknesses of the process, the bank shall draw up an action plan containing information on corrective actions to be implemented, including information on the responsible parties, expected deadlines, and required resources.

Chapter 7. Business Continuity Management

      62. The board of directors of the bank shall ensure the existence of a bank business continuity management system that is consistent with the current market situation, strategy, volume of assets, and complexity of the bank’s operations.

      The bank shall manage business continuity through procedures including, but not limited to, those listed in paragraphs 63-71 of the Rules.

      63. The bank shall carry out, according to the method defined in the internal document of the bank, an analysis of the impact on activities, through which the assessment shall be carried out of:

      1) impacts, damages or losses on personnel, premises, technologies or information of the bank;

      2) violations of the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;

      3) loss of reputation.

      An analysis of the impact on the bank's activities shall be carried out to determine the time frame for the restoration of critical activities, as well as to identify the resources necessary to resume and continue key activities in case of unforeseen circumstances (critical resources).

      To analyze the impact on its activities, the bank:

      assesses the amount of possible losses in connection with the downtime of providing critical products and services over time;

      sets the maximum acceptable period of downtime for each activity by identifying:

      the maximum period within which activity resumes;

      the period of time within which the normal level of activity is resumed;

      identifies types and levels of performance of activities, assets or other resources that need to be continuously maintained in a minimum working condition and (or) restored in a timely manner to provide critical products and services;

      determines the amount of resources minimally necessary for the restoration and further implementation of critical activities in emergency mode;

      sets a target recovery time for each of the critical activities. The target recovery time is less than the maximum allowable downtime of the corresponding product or service;

      establishes a recovery point between the last data backup and the start of downtime of a critical activity;

      ranks and prioritizes critical activities by target recovery time;

      identifies suppliers, counterparties and other interested parties on whom critical types of the bank’s activities depend, and how these parties assist the bank in unforeseen circumstances.

      64. The bank shall identify critical activities. An activity identified in the process of analysis of the impact on the activities of the bank, the loss of which has the maximum negative impact on the bank in the short term and which needs to be restored as soon as possible, is a critical type of activity.

      65. The bank shall determine the resources necessary to support critical activities, which include but are not limited to the following:

      1) personnel.

      In determining personnel as a resource necessary to support critical activities, the bank shall determine:

      the required number of employees;

      necessary skills and competencies;

      2) premises.

      When determining premises as a resource necessary to support critical activities, the bank shall determine:

      main and alternative sites;

      premises requiring increased protection;

      3) technology.

      In determining technologies as a resource necessary to support critical activities, the bank shall determine:

      information technology services supporting critical activities;

      telecommunication services supporting critical activities;

      other technologies supporting critical activities, including perimeter security, collection technologies;

      4) information.

      In determining information as a resource necessary to support critical activities, the bank shall determine:

      information necessary to carry out critical activities, including internal documents of the bank;

      the amount of information that needs to be restored (recovery target point);

      methods for storing, protecting and restoring information;

      5) suppliers, external services and supplies.

      The bank shall determine suppliers, external services and supplies on which the implementation of critical activities depends;

      6) financial resources.

      The bank shall determine the amount of financial resources that is potentially available for the implementation of the plan(s) of ensuring the continuity and restoration of the bank in case of unforeseen circumstances.

      66. The bank shall carry out contingency risk analysis, which allows assessing threats and vulnerabilities in critical activities and the resources they use. As threats that have a negative impact on resources, the bank shall consider threats including, but not limited to, the following:

      1) inaccessibility of employees;

      2) inaccessibility of technologies, including information and communication technologies (computer viruses, computer hardware failure, loss of communication);

      3) inaccessibility of supply (water, electricity);

      4) lack of access to buildings (premises);

      5) inaccessibility of key suppliers, contractors;

      6) inaccessibility of key information;

      7) inaccessibility of financial resources.

      67. The bank shall define contingency risk management measures that cover (but are not limited to) the following key resources:

      1) personnel;

      2) premises;

      3) technology;

      4) information;

      5) suppliers, contractors and supply channels.

      When choosing contingency risk management measures, the bank shall take into account the results of the analysis of the impact on the bank’s activities and shall determine, among other things, the internal procedure for interaction with external suppliers involved in restoration work, with external counterparties (depositors, creditors), shareholders of the bank, with the authorized body and other authorities, as well as with the media and other interested parties.

      When choosing measures to manage the risks of unforeseen circumstances, the bank shall take into account, but is not limited to the following factors:

      the maximum acceptable period of downtime for a critical activity;

      the costs of the implementation of the plan(s) for the continuity and restoration of activities;

      consequences of failure to take action;

      realistic risks and the magnitude of losses from their materialization;

      consistency with the established goals of the business continuity management system;

      consistency with policies and procedures for the management of business continuity.

      The bank shall define measures to maintain key knowledge and competencies to ensure the continuity of its activities. Measures include, but are not limited to, the following:

      regulation of the internal procedure for the implementation of critical activities;

      maintaining a list of additional competencies of personnel not used in daily activities for the redistribution of functions in the face of a shortage of workers;

      personnel training in professional skills, including cross-functional training.

      The bank shall determine measures to reduce the impact on the provision of critical products and services due to the lack of main premises. These measures include, but are not limited to, the following:

      provision of alternative facilities;

      transfer of personnel to other premises of the bank;

      use of workplaces of workers performing non-critical work;

      work at home or in remote premises.

      When choosing alternative premises, the bank shall take into account features including, but not limited to, the following:

      security of the premises;

      access to the premises;

      proximity to the main premises;

      availability of necessary communications.

      The bank shall determine measures to maintain the operability of information technology and communication services necessary to ensure business continuity.

      The bank shall determine measures to ensure the integrity, availability and confidentiality of information necessary to ensure business continuity in the event of a critical event.

      The bank shall determine the list of resources used (including material supply, financial resources) and measures to ensure their availability, including from external suppliers and contractors and other interested parties in the event of a critical event, which includes:

      storage of additional resources, including technological and telecommunication equipment, in storage facilities;

      agreements with the supplier on the urgent delivery (replacement) of resources in the warehouse;

      availability of alternative resource providers.

      68. The bank shall ensure the development and availability of plan(s) for ensuring continuity and (or) restoration of activities. The plan(s) for ensuring continuity and (or) restoration of activities meets the following principles:

      1) understandable to responsible executives;

      2) available for use by responsible executives;

      3) has goals and scope consistent with the business continuity management policy, including:

      a list of critical activities of the bank, as well as the maximum allowable downtime, including those requiring recovery;

      target recovery time for critical activities, including for information technology and telecommunications;

      measures to minimize the risk of loss of reputation;

      4) consistent with the actions of external organizations;

      5) contains a description of the functions and responsibilities of personnel involved in ensuring the continuity and restoration of activities;

      6) has an activation scheme, including:

      the decision-making procedure for activation, including a list of employees responsible for confirming activation and the conditions under which activation of the plan is required;

      a list of employees informed about the activation of the plan;

      7) contains a diagram of emergency external and internal communications, paying attention to:

      communications within the team of workers involved in the recovery and emergency provision of critical products and services;

      communications with external organizations involved in business continuity;

      communications with the authorized body;

      communications with the mass media and customers;

      communications with counterparties and other interested parties during the restoration work;

      communication methods;

      8) contains requirements for the minimum amount of resources and suppliers needed at various points in time for the restoration and emergency provision of critical activities;

      9) contains a sequence of actions for the restoration and continuous provision of critical activities, including:

      a scheme for involving third-party organizations in the recovery process;

      a scheme for involving counterparties and stakeholders of the bank in the process of restoring the bank's activities;

      the sequence and places of recovery of critical activities of the bank;

      the timing and place of restoration of critical information technology services, as well as the sequence of actions for their restoration, including restoration of network infrastructure in a new building, restoration of basic functionality, applications and databases, synchronization, backup, telecommunications;

      dates and places for mobilizing the necessary resources;

      10) contains all the necessary details, including the location of the reserve premises, routes, contacts of the authorized body and other authorities, organizations involved in the restoration of the bank, as well as ways to contact them;

      11) contains a method for documenting key information on the progress of work, decisions made and measures taken;

      12) has a scheme for:

      cancellation of emergency operation, including criteria to decide on completion of emergency operation;

      transition to a daily functioning mode;

      recovery of damaged internal banking processes after elimination of the consequences of unforeseen circumstances;

      13) has a sole owner of the plan responsible for maintaining and reviewing it.

      69. The bank shall test a plan (plans) to ensure continuity and (or) restoration of activities in order to determine that:

      1) critical activities are protected regardless of the severity of the critical event;

      2) these plans ensure the activities of the bank in unforeseen circumstances and the transition to daily operation.

      70. The bank shall:

      1) carry out testing in the event of significant changes in the activities of the bank;

      2) carry out testing both of individual elements of the business continuity management system and of the system in the aggregate, in order to verify the reliability of the system as a whole;

      3) carry out test planning in such a way as to minimize the impact of critical events that arise during the test;

      4) define the goals and objectives of each testing;

      5) determine the group of observers (testing controllers) from the bank employees responsible for the development of the plan (plans) for ensuring continuity and (or) restoration of activities, employees exercising internal control, and, if necessary, independent specialists from organizations specializing in the provision of advisory services in the field of business continuity and information security of the bank. A group of observers (testing controllers) shall carry out:

      control of each test;

      assessment of test results;

      drawing up a protocol on testing, its results and feedback, including the necessary corrective actions;

      coordination of the protocol with the heads of bank departments involved in testing and the plan (plans) for ensuring continuity and (or) restoration of activities;

      6) draw up and approve a report on the results of testing on the basis of an agreed audit protocol, which includes analysis of the test results, proposals on eliminating identified shortcomings and improving plans and other elements of the bank's business continuity management system.

      A report on the results of testing with proposals, if necessary, to improve the plan (plans) for ensuring continuity and (or) restoration of activities is sent to the risk management committee for review and the board of directors of the bank for approval.

      71. The board of directors of the bank shall ensure that there is a management information system that includes, but is not limited to, information on the status of implementation of procedures and processes for managing business continuity, revealed facts of violations of internal procedures and policies, incidents, results of inspections and plans to increase the bank’s stability and ability to restore certain operations.

Chapter 8. Information Technology Risk Management

      72. The board of directors of the bank shall ensure the existence of an information technology risk management system that matches the external operating environment, strategy, organizational structure, volume of assets, the nature and level of complexity of the bank’s operations and ensures the minimization of information technology risks.

      73. The information technology risk management system includes, but is not limited to, the following:

      1) information technology risk management policy;

      2) information technology risk management procedures;

      3) management information system;

      4) assessment of the effectiveness of the information technology risk management system by the internal audit unit.

      74. The bank shall determine the participants in the information technology risk management system, including, but not limited to, the following:

      1) bank risk management unit;

      2) information technology unit.

      75. The bank shall create a structural unit for risk management, whose functions include risk management of information technology, including:

      1) development, implementation and further development of a risk management system for information technology;

      2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring the availability of information and communication technologies;

      3) participation in the risk assessment of information technology;

      4) monitoring the level of risk of information technology;

      5) interaction with and advice to structural units of the bank on information technology risk management;

      6) planning and analysis of the results of an information technology risk assessment conducted by the information technology unit;

      7) development and formation of a risk register, including information technology risks;

      8) reporting to the risk management committee on the materialization of significant risks of information technology and monitoring the implementation of measures to eliminate their consequences;

      9) provision of reports or other information on information technology risk management to the board of directors;

      10) use of the results of internal audit in terms of information technology risks.

      76. The bank shall create a structural unit for information technology, whose functions include:

      1) conducting a risk assessment of information technology;

      2) development of measures for processing information technology risks and reporting on their implementation to the risk management unit;

      3) preparation and submission of reports on the materialization of significant risks of information technology to the risk unit of the bank, as well as on the elimination of their consequences;

      4) development of action plans for the implementation of the strategy of the bank in terms of ensuring the availability of information and communication technologies for critical business processes.

      The bank shall ensure the independence of the structural unit for risk management from the structural unit for information technology.

      77. The risk management unit shall develop an internal document that defines the procedure for managing information technology risks, which includes, but is not limited to, the following:

      1) information technology risk identification procedures;

      2) procedures for determining internal and (or) external factors affecting the materialization of each of the risks of information technology;

      3) procedures for assessing the possibility and consequences of all identified risks of information technology, applying qualitative and (or) quantitative methods of assessment, including on the basis of data on their materialization;

      4) procedures for the collection and storage of information on the materialization of significant risks of information technology;

      5) the procedures for the formation of a risk register, including the risks of information technologies;

      6) procedures for developing information technology risk treatment measures;

      7) procedures for monitoring the implementation of measures to handle the risks of information technology.

      78. The information technology unit shall develop an action plan to implement the strategy of the bank in terms of ensuring the availability of information and communication technologies for critical business processes, which discloses, but is not limited to, the following:

      1) determination of resource requirements, including the determination of the budget associated with the development of information and communication technologies;

      2) description of the required measures in the field of information and communication technologies, indicating the timelines and those responsible for their implementation.

      The bank shall ensure the existence of a management information system, including, but not limited to, the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on risk management of information technology of the bank, responsible executives (units) for the preparation and delivery of information to the relevant recipients.

Chapter 9. Information Security Risk Management

      79. The board of directors of the bank shall ensure the existence of an information security risk management system that is consistent with the external operating environment, the strategy of the bank, organizational structure, assets, the nature and complexity of the bank’s operations and is aimed at minimizing information security risks.

      80. The information security risk management system includes, but is not limited to, the following:

      1) information security risk management policy;

      2) information security risk management procedures;

      3) management information system;

      4) assessment of the effectiveness of the information security risk management system by the internal audit unit.

      81. The bank shall determine the participants in the information security risk management system, including, but not limited to, the following:

      1) bank risk management unit;

      2) information security unit;

      3) information technology unit;

      4) units-owners of protected information.

      82. The bank shall create a structural unit for risk management, whose functions include information security risk management, including:

      1) development, implementation and further development of an information security risk management system;

      2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring information security;

      3) creation and leadership of a working group on the formation of a list of critical information assets of the bank, including at least units that own information to be protected;

      4) participation in the information security risk assessment;

      5) monitoring the level of information security risks;

      6) interaction with and consultation of structural units of the bank on information security risk management;

      7) planning and analysis of the results of the information security risk assessment conducted by the information security unit;

      8) development and formation of a risk register, including information security risks;

      9) reporting to the risk management committee on the materialization of significant information security risks and monitoring the implementation of measures to eliminate their consequences;

      10) provision of reports or other information on information security risk management to the board of directors of the bank;

      11) use of the results of the internal audit in terms of information security risks.

      83. The bank shall create a structural unit for information security, whose functions include:

      1) conducting an information security risk assessment;

      2) development of measures for processing information security risks and reporting on their implementation to the risk management unit;

      3) preparation and submission of reports on the materialization of significant information security risks to the risk unit of the bank, as well as on elimination of their consequences;

      4) development of action plans for the implementation of the bank strategy in terms of ensuring information security.

      The bank shall ensure the independence of the structural unit for risk management from the structural unit for information security.

      84. The risk management unit shall develop an internal document that defines the procedure for managing information security risks, which includes, but is not limited to, the following:

      1) procedures for the identification and classification of information assets in order to identify critical information assets;

      2) procedures for identifying vulnerabilities of critical information assets;

      3) procedures for identifying potential threats in relation to critical information assets;

      4) procedures for identifying existing information security risk management measures;

      5) procedures for assessing the possibility and consequences of violation of confidentiality, integrity and availability of information assets, using qualitative and (or) quantitative methods of assessment, including on the basis of data on their occurrence;

      6) procedures for the collection and storage of information on the materialization of significant information security risks;

      7) procedures for the formation of a risk register, including information security risks;

      8) procedures for monitoring the implementation of measures to handle information security risks and.

      85. The information security unit shall develop an action plan for the implementation of the strategy of the bank regarding information security, which discloses, but is not limited to, the following:

      1) determination of resource requirements, including determination of the budget associated with the implementation of measures aimed at managing information security risks;

      2) description of the required measures in the field of information security with an indication of the time frame and responsible executors for their implementation.

      86. The units-owners of protected information, in the framework of information security risk management, carry out:

      1) providing a description of the protected information to the risk management unit;

      2) formation of a list of critical information assets of the bank as part of a working group on the formation of a list of critical information assets of the bank under the leadership of the risk management unit.

      87. The bank shall ensure the availability of a management information system, including, but not limited to the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on information security risk management of the bank, responsible executives (units) for the preparation and delivery of information to relevant recipients.

Chapter 10. Compliance Risk Management

      88. The board of directors of the bank shall control the compliance risk management process of the bank, create a compliance control unit in the bank, appoint and release from the post the chief compliance controller, and approve the compliance risk management policy.

      The compliance control unit shall organize procedures to comply with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the legislation of foreign countries that affect the activity of the bank and the bank's internal documents governing the procedure for the bank to provide services and conduct operations in the financial market, and shall provide complete and reliable information to the board of directors about the existence of compliance risk.

      The risk management committee shall be responsible for developing a compliance risk management policy to be approved by the board of directors and containing the basic principles of the compliance risk management board, including the principles of creating a compliance culture in the bank, on the basis of which compliance risk is identified and managed at all levels of the structure of the bank.

      89. The compliance control unit shall be responsible for developing a compliance risk management policy, ensuring compliance risk management and coordinating the activities of the bank in managing compliance risk. The compliance risk management policy of a branch of a non-resident bank of the Republic of Kazakhstan is developed by the compliance control unit of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan.

      A compliance control unit is a structural unit of the bank, independent of any activities of the bank’s structural units that constitute the first line of defense.

      The independence of the compliance control unit shall be ensured by the following factors:

      the compliance control unit has the status of an independent structural unit;

      employees of the compliance control department shall not hold part-time positions in other structural units of the bank;

      the head and employees of the compliance control unit shall not find themselves in a situation where there is a possible conflict of interest between their responsibilities for managing compliance risk and any other responsibilities assigned to them;

      the compliance control unit, within the framework of its competence, has access and, if necessary, requires any information from the bank’s structural units, and subsidiaries of the bank, and also involves employees of the bank and its subsidiaries to assist in the performance of the compliance control function.

      Footnote. Paragraph 89 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 02.24.2021 No. 43 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).

      90. The compliance control unit shall perform functions including, but not limited to, the following:

      1) development of internal procedures, methods and procedures for identifying, measuring, monitoring and controlling the bank’s compliance risk on a consolidated basis;

      2) development, implementation and ensuring the availability of internal control rules to combat ML/TF;

      3) formation of a compliance program (plan), which includes, among other things:

      risk management policy, taking into account the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating legalization (laundering) of proceeds from crime and financing terrorism, on joint stock companies;

      checking the bank’s compliance with the requirements of civil, tax, and banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, regulating the provision of services by the bank and conduct of operations in the financial market, as well as legislation of foreign countries that influences the activities of the bank to determine the degree of exposure of the bank to compliance risk;

      staff training on compliance risk management;

      4) assistance to the board of the bank in managing the bank’s compliance risk;

      5) consulting the management and employees of the bank on the norms of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, rules, policies related to compliance risk management, including informing about changes, except when such a function is performed by a legal unit of the bank;

      6) control of the organization of work in the bank to familiarize bank employees with the requirements of the internal documents of the bank regulating the procedure for the bank to provide services and conduct operations in the financial market;

      7) coordination of the activities of the bank’s subsidiaries on issues of compliance risk management, including ML/TF risk;

      8) mandatory participation in the process of introducing new banking products and services;

      9) ensuring the organization of measures in the bank to identify, assess and control conflicts of interest;

      10) developing independently or jointly with structural units and officials of the bank recommendations to eliminate identified violations and shortcomings in the bank’s work related to compliance risk management and submitting relevant information to the board of directors of the bank;

      11) development and maintenance of a compliance risk reporting system and periodic provision of information on issues of managing the bank’s compliance risk to the board of directors of the bank;

      12) compliance risk management with the bank’s structural units, including the internal audit department;

      13) coordinating the collection of quantitative and qualitative indicators to assess the risk of the bank’s involvement in ML/TF risks and transmitting information to the authorized body annually no later than February 5 of the year following the reporting year.

      Compliance risk management functions in accordance with the internal documents of the bank shall be delegated, if necessary, to other structural units of the bank, provided there is no conflict of interest.

      The provisions of subparagraphs 1) and 8) of this paragraph shall not apply to a branch of a non-resident bank of the Republic of Kazakhstan.

      Footnote. Paragraph 90 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated March 14, 2022 No. 21 (shall come into effect upon the expiration of ten calendar days after the day of its first official publication).

      91. The independence of the chief compliance controller shall be determined by:

      1) regardless of the authority, the chief compliance controller is appointed and dismissed by the board of directors of the bank;

      2) has unhindered access to the board of directors of the bank, without the participation of the board of the bank;

      3) has access to any information necessary for him to fulfill his duties;

      4) does not combine the position of chief operating officer, financial director, other similar functions of the bank’s operations, head of the internal audit unit.

      The combination of the functions of the chief compliance controller and the head of the compliance control unit is allowed.

      Interaction between the chief compliance controller and the board of directors and/or the risk management committee is carried out on a regular basis.

      Information on the appointment and dismissal of the chief compliance controller shall be communicated to the authorized body.

      At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for such a decision.

      92. The bank shall identify, measure, monitor and control compliance risk and develop compliance risk management procedures, which include, but are not limited to, the following:

      1) development of internal guidelines (instructions) for bank employees on the management of compliance risk, including the risk of money laundering and terrorist financing, by preparing internal documents;

      2) monitoring compliance by the bank and its employees with policies and procedures for managing compliance risk;

      3) collecting data on compliance risk events;

      4) analysis of complaints (applications) of customers for the availability of compliance risk;

      5) development and analysis of quantitative and qualitative indicators characterizing the degree of bank exposure to compliance risk;

      6) conducting investigations (checks), independently or jointly with structural units and (or) bank officials, of facts of violation by the bank employees of the legislation of the Republic of Kazakhstan governing the provision of bank services and operations in the financial market, as well as the laws of foreign countries that affect the activities of the bank, in accordance with the procedure determined by the internal document of the bank;

      7) providing advice on requests regarding the conformity of a particular transaction (deal) of a bank or part thereof with the legislation of the Republic of Kazakhstan, which regulates the provision of services by the bank and operations in the financial market, as well as the laws of foreign states that affect the bank's activities.

      93. In developing procedures for identifying, measuring, monitoring and controlling compliance risk, the bank shall take into account factors including, but not limited to, the following:

      1) the volume of assets, the nature and complexity of the bank's business;

      2) the availability of data for use as source information;

      3) the state of information systems and their capabilities;

      4) the qualifications and experience of the personnel involved in the compliance risk management process.

      94. The bank shall ensure a compliance risk management system that shall take into account:

      1) bank strategy and activities;

      2) the volume of assets, the nature and complexity of the depreciation of the bank;

      3) the complexity of the organizational structure of the bank;

      4) the level and types of risks inherent in the activities of the bank;

      5) the effectiveness of compliance risk management procedures applied by the bank in the past;

      6) potential internal organizational changes and (or) changes in market conditions;

      7) the legislation of the Republic of Kazakhstan governing the provision of services by the bank and conducting operations in the financial market, as well as the legislation of foreign states that affect the activities of the bank.

      95. The compliance risk management system includes, but is not limited to, the following:

      1) compliance risk management policies and procedures;

      2) ML/TF risk management policies and procedures, including a customer acceptance policy. When developing and implementing decision-making procedures for accepting a client for service, the bank shall take into account inherent risk factors;

      3) an assessment of the effectiveness of the compliance risk management system by the internal audit unit.

      The compliance risk management system is based on 3 (three) lines of defense:

      bank employees;

      compliance control unit;

      internal audit unit.

      96. Compliance risk management policies and procedures include, but are not limited to, the following:

      1) goals and objectives of compliance risk management;

      2) principles of compliance risk management, including principles of creating a compliance culture in the bank (culture of compliance by the bank and its employees with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the laws of foreign countries that affect the activities of the bank and internal documents of the bank governing the procedures for the provision of services by the bank and conducting operations in the financial market);

      3) the internal order, methods and procedures for managing compliance risk, including those based on a risk-based approach;

      4) the internal procedure, methods and procedures for managing the risks of the intentional or unintentional involvement of the bank and (or) its subsidiaries in the money laundering and terrorist financing processes, or other criminal activities (money laundering and terrorist financing risk);

      5) participants in the compliance risk management system based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;

      6) the authority and responsibility of the chief compliance controller, head of the compliance control unit;

      7) requirements for the professional qualities of employees of the compliance control unit;

      8) procedures for monitoring and coordinating the activities of bank subsidiaries on compliance risk management issues;

      9) the internal procedure for interaction and exchange of information between participants in the compliance risk management system.

      97. ML/TF risk management policies and procedures shall include, but are not limited to, the following:

      1) development and implementation of internal documents regulating the procedure for managing ML/TF risk, implementing financial monitoring and internal control to combat ML/TF;

      2) a methodology for assessing ML/TF risks in accordance with the internal control rules of the bank to combat ML/TF;

      3) the internal procedure for organizing risk management of the bank in the context of its structural units and (or) employees in terms of ML/TF;

      4) the presence of a customer acceptance and service program (customer acceptance policy);

      5) when developing and implementing procedures for deciding on accepting a client for service, the bank takes into account risk factors, including those identified and posted on the Internet resource of the authorized body.

      Internal procedures and the procedure for refusing to establish and terminate business relations with a client shall be developed taking into account risk factors posted on the Internet resource of the authorized body. Information on facts of refusal to establish and terminate business relations shall be sent to the authorized body quarterly, no later than the 5th (fifth) day of the month following the reporting quarter;

      6) the presence of an automated information system and procedures that allow the identification of transactions subject to financial monitoring, and also allow the timely submission of relevant information and information to the authorized body for financial monitoring.

      Footnote. Paragraph 97 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated March 14, 2022 No. 21 (shall come into effect upon the expiration of ten calendar days after the day of its first official publication).

Chapter 11. Internal Control

      98. The bank shall ensure the presence of an internal control system that corresponds to the current market situation, strategy, volume of assets, and level of complexity of the bank’s operations. Internal control is a process built into the daily activities carried out by the authorized collegial bodies of the bank, structural units and all bank employees in the performance of their duties, and aimed at achieving the following goals:

      1) ensuring the efficiency of the activities of the bank, including the efficiency of managing banking risks, assets and liabilities, ensuring the safety of assets;

      2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users, as well as information security;

      3) ensuring the bank’s compliance with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank;

      4) preventing the involvement of the bank and its employees, and bank clients in carrying out illegal activities, including fraud, deception, ML/TF, in carrying out operations on the territory of the Republic of Kazakhstan, related to transactions with a high risk of ML/TF, in carrying out operations on the territory of the Republic of Kazakhstan related to the further acquisition of unsecured digital assets on digital asset exchanges that are not members of the Astana International Financial Center that provide services for managing the digital asset platform.

      Concerning the participant of the Astana International Financial Center, which provides services for managing the digital asset platform, the bank assesses the ML/TF risk. When assigning a high level of ML/TF risk to a participant of the Astana International Financial Center providing digital asset platform management services, the bank shall apply enhanced customer due diligence measures, and shall be also responsible for:

      assessing the degree of exposure of services (products) provided to a participant of the Astana International Financial Center, which provides services for managing the digital asset platform, to ML/TF risks;

      carrying out due diligence procedures when establishing business relationships, which include, in addition to the due diligence measures provided for clients, additional measures to obtain and record information about the reputation and nature of the activities of the participant in the Astana International Financial Center providing services for managing the digital asset platform, the application of measures against him/her by the Astana International Financial Center Committee for the Regulation of Financial Services;

      termination of business relations with a participant of the Astana International Financial Center providing services for managing the digital assets platform, in cases where the bank identifies facts of use by a participant of the Astana International Financial Center providing services for managing the digital assets platform of accounts located in a shell bank;

      refusal to establish or terminate business relations with a participant of the Astana International Financial Center providing services for managing the digital assets platform, the founders of which are registered in the territory of a foreign state:

      included in the list of states (territories) that do not implement or insufficiently implement the recommendations of the Financial Action Task Force (FATF), compiled by the authorized financial monitoring body;

      subject to international sanctions in accordance with United Nations Security Council resolutions;

      included in the list of offshore zones in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2020 No. 8 "On establishing the List of offshore zones for banking and insurance activities, the activities of professional participants in the securities market and other licensed types of activities in the securities market, the activities of joint-stock investment funds and the activities of organizations engaged in microfinance activities," registered in the State Register of Normative Legal Acts under No. 20095;

      determined by the bank as posing a high risk of ML/TF based on other factors (information about the level of corruption, illegal production, trafficking and (or) transit of drugs, information about support for international terrorism, etc.).

      monitoring and studying transactions with money of a participant in the Astana International Financial Center, which provides services for managing the digital assets platform, as well as preventing the illegal withdrawal of funds abroad, including to offshore zones;

      taking measures established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism when suspicious transactions with money and (or) other property are identified (hereinafter referred to as Suspicious transactions);

      termination of business relations with a participant of the Astana International Financial Center providing services for managing the digital asset platform, in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;

      ensuring the verification of the source of origin of funds of a participant of the Astana International Financial Center, which provides services for managing the digital assets platform, when replenishing a bank account;

      ensuring the storage of records of transactions on money transactions and providing information to the authorized body for financial monitoring;

      ensuring the storage of at least five years of documents, data and (or) information received and collected as part of the due diligence of a participant in the Astana International Financial Center providing digital asset platform management services;

      verifying the affiliation and (or) involvement of a participant in the Astana International Financial Center, which provides services for managing the digital asset platform, and its beneficial owner to a public official, his/her spouse and close relatives in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime or the financing of terrorism;

      submission to the authorized body for financial monitoring of the necessary information when identifying suspicious transactions within the time limits established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime or the financing of terrorism.

      Concerning bank clients carrying out transactions with a participant of the Astana International Financial Center, which provides services for managing the digital asset platform, the bank, when conducting one-time banking transactions in an amount not exceeding 1,000 (one thousand) US dollars in equivalent at the market exchange rate on the date of the banking transaction, shall apply simplified customer due diligence measures, except for cases of suspicious transactions by customers.

      Concerning bank clients carrying out transactions with a participant of the Astana International Financial Center providing services for managing the digital asset platform, the bank, when conducting one-time banking transactions in an amount equal to or exceeding 1,000 (one thousand) US dollars in equivalent at the market exchange rate on the date of the banking transaction, applies enhanced customer due diligence measures and shall be responsible for:

      ensuring the verification of the source of origin of funds of bank clients when making a transfer in favor of a participant in the Astana International Financial Center, which provides services for managing the digital assets platform;

      taking measures established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism when suspicious transactions are identified;

      monitoring and studying transactions with money of bank clients, as well as preventing illegal withdrawal of funds abroad, including offshore zones;

      termination of business relations with bank clients in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism.

      When opening a bank account to service client transactions, a participant of the Astana International Financial Center providing services for managing the digital asset platform shall submit the following documents:

      license of a participant of the Astana International Financial Center, providing services for managing the digital asset platform, to provide financial services for managing the digital asset platform, issued by the Astana International Financial Center Committee for the Regulation of Financial Services;

      an extract from the register confirming registration as a participant in the Astana International Financial Center, which provides services for managing the digital asset platform;

      business plan and business model of a participant in the Astana International Financial Center, providing services for managing the digital asset platform;

      anti-ML/TF policy of a participant in the Astana International Financial Center, which provides services for managing the digital asset platform;

      an order on the appointment of the head of a participant in the Astana International Financial Center, which provides services for managing the digital asset platform;

      information about the executive body of the participant of the Astana International Financial Center, which provides services for managing the digital asset platform, and its head (identity document, confirmation of place of residence, letters of recommendation, information about the absence of an unexpunged or outstanding criminal record).

      Effective internal control shall be ensured by developing appropriate management controls and a control culture (control environment).

      Management control and control culture (control environment) shall characterize the general attitude, awareness and practical actions of the board of directors of the bank and the board of the bank aimed at the creation and effective functioning of the internal control system.

      Footnote. Paragraph 98 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated April 27, 2023 No. 14 (shall come into effect upon the expiration of ten calendar days after the day of its first official publication).

      99. Management control and control culture (control environment) shall be formed by the board of directors and the board of the bank on the basis of ethical principles, standards of professional activity and corporate governance, which together with their legislatively established duties and responsibilities ensure adequate control by the bank’s governing bodies including control of:

      1) the organization of the bank’s activities, including the development and implementation of the strategy of the bank, internal bank documents;

      2) the functioning of the banking risk management system and the assessment of banking risks;

      3) the distribution of powers in banking operations and other transactions;

      4) managing information flows (receiving and transmitting information) and ensuring information security;

      5) the creation and functioning of the internal control system.

      100. The bank shall ensure the existence and functioning of the bank’s internal control system, which includes, but is not limited to:

      1) principles of organizing an internal control system;

      2) requirements for the professional qualities of employees;

      3) the internal procedure and procedures for the implementation of internal control;

      4) the definition of participants in the internal control system based on three lines of defense, their authority, responsibility with a clear definition of the structure of accountability;

      5) the internal procedure for interaction and exchange of information between participants in the internal control system along three lines of defense;

      6) the internal procedure for amending internal documents of the bank and in cases of detection of deficiencies in the process of internal control.

      The bank’s internal control system shall be based on the following principles:

      participation in the internal control process of all structural units and employees of the bank and internal control organizations as daily activities at all management levels;

      internal control coverage of all areas of activity and business processes and regulation of internal control procedures in all areas and business processes of the bank;

      implementation of internal control on an ongoing basis (continuity).

      101. The bank shall determine the participants of the internal control system based on three lines of defense:

      1) the first line of defense is provided by the structural units of the bank. The heads of structural units shall be responsible for organizing and implementing internal control in the structural unit;

      2) the second line of defense is provided by risk management, compliance control, a legal unit, a personnel department, unit(s) performing financial control functions, and other structural units of the bank that exercise control functions;

      3) the third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the internal control system.

      102. The bank shall develop internal control procedures based on the following interrelated elements:

      1) control over risk management;

      2) control actions and separation of powers;

      3) information and interaction;

      4) monitoring and correction of deficiencies.

      103. The internal control system shall provide control over the timely identification and assessment on an ongoing basis of the risks inherent to the bank and the adoption of timely measures to minimize significant risks in accordance with the bank's internal documents. The internal control system provides, but is not limited to:

      1) consideration and accounting during risk assessment of internal factors (the complexity of the bank’s organizational structure, the nature of its activities, qualitative characteristics of personnel, organizational changes, personnel turnover), as well as external factors (changes in economic conditions and the situation in the banking sector, technological innovations) which negatively affect the achievement of the goals set by the bank;

      2) risk assessment in certain areas of the bank;

      3) carrying out by the bank of new operations and services, subject to the availability of their regulation in the bank's internal documents;

      4) ensuring timely informing of executives (departments, bodies of the bank), defined in the relevant internal documents of the bank, about the factors affecting the level of exposure of the bank to risks.

      The internal control system is subject to adjustment as any new or uncontrolled material risks are identified, including those related to the introduction of new services and products.

      104. Control activities include, but are not limited to:

      1) control carried out by the board of directors of the bank, committees of the board of directors and the board of the bank in order to identify and eliminate deficiencies in internal control, violations, errors;

      2) control carried out by the heads of structural units;

      3) control of physical availability and access to material assets, ensuring the protection of premises for the storage of material assets;

      4) verification of compliance with the established limits;

      5) a system of coordination and delegation of rights and powers;

      6) verification of the timely and correct reflection of the operations and transactions of the bank in accounting and reporting;

      7) verification of compliance with the policies and procedures of the bank in operations and transactions.

      Control actions within the framework of the separation of duties contribute to minimizing the conflict of interests and the conditions for its occurrence, committing unlawful actions, as well as preventing the provision of the same structural unit and (or) employee with the opportunity:

      to make banking operations and other transactions and at the same time carry out their reflection in accounting;

      authorize the payment of money and carry out their actual payment, taking into account the limits established by the bank's internal documents;

      conduct operations on bank accounts of customers and accounts reflecting their own financial and economic activities of the bank;

      evaluate the reliability and completeness of the documents presented at the time of loan issuance, and monitor the repayment of the loan;

      perform actions in any other areas of activity in which a conflict of interest arises.

      Depending on the bank's operations, the following control methods shall be used:

      double control (the "four-eye" and "shared access" principles).

      The “four eyes” principle requires that the work of one employee be checked (approved) by another employee in order to involve the second employee in verifying the correctness of calculation, authorization and documentation of the operation.

      The principle of “shared access” implies a procedure in which 2 (two) or more employees are equally responsible for the physical protection of values and documents. Responsibility shall be established by the relevant internal document of the bank and shall be brought to the attention of all employees;

      analysis of operations.

      Preliminary analysis of the operation to prevent an incorrect or unauthorized operation.

      Subsequent analysis after its completion in order to reveal the fact of an unauthorized operation.

      To ensure the effectiveness of the subsequent analysis, it is necessary that the executive conducting the subsequent analysis be independent of the workers conducting this operation;

      reports on the results of operations to provide bank management with information on bank performance, financial conditions and deviations from the budget;

      training bank personnel in control techniques and error detection;

      data protection;

      providing protection against personnel errors;

      checking for errors in order to detect them in a timely manner.

      105. From the position of internal control, reliable and detailed financial and operational information is required, as is information on compliance with the established requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as incoming external market information about events and conditions related to decision-making. The collection, analysis of information and its transfer to its intended purpose shall involve ensuring:

      1) the board of directors of the bank, the board of the bank and the executives (units, bodies of the bank) specified in the relevant internal documents with information for making decisions and performing their duties;

      2) the availability of information flows that ensure the integrity, security and accessibility of information inside and outside the bank;

      3) adequate control over the management of information flows and information security of the bank.

      Internal control of the functioning of information systems and technical means provides for the control of information technology systems, which is carried out in order to ensure their security, uninterrupted and continuous operation.

      From the position of internal control, compulsory accounting of all bank operations and transactions is ensured.

      Monitoring the timeliness, reliability and sufficiency of the financial information of the bank requires verification of the following (but not limited to):

      information systems providing accounting in the bank for compliance with the legislation of the Republic of Kazakhstan in the field of accounting and financial reporting and IFRS;

      availability in the bank of internal documents on accounting;

      ensuring chronological and timely registration of operations and events in accounting;

      ability to generate financial statements at the end of each business day;

      correspondence of synthetic (final) accounting to analytical (detailed) accounting;

      regular checks of accounting records by employees who are not involved in the process of authorizing or reporting transactions in the financial statements;

      accounting records based on primary documents and ensuring the proper design and preservation of primary documents.

      106. Monitoring of the internal control system of the bank on an ongoing basis shall be carried out by the first and second line of defense, as well as the board of the bank.

      Significant internal control deficiencies shall be reported to the board of directors of the bank.

      The internal audit unit shall evaluate the effectiveness of internal control.

      The Risk Management Committee shall exercise control over the functioning of the internal control system.

      107. The management reporting of the bank on internal control shall include the information on significant violations and deficiencies identified in the process of internal control, as well as on the results of decisions made or measures to eliminate them.

Chapter 12. Internal Audit

      108. The bank shall ensure the functioning of an internal audit taking into account the strategy, organizational structure, volume of assets, nature and level of complexity of the bank's operations. The internal audit unit shall have clearly defined powers, be independent in its activities, and be accountable to the board of directors of the bank. The internal audit unit shall have sufficient resources and powers to carry out its functions and responsibilities objectively and efficiently.

      The head and employees of the internal audit unit shall not hold a different position, shall not be members of the collegial body of the bank, and shall not combine responsibilities in the bank and (or) subsidiaries.

      The internal audit unit shall be guided in its activities by international standards of internal audit.

      109. The board of directors of the bank and the internal audit committee shall contribute to improving the efficiency of the internal audit unit by:

      1) ensuring unlimited access for employees of the internal audit unit to any documents, information and objects of the bank, including access to systems, records and minutes of meetings of collegial bodies of the bank;

      2) establishing requirements for the internal audit unit to independently evaluate the effectiveness of the system of internal control, risk management system, corporate governance in all areas of the bank's business;

      3) establishing requirements for internal auditors to comply with the code of ethics and requirements of the banking legislation of the Republic of Kazakhstan, the laws of the Republic of Kazakhstan on joint stock companies;

      4) establishing requirements for employees of the internal audit unit to have sufficient knowledge of banking activities and internal audit methods, the skills to collect the necessary and sufficient information, the ability to analyze and evaluate to perform their duties;

      5) establishing requirements for the board of the bank to timely and effectively implement the action plan to eliminate violations and deficiencies identified as a result of the audit;

      6) requirements to conduct a periodic assessment of the effectiveness of the bank's risk management system, internal accounting procedures, preparation and ensuring the integrity of financial and regulatory reporting, the compliance risk management system, and the internal control system.

      The internal audit unit shall carry out an independent, comprehensive assessment of the effectiveness of corporate governance, internal control, and risk management systems.

      The internal audit unit uses a risk-based approach in developing its plans and actions, forms an independent, informed opinion on the risks inherent in the bank's activities, and shall carry out appropriate assessments of internal processes.

      110. The effective activities of the internal audit unit shall be based on the following principles:

      1) independence and objectivity, which are achieved through the following:

      conducting an audit in any units of the bank and in any areas of activity based on a risk-based approach;

      absence of involvement of the internal audit unit in the development, implementation and application of internal control measures;

      absence of a conflict of interest in the activities of employees of the internal audit unit;

      rotation in the duties between employees of the internal audit unit, if possible, without prejudice to the competence and professionalism of employees;

      absence of connection between the remuneration of employees of the internal audit unit and the financial results of the structural units of the bank. The bonus part of the remuneration of the head and employees of the internal audit unit shall be established in such a way as to exclude the occurrence of a conflict of interest and not question the independence and objectivity of the internal audit unit;

      submission of reports of the internal audit unit for consideration by the board of directors and the committee on internal audit issues and, for review without the right to adjust such reports, to the board of the bank;

      accountability of the head of the internal audit unit directly to the board of directors of the bank, which appoints the head to the post, controls the head's activities and, if necessary, makes a decision on dismissal;

      Information on the decision to release the head of the internal audit unit from the position shall be brought to the attention of the authorized body. Upon receipt of a request from the authorized body, the bank shall provide an explanation of the reasons for making this decision;

      2) professional competence and professional discretion, which meet the following characteristics:

      the ability of employees of the internal audit unit to collect and perceive information, verify and evaluate the revealed facts and interact with employees of the internal audit unit;

      responsibility of the head of the internal audit department for staffing, and constant monitoring and assessment of the required level of skills;

      the level of qualifications and skills of employees of the internal audit unit and (or) involved third-party experts that meet the requirements of professional competence, and the ability to conduct an internal audit of the bank's audited areas of activity at the proper level;

      professional development in order to comply with changes in the internal and external environment;

      3) professional ethics, which meets the following principles:

      conscientious performance of duties by employees of the internal audit unit, their responsibility, decency and honesty;

      maintaining confidentiality of information obtained in the course of the performance of official duties;

      exclusion of a conflict of interest. Employees of the internal audit unit accepted from among bank employees are not allowed for the next 12 (twelve) months from the day they are transferred to the internal audit unit to conduct an audit of the unit in which they worked;

      the employees of the internal audit unit comply with the requirements of internal documents, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint stock companies.

      111. The bank shall approve the regulation on the internal audit unit in order to ensure operational efficiency. The regulation includes, but is not limited to:

      1) the status of the internal audit unit in the bank, the powers, duties and internal procedures for interaction with other units of the bank;

      2) the tasks and scope of the internal audit unit;

      3) the responsibilities of the internal audit unit to inform the board of directors, the management board and other interested departments of the bank about the results of the work performed;

      4) the conditions under which the internal audit unit provides advice;

      5) responsibility and accountability of the head of the internal audit unit;

      6) requirements to be guided by international standards of internal audit;

      7) procedures for the interaction of the internal audit unit with the external auditor of the bank;

      8) the powers of the internal audit unit in the course of business (including verification of any unit and type of activity of the bank and its subsidiaries, unlimited access to bank documents, data, material objects, management reporting, records and minutes of all meetings, and adopted decisions).

      112. The scope of activity of the internal audit unit includes the assessment of:

      1) the effectiveness of the risk management system and internal control;

      2) the effectiveness of bank policies and procedures;

      3) the reliability of the accounting system and information;

      4) the reliability, efficiency and integrity of management reporting systems (including relevance, accuracy, completeness, accessibility, confidentiality and comprehensiveness of data);

      5) the safety of assets and capital.

      113. The activities of the internal audit unit adequately cover all issues of regulation of the bank's activities (based on a risk-based approach), in particular:

      1) risk management, including:

      assessment of the organization of the risk management process, including the responsibilities of structural units;

      assessment of compliance of the bank's activities with a risk appetite strategy and risk appetite determination procedures;

      assessment of the effectiveness of the internal procedure for informing and disseminating issues and decisions adopted in the framework of risk management;

      assessment of the effectiveness of risk management systems, including identification, assessment, monitoring and control, response, reporting on risks arising in the activities of the bank;

      assessment of the process of generating data in information systems, and used in the framework of risk management, with a view to ensuring accuracy, reliability and completeness;

      assessment of the approval process and application of risk assessment models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models.

      If during inspections the internal audit unit revealed significant facts of decision-making by the bank's management in the presence of a negative opinion of the risk management unit(s), such facts shall be brought by the internal audit unit to the notice of the board of directors of the bank;

      2) internal control system, including:

      checking the organization of the internal control system;

      assessment of processes and procedures of internal control;

      assessment of management information on internal control for reliability, completeness and timeliness;

      3) capital adequacy and liquidity, including:

      assessment of the effectiveness of internal processes for assessing capital adequacy and liquidity, the adequacy of the ratio of capital, liquidity and risks taken by the bank, compliance with mandatory standards;

      assessment of stress testing processes for capital and liquidity levels, taking into account the frequency of stress tests, testing tasks, realistic scenarios and assumptions made, process reliability;

      4) regulatory and management reporting.

      The internal audit unit shall evaluate the effectiveness of risk management and reporting processes for the bank management and the authorized body;

      5) compliance.

      Assessment of the effectiveness of processes and procedures for managing compliance risk and ML/FT risk;

      6) the activities of the financial unit:

      assessment of the process of generating initial financial data with a view to ensuring their adequacy, accuracy and completeness, and subsequent presentation of key data, including financial results, assessment of financial instruments and reduction of their value;

      assessment of the approval process and application of pricing models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models;

      assessment of existing control mechanisms to prevent and detect violations of the rules of operations;

      assessment of bank procedures for measuring and monitoring bank positions in terms of liquidity, currency and interest rate for compliance with the risk profile of the bank, the external environment and minimum regulatory requirements;

      selective testing of bank transactions for their compliance with policies and procedures during the audit and assessment of the effectiveness of internal control measures in relation to these transactions;

      assessment of the effectiveness of accounting processes, including control procedures.

      114. Based on the results of audits, a report shall be generated on the results of the internal audit, which contains, but is not limited to, the following:

      1) general information, including goals, scope, timing of the audit, information on the composition of the audit team;

      2) a list of violations and deficiencies identified during the audit, indicating the reasons for the violations and deficiencies, and their impact on the bank's activities;

      3) recommendations for eliminating identified violations and deficiencies;

      4) a list of executives to whom the audit report is sent.

      The report on the results of the internal audit is sent to the board of the bank for review; the material facts and conclusions drawn are sent to the bank's audit committee and board of directors.

      115. The head of the internal audit department shall be responsible for preparing the annual audit plan based on a risk-based approach, which includes, but is not limited to:

      1) the purpose and scope of the audit;

      2) areas subject to audit;

      3) the timing of the audit;

      4) the necessary personnel and other resources.

      The annual audit plan shall be based on a risk assessment and, if necessary, shall be reviewed during the year.

Chapter 13. Outsourcing

      116. In the case of outsourcing certain operations and (or) business processes to external contractors, the board of directors of the bank shall ensure the existence of effective principles and practices for managing risks arising from the involvement of external contractors. Activities to attract external contractors shall include:

      1) procedures for determining which functions are transferred to outsourcing and how;

      2) the process of verifying the reliability of the financial condition of the company when selecting potential counterparties;

      3) reliable principles for concluding contracts with external contractors, taking into account the structure of their property, the conditions of confidentiality and providing for the right to terminate the contracts;

      4) risk management and monitoring programs related to the conclusion of such contracts, taking into account the financial position of the service provider;

      5) creation of conditions for effective control at the bank and in the organization that provides services;

      6) the development of effective plans in case of unforeseen circumstances;

      7) the implementation of complex contracts and (or) contracts for the provision of services with a clear distribution of responsibilities between the organization that provides services and the bank.

Chapter 14. Collateral management

      Footnote. The Rules are supplemented by Chapter 14 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall come into effect from July 1, 2023).

      117. The bank shall ensure the functioning of a collateral service unit that takes into account the strategy, organizational structure, volume of assets, nature and level of complexity of the bank’s business. The collateral service unit shall have clearly defined powers. The resources of the collateral service unit shall be determined by the bank taking into account the need to perform its functions and responsibilities objectively and efficiently.

      The head and employees of the collateral service department shall not hold positions in other structural units of the bank when there is a possible conflict of interest between their responsibilities for assessing collateral and any other responsibilities assigned to them.

      The collateral service unit shall be guided in its activities by the requirements of the legislation of the Republic of Kazakhstan, assessment standards and (or) international valuation standards.

      118. The internal documents of the bank help improve the efficiency of the collateral service unit by establishing:

      1) requirements for the collateral service unit to conduct an internal assessment of collateral as part of making decisions on issuing a loan and managing credit risk;

      2) requirements for employees of the collateral service unit to have sufficient knowledge about valuation activities and valuation methods, skills in collecting necessary and sufficient information, the ability to conduct analysis and evaluation to perform their job duties;

      3) requirements to conduct periodic assessments of the effectiveness of the collateral service.

      119. The effective operation of the collateral service unit shall be based on the following principles:

      1) absence of a conflict of interest in the activities of employees of the collateral service unit;

      2) the lack of connection between the remuneration of employees of the collateral service unit and the financial results of the activities of other individual structural units of the bank. The bonus portion of the remuneration of the head and employees of the collateral service unit shall be established in such a way as to exclude the emergence of a conflict of interest and not to cast doubt on the objectivity of the activities of the collateral service unit;

      3) professional competence of the employees of the collateral service unit (the head of the collateral service unit shall have a certificate of qualification as an "appraiser" issued by the chamber of appraisers, and membership in one of the chambers of appraisers in accordance with the Law of the Republic of Kazakhstan "On appraisal activities in the Republic of Kazakhstan").

      120. The bank shall approve the regulations on the collateral service unit to ensure the efficiency of activities. The regulations shall include, but not be limited to, the following:

      1) the status of the collateral service unit in the bank, powers, responsibilities and internal procedures for interaction with other units of the bank;

      2) the tasks and scope of activity of the collateral service unit;

      3) responsibility and accountability of the collateral service unit;

      4) requirements for compliance with national assessment standards;

      5) requirements for maintaining a statistical journal of the value of collateral.

  Appendix
to the Rules for formation
of risk management and internal
control system for second-tier banks,
branches of non-resident banks
of the Republic of Kazakhstan

The structure of the report on compliance with the internal capital adequacy assessment process and the internal liquidity adequacy assessment process

      Footnote. The Rules are supplemented by an Appendix in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 No. 119 (shall be enforced ten calendar days after the day of its first official publication).

Chapter 1. General principles of the internal capital adequacy assessment process and the internal liquidity adequacy assessment process

      1. The general basis of the internal capital adequacy assessment process and the internal liquidity adequacy assessment process shall include, but not be limited to, the following sections:

      1) the general system of the internal process for assessing capital adequacy (hereinafter referred to as the ICAAP) and the internal process for assessing liquidity adequacy (hereinafter referred to as the ILAAP);

      2) information about the structure of risk appetite;

      3) information about stress testing;

      4) information systems.

      2. The section "General system of ICAAP and ILAAP" shall include, but not limited to, the following subsections:

      1) current business model.

      Information about the current business model shall include, but not limited to, the following description:

      the chosen business model, indicating its main activities, geographical territories, branches and products;

      data allowing to assess the bank's ability to create profit, broken down by key profitability indicators, including ratios calculated by the bank (return on capital ratio, return on assets ratio);

      data on the dynamics of regulatory capital adequacy;

      data on the dynamics of assets and liabilities, including the funding structure;

      data on compliance with minimum regulatory requirements concerning capital adequacy and liquidity ratios;

      2) strategy and budget.

      The Strategy and Budget Information shall include, but not be limited to, the following:

      development strategy, including the bank’s goals and the time frame for achieving them;

      links between ICAAP and ILAAP and bank strategy;

      3) governance and risk management system.

      Information about the governance and risk management system shall contain, but not limited to, the following description:

      organizational structure and interaction between structural units on ICAAP and ILAAP issues, including the system of authorized collegial bodies of the bank, rules and procedures for risk management;

      the level of competence of risk management committee members, including their general management skills, knowledge and experience;

      regular meetings of the authorized collegial bodies of the bank on ICAAP and ILAAP issues;

      information on management reporting generated within the framework of the ICAAP and ILAAP, which are filled out in accordance with Table 1 of the Appendix to the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy (hereinafter referred to as the Structure).

      3. The section "Information on the structure of risk appetite" shall contain, but not limited to, the following description:

      a general risk appetite management system, including the presence of authorized collegial bodies of the bank responsible for the implementation of processes, control measures and information systems;

      accepted risks under which the bank operates as part of the implementation of the bank’s overall strategy;

      risk profile of the activities of the bank;

      risk appetite levels;

      the results of assessing the acceptability of the established risk appetite in the current period and how acceptable it will be in the future;

      Information about limits on risk appetite levels is filled out in accordance with Table 2 of the Appendix to the Structure.

      4. The "Stress Testing Information" section shall contain, but not limited to, the following description:

      stress testing procedures and approved stress testing scenarios;

      results of stress testing for risk metrics, strategy and budget indicators, risk appetite, and other indicators approved by the bank;

      integration of stress testing results into the risk management and control system;

      interaction (integration) between solvency and liquidity stress tests, including stress tests specific to ICAAP and ILAAP.

      5. The "Information Systems" section shall contain, but not limited to, the following description:

      information systems used to manage bank risks, including those used to monitor the quality of the loan portfolio, as well as ensure the functioning of the liquidity risk management system;

      information systems used to provide complete, reliable and timely financial, regulatory and management information;

      processes for collecting, storing and aggregating risk data at various levels;

      the data flow and data structure used for the ICAAP and ILAAP, including a description of the data checks applied.

Chapter 2. Information about ICAAP

      6. Information about the ICAAP shall include, but not limited to, the following sections:

      1) general ICAAP system;

      2) identification, assessment, control and monitoring of risks;

      3) internal (economic) capital and distribution of internal (economic) capital;

      4) stress testing;

      5) self-assessment.

      7. The "General ICAAP System" section shall contain, but not limited to, the following subsections:

      goals and scope of ICAAP;

      information about the ICAAP processes, which are filled out in accordance with Table 3 of the Appendix to the Structure;

      a list of risks covered by the ICAAP, with justification for possible differences between the risks covered by the ICAAP and the risk appetite.

      8. Section "Identification, assessment, control and monitoring of risks" shall contain, but not limited to, the following subsections:

      1) identification and assessment of significant risks.

      Information on identifying significant risks shall include, but not limited to, the following description:

      methodology for identifying risks, distribution by type of risks to which the bank is exposed or may be exposed in the future in the course of doing business and implementing the strategy, determining materiality;

      risk assessment methodologies, including using quantitative and qualitative methods;

      roles and responsibilities of departments as part of the process of identifying significant risks.

      Information about the bank's risk structure is filled out in accordance with Table 4 of the Appendix to the Structure.

      Information on the interest rate risk of the banking portfolio shall contain, but not limited to, the following:

      Information on the current value of the bank's banking book filled out in accordance with Table 5 of the Appendix to the Structure;

      Information on net interest income filled out in accordance with Table 6 of the Appendix to the Structure;

      2) control and monitoring of significant risks.

      Information on the implementation of control and monitoring of significant risks shall contain, but not limited to, the following description:

      processes for control and monitoring of significant risks, indicating the functions and responsibilities of the bank’s units;

      control, monitoring and risk mitigation tools used;

      volumes of accepted risks, indicating established risk limits.

      9. Section "Internal (economic) capital and distribution of internal (economic) capital" shall contain, but not be limited to, the following subsections:

      1) internal (economic) capital.

      Information on internal (economic) capital shall contain, but not be limited to, the following:

      description of the calculation methodology, models for assessing internal (economic) capital for all significant risks;

      description of the data used to assess internal (economic) capital;

      the amount of necessary internal (economic) capital.

      Information on the assessment of internal (economic) and regulatory equity capital is filled out in accordance with Table 7 of the Appendix to the Structure;

      2) capital distribution.

      Capital distribution information shall include, but not be limited to, the following description:

      methodology and assumptions used to allocate internal (economic) capital for each significant type of risk;

      application of stress testing results.

      10. The "Stress Testing" section shall contain, but not be limited to, the following subsections:

      1) stress testing scenarios.

      Information about stress testing scenarios shall include, but not be limited to, the following:

      description of stress testing methods and scenarios in the context of significant risks, their frequency, methodology and assumptions used;

      justification of the reason for choosing the scenario under consideration for stress testing;

      a list of the main financial and economic factors taken into account as part of stress testing;

      sources of information about financial and economic factors.

      Information about stress testing scenarios shall be filled out in accordance with Table 8 of the Appendix to the Structure;

      2) quantitative and qualitative analysis.

      Information on quantitative and qualitative analysis shall include, but not be limited to, the following description:

      models and validity of using selected models;

      the main results of the internal assessment of capital adequacy in stressful situations, indicating the impact on the financial condition of the bank, including an assessment of the size and adequacy of internal (economic) and regulatory capital;

      the impact of the scenario results on the bank's business model, strategy and significant risks under the ICAAP;

      approach to integrating stress testing results into the process of setting internal limits.

      11. The "Self-assessment" section shall contain, but not be limited to, the following subsections:

      1) planned activities of the reporting period.

      The bank describes the activities planned for the reporting year, including activities to ensure compliance with the required level of internal (economic) capital, and the corresponding results of the measures taken;

      2) general assessment.

      The bank shall analyse and evaluate the entire process, including internal rules, controls, resources, measurement and reporting systems;

      3) identifying areas requiring improvement.

      The bank shall describe areas requiring improvement and also describe the results of the previous assessment, including corrective actions completed or in progress;

      4) corrective actions.

      The bank shall describe planned actions to improve the areas identified during the self-assessment.

Chapter 3 Information about ILAAP

      12. Information about ILAAP shall include, but not be limited to, the following sections:

      1) general ILAAP system;

      2) identification, assessment, monitoring and control of liquidity risk;

      3) funding strategy and contingency plan;

      4) management of liquidity buffer and collateral;

      5) stress testing;

      6) self-assessment.

      13. Section "General ILAAP system" shall contain, but not be limited to, the following subsections:

      goals and areas of application of the ILAAP;

      information about the ILAAP processes, which are filled out in accordance with Table 9 of the Appendix to the Structure.

      14. Section "Identification, assessment, monitoring and control of liquidity risk" shall contain, but not be limited to, the following subsections:

      1) identification and assessment of liquidity risk.

      Information on identifying and assessing liquidity risk shall include, but not be limited to, the following description:

      methodology for identifying liquidity risk;

      risk assessment methodologies, including using quantitative and qualitative methods;

      process of forecasting cash flows for assets, liabilities and off-balance sheet instruments over different time horizons;

      description of the functions and responsibilities of departments as part of the process of identifying and assessing liquidity risks;

      2) monitoring and control.

      Information on monitoring and controlling liquidity risk shall include, but not be limited to, the following description:

      processes for control and monitoring of liquidity risks over different time horizons, indicating the functions and responsibilities of bank units;

      early warning indicators;

      the tools used to control, monitor and mitigate liquidity risk over different time horizons;

      procedures for managing intraday liquidity risk;

      volumes of accepted risks, indicating established limits on liquidity risk.

      15. The section "Funding strategy and contingency financing plan" shall contain, but not be limited to, the following subsections:

      1) funding strategy.

      Funding strategy information shall include, but not be limited to, the following description:

      types of funding sources in the context of products, instruments, and markets;

      the main factors influencing the ability to attract funding;

      alternative sources of funding;

      assessing their capabilities to attract funding, including indicating:

      a quantitative review of funds raised;

      main markets and products used;

      a review of planned cash outflows indicating the timing of the obligation;

      2) contingency financing plan.

      Contingency financing plan information shall include, but not be limited to, the following:

      sources of financing in case of unforeseen circumstances;

      the time required to raise additional funds from each contingency funding source;

      the procedure for developing a financing plan in case of unforeseen circumstances, indicating responsible persons;

      algorithm of actions of responsible persons for the implementation of the financing plan in case of unforeseen circumstances;

      contingency plan testing results and update information.

      16. The section "Management of liquidity buffers and collateral" shall contain, but not be limited to, the following subsections:

      1) liquidity buffer.

      The bank shall describe the quantitative expression of the required volume of highly liquid assets, which is considered sufficient to meet liquidity needs, including under stress conditions, as well as the quantitative expression of the existing liquidity buffer.

      Information about the liquidity buffer shall include, but not be limited to, the following:

      methodology and assumptions for calculating the required liquidity reserve;

      the definition applied by the bank concerning high-quality liquid assets and their composition;

      criteria for determining the liquid value of assets;

      description of concentration risk management within the liquidity buffer;

      description of the comparability of the liquidity reserve with the established risk appetite;

      2) collateral management.

      Collateral management information shall include, but not be limited to, the following:

      a review of the methodology regarding the management of collateral, distinguishing between encumbered and unencumbered assets, as well as a quantitative review of the amount of collateral available;

      a review of the monitoring of collateral requirements and limits (if any), which takes into account any additional requirements that arise as a result of potential liquidity problems (for example, changes in market and/or financial condition, changes in credit rating).

      17. The "Stress Testing" section shall contain, but not be limited to, the following subsections:

      1) stress testing scenarios.

      Information about stress testing scenarios shall include, but not be limited to, the following:

      description of stress testing methods and scenarios, their frequency, methodology and assumptions used;

      justification of the reason for choosing the scenario under consideration for stress testing;

      a list of the main financial and economic factors taken into account as part of stress testing;

      2) quantitative and qualitative analysis.

      Information on quantitative and qualitative analysis shall include, but not be limited to, the following description:

      quantifying the impact of stress testing results on liquidity and funding indicators (indicating the impact on each risk metric);

      integration of stress testing results into the process of strategic and budget planning and into the process of establishing internal limits;

      integrating stress testing results into the assessment and planning of the contingency financing plan, including correcting deficiencies in the contingency financing plan.

      Information on the results of stress testing is filled out in accordance with Table 10 of the Appendix to the Structure.

      18. The "Self-assessment" section shall contain, but not be limited to, the following subsections:

      1) planned events.

      The bank shall describe the activities planned for the reporting year based on the results of the self-assessment and the corresponding results of the measures taken;

      2) general assessment.

      The bank conducts an assessment of organizational processes to identify weaknesses in the process, in terms of liquidity management policy, organization of the process, procedures, systems and control actions, level of liquidity and availability of funding;

      3) identifying areas requiring improvement.

      The bank shall describe areas requiring improvement and also describe the results of the previous assessment, including corrective actions completed or in progress;

      4) corrective actions.

      The bank shall describe planned actions to improve the areas identified during the self-assessment.

  Appendix
to the Report Structure on compliance
with the internal process for assessing
capital adequacy and the internal
process for assessing liquidity adequacy

      Table 1

Information on management reporting generated within the framework of ICAAP and ILAAP

| No. | Report name | The authorized collegial body of the bank approving the report | Frequency and (or) date of approval for the reporting period | Responsible department |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 |
| | | | | |
| | | | | |

      Note:

      All reporting generated as part of the ICAAP and ILAAP process shall include, but not be limited to, a stress test report, a credit risk report, a market risk report, an operational risk report, a report on liquidity positions by time horizon, a report on factors affecting the level of stock of liquid assets, a report on the risk of funding concentration, a report on other significant risks.

      Table 2

Information about limits by risk appetite levels

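| No. | Types of risk | Type of limit set | The value of the established limit (in thousands of tenge and (or) percent): as of the previous reporting date | The value of the established limit (in thousands of tenge and (or) percent): at the reporting date | Set level defined as acceptable as of the reporting date (in thousands of tenge and (or) percent) |
|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | Credit risk | | | | |
| 1.1 | | | | | |
| 1.2 | | | | | |
| 2 | Market risk | | | | |
| 2.1 | | | | | |
| 2.2 | | | | | |
| 3 | Operational risk | | | | |
| 3.1 | | | | | |
| 3.2 | | | | | |
| 4 | Liquidity risk | | | | |
| 4.1 | | | | | |
| 4.2 | | | | | |
| 5 | Other significant risks (if any, indicate which ones) | | | | |
| 5.1 | | | | | |
| 5.2 | | | | | |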

      Table continuation:

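| Failure to comply with limits: number of cases | Failure to comply with limits: total length of days | Achieving levels defined as acceptable: number of cases | Achieving levels defined as acceptable: total length of days | Reasons for non-compliance with limits and the level defined as acceptable |
|---|---|---|---|---|
| 7 | 8 | 9 | 10 | 11 |
| | | | | |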

      Note:

      in columns 4 and 5 for each of the risk appetite limits established by the bank, a numerical or percentage value shall be indicated;

      in column 6, for each of the risk appetite limits established by the bank, the level determined as acceptable shall be indicated;

      in column 7 for each of the established limits, the number of cases of its violation in the reporting period shall be indicated;

      in column 8 the total duration of days of limit violation in the reporting period shall be indicated;

      in column 9 for each of the established levels defined as acceptable, the number of cases of its achievement in the reporting period shall be indicated;

      in column 10 the total duration of days of achieving the levels determined as acceptable in the reporting period shall be indicated;

      in column 11 the reasons for non-compliance with the risk appetite limits and levels determined as acceptable in the reporting period shall be indicated;

      if the level defined as acceptable is not established, columns 6, 9 and 10 shall not be filled in.

      Table 3

Information about ICAAP processes

| No. | ICAAP process stage | Description | Responsible department | Internal document regulating the process |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 |
| 1. | Identification of significant risks | | | |
| 2. | Assessment of significant risks | | | |
| 3. | Calculation of internal (economic)/regulatory capital | | | |
| 4. | Conducting stress testing | | | |
| 5. | Planning and assessment of the adequacy of internal (economic) and regulatory capital | | | |
| 6. | Integrating ICAAP results in a risk appetite strategy | | | |
| 7. | Self-assessment under ICAAP | | | |

      Note:

      in column 3 a description of the methodology used by the bank for each stage of the ICAAP shall be indicated;

      in column 4 the responsible unit carrying out the corresponding stage shall be indicated;

      in column 5 the internal document regulating the relevant ICAAP process shall be indicated.

      Table 4

Information about the bank's risk structure

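| No. | Types and subtypes of risks | Methodology and (or) models for identifying and assessing significant risks |
|---|---|---|
| 1 | 2 | 3 |
| 1 | Credit risk | |
| 1.1 | | |
| ... | | |
| 2 | Market risk | |
| 2.1 | | |
| ... | | |
| 3 | Operational risk | |
| 3.1 | | |
| ... | | |
| 4 | Other significant risks (if any, please indicate which): | |
| 4.1 | | |
| ... | | |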

      Note:

      in column 2 the types and subtypes (if any) of risks shall be indicated;

      in column 3 the methodology and (or) models used to identify and assess significant risks shall be indicated.

      Table 5

Information on the current value of the bank's banking book

      (thousand tenge)

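| Indicators | Amount of current value (actual): up to 1 month | from 1 to 3 months | from 3 to 6 months | from 6 months to 1 year | from 1 to 2 years | from 2 to 3 years | from 3 to 5 years | from 5 to 10 years | over 10 years |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2 | | | | | | | | |
| Income generating assets | | | | | | | | | |
| ... | | | | | | | | | |
| ... | | | | | | | | | |
| Obligations related to payment of remuneration | | | | | | | | | |
| ... | | | | | | | | | |
| ... | | | | | | | | | |
| Off-balance sheet position | | | | | | | | | |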

EVE = Income Producing Assets

Obligations related to payment of remuneration

Off-balance sheet position


      Table continuation:

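| Amount of current value (actual) | Amount of cost in national currency (forecast): +___ basis point | Amount of cost in national currency (forecast): -___ basis point | Amount of cost in foreign currency (forecast): +___ basis point | Amount of cost in foreign currency (forecast): -___ basis point |
|---|---|---|---|---|
| 3 | 4 | 5 | 6 | 7 |
| | | | | |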

      Note:

      in column 2, assets and liabilities sensitive to changes in interest rates shall be distributed by the number of time baskets in accordance with the bank’s internal methodology;

      columns 4 and 5 shall indicate the change in the economic value of the bank’s assets and liabilities, in the event of a parallel change throughout the entire range of the yield curve of interest rates on assets and liabilities denominated in national currency, at basis points determined by the bank;

      columns 6 and 7 shall indicate the change in the economic value of the bank's assets and liabilities, in the event of a parallel change throughout the entire range of the yield curve of interest rates on assets and liabilities denominated in foreign currency, on the basis points determined by the bank.

      Table 6

Information on net interest income

      (thousand tenge)

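| Indicators | Amount of current value (actual): national currency | Amount of current value (actual): foreign currency | Amount of cost in national currency (forecast): +___ basis point | Amount of cost in national currency (forecast): -___ basis point | Amount of cost in foreign currency (forecast): +___ basis point | Amount of cost in foreign currency (forecast): -___ basis point |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Interest income | | | | | | |
| ... | | | | | | |
| ... | | | | | | |
| Interest expenses | | | | | | |
| ... | | | | | | |
| ... | | | | | | |
| Net interest income (expense) | | | | | | |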

      Note:

      columns 4 and 5 shall indicate changes in interest income and interest expenses, in the event of a parallel change in the yield curve of interest rates on claims and obligations denominated in national currency, by basis points determined by the bank;

      columns 6 and 7 shall indicate changes in interest income and interest expenses, in the event of a parallel change in the yield curve of interest rates on claims and obligations denominated in foreign currency, by basis points determined by the bank.

      Table 7

Information on the assessment of internal (economic) and regulatory equity capital

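| No. | Types of risks | Regulatory equity: Fact (t) | Regulatory equity: Forecast (t+1) | Regulatory equity: Forecast taking into account stress | Internal (economic) capital: Fact (t) | Internal (economic) capital: Forecast (t+1) | Internal (economic) capital: Forecast taking into account stress |
|---|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 1. | Total regulatory capital compliant/total internal (economic) capital required | | | | | | |
| 2. | Credit risk-weighted assets | | | | | | |
| 3. | Market risk-weighted assets | | | | | | |
| 4. | Operational risk | | | | | | |
| 5. | Total risk-weighted assets | | | | | | |
| 6. | Capital requirements taking into account credit risk | | | | | | |
| 7. | Capital requirements taking into account market risk | | | | | | |
| 8. | Capital requirements taking into account operational risk | | | | | | |
| 9. | Other significant risks to be quantified (specify which) | | | | | | |
| 9.1. | | | | | | | |
| 9.2. | | | | | | | |
| 10. | Capital requirements taking into account significant risks | | | | | | |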

      Note:

      columns 3 and 4 shall indicate the actual and forecast value of capital for each type of risk, as well as the forecast value taking into account stress testing.

      If not applicable, the abbreviation NA - "not applicable" shall be used.

      Table 8

      Information about stress testing scenarios

| No. | Stress test scenario | Scenario parameters | Time horizon, frequency | Type of risk |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 |
| | | | | |

      Note:

      column 2 shall indicate the name for each stress testing scenario;

      column 3 for each scenario shall indicate the value of the stress testing parameter;

      column 4 shall indicate for each parameter of the stress scenario, the time horizon and frequency of implementation;

      column 5 for each stress scenario parameter shall indicate the types of risks that it affects.

      Table 9

Information about the ILAAP processes

| No. | Stage of the ILAAP process | Description | Responsible department | Internal document regulating the process |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 |
| 1. | Identification of significant liquidity risks | | | |
| 2. | Assessment of significant liquidity risks | | | |
| 3. | Calculation of the main indicators of liquidity risk (liquidity coverage ratio, net stable funding ratio and others) | | | |
| 4. | Short-term liquidity analysis | | | |
| 5. | Long-term liquidity analysis | | | |
| 6. | Funding sustainability analysis | | | |
| 7. | Analysis of liquidity buffer and collateral management | | | |
| 8. | Liquidity risk analysis in the new product approval process | | | |
| 9. | Conducting stress testing | | | |
| 10. | Consistency with risk appetite strategy | | | |
| 11. | Self-assessment according to ILAAP | | | |

      Note:

      column 3 shall indicate a description of the methodology used by the bank for each stage of the ILAAP;

      column 4 shall indicate the responsible unit carrying out the corresponding stage;

      column 5 shall indicate the internal document regulating the relevant ICAAP process.

      Table 10

Information about the results of stress testing

| No. | Indicator | Stress test scenario | Scenario parameters | Fact (t) |
|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 |
| 1. | Liquidity coverage ratio | | | |
| 2. | Net stable funding ratio | | | |
| 3. | Highly liquid assets | | | |
| 4. | Liabilities on deposits of individuals | | | |
| 5. | Short-term financing | | | |
| 6. | Other indicators (if any, indicate which one) | | | |

      Table continuation:

| Taking into account stress (time horizon 1) | Note |
|---|---|
| 6 | 7 |
| | |

      Note:

      column 5 shall indicate the actual value for the reporting period;

      column 6 shall indicate the values taking into account the application of the time horizon;

      column 7 shall indicate notes to the table.

      Liquidity coverage ratio and net stable funding ratio shall be applicable for all banks except Islamic banks.

      The stress testing scenario and parameters shall be determined in accordance with the external operating environment, strategy, organizational structure, volume of assets, nature and level of complexity of the bank's operations.

  Annex
to the Resolution of the Board
of the National Bank of the
Republic of Kazakhstan
dated November 12, 2019 No. 188

The list of regulatory legal acts of the Republic of Kazakhstan, as well as structural elements of some regulatory legal acts of the Republic of Kazakhstan, recognized as terminated

      1. Resolution of the Board of the National Bank of the Republic of Kazakhstan dated February 26, 2014 No. 29 “On approval of the Rules for the formation of a risk management and internal control system for second-tier banks” (registered in the State Register of Normative Legal Acts under No. 9322, published on April 17, 2014 in the Legal Information System “Adilet”).

      2. Paragraph 22 of the List of Regulatory Legal Acts of the Republic of Kazakhstan, amended and supplemented, approved by Resolution of the Board of the National Bank of the Republic of Kazakhstan dated August 27, 2014 No. 168 “On amendments and additions to some regulatory legal acts of the Republic of Kazakhstan” (registered in the State Register of Normative Legal Acts under No. 9796, published on November 12, 2014 in the Legal Information System “Adilet”).

      3. Paragraph 4 of the List of some regulatory legal acts of the Republic of Kazakhstan on the regulation of the financial market, payments and payment systems, which are amended and supplemented, approved by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated October 29, 2018 No. 267 “On Amendments and Additions to some regulatory legal acts of the Republic of Kazakhstan on the regulation of the financial market, payments and payment systems” (registered in the State Register of Normative Legal Acts under No. 18123, published on January 11, 2019 in the Reference Control Bank of normative legal acts of the Republic of Kazakhstan).
