Unofficial translation
On approval of the Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan
Footnote. The title - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into effect ten calendar days after the day of its first official publication).
In accordance with the Law of the Republic of Kazakhstan "On Banks and Banking Activities in the Republic of Kazakhstan," the Board of the National Bank of the Republic of Kazakhstan hereby RESOLVED:
Footnote. Preamble – in the wording of the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.06.2024 № 30 (shall enter into force upon expiry of ten calendar days after the day of its first official publication).
1. To approve the attached Rules for formation of risk management and internal control system for second-tier banks, and branches of non-resident banks of the Republic of Kazakhstan.
Footnote. Paragraph 1 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into effect ten calendar days after the day of its first official publication).
2. To recognize as terminated the regulatory legal acts of the Republic of Kazakhstan, as well as the structural elements of some regulatory legal acts of the Republic of Kazakhstan according to the list in accordance with the Annex to this Resolution.
3. The Department of Methodology and Regulation of Financial Organizations in the manner prescribed by the legislation of the Republic of Kazakhstan shall ensure:
1) together with the Legal Department, the state registration of this Resolution with the Ministry of Justice of the Republic of Kazakhstan;
2) placement of this Resolution on the official Internet resource of the National Bank of the Republic of Kazakhstan after its official publication;
3) within ten working days after the state registration of this Resolution, submission of the information on the implementation of measures, provided for in subparagraph 2) of this paragraph and paragraph 4 of this Resolution, to the Legal Department.
4. Within ten calendar days after the state registration of this Resolution the Department of External Communications - the press service of the National Bank of the Republic of Kazakhstan shall ensure that a copy hereof is sent to periodicals for official publication.
5. Control over execution of this resolution shall be entrusted to Deputy Chairman of the National Bank of the Republic of Kazakhstan O. A. Smolyakova.
6. This Resolution shall come into effect upon expiry calendar days after the day of its first official publication.
7. Second-tier banks, by October 1, 2020, shall bring their activities into compliance with the requirements of this Resolution.
Footnote. Paragraph 7 is in the wording of the Resolution of the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market dated 18.06.2020 №. 66 (shall be enforced from the date of its first official publication).
Chairman of the National Bank Ye. Dossayev
Approved by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated November 12, 2019 №. 188
The Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan
Footnote. The title - as amended by the resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into effect ten calendar days after the day of its first official publication).
1. These Rules for formation of risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan (hereinafter referred to as the Rules) have been developed in accordance with part two of paragraph 1 of Article 40-5 of the Law of the Republic of Kazakhstan dated August 31, 1995 "On Banks and Banking Activities in the Republic of Kazakhstan" (hereinafter referred to as the Law on Banks) and shall establish the procedure for forming the risk management and internal control system of second-tier banks, branches of non-resident banks of the Republic of Kazakhstan (hereinafter referred to as the bank).
Footnote. Paragraph 1 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into effect ten calendar days after the day of its first official publication).
2. The following concepts shall be used in the Rules:
1) information security risk - the probable occurrence of damage due to a breach of confidentiality, intentional violation of the integrity or availability of the bank's information assets;
2) information technology risk - the probability of damage arising due to the failure (malfunction) of information and communication technologies operated by the bank;
3) the data exchange center for payment transactions with signs of fraud - a legal entity of the National Bank of the Republic of Kazakhstan that implements measures aimed at preventing payment transactions with signs of fraud (hereinafter referred to as the NBRK anti-fraud center);
4) database of incidents with signs of fraud - a database of incidents with signs of fraud, which is maintained by the bank in electronic form;
5) fraud risk – the probability of financial losses and reputational risks due to fraudulent actions by third parties and/or bank employees;
6) anti-fraud system of the bank – a set of technical and analytical measures aimed at preventing and detecting transactions with signs of fraud in the provision of banking services;
7) authorized collegial body of the bank - board of directors, committee of the board of directors, management board, committee of the management board;
8) reputational risk - the probability of losses, failure to receive planned income as a result of a narrowing of the client base, a decrease in other development indicators due to the formation in society of a negative perception of the bank’s reliability, the quality of the services it provides, or the nature of the activities of the bank in general;
9) dropper – a person who has provided a third party with access to his/her bank account and/or electronic payment instrument, and also transferred his/her payment instruments for use by a third party, including for material compensation, which has resulted in their unauthorized use in illegal transactions;
10) legal risk - the probability of losses arising due to the bank's or counterparty's failure to comply with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, and in relations with non-residents of the Republic of Kazakhstan - the legislation of the country of its origin, as well as the terms of concluded agreements;
11) internal capital adequacy assessment process - a set of processes for managing significant risks, taking into account the volume of assets, the nature and level of complexity of activities, organizational structure, strategic plans, the bank's risk profile, the regulatory framework, the assessment and aggregation of such risks to determine the target level of capital adequacy of the bank to maintain a stable financial position and solvency.
The capital of a branch of a non-resident bank of the Republic of Kazakhstan refers to the assets of a branch of a non-resident bank of the Republic of Kazakhstan accepted as a reserve, calculated in accordance with the requirements of the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 12, 2021 № 23 "On the establishment of prudential standards and other mandatory norms and limits for branches of non-resident banks of the Republic of Kazakhstan (including branches of non-resident Islamic banks of the Republic of Kazakhstan), their standard values and calculation methods, including the procedure for the formation of assets of branches of non-resident banks of the Republic of Kazakhstan (including branches of non-resident Islamic banks of the Republic of Kazakhstan), accepted as a reserve, and their minimum size", registered in the State Register of Normative Legal Acts under № 22213 (hereinafter referred to as Resolution № 23);
12) capital financing plan - a set of procedures and an action plan for responding to a critical decrease in the bank's capital;
13) statistical journal of the value of collateral - an internal journal of the value of collateral, including a description and characteristics of the collateral, information on the results of the first and most current assessment of the independent quality assessment (date of assessment, name of the independent quality assessment, cost, assessment method), conclusions of the collateral service (date, cost), reasons for the difference in cost, information on sales (if any);
14) unsecured consumer loan - a bank loan without a condition on collateral at the time of issue, granted to an individual for purposes not related to the implementation of entrepreneurial activities;
15) compliance risk - the probability of losses arising due to non-compliance by the bank and its employees with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank regulating the procedure for the provision of services by the bank and the conduct of operations in the financial market, as well as the legislation of foreign states that affect the activities of the bank;
16) corporate governance - a system of relationships between the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan the branch of which is opened in the territory of the Republic of Kazakhstan, the executive employees of the branch of a non-resident bank of the Republic of Kazakhstan), the board of directors (the relevant management body of a non-resident bank of the Republic of Kazakhstan the branch of which is opened in the territory of the Republic of Kazakhstan), shareholders, executive employees and auditors, as well as the relationship between the authorized collegial bodies of the bank.
The corporate governance system allows for the distribution of powers and responsibilities, as well as the construction of a corporate decision-making process;
17) credit risk - the probability of losses arising as a result of the failure of the borrower or counterparty to fulfill their obligations in accordance with the terms of the bank loan agreement;
18) creditworthiness - a comprehensive legal and financial characteristic of the borrower, represented by financial and non-financial indicators, allowing one to assess his/her ability in the future to fully and timely fulfill obligations under a bank loan agreement;
19) loan agreement - an agreement between a bank and a borrower on the provision of financing (including conditional financing), as a result of which the bank has (or will have in the future) claims on the borrower;
20) contingency financing plan - a set of procedures and action plans to respond to a decline in the bank's ability to meet its obligations on time;
21) supervisory stress testing is a tool of the authorized body aimed at assessing the financial stability of banks to hypothetical (stress) scenarios of developments. Banks, based on a single methodology and scenarios for all participants in supervisory stress testing, perform calculations using internal models and provide the authorized body with the results of stress testing. In this case, banks shall be responsible for the proper quality of the calculations performed and the results of stress testing;
22) authorized body for financial monitoring - a state body that carries out financial monitoring and takes other measures to combat the legalization (laundering) of proceeds from crime, the financing of terrorism, and the financing of the proliferation of weapons of mass destruction;
23) division-owner of protected information - a division of the bank, the owner of information, the violation of confidentiality, integrity or availability of which will lead to losses for the bank;
24) critical information asset - an information asset determined in accordance with the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated March 27, 2018 № 48 "On approval of the Requirements for ensuring information security of banks, branches of non-resident banks of the Republic of Kazakhstan and organizations carrying out certain types of banking operations, the Rules and deadlines for providing information on information security incidents, including information on violations, failures in information systems", registered in the State Register of Normative Legal Acts under № 16772 (hereinafter referred to as Resolution № 48);
25) significant risk - a risk, the realization of which will lead to a deterioration in the financial stability of the bank;
26) conflict of interest - a situation in which a contradiction arises between the personal interests of bank officials (officials of the management body, the executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened in the territory of the Republic of Kazakhstan, executive employees of a branch of a non-resident bank of the Republic of Kazakhstan), its shareholders and/or its employees and the proper performance of their official powers or the property and other interests of the bank and/or its employees and/or clients, which will entail unfavorable consequences for the bank and/or its clients;
27) market risk - the probability of financial losses on balance sheet and off-balance sheet items caused by unfavorable changes in the market situation, expressed in changes in market interest rates, foreign exchange rates, market value of financial instruments, goods;
28) operational risk - the probability of losses arising as a result of inadequate and insufficient internal processes, human resources and systems, or the influence of external events, except for strategic risk and reputational risk;
29) information on sustainable development (ESG (Environmental, Social, Governance)) - information that is non-financial information in the area of sustainable development, disclosed by the bank as part of the sustainable development report (ESG);
30) sustainable development report (ESG (Environmental, Social, Governance)) - a report and/or annual report that shall include issues of ecology, social responsibility and the functioning of the environmental and social risk management system, the corporate governance system;
31) internal process of assessing the adequacy of liquidity - a set of liquidity risk management processes, to ensure that the bank maintains an appropriate level of liquidity and implements an appropriate liquidity risk management system at various time intervals depending on the types of activities and currencies;
32) liquidity risk - the probability of financial losses arising as a result of the bank’s inability to fulfill its obligations on time without significant losses;
33) interest rate risk - the risk of financial expenses (losses) arising due to an unfavorable change in interest rates on the bank’s assets and liabilities;
34) policy - an internal document approved by the board of directors of the bank, defining the main quantitative and qualitative parameters, principles, standards, ensuring the effective functioning of the bank and compliance of its activities with the strategy, risk profile, risk appetite. Within the framework of the policy, the board of directors of the bank shall ensure the existence of relevant internal documents describing individual procedures, processes, instructions;
35) strategic risk - the probability of losses arising as a result of errors (deficiencies) made in making decisions that determine the strategic development of the bank and expressed in insufficient consideration of possible dangers inherent in the bank's activities, incorrect or insufficiently substantiated determination of promising areas of activity in which the bank will achieve an advantage over competitors, the absence or incomplete provision of the necessary resources and organizational measures to ensure the achievement of the strategic goals of the bank's activities;
36) stress testing - a method for assessing the potential impact of exceptional but possible events on the financial condition of a bank;
37) risk - the probability that expected or unforeseen events will harm the financial stability of the bank, its capital and/or income;
38) risk profile - a set of types of risk and other information characterizing the degree of exposure of the bank to risks inherent in all types of the bank's activities to identify weaknesses and determine the priority of subsequent actions within the risk management system;
39) risk appetite - the aggregated level(s) of significant risks (limits on the acceptable amount of risk) that the bank is ready to accept or intends to exclude when implementing the strategy;
40) risk appetite statement - a document approved by the board of directors of the bank describing the aggregated level(s) of material risks (limits on the acceptable risk size) that the bank is ready to accept or intends to exclude when implementing the strategy. The risk appetite statement contains a statement of a qualitative nature, as well as a quantitative nature, including indicators regarding profitability, capital, liquidity, risks, and other applicable indicators;
41) risk culture - processes, procedures, internal rules of the bank aimed at understanding, accepting, managing and controlling risks to minimize their impact on the financial condition of the bank, as well as ethical norms and standards of professional activity of all participants in the organizational structure. Risk culture complements the existing approved procedures, processes and mechanisms of the bank's activities and is an integral component of the risk management system;
42) risk treatment - the process of selecting and implementing measures to change risks;
43) risk register - a structured list of risks containing the criteria and causes of the occurrence of risks, the probability of their occurrence, impact (damage), priority and methods of risk treatment;
44) authorized body - a state body that carries out state regulation, control and supervision of the financial market and financial organizations;
45) organizational structure - an internal document and/or a set of internal documents establishing the quantitative composition and system of management bodies, executives and structural divisions of the bank, reflecting the structure of subordination and accountability;
46) a participant of the Astana International Financial Centre providing services for managing a digital asset platform - a legal entity registered in accordance with the current law of the Astana International Financial Centre and carrying out activities on the territory of the Astana International Financial Centre for managing a digital asset platform;
47) internal (economic) capital - capital required to cover significant risks, including potential ones, accepted by the bank, calculated within the bank using its models;
48) environmental and social risk management system - a set of policies, procedures, tools and internal resources for identifying and managing environmental and social risks when lending to bank borrowers;
49) Environmental and Social Due Diligence (ESDD) - an analysis of potential environmental and social risks associated with the activities of a potential bank client to ensure that the issuance of a loan does not carry environmental and social risks that may pose a potential liability or risk to the bank.
When applying the requirements of the Rules to a branch of a non-resident bank of the Republic of Kazakhstan:
the board of directors refers to the relevant governing body of a non-resident bank of the Republic of Kazakhstan;
the management board refers to the executive employees of a branch of a non-resident bank of the Republic of Kazakhstan;
equity capital refers to the assets of a branch of a non-resident bank of the Republic of Kazakhstan, accepted as a reserve, calculated in accordance with the requirements of Resolution № 23;
financial statements refer to statements based on accounting data of a branch of a non-resident bank of the Republic of Kazakhstan;
the head of risk management refers to the head of the risk management department of a branch of a non-resident bank of the Republic of Kazakhstan;
the chief compliance controller refers to the head of the compliance control department of a branch of a non-resident bank of the Republic of Kazakhstan.
When applying the requirements of the Rules:
social risks refer to the probability of losses arising from interactions with society, including customers, suppliers and other interested parties;
environmental risks refer to the risks of causing environmental damage that has significant and irreversible consequences for the natural environment and/or its individual components, or harm to the life and/or health of people;
ESG (Environmental, Social, Governance) risks (hereinafter referred to as ESG risks) refer to environmental risks, social risks and corporate governance risks that affect the bank’s profits and losses.
Footnote. Paragraph 2 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
3. The purpose of the Rules is to determine the requirements for the formation of risk management systems and internal control by the bank by ensuring:
1) effective management of the bank risks through their timely identification, measurement, control and monitoring to ensure that the bank equity is consistent with the level of risks taken by it and that there is an appropriate level of liquidity;
2) good corporate governance practices and an appropriate level of business ethics and risk culture;
3) compliance by the bank and its employees with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal policies, procedures and other internal documents of a bank;
4) timely detection and elimination of deficiencies in the activities of the bank and its employees;
5) creation of adequate mechanisms in the bank to deal with unforeseen or emergency situations.
4. The board of directors of the bank shall ensure that a risk management system is in place that matches the selected business model, scale of activity, in terms of types and complexity of operations, and shall provide an appropriate process for identifying, measuring and evaluating, monitoring, controlling and minimizing significant bank risks in order to determine the bank’s equity and liquidity necessary to cover significant risks inherent in the bank business.
The risk management system is a set of components established by the Rules, which shall provide a mechanism for the interaction of internal procedures developed, regulated by the bank, processes, policies, structural units of the bank in order to timely identify, measure, control and monitor the risks of the bank, as well as minimize them to ensure its financial stability and stable functioning.
5. The risk management system shall ensure:
1) the optimal relationship between the profitability of the main activities of the bank and the level of risks taken, based on the choice of a viable and sustainable business model, an effective strategy and a budget planning process, taking into account the risk appetite strategy;
2) an objective assessment of the size of the bank’s risks, the completeness and documentation of risk management processes, their preventive identification, measurement and assessment, monitoring and control, and minimization of significant types of risks at each level of the organizational structure with the optimal use of financial resources, personnel and information systems to maintain a sufficient volume of the bank's equity capital and liquidity;
3) coverage of all types of bank activities exposed to significant risks at all levels of the organizational structure, complete assessment of individual significant types of risks, and their mutual influence to determine the bank’s risk profile and build a risk appetite strategy;
4) availability of risk appetite levels for all types of significant risks and an algorithm of actions in cases of violation of established levels, including responsibility for accepting risks whose level is determined to be high, procedures for informing the board of directors, committees under the board of directors and the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is opened on the territory of the Republic of Kazakhstan) as part of the risk appetite strategy;
5) awareness of the authorized collegial bodies of the bank making decisions that carry risks, through the construction of an effective corporate governance system, the availability of complete, reliable and timely management information about the significant risks inherent in the activities of the bank;
6) rational decision-making and action in the interests of the bank based on a comprehensive assessment of the information provided in good faith, with due diligence and care (duty of care). The duty of care and diligence shall not apply to errors in business decision-making unless the employees and officers of the bank were grossly negligent;
7) making decisions by employees and officials of the bank and acting in good faith in the interests of the bank, without taking into account personal benefits, the interests of persons associated with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);
8) clear distribution of functions, responsibilities and powers of risk management between all structural units and employees of the bank, their responsibilities, taking into account minimizing conflicts of interest;
9) separation of the risk management and internal control functions from the bank’s operating activities by building a system of three lines of defense, which includes:
the first line - at the level of the bank's structural units;
the second line - at the level of risk management units and those performing control functions;
the third line - at the level of the internal audit unit in terms of assessing the effectiveness of the risk management system;
10) availability of documents developed to regulate the activities of the bank, create and operate effective risk management and internal control systems in the bank and corresponding to the strategy, organizational structure, risk profile of the bank and the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on the mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, as well as their periodic review and updating;
11) compliance with the requirements of civil, tax, and banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;
12) compliance with current procedures, processes, policies and other internal documents of the bank for risk management through building an effective internal control system.
Footnote. Paragraph 5 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into force ten calendar days after the day of its first official publication).
6. The authorized body, in the framework of evaluating the effectiveness of the bank’s risk management system, shall be guided by the following principles:
1) ensuring the financial stability of banks, preventing deterioration of the financial situation of banks and increasing risks associated with the activities of banks, protecting the legitimate interests of depositors, creditors, customers and correspondents of banks;
2) prevalence of the essence over the form, expressed in the assessment of the bank’s risk management system as a mechanism for measuring and evaluating, monitoring, controlling, and minimizing the bank’s significant risks, rather than formally regulated bank procedures and compliance with the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, internal documents of the bank;
3) proportionality in the exercise of control and supervision functions, as well as when applying the results of control and supervision, measures provided for by the laws of the Republic of Kazakhstan, based on the business model adopted by the bank, the scale of activity, types and complexity of operations and the materiality of the bank's risks;
4) application of a uniform approach to the assessment of the risk management system and supervisory response measures;
5) identification of significant risks in the activities of the bank.
7. The authorized body shall evaluate:
1) the effect of the corporate governance system;
2) significant risks inherent in the bank's activities, taking into account the types and complexity of the bank's operations;
3) compliance of the risk management systems with the selected business model, the scope of activities, types and complexity of the bank's operations;
4) financial condition of large participants of the bank in order to determine the possibility of maintaining the financial stability of the bank;
5) impact of the financial condition of the participants of the banking conglomerate on the financial stability of the bank;
6) the effectiveness of the application of preventive measures in order to prevent the deterioration of the financial stability of the bank by adjusting risk management systems based on the scale of activity and the level of risks taken;
7) application of a system of quantitative and qualitative indicators in the framework of assessing the activities of the bank and the effectiveness of modeling methods.
Chapter 2. Business Model
8. The business model of a bank is a combination of the chosen strategy, products, and planning processes that ensure competitiveness and a sufficient level of profitability. The main principles in the formation of a business model of a bank shall be:
1) viability, expressed in the bank's ability to provide a sufficient level of profitability in the next 12 (twelve) months and based on budget planning and forecasting of financial indicators;
2) sustainability, expressed in the ability of the bank to provide a sufficient level of profitability for a period of at least 3 (three) years and based on strategic planning and forecasting of financial indicators.
The bank shall conduct regular analysis of the business model in order to assess the impact on it of strategic risks and the risks inherent in the activities of the bank.
Banking activities shall be carried out within the framework of the chosen business model taking into account the volume of assets, the nature and level of complexity of the activity, organizational structure, and risk profile.
9. The strategy of the bank shall be approved by the board of directors of the bank for a period of at least 3 (three) years and shall contain:
1) the mission and goals of development of the bank. Goals shall be measurable, achievable, realistic, and have precise timelines for implementation;
2) target market segments by sectors of the economy and geographical distribution of the development of the bank;
3) analysis of the strengths and weaknesses of the selected bank strategy, taking into account key sources of income;
4) quantitative indicators of the loan portfolio, liquid assets, customer deposits and other borrowed funds, taking into account the established levels of risk appetite. At the same time, realistic assumptions shall be used that take into account available and accessible resources, current and potential economic conditions;
5) analysis of key sources of income;
6) key types of investments, their structure and planned changes, including the introduction and development of new products and services, taking into account the assessment of risks and processes associated with their implementation and development, as well as assessing the current capabilities of the bank to introduce and develop such products;
7) scenarios of the strategic development of the bank's activity (negative and most probable scenarios).
10. The budget of the bank shall be approved annually by the board of directors of the bank and shall contain a monthly forecast of financial indicators (assets and liabilities, income and expenses, information on the loan portfolio, customer deposits and other borrowed funds, by currency (national and foreign currencies in total), categories of customers).
The budget shall correspond to the strategy of the bank. Therewith, the assumptions used shall be realistic and take into account available and accessible resources, current and potential economic conditions and possible risks.
One of the components of effective budget planning shall be the tariff policy, which minimally includes the following components:
internal procedure and procedures for conducting market analysis of demand and prices for banking services;
internal procedure and procedures for the formation of the structure of interest rates and tariffs;
acceptable lower and upper limits for interest rates and tariffs for the bank, as well as requirements for the internal procedure for their approval, taking into account the requirements of the civil and banking legislation of the Republic of Kazakhstan, on payments and payment systems, on mandatory guarantee of deposits, their application and periodic review;
criteria for choosing a method for determining prices for banking services, as well as requirements for methods based on assessing the nature and level of complexity of the bank's activities and the risks inherent in the bank;
participants in the pricing process and the order of interaction between them, including the exchange of information;
the internal procedure and procedures for timely informing bank customers about the conditions for the provision of banking services, as well as informing about changes.
The bank shall analyze the budget monthly to check that the forecast indicators are consistent with the actual values and to determine the reasons for the deviations detected, followed by the development of corrective measures, if necessary, and shall make reasonable adjustments with their further documentation.
11. In the process of strategic and budget planning, the bank shall analyze the key sources of profitability in order to identify potential risks.
In order to keep the strategy and budget of the bank up to date, the bank shall annually analyze the target markets where it operates, evaluate the competitive environment, the adequacy of resources and the ability to generate short and long term returns.
Strategic and budget planning shall be carried out within the framework of accepted and approved levels of risk appetite.
Chapter 3. Risk Appetite Strategy
12. In order to build an effective risk management system, the board of directors of the bank shall approve the risk appetite strategy as a separate document, or as an integral part of the strategy of the bank. The risk appetite strategy shall define clear boundaries of the volume of accepted risks where the bank operates as part of the implementation of the bank’s general strategy, and shall also determine the risk profile of the bank’s activities in order to prevent risks or minimize their negative impact on the financial position of the bank. The risk appetite strategy shall be taken into account:
1) in strategic and budget planning defined by Chapter 2 of the Rules;
2) in internal processes for assessing capital adequacy and liquidity, as defined by Chapters 5 and 6 of the Rules;
3) in formation of the organizational structure of the bank and the wage policy defined by Chapter 4 of the Rules.
13. An effective risk appetite strategy shall:
1) contain a description of the risk profile of the bank;
2) contain the process of disseminating the strategy to all structural units and be brought to the attention of bank employees;
3) be aimed at introducing a risk culture at all levels of the bank's organizational structure, as well as at disseminating the practice of observing risk appetite levels within the risk culture;
4) provide protection from the bank taking excessive risks when making decisions;
5) be the basis for the formation of a statement of risk appetite;
6) change in case of significant changes in market conditions and (or) the level of financial stability of the bank.
14. Within the framework of the risk appetite strategy, the board of directors of the bank shall form a risk appetite statement that sets the general direction with respect to the risks accepted by the bank in the framework of budget planning and operational activities of the bank. An effective statement of risk appetite shall:
1) be formed taking into account the strategy of the bank;
2) determine for each significant type of risk the aggregated level (levels) of risk appetite, which the bank accepts in its activities taking into account the risk profile;
3) include quantitative indicators that are used to determine the aggregated level(s) of risk appetite for each significant type of risk;
4) include a statement of a qualitative nature that describes the grounds for taking risks by the bank, or their exclusion, including reputational and (or) other risks, a quantitative assessment of which is not feasible, and also establishes approaches to control them;
5) imply a prognostic approach and take into account the results of stress testing in order to identify potential events leading to a violation of risk appetite levels.
15. In order to determine risk appetite, the board of directors of the bank shall set the aggregated level(s) of risk appetite and levels of risk appetite for each type of significant risk.
The applicable levels of risk appetite shall meet the following requirements:
have a clear definition;
be relevant;
be measurable;
be calculated on a periodic basis;
information on the actual values of risk appetite levels and their performance shall be provided to the board of directors and the committee of the bank risk management;
be developed taking into account the prognostic approach.
16. Effective levels of risk appetite shall:
1) be set at a level that facilitates the bank's compliance with the aggregated level(s) of risk appetite;
2) take into account available capital, liquidity, profitability, development strategy;
3) take into account all significant concentration risks (concentration on the client, on currency, on country risk, on market segments and other types of concentration);
4) be based not only on the application of best practices and (or) the requirements of the authorized body, but shall also take into account the essential risks inherent to the bank;
5) be developed using objective and clear assessments and not be ambiguous;
6) be regularly reviewed for relevance;
7) take into account reasonable assumptions, supported by the results of stress testing.
17. The procedure for determining risk appetite levels shall include, but shall not be limited to, the following components:
1) the internal procedure for calculating and determining quantitative and qualitative parameters characterizing the levels of risk appetite of the bank;
2) information and materials, methods and tools used to calculate and determine risk appetite levels;
3) responsible executives and (or) departments of the bank involved in calculating and determining the risk appetite levels of the bank and responsible for monitoring the established levels of risk appetite;
4) the conditions under which an adjustment is made to the approved risk appetite levels.
Quantitative methods used to establish risk appetite levels shall have a high degree of reliability in assessing the level of risk.
18. Risk appetite levels shall include the following risk level limits:
1) the level that does not require the application of corrective measures;
2) the level defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;
3) the level defined as high, requiring the application of appropriate measures to prevent the deterioration of the financial stability of the bank and its solvency.
When determining risk appetite, the bank shall assess the acceptability of the established risk appetite in the current time period and to what extent it will be acceptable in the future by means of stress testing (scenario analysis and sensitivity analysis).
If significant risks are identified that are not described in the risk profile, the bank shall assess the level of risk, finalize appropriate procedures to include such risks in the risk profile, determine the level of risk appetite and develop measures to prevent and (or) minimize the identified risk.
Aggregated level(s) of risk appetite shall be established and reviewed (revised) on a periodic basis. The levels of risk appetite for certain types of risk shall be reviewed during the year when the situation on the market changes and (or) changes in the requirements of the authorized body, but within the aggregated level of risk appetite.
Chapter 4. Corporate Governance
19. The main elements of an effective corporate governance system are:
1) organizational structure;
2) corporate values;
3) strategy of the activities of the bank;
4) distribution of responsibilities and powers regarding decision-making between the authorized bodies of the bank;
5) mechanisms of interaction and cooperation between members of the board of directors, the board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan, senior employees of a branch of a non-resident bank of the Republic of Kazakhstan), external and internal auditors of the bank;
6) procedures and techniques for risk management;
7) internal control system;
8) reward system;
9) the presence of an adequate management reporting system;
10) transparency of corporate governance.
Footnote. Paragraph 19 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall come into effect ten calendar days after the day of its first official publication).
20. The organizational structure of the bank shall correspond to the chosen business model, scale of activity, types and complexity of operations, minimize conflicts of interest and distribute powers for risk management between collegial bodies and structural units, including, but not limited to:
1) board of directors of the bank;
2) committees under the board of directors of the bank;
3) the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is opened on the territory of the Republic of Kazakhstan, senior employees of a branch of a non-resident bank of the Republic of Kazakhstan);
4) risk management unit(s);
5) compliance control unit;
6) internal audit unit;
7) unit performing the functions of a collateral service, including an outsourced collateral service (except for cases where the bank’s strategy does not provide for the provision of loans secured by collateral and there are no loans issued against collateral in the bank’s current portfolio) (hereinafter referred to as the Collateral unit services).
Footnote. Paragraph 20 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 29.12.2022 №. 119 (the order of enforcement see Paragraph 5).
21. The main principles and responsibilities of the board of directors of the bank shall include:
1) making rational decisions and acting in the interests of the bank based on a comprehensive assessment of the information provided in good faith, with due diligence and care (duty of care). The duty of care shall not extend to errors in the process of making business decisions unless the members of the board of directors have shown gross negligence in doing so;
2) making decisions and acting in good faith in the interests of the bank, without taking into account personal benefits, the interests of persons connected with the bank by special relations, to the detriment of the interests of the bank (duty of loyalty);
3) active involvement in the activities of the bank and awareness of significant changes in the activities of the bank and external conditions, as well as making timely decisions aimed at protecting the bank’s interests in the long term;
4) preliminary consideration of the draft corporate governance code and/or amendments to it.
Within the framework of the corporate governance code, a procedure for managing conflicts of interest and mechanisms for its implementation, as well as control over execution, shall be developed. The procedure shall contain the following components:
mechanism of the procedure for minimizing conflicts of interest in the activities of the bank;
an approval process that a board member goes through before serving as an officer in another organization to prevent conflicts of interest;
the obligation of members of the board of directors to immediately provide information on any issue that creates a conflict of interest or is a potential cause for its occurrence;
the obligation of members of the board of directors to refrain from voting on issues in which the member of the board of directors has a conflict of interest;
mechanism for the board of directors to respond to violations of the provisions of the procedure.
Within the framework of the corporate governance code, procedures shall be developed by which bank employees confidentially report violations related to the bank's activities;
5) ensuring that the bank’s corporate governance system complies with the following principles:
compliance with the scale and nature of the activities of the bank, its structure, risk profile, and the bank’s business model;
protection of shareholders' rights, provided for in accordance with the civil and banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint-stock companies and support for the implementation of these rights;
ensuring timely and reliable disclosure of information in accordance with the banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on the securities market, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;
control over timely and reliable disclosure of information on sustainable development (ESG);
to perform their duties, members of the board of directors have access to complete, relevant and timely information;
6) approval of the following internal documents and control of their implementation:
organizational structure of the bank;
bank development strategies;
sustainable development strategies of the bank, including those that are an integral part of the bank’s development strategy;
policies for managing bank profitability;
stress testing procedures and scenarios;
contingency funding plan;
business continuity management policies;
internal procedures for paying remuneration to bank executives and bank employees directly reporting to the board of directors of the bank;
personnel policy;
pay policies;
accounting policy;
tariff policy;
credit policy;
distressed asset policies;
a document regulating the main approaches and principles of the Internal Capital Adequacy Assessment Process (hereinafter referred to as ICAAP);
a document regulating the basic approaches and principles of the internal liquidity adequacy assessment process (hereinafter referred to as ILAAP);
policy (policies) for managing information technology and information security risks of the bank;
internal control policies;
credit risk management policies;
a set of policies for managing environmental and social risks;
sustainable development policies;
market risk management policies;
operational risk management policies;
compliance risk management policies;
policies for managing the risk of legalization (laundering) of proceeds from crime and financing of terrorism (hereinafter referred to as ML/FT);
collateral policy;
liquidity management policies;
internal audit policy, code of ethics for internal auditors, regulations on the internal audit unit, procedures for implementing internal audit, annual internal audit plan;
policies (procedures) for engaging an external auditor;
7) approval of the bank’s risk appetite strategy and risk appetite levels;
8) monitoring compliance with the risk appetite strategy, risk appetite levels and risk management policies;
9) ensuring the availability of a financial service responsible for accounting and high-quality preparation of financial statements;
10) preliminary approval of annual financial statements certified by an audit organization, as well as sending a request for periodic independent audits, if necessary;
11) election of members of the bank’s board (members of the relevant executive body of a non-resident bank of the Republic of Kazakhstan, which branch is opened in the territory of the Republic of Kazakhstan), appointment of the head of risk management, the head of internal audit and the chief compliance controller;
12) review of reports submitted by the audit committee, followed by monitoring the elimination of identified violations;
13) control over effective compliance with the bank's procedures, through which bank employees confidentially report violations related to the bank's activities and the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as on abuses;
14) formation of three lines of defense in the bank:
the first line of defense shall be provided by the bank's structural divisions responsible for timely identification, risk assessment, dissemination of information about them to the divisions of the second line of defense, as well as risk management. The first line of defense shall carry out operations within the approved levels of the bank's risk appetite and functions within the framework of the adopted risk management policies;
the second line of defense shall be provided by independent risk management, compliance control and other control units (including, within their competence, units implementing security, financial control, personnel support, legal risk management, and operational risk management functions). The risk management unit(s) shall conduct a comprehensive analysis of risks in the bank's activities, generate the necessary reports to the board of directors of the bank and the risk management committee, and facilitate critical assessment and identification of risks by board members and business units.
The compliance control department shall organize procedures for compliance with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the legislation of foreign states that influence the activities of the bank, as well as internal documents of the bank regulating the procedure for the provision of services by the bank and the conduct of operations in the financial market, and provide complete and reliable information to the board of directors on the presence of compliance risks;
the third line of defense shall be provided by an independent internal audit unit responsible for assessing the quality and effectiveness of the risk management and internal control system, the first and second lines of defense;
15) exercising control over the activities of the bank’s board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, a branch of which is open in the territory of the Republic of Kazakhstan, the executives of the branch of a non-resident bank of the Republic of Kazakhstan) by:
monitoring the implementation by the board of the bank (the relevant executive body of a non-resident bank of the Republic of Kazakhstan the branch of which is opened in the territory of the Republic of Kazakhstan, the executive employees of a branch of a non-resident bank of the Republic of Kazakhstan) of the strategy and policies approved by the board of directors, decisions of the general meeting of shareholders;
approval of internal documents regulating the activities of the bank's board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened in the territory of the Republic of Kazakhstan, executives of a branch of a non-resident bank of the Republic of Kazakhstan) in accordance with the Rules;
ensuring the implementation of an internal control system;
holding regular meetings with members of the bank's board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened in the territory of the Republic of Kazakhstan, and executives of the branch of a non-resident bank of the Republic of Kazakhstan);
conducting an analysis and critical assessment of the information provided by the board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened in the territory of the Republic of Kazakhstan, the executive employees of the branch of a non-resident bank of the Republic of Kazakhstan);
establishment of the necessary performance standards and remuneration system for members of the board (the relevant executive body of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened in the territory of the Republic of Kazakhstan, executive employees of a branch of a non-resident bank of the Republic of Kazakhstan), which correspond to the long-term goals defined by the bank’s strategy and aimed at financial stability;
16) interaction and control over the work of the head of risk management (the head of risk management of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan);
17) periodic (at least once a year) assessment of the activities of each member of the board of directors of the bank;
18) ensuring that records of decisions taken are kept (minutes of meetings, brief information on the issues considered, recommendations, if any, as well as special opinions of members of the board of directors of the bank). Such documents and/or materials shall be provided to the authorized body upon request in accordance with the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations;
19) ensuring a developed information technology infrastructure to collect and analyze complete, reliable, timely information for risk management purposes. Awareness of the existence of limitations in the information technology infrastructure for determining risk appetite levels;
20) deciding on issuing a loan, the amount of which exceeds 5 (five) percent of the bank’s equity capital based on an analysis and assessment of the feasibility of issuing the loan;
21) making a decision on issuing an unsecured consumer loan, the amount of which exceeds 20,000,000 (twenty million) tenge based on an analysis and assessment of the feasibility of issuing a bank loan. This paragraph shall not include cases of issuing an unsecured consumer loan when refinancing mortgage loans.
The requirements specified in paragraph five of subparagraph 5) and paragraphs four, twenty-one and twenty-two of subparagraph 6) of part one of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that have sustainable development strategies and policies and publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 21 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
22. The composition of the board of directors of the bank and qualification requirements for its members shall meet the following requirements:
1) the composition of the board of directors of the bank and its powers shall be sufficient to exercise effective control;
2) the board of directors of the bank shall consist of executives with the necessary qualifications, impeccable business reputation and experience, all of which shall be sufficient for the general management of the bank, in accordance with the chosen business model, scale of activity, type and complexity of operations;
3) members of the board of directors of the bank shall be focused on interaction, cooperation and critical discussion in the decision-making process;
4) members of the board of directors of the bank shall conscientiously fulfill their duties and make decisions, minimize conflicts of interest.
23. In order to increase efficiency and enable more detailed work in certain areas of the bank’s activities, and based on the selected business model, scale of operations, types and complexity of operations, and risk profile, the board of directors of the bank shall create special committees under the board of directors of the bank.
Each committee shall carry out its activities within the framework of a document defining its powers, competence, as well as principles of work, the internal procedure for submitting reports to the board of directors of the bank, the tasks facing the members of the committee and restrictions on the duration of work of members of the board of directors of the bank in the committee. The board of directors of the bank shall provide for periodic rotation of members (with the exception of experts) of such committees in order to avoid concentration of powers and to promote new views.
The committees shall keep records of decisions made (minutes of meetings, brief information on the issues discussed, recommendations, if any, as well as special opinions of committee members). The chairman of the committee under the board of directors shall be a member of the board of directors who is not a head or member of the executive body.
24. As part of the risk management system, the committees of the board of directors of the bank shall consider the following issues:
1) strategic planning;
2) personnel and remuneration;
3) audit;
4) risk management;
5) sustainable development and management of environmental and social risks;
6) other issues provided for by the internal documents of the bank.
The consideration of the listed issues shall be carried out by one or several committees of the board of directors of the bank, except for audit issues, which shall be considered by a separate committee of the board of directors.
The requirement specified in subparagraph 5) of part one of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 24 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
25. The main requirements for the composition of the audit committee:
1) the audit committee shall include only members of the board of directors of the bank;
2) the chairman of the audit committee shall be an independent director of the bank;
3) the audit committee shall include at least one member of the board of directors of the bank with experience in the field of audit and (or) accounting and financial reporting and (or) risk management.
26. The audit committee shall be responsible for:
1) ensuring the development of an internal audit policy, code of ethics for the internal auditor, the provisions of the internal audit unit, internal audit procedures and the management information system in accordance with the requirements established by Chapter 12 of the Rules for further submission for approval by the board of directors of the bank;
2) interaction with the external auditor on the quality of the information provided on the activities of the bank, consideration of the recommendations of external auditors, monitoring the elimination of identified comments, as well as reviewing the annual financial statements certified by the audit organization for further submission for preliminary approval by the board of directors of the bank;
3) ensuring the development of policies (procedures) for attracting an external auditor for further submission for approval by the board of directors of the bank, including determining:
criteria and conditions for the selection of an external auditor;
payment systems for the audit of financial statements, as well as for the provision of advisory services to the bank on audit matters;
4) consideration of the amount of payment for the services of an external auditor;
5) preliminary review of the annual internal audit plan;
6) preliminary consideration of the results of internal and external audit reports, monitoring the timely implementation by the bank's board of actions to eliminate violations and the implementation of recommendations of internal and external audit, discrepancies between the bank's activities and the policy of the bank, the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, and international financial reporting standards;
7) consideration of acts of inspections of the authorized body and opinions of other experts regarding the structure and effectiveness of the overall risk management system and internal control at the bank;
8) consideration of the results of evaluating the effectiveness of internal audit.
27. The main requirements for the composition of the risk management committee:
1) the chairman of the risk management committee shall be an independent director of the bank, or the chairman of the board of directors;
2) the composition shall include at least one member of the bank committee with experience in the field of risk management or internal control.
28. The Risk Management Committee shall be responsible for:
1) ensuring the development of a risk appetite strategy, determining the risk profile of a bank;
2) determination of the size of the aggregated level(s) of the bank’s risk appetite and the bank’s risk appetite levels for each significant type of risk for further submission for approval by the board of directors of the bank;
3) ensuring the development of a document regulating the basic approaches and principles of ICAAP, taking into account the requirements established by Chapter 5 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;
4) ensuring the development of a document regulating the basic approaches and principles of the ILAAP, taking into account the requirements established by Chapter 6 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring compliance with the approved document;
5) ensuring the development of stress testing procedures and stress testing scenarios for further submission for approval by the board of directors of the bank;
6) ensuring the development of a bank continuity management policy, taking into account the requirements established by Chapter 7 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring the bank's compliance with the policy specified in this subparagraph;
7) ensuring the development of a contingency financing plan for further submission to the board of directors of the bank for approval;
8) ensuring the development of a policy for risk management of information technology and information security of the bank to meet the requirements established by Chapter 8 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring the bank's compliance with the policies (policy) specified in this subparagraph;
9) ensuring the development of a compliance risk management policy, taking into account the requirements established by Chapter 9 of the Rules, for further submission for approval by the board of directors of the bank and for monitoring the bank's compliance with the policy specified in this subparagraph;
10) ensuring the development of an internal procedure that shall determine the functioning of the management information system, which ensures that the board of directors of the bank is provided on a regular basis with complete, reliable and timely information about the level of risks taken. The procedure described in this subparagraph shall include the criteria, composition, frequency of formation and form of submission to the board of directors of the bank of management information on the level of risks taken by the bank and its subsidiaries, indicating the structural units and bank agencies responsible for the timely preparation and submission of information to the board of directors of the bank. The management reporting forms contain information taking into account the requirements established by Chapters 5, 6, 7, 8 and 9 of the Rules, as well as information:
according to the results of stress testing and other tools for assessing and identifying the interconnectedness of bank risks among themselves;
by assessing the impact of risks on the financial condition of the bank, including assessing changes in income and expenses of the bank, assessing the size and sufficiency of equity, identifying the main factors and causes that caused the changes and affecting key performance indicators;
11) monitoring the observance by the bank board of risk appetite levels;
12) the availability of internal models and information systems for risk management of the bank, as well as in order to provide complete, reliable and timely financial, regulatory and managerial information;
13) consideration of the results of assessing the quality and effectiveness of the functioning of the risk management and internal control systems, corporate governance in general, aimed at ensuring the protection of the bank and its reputation for further submission for approval by the board of directors of the bank.
The Risk Management Committee shall regularly receive the data and reports from the risk management unit(s) and other responsible departments on the current risk level of the bank, violations of risk appetite levels and risk mitigation mechanisms.
29. The main requirements for the composition of the committee on personnel and remuneration:
1) the chairman of the personnel and remuneration committee shall be an independent member of the board of directors of the bank;
2) the committee on personnel and remuneration shall include at least one member of the committee with experience in the field of personnel management.
30. The Personnel and Remuneration Committee shall be responsible for ensuring the development of:
1) taking into account the minimization of conflicts of interest, the draft organizational structure of the bank for further approval by the board of directors of the bank;
2) procedures for managing conflicts of interest and mechanisms for its implementation for further approval by the relevant body of the bank;
3) policies on remuneration, calculation of monetary rewards, as well as other types of material incentives for the bank’s executive employees for further submission for approval by the board of directors of the bank in accordance with the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated February 24, 2012 №. 74 "On establishing Requirements for internal policy on remuneration, calculation of monetary rewards, as well as other types of material incentives for executive employees of a bank, insurance (reinsurance) organization, insurance broker, the branch of a non-resident bank of the Republic of Kazakhstan, branch of a non-resident insurance (reinsurance) organization of the Republic of Kazakhstan, the branch of an insurance broker - non-resident of the Republic of Kazakhstan", registered in the Register of State Registration of normative Legal Acts under №. 7525.
The size of the reward shall directly depend on the risk-to-result ratio. Methods of paying remuneration against future income, the timing and probability of receipt of which are uncertain, shall be carefully weighed based on accepted qualitative and quantitative indicators. The remuneration system shall provide for the possibility of changing the amount of non-fixed remuneration taking into account all risks, including violations of risk appetite limits, internal procedures or requirements of the authorized body.
Footnote. Paragraph 30 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 30.12.2021 №. 110 (shall come into effect from January 1, 2022).
31. The main requirements for the composition of the strategic planning committee are:
1) the chairman of the strategic planning committee shall be an independent member of the board of directors of the bank;
2) the composition of the strategic planning committee shall include at least one member of the committee who has experience in one of the following areas:
development of information technology;
development and provision of banking services;
risk management;
budget planning.
32. The Strategic Planning Committee shall be responsible for the preliminary review of:
1) the draft on the strategy of the bank for further submission for approval by the board of directors of the bank, as well as for monitoring the implementation of the strategy and assessing the compliance of the strategy of the bank with the current market and economic situation, risk profile and financial potential, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;
2) the draft budget of the bank for the corresponding year for further submission for approval by the board of directors of the bank, as well as for exercising control over its implementation;
3) the draft of bank profitability management policy for further submission for approval by the board of directors of the bank, as well as monitoring and controlling compliance by the bank and its employees with this policy;
4) the documents submitted for consideration by the board of directors of the bank containing information on the implementation of the strategy, development plans, achievement of target values of the strategic key indicators of the bank.
33. The board of the bank shall manage the bank's current activities in accordance with the selected business model, scale of activities, types and complexity of operations, risk profile, and internal documents approved by the board of directors of the bank. The board of the bank shall be responsible for:
1) ensuring the implementation of the bank’s strategy, compliance with the procedures, processes and policies approved by the board of directors of the bank;
2) development of a draft strategy of the bank for subsequent submission for approval to the board of directors of the bank, as well as monitoring the implementation of the strategy and assessing the compliance of the bank's strategy with the current market and economic situation, risk profile and financial potential, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;
3) development of a draft budget of the bank for the relevant year for subsequent submission for approval by the board of directors of the bank;
4) development of a draft policy for managing the bank’s profitability for subsequent submission for approval by the board of directors of the bank, as well as monitoring compliance by the bank and its employees with the said policy;
5) development of an internal procedure determining the dissemination of the strategy, policies and other internal documents of the bank within 10 (ten) working days from the date of approval and/or introduction of amendments and additions to them to the bank employees in the areas of activity assigned to it, and for monitoring the compliance of the bank and its employees with the requirements of the Rules;
6) development of the bank’s personnel policy for further approval by the board of directors of the bank, as well as monitoring its compliance with the bank’s strategy, organizational structure, risk profile, achieved results and requirements of the labor and banking legislation of the Republic of Kazakhstan, and the legislation of the Republic of Kazakhstan on joint-stock companies.
The HR policy shall establish standards, conditions and mechanisms that ensure the involvement of competent management personnel in banking activities and ensure the following:
availability of personnel with the necessary experience, qualifications and impeccable business reputation, capable of managing the processes and risks associated with the activities of the bank;
maintaining diversity in the workforce, including gender, ethnicity and age across key employee categories;
creating working conditions that promote health and safety in the workplace, including emergency response training, first aid and fire safety training, and safe office buildings;
maintaining sufficient resources to effectively carry out functions and responsibilities;
minimizing conflicts of interest in the performance of their duties;
minimizing the risk of concentration of powers on one employee;
internal procedure for remuneration of employees, including the procedure for payment of remuneration, as well as other types of material incentives;
conducting an assessment of the performance of bank employees;
7) development of a tariff policy for subsequent submission for approval to the board of directors, as well as monitoring compliance by the bank and its employees with the tariff policy;
8) development of the bank’s credit policy for further submission to the risk management committee and approval by the board of directors of the bank;
9) approval of a plan(s) to ensure continuity and/or restoration of activities;
10) providing the board of directors of the bank with the necessary information to monitor and evaluate the quality of the board’s work in accordance with the established internal documents of the bank and the Rules, which include:
achievement by the bank's management of the goals set in the bank's strategy, indicating, if any, the reasons preventing their achievement;
compliance of the bank's activities with the strategy and policies approved by the board of directors of the bank;
the results of the bank's activities and its financial position, including information on the stability (volatility) of the bank's profitability;
non-compliance of the bank's decisions with the procedures, processes and policies approved by the board of directors of the bank;
exceeding the approved risk appetite levels and the reasons for their violation;
information on the timeliness, completeness and quality of the bank’s management’s elimination of violations and deficiencies identified by the compliance control, risk management, internal control, internal audit, and external audit and authorized body departments, as well as the implementation of their recommendations;
information on the status of internal control, in terms of timely detection of incorrect, incomplete or unauthorized transactions, deficiencies in asset safety activities, errors in the preparation of financial and regulatory reports, violations of the bank's internal documents, requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as the exclusion of conflicts of interest and internal abuse and fraud, including in relation to persons associated with the bank by special relations;
11) development of an internal procedure for considering customer requests arising in the process of providing banking services, as well as for monitoring the bank's compliance with the requirements specified in this subparagraph. The internal procedure for considering customer requests shall take into account the requirements of the banking legislation of the Republic of Kazakhstan and determine:
procedures for handling customer complaints (applications), including the receipt, initial processing, registration of requests received by the bank, and responses to customer requests;
a structural division of a bank responsible for maintaining records of customer requests;
procedures for communicating (transferring) received requests to the responsible structural divisions or employees who will be tasked with processing and preparing a response to the client’s request;
deadlines for the timely processing of customer requests and preparation of responses to customer requests;
internal procedure for interaction between structural divisions of the bank when considering customer requests and preparing responses to customer requests;
internal order and procedures for maintaining the classifier of incoming requests from bank clients;
12) development of a procedure and/or internal procedure for refusing to carry out transactions that have a high risk of ML/FT, as well as termination of business relations with a client, taking into account the inherent risk factors;
13) development and implementation of a set of policies for managing environmental and social risks;
14) development of procedures for disclosure of information on sustainable development (ESG);
15) development of procedures and/or internal procedures for making decisions on the acceptability of environmental and social risks in important and high-risk projects before concluding a bank loan agreement;
16) development of procedures and/or internal procedures for refusing to carry out loan transactions that have high environmental and social risks;
17) development and implementation of the bank’s sustainable development policy;
18) development of data collection systems and creation of statistics on environmental and social risk management to generate information on sustainable development (ESG);
19) development and implementation of procedures and/or internal procedures for the introduction of sustainable development principles in the bank;
20) ensuring timely and reliable disclosure of information on sustainable development (ESG).
The relevant executive body of a non-resident bank of the Republic of Kazakhstan shall be responsible for:
1) development of a draft strategy for a branch of a non-resident bank of the Republic of Kazakhstan for subsequent submission for approval by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
2) development of a draft budget of a branch of a non-resident bank of the Republic of Kazakhstan for the relevant year for subsequent submission for approval by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
3) development of a draft policy for managing the profitability of a branch of a non-resident bank of the Republic of Kazakhstan for subsequent submission for approval by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
4) development of an internal procedure determining the dissemination of the strategy, policies and other internal documents of a non-resident bank of the Republic of Kazakhstan within 10 (ten) working days from the date of approval and/or introduction of amendments and additions to them to the employees of the branch of a non-resident bank of the Republic of Kazakhstan in the areas of activity assigned to it;
5) development of the personnel policy of the branch of a non-resident bank of the Republic of Kazakhstan for further approval by the relevant management body of the non-resident bank of the Republic of Kazakhstan. The personnel policy shall establish standards, conditions and mechanisms that ensure the involvement of competent management personnel in banking activities and ensure the following:
availability of personnel with the necessary experience, qualifications and impeccable business reputation, capable of managing the processes and risks associated with the activities of a branch of a non-resident bank of the Republic of Kazakhstan;
maintaining diversity in the workforce, including gender, ethnicity and age across key employee categories;
creating working conditions that promote health and safety in the workplace, including emergency response training, first aid and fire safety training, and safe office buildings;
maintaining sufficient resources to effectively carry out functions and responsibilities;
minimizing conflicts of interest in the performance of their duties;
minimizing the risk of concentration of powers on one employee;
the internal procedure for remuneration of employees of a branch of a non-resident bank of the Republic of Kazakhstan, including the procedure for paying remuneration, as well as other types of material incentives;
conducting an assessment of the performance of employees of a branch of a non-resident bank of the Republic of Kazakhstan;
6) development of a tariff policy for subsequent submission for approval to the relevant governing body of a non-resident bank of the Republic of Kazakhstan;
7) development of a credit policy for a branch of a non-resident bank of the Republic of Kazakhstan for further submission for consideration by the risk management committee and approval by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
8) approval of a plan(s) to ensure continuity and/or restoration of the activities of a branch of a non-resident bank of the Republic of Kazakhstan;
9) development of an internal procedure for considering customer requests arising in the process of providing banking services by a branch of a non-resident bank of the Republic of Kazakhstan. The internal procedure for considering customer requests shall take into account the requirements of the banking legislation of the Republic of Kazakhstan and determine:
procedures for handling complaints (applications) from clients, including the receipt, initial processing, registration of requests received by a branch of a non-resident bank of the Republic of Kazakhstan, and responses to requests from clients;
a structural subdivision of a branch of a non-resident bank of the Republic of Kazakhstan, responsible for maintaining records on customer requests;
procedures for communicating (transferring) received requests to the responsible structural divisions or employees who will be tasked with processing and preparing a response to the client’s request;
deadlines for timely processing of customer requests and preparation of responses to customer requests;
internal procedure for interaction between structural divisions of a branch of a non-resident bank of the Republic of Kazakhstan when considering customer requests and preparing responses to customer requests;
internal order and procedures for maintaining the classifier of incoming requests from clients of a branch of a non-resident bank of the Republic of Kazakhstan;
10) development of a procedure and/or internal procedure for refusing to carry out transactions that have a high risk of ML/FT, as well as termination of business relations with a client, taking into account the inherent risk factors;
11) development and implementation of a set of policies for managing environmental and social risks;
12) development of procedures for disclosure of information on sustainable development (ESG);
13) development of procedures and/or internal procedures for making decisions on the acceptability of environmental and social risks in important and high-risk projects before concluding a bank loan agreement;
14) development of procedures and/or internal procedures for refusing to carry out loan transactions that have high environmental and social risks;
15) development and implementation of the sustainable development policy of a non-resident bank of the Republic of Kazakhstan;
16) development of systems for collecting statistical data on environmental and social risk management and the generation of information on sustainable development (ESG);
17) development and implementation of procedures and/or internal procedures for the introduction of sustainable development principles in the bank;
18) ensuring timely and reliable disclosure of information on sustainable development (ESG).
The executives of the branch of a non-resident bank of the Republic of Kazakhstan shall manage the current activities of the branch of a non-resident bank of the Republic of Kazakhstan in accordance with the selected business model, scale of activity, types and complexity of operations, risk profile and internal documents approved by the relevant management body of the non-resident bank of the Republic of Kazakhstan, and shall be responsible for:
1) ensuring the implementation of the strategy of the branch of a non-resident bank of the Republic of Kazakhstan, compliance with the procedures, processes and policies approved by the non-resident bank of the Republic of Kazakhstan;
2) monitoring the implementation of the strategy and assessing the compliance of the strategy of a branch of a non-resident bank of the Republic of Kazakhstan with the current market and economic situation, risk profile and financial potential, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism;
3) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan and its employees with the policy for managing the profitability of a branch of a non-resident bank of the Republic of Kazakhstan;
4) monitoring the compliance of the personnel policy of the branch of a non-resident bank of the Republic of Kazakhstan with the strategy, organizational structure, risk profile of the branch of a non-resident bank of the Republic of Kazakhstan, the results achieved and the requirements of the labor and banking legislation of the Republic of Kazakhstan;
5) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan and its employees with the tariff policy;
6) provision to the relevant management body of a non-resident bank of the Republic of Kazakhstan of the necessary information for monitoring and assessing the quality of work of the executives of the branch of a non-resident bank of the Republic of Kazakhstan in accordance with the established internal documents of the non-resident bank of the Republic of Kazakhstan and the Rules, which shall include:
achievement by the management of the branch of a non-resident bank of the Republic of Kazakhstan of the goals established in the strategy of the branch of a non-resident bank of the Republic of Kazakhstan, indicating, if any, the reasons preventing their achievement;
compliance of the activities of the branch of a non-resident bank of the Republic of Kazakhstan with the strategy and policies approved by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
the results of the activities of a branch of a non-resident bank of the Republic of Kazakhstan and its financial position, including information on the stability (volatility) of the profitability of a branch of a non-resident bank of the Republic of Kazakhstan;
non-compliance of decisions taken by a branch of a non-resident bank of the Republic of Kazakhstan with the procedures, processes and policies approved by the relevant governing body of the non-resident bank of the Republic of Kazakhstan;
exceeding the approved risk appetite levels and the reasons for their violation;
information on the timeliness, completeness and quality of the elimination by the management of the branch of a non-resident bank of the Republic of Kazakhstan of violations and deficiencies identified by the departments of compliance control, risk management, internal control, internal audit, external audit and the authorized body, as well as the implementation of their recommendations;
information on the state of internal control in terms of timely detection of incorrect, incomplete or unauthorized transactions, deficiencies in activities to ensure the safety of assets, errors in the formation of reports based on the accounting data of a branch of a non-resident bank of the Republic of Kazakhstan and regulatory reporting, violations of internal documents of a branch of a non-resident bank of the Republic of Kazakhstan, requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, as well as the elimination of conflicts of interest and internal abuse and fraud, including in relation to persons associated with the branch of a non-resident bank of the Republic of Kazakhstan by special relations;
7) monitoring compliance by a branch of a non-resident bank of the Republic of Kazakhstan with the requirements of the internal procedure for considering customer requests arising in the process of providing banking services.
The relevant executive body of a non-resident bank of the Republic of Kazakhstan shall be responsible for the proper performance of duties delegated to collegial bodies or employees of a non-resident bank of the Republic of Kazakhstan, including employees of a branch of a non-resident bank of the Republic of Kazakhstan within the framework of the approved organizational structure of a non-resident bank of the Republic of Kazakhstan and a branch of a non-resident bank of the Republic of Kazakhstan.
The board of the bank shall be responsible for the proper performance of duties delegated to collegial bodies or bank employees within the framework of the approved organizational structure of the bank.
The requirements specified in subparagraphs 13), 14), 15), 16), 17), 18), 19) and 20) of part one and subparagraphs 11), 12), 13), 14), 15), 16), 17) and 18) of part two of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, applying to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 33 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
34. The board of directors of the bank shall ensure the existence of a risk management unit(s), supervised and/or headed by a head of risk management who has sufficient authority, independence and resources, and who interacts with the board of directors.
The risk management unit(s) shall perform, but not be limited to, the following functions:
1) development of a risk management system, including risk management policies and procedures, risk appetite strategy and determination of risk appetite levels;
1-1) development of a system for managing environmental and social risks in accordance with Chapter 10-1 of the Rules;
2) identification of significant current and potential risks inherent in the activities of the bank, including through supervisory stress testing for banks included in the supervisory stress testing perimeter and internal stress testing;
3) risk assessment and determination of the aggregated level(s) of risk appetite;
4) development of risk appetite levels for subsequent consideration by the risk management committee and approval by the board of directors of the bank, monitoring of compliance with risk appetite levels;
5) development of early warning systems and triggers aimed at identifying violations of risk appetite levels;
6) provision of management reports to the management board, risk management committee and board of directors of the bank;
7) ensuring the implementation of a comprehensive environmental and social risk assessment (ESDD);
8) analysis of the results of the integrated environmental and social risk assessment (ESDD), including verification of compliance with requirements and risk categorization;
9) consideration of projects with medium or high levels of environmental and social risks or their transfer to the board or executive body of a non-resident bank of the Republic of Kazakhstan for consideration for a final decision.
The provisions of subparagraphs 1) and 4) of part two of this paragraph in terms of development and subsequent submission for consideration by the risk management committee, approval by the board of directors of the bank of risk appetite levels, as well as subparagraph 5) of part two of this paragraph shall not apply to a branch of a non-resident bank of the Republic of Kazakhstan.
The requirements specified in subparagraphs 1-1), 7), 8) and 9) of part two of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 34 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
34-1. The board of directors of the bank shall ensure the existence of a division and/or an authorized person for sustainable development, supervised by a member of the board of the bank and/or a chief sustainability officer.
The sustainable development unit and/or the designated person responsible for sustainable development shall perform, but not be limited to, the following functions:
1) implementation of sustainable development practices (ESG) and approaches in the activities of the bank;
2) development of internal documents on ESG, except for documents on managing environmental and social risks when lending to clients, and the bank’s environmental and social risk management system;
3) provision of information on sustainable development (ESG) to the bank’s management and board of directors upon request;
4) organizing regular training for bank employees on issues of sustainable development, environmental and social risks, as well as regularly updating the content of all trainings related to sustainable development;
5) coordination of the preparation of the report on sustainable development (ESG).
The requirements specified in part two of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. The Rules are supplemented by paragraph 34-1 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect on 01.07.2025).
35. The qualifications and professional experience of the head of risk management shall correspond to the chosen business model, the scale of activity, types and complexity of operations, and risk profile. The independence of the head of risk management shall be determined by:
1) regardless of submission, the head of risk management shall be appointed and released from the post by the board of directors of the bank;
2) shall have unhindered access to the board of directors of the bank, without the participation of the board;
3) shall have access to any information necessary to fulfill his duties;
4) shall not combine the position of the chief operating director, financial director, other similar functions of the bank’s operational activities (except for underwriting, collateral service), the head of the internal audit unit.
The interaction between the head of risk management and the board of directors and (or) the risk management committee shall be carried out on a regular basis. Information on the decision to release the head of risk management from the post shall be passed to the authorized body. At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for this decision.
36. Identification, measurement, monitoring and control of risks shall be carried out on an ongoing basis at all levels of the bank's management. Improvement of the risk management and internal control system shall be carried out in accordance with the change in the risk profile of the bank, as well as taking into account changes in the external environment.
The bank shall identify all significant risks inherent in the bank's activities (including risks on balance sheet and off-balance sheet transactions, by groups, portfolios and certain types of activities of business units). In order to effectively manage significant risks, the board of directors of the bank, the risk management committee and the head of risk management shall regularly assess the risks inherent in the bank’s activities and maintain the relevance of the bank’s risk profile. The risk assessment procedure includes a continuous analysis of current risks, as well as identification of new and potential risks. When assessing risks, the bank shall take into account the degree of concentration of significant risks.
When identifying and measuring risks, both quantitative and qualitative parameters shall be taken into account. The bank shall also consider risks that are difficult to assess, for example, reputational and legal risks.
In addition to identifying and measuring risk exposure, the risk management unit shall evaluate possible ways to reduce risks and point out the need to reduce the level of risk. In cases where a decision is made to take a risk that exceeds the established risk appetite levels, the head of risk management shall submit a report on such an exception to the board of directors with a proper analysis of the reasons for the excess and subsequently monitor the reduction of the level of accepted risk within the risk management system and level established by it.
The head of risk management shall inform the board of directors of the bank of the existence of significant discrepancies between the opinion of the risk management unit and the decision of the board of the bank regarding the level of risks taken by the bank.
Regular reporting on risk issues, including risk management policies and procedures, within the bank shall be a key factor in a high risk management culture. The risk management culture shall facilitate the full exchange of risk information and call for an open discussion and critical assessment of issues related to risk taking by employees, the board and the board of directors of the bank.
Significant information on issues related to risks requiring immediate decision-making or urgent measures shall be urgently passed to the board of directors of the bank, the risk management committee and, if necessary, the board of the bank, responsible officials and heads of control units for preventive measures.
The bank shall exclude the creation of closed groups within separate units that impede the effective exchange of information on risks and lead to decision making by authorized bodies of the bank without taking into account the opinion (expertise) of the bank's units involved. In order to overcome the problems associated with the exchange of information, the board of directors, the management board and units of the bank that exercise control shall ensure the effectiveness of the internal communications system and, if necessary, make appropriate changes.
37. The Bank shall ensure the existence of an internal control system that is consistent with the current market situation, strategy, volume of assets, and level of complexity of the bank's operations. The internal control system shall be aimed at achieving the following goals:
1) ensuring the effectiveness of the bank, including the effectiveness of managing risks, assets and liabilities, ensuring the safety of assets;
2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users;
3) ensuring information security;
4) ensuring that the bank complies with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies, on internal documents of the bank.
Within the framework of internal control, the examination shall be carried out of the bank's processes for carrying out activities for compliance with internal policies and procedures, as well as the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension security, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activity, the mandatory guarantee of deposits, on counteraction to legalization (laundering) of proceeds from crime and terrorist financing, on the joint stock companies. The bank shall have reliable internal and external information in order to manage risks, make strategic business decisions and determine the adequacy of equity and liquidity. The board of directors of the bank and the relevant committees of the board of directors of the bank shall make decisions related to the adoption of risks based on high-quality, relevant and reliable data.
Risk measurement and modeling methods shall be used in addition to qualitative risk analysis and monitoring. The head of risk management shall inform the board of directors of the bank and the risk management committee about the methods used and potential shortcomings of risk management models and analytical approaches in the bank.
Chapter 5. Internal Capital Adequacy Assessment Process
38. The board of directors of the bank shall approve an internal document of the bank that regulates the main approaches and principles of the ICAAP and contains the following sections:
1) description of the organizational structure of ICAAP;
2) description of the risk appetite strategy;
3) organization of credit, market, operational risk management within the framework of ICAAP;
4) organization of stress testing procedures;
5) organization of risk management procedures in the framework of new products and activities;
6) organization of self-assessment procedures for the internal capital adequacy assessment process.
39. ICAAP shall be an integral part of the management of the bank and is created for:
1) the identification, assessment, aggregation and control of significant types of risk inherent in the activities of the bank, in order to determine the necessary level of capital sufficient to cover them, including:
credit risk;
market risk;
operational risk;
as well as other risks to which the bank is exposed;
2) capital planning, based on the strategy of the bank, the results of a comprehensive assessment of significant risks, stress testing of the bank’s financial stability in relation to internal and external risk factors, as well as requirements for the bank’s own capital adequacy established by Article 42 of the Law on Banking Activities.
40. The description of the organizational structure of the ICAAP shall contain a list of ICAAP participants indicating the responsibilities of the collegial bodies and units of the bank involved in the implementation of capital adequacy management processes, including:
1) the board of directors of the bank shall be responsible for managing capital adequacy for risk management purposes and determining the level(s) of risk appetite. The board of directors of the bank shall approve a report on compliance with ICAAP and ILAAP, including information on maintaining the required level of capital adequacy, no later than April 30 of the year following the reporting year;
2) the risk management committee shall be responsible for developing risk management policies and procedures in the field of capital management within the framework of the risk appetite level established by the board of directors of the bank. The risk management committee shall periodically notify the board of directors of the bank of significant changes in capital levels;
3) the unit (units) of the person entrusted with the functions of internal control, shall check compliance with ICAAP procedures and bring the results to the attention of the board of directors of the bank;
4) unit (units) participating in the risk management process:
shall be responsible for the implementation of the capital adequacy management process;
shall be responsible for preparing a report on compliance with the ICAAP and ILAAP in accordance with the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules. The bank shall ensure the availability of supporting documents for the report on compliance with ICAAP and ILAAP, which shall include, but not be limited to, calculations, models used, explanatory notes, analytical reports, self-assessment results, assessment of the effectiveness of ICAAP and results of verification of compliance with ICAAP procedures;
shall be responsible for preparing the stress testing;
5) the unit responsible for budget development and planning shall carry out investment planning and budget development for all areas of the activities of the bank;
6) the capital management unit (units) shall develop and implement measures to increase the level of capitalization and develop, together with interested units, a capital financing plan;
7) the internal audit unit shall evaluate the effectiveness of the ICAAP.
As part of the ICAAP, the board of directors of the bank shall be responsible for compliance with the approved risk appetite strategy developed in accordance with Chapter 3 of the Rules.
Footnote. Paragraph 40 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 29.12.2022 № 119 (shall come into effect ten calendar days after the day of its first official publication).
41. The bank shall ensure that there is an effective credit risk management system that corresponds to the current market situation, strategy, volume of assets, level of complexity of the bank’s operations and ensures effective identification, measurement, monitoring and control of the bank’s credit risk to ensure the adequacy of equity capital to cover it, and shall include, but not be limited to, the following components:
1) the internal procedure for carrying out transactions that involve credit risk and making appropriate decisions;
2) credit administration procedures;
3) credit risk assessment procedures;
4) credit monitoring;
5) management of collateral;
6) management of problem loans;
7) assessment of the effectiveness of the credit risk management system;
8) procedures for identifying environmental and social risks in the activities of the clients of the bank;
9) development of draft conditions or action plans in the event of identification of medium or high levels of environmental and social risks in the activities of a bank client when issuing a loan;
10) monitoring the bank client’s compliance with the terms and action plans established when issuing a loan in the presence of medium or high levels of environmental and social risks in the bank client’s activities.
The requirements specified in subparagraphs 8), 9) and 10) of part one of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 41 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
42. Within the framework of the credit risk management system, the bank shall be guided by the following principles and requirements:
1) the board of directors and the risk management committee of the bank shall ensure the following:
maintaining sufficient levels of provisions;
implementation of control over the credit risk assessment process, which shall be ensured by the following:
taking the necessary measures to ensure the completeness and reliability of information for decision-making purposes;
compliance with the requirements of the Civil Code of the Republic of Kazakhstan, the Code of the Republic of Kazakhstan "On Taxes and Other Mandatory Payments to the Budget (Tax Code)" (hereinafter referred to as the Tax Code), the Law on Banks, the Law of the Republic of Kazakhstan "On Accounting and Financial Reporting" (hereinafter referred to as the Law on Accounting and Financial Reporting), the Law of the Republic of Kazakhstan "On Credit Bureaus and the Formation of Credit Histories in the Republic of Kazakhstan", internal policies and procedures for credit risk management;
taking measures to ensure complete and reliable management, regulatory and financial reporting;
the existence of a loan assessment procedure independent of business units;
approval of an adequate system of classification of assets by level of credit risk, based on the use of all available information in the process of assessing loans;
the presence of detailed and fully regulated procedures for interaction between participants in the credit risk management process;
building an effective internal control system, including an assessment of the compliance of the level of provisions with expected losses within the framework of the approved methodology for forming provisions and the internal capital adequacy assessment process;
implementation of control over the process of assessing environmental and social risks, which shall be ensured by the following:
approval of the bank’s sustainable development strategy;
approval of a set of policies for managing environmental and social risks;
approval of the organizational structure of the bank to form and ensure the proper functioning of the environmental and social risk management system, as well as the distribution of relevant duties and responsibilities;
decision-making on environmental and social issues related to important financing projects (by "important financing projects" we mean deciding on issuing a loan and/or other financial instruments to a borrower, the amount of which exceeds 5 (five) percent of the bank’s equity capital) with a high level of environmental and social risks;
implementation of general control over the implementation of the strategy in the field of sustainable development, a set of policies for managing environmental and social risks, as well as compliance with the requirements related to the environmental and social risk management system;
ensuring access of the head of the sustainable finance unit and/or the chief sustainability officer to the board of directors to disclose information on sustainable development (ESG);
establishing internal limits on environmental and social risks for industries or sectors most exposed to environmental threats and defining limits for various environmentally friendly projects, industries or sectors;
1-1) The committee under the board of directors of the bank shall ensure the following:
preliminary approval of the bank's sustainable development strategy;
preliminary approval of a set of policies for managing environmental and social risks;
2) the bank shall carry out credit activities and manage credit risk within the framework of the approved credit policy, which shall include, but not be limited to, the following:
the main areas of the bank's lending activities;
participants in the credit process and their areas of responsibility;
internal procedure for making credit decisions, including the procedure for reviewing and approving loans, including in relation to lending to persons with special relationships with the bank, credit limits to limit the concentration of credit risk;
the procedure for analyzing the borrower's creditworthiness.
If the total amount of loans provided and contingent liabilities accepted by an individual exceeds 0.01 (zero point one hundredth) percent of the bank's equity capital, the amount of which is greater than 100 (one hundred) billion tenge, or exceeds 0.02 (zero point two hundredths) percent of the bank's equity capital, the amount of which is up to 100 (one hundred) billion tenge, the bank shall perform a creditworthiness analysis based on the following information and taking into account the following factors (but not be limited to them):
availability of a permanent and sufficient income of the borrower;
availability of real estate and other property;
the presence of loan debt, including to other creditors;
debt burden;
payment discipline (credit history) for loans;
borrower rating in the bank's scoring systems (if any);
the presence of other debt;
availability of other sources of repayment of debt to the bank;
balances and transactions on bank accounts;
information about education and employment (field of activity);
socio-demographic characteristics;
information on the intended use of funds;
additional information about the borrower's income.
If the total amount of loans provided and contingent liabilities accepted by an individual does not exceed 0.01 (zero point one hundredth) percent of the bank's equity capital, the amount of which is greater than 100 (one hundred) billion tenge, or does not exceed 0.02 (zero point two hundredths) percent of the bank's equity capital, the amount of which is up to 100 (one hundred) billion tenge, the bank shall carry out a creditworthiness analysis based on the following information and taking into account the following factors (but not be limited to them):
availability of a permanent and sufficient income of the borrower;
the presence of loan debt, including to other creditors;
debt burden;
payment discipline (credit history) for loans;
borrower rating in the bank's scoring systems (if any);
availability of other sources of repayment of debt to the bank;
balances and transactions on bank accounts;
information on education and employment;
socio-demographic characteristics;
information on the intended use of funds (if any).
If the total amount of loans provided and contingent liabilities to a legal entity exceeds 500 (five hundred) million tenge or 0.2 (zero point two) percent of the bank's equity capital, the bank shall conduct a creditworthiness analysis based on the following information and taking into account the following factors (but not be limited to):
analysis of financial statements and key financial ratios of legal entity borrowers (profitability, ratio of equity and debt, cash flow plan (except for cases of issuing loans to financial institutions, placing deposits in financial institutions, opening a credit line for a period of less than 6 (six) months), income level).
The financial statements of the borrower accepted for analysis (except for cases of financing in the form of overdrafts, credit cards, credit lines for a term of less than 6 (six) months), whose total liabilities to the bank exceed 0.2 (zero point two) percent of the bank's equity capital, shall meet the following requirements:
availability of three main reporting forms with breakdowns of accounts for material (significant) components of the balance sheet (more than 5 (five) percent of the balance sheet total) and/or profit and loss statement (more than 5 (five) percent of revenue). This requirement shall not apply to Joint-Stock Company "Samruk-Kazyna" National Welfare Fund, Joint-Stock Company "Baiterek" National Management Holding, public companies with a long-term credit rating on the international scale of Standard & Poor's, Moody's Investors Service or Fitch Ratings Inc. (Fitch Ratings), legal entities that are included in the consolidated financial statements of private international corporations (whose shares or participation interests are not listed on a stock exchange or international stock exchanges) or public international corporations, as well as in cases where there are audited financial statements certified by companies that meet the listing requirements of a stock exchange;
consistency between all forms of financial reporting;
the presence of signatures of the responsible (authorized) persons of the borrower on the provided financial statements.
If audited financial statements that comply with the listing requirements of the stock exchange are available, the audited financial statements shall be used in preference for all purposes, and reconciliation with the tax return shall not be required. Reconciliation with the tax return of the financial statements shall not be required for legal entities that are included in the consolidated financial statements of private international corporations (shares or participation interests of which are not listed on a stock exchange or international stock exchanges) or public international corporations.
From 1 January 2026, a tax return shall be required (if filing a tax return is required under the Tax Code) and there shall be no contradiction between the data from the tax return and the data from the financial statements used to assess impairment indicators and calculate cash flows to calculate provisions for the same period. Discrepancies between the indicators of financial and tax statements shall be allowed due to differences in accounting and tax accounting. In other cases, the reasons for significant discrepancies in data between the reporting forms shall be described in the conclusion of the bank's responsible division for the borrower and shall be considered by the bank's authorized collegial body.
The bank shall establish the materiality of discrepancies in internal documents. In the absence of established thresholds, material discrepancies shall include (but not be limited to) discrepancies in the amount of more than 30 (thirty) percent in terms of revenue, final financial result, and return on assets.
In the case of objective financial statements, the bank shall use the financial statements to assess the signs of impairment and calculate cash flows to calculate provisions.
In the absence of financial statements and/or tax returns (in cases where their submission is not required in accordance with the Tax Code and the Law on Accounting and Financial Reporting), information on the borrower's assets and other sources of income (bank account statements, confirmation of ownership of the relevant assets) shall be requested.
When assessing impairment indicators and impairment categories, it shall be allowed to use financial statements of borrowers, co-borrowers, guarantors and sureties in consolidated form.
To calculate the expected cash flows on a loan, it shall be allowed to consolidate the financial statements of the borrower (including those on the part of the bank) with the statements of persons (including those associated with the borrower) who have contractual obligations with the borrower to repay its debt in the event of its insolvency, as well as with the statements of persons who do not have such contractual obligations with the borrower if the assets of this person act as collateral for the obligations of the borrower.
If a bank issues a loan without complying with the requirements established by paragraphs thirty-three, thirty-four, thirty-five, thirty-six, thirty-eight, thirty-nine, forty-one, forty-two and forty-three of this subparagraph, all of the borrower’s obligations shall be classified as impaired assets under international financial reporting standards (hereinafter referred to as IFRS);
the presence of loan debt, including to other creditors;
payment discipline (credit history) for loans;
level of liquid assets;
debt burden;
availability of other sources of repayment of debt to the bank;
projected free cash flows;
assessment of the borrower's external environment (the state of the economy, industry, development prospects, diversification of production and sales markets, and characteristics of the borrower's operating activities, such as the borrower's market share in the relevant market, positioning of the borrower's product, geography of operations, business cyclicality, changes in consumer preferences, changes in technology, barriers to entry into the economic sector and other factors affecting the company's ability to generate income and maintain prices);
assessment of the quality of management (experience, competence, business reputation);
assessment of the borrower's owners;
the presence of facts of involvement in legal proceedings;
inclusion in the list of unreliable taxpayers.
If the total amount of loans provided and contingent liabilities to a legal entity does not exceed 500 (five hundred) million tenge or 0.2 (zero point two) percent of the bank's equity capital, the bank shall conduct a creditworthiness analysis based on the following information and taking into account the following factors (but not limited to):
availability of a permanent and sufficient income of the borrower;
the presence of loan debt, including to other creditors;
payment discipline (credit history) for loans;
debt burden;
availability of other sources of repayment of debt to the bank;
development prospects of the relevant industry.
Depending on the lending industry and the type of borrower, the set of quantitative and qualitative indicators shall change.
Concerning individuals and legal entities, the credit policy shall define cases (issuance of bank guarantees, letters of credit, bank guarantees issued under a bank counter-guarantee, as well as loans secured by highly liquid assets) in which the borrower's creditworthiness analysis shall not be applied. For banks that are subsidiaries of non-resident banks of the Republic of Kazakhstan, having a long-term credit rating in foreign currency of at least "A-" on the international scale of the Standard & Poor's agency or a rating of a similar level from one of the other rating agencies, it shall be allowed to use a creditworthiness analysis at the level of the borrower's parent organization or the organization that includes the borrower in the consolidated financial statements, conducted by the parent bank or an affiliated person concerning the bank, provided that the analysis shall be carried out no later than 12 (twelve) months from the date of the borrower's application;
internal procedure for making credit decisions regarding loan restructuring, which is based on the principles of validity, appropriateness and independence, and includes a description of the cases and conditions for loan restructuring. The bank shall determine the cases and types of restructuring in accordance with the requirements of the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated December 22, 2017 № 269 "On approval of the Rules for creating provisions (reserves) in accordance with international financial reporting standards and the requirements of the legislation of the Republic of Kazakhstan on accounting and financial reporting", registered in the State Register of Normative Legal Acts under № 16502 (hereinafter referred to as Resolution № 269).
The bank shall decide on restructuring loans for borrowers, taking into account the prospects for repaying the loan after restructuring.
The decision to carry out forced restructuring of loans, determined in accordance with the requirements of Resolution № 269 (for borrowers and/or a group of related borrowers, the total debt, including contingent liabilities, which exceeds 1 (one) percent of the bank's equity capital, the amount of which is above 100 (one hundred) billion tenge, or 2 (two) percent of the bank's equity capital, the amount of which is up to 100 (one hundred) billion tenge) shall be made by the board of directors of the bank or an authorized collegial body of the bank, which shall include the chairman of the board of directors of the bank. Information on the decisions taken shall be sent to the members of the board of directors of the bank quarterly;
acceptable methods of credit risk management, taking into account (but not limited to) the following factors:
own knowledge and experience in using the method;
economic efficiency;
type of borrower and/or counterparties, their financial status;
3) the bank shall carry out credit activities in accordance with internal documents regulating the execution of transactions that carry inherent credit risk, which shall include, but not be limited to, the following:
conditions for providing loans to individuals and legal entities (including persons connected with the bank by special relations and bank employees) for each type of lending, including requirements for potential borrowers and/or counterparties;
requirements for information of the borrower and/or counterparty, including financial and other information necessary for deciding on issuing a loan;
requirements for conducting an integrated environmental and social risk assessment (ESDD) in accordance with Chapter 10-1 of the Regulations;
an internal procedure for corporate lending, which provides for an analysis of the lending sector, the borrower's credit history, as well as a rating system based on quantitative and qualitative factors, allowing for a detailed assessment of the quality of loans;
the methodology of credit scoring or analysis of the solvency and creditworthiness of the borrower, based on quantitative and qualitative characteristics, and the internal procedure for its use;
establishing a minimum acceptable rating level (if any) at which a loan is issued;
internal order and procedures for approval, confirmation, analysis and monitoring of deviations from credit policies, standards, procedures, limits;
setting credit limits and/or interest rates on loans, taking into account the analysis of borrowers, including taking into account, if any, the ratings and/or scoring assessment of borrowers. Credit limits, including for unsecured loans, shall be set by currencies, industries, categories of borrowers (counterparties) (financial institutions, corporate, retail lending), products, groups of related parties and per borrower;
internal procedure for reviewing, approving applications for loans, making decisions on issuing (refusing to issue), including lending to persons connected with the bank by special relations;
internal procedure regarding collateral, determining:
types of collateral and criteria for their acceptability for individual bank products, including for deciding on the possibility of lending to a borrower;
requirements for the structure of collateral, depending on the type of collateral and the type of banking product;
limits on types of collateral depending on the type of products and the structure of the bank’s loan portfolio;
definition of liquid and highly liquid collateral;
the share of liquid collateral in the overall structure of security, a coefficient characterizing the ratio of the loan amount to the value of the collateral (the lowest value from the collateral assessment by the appraiser and employees of the pledge service department (if both are available) or the available assessment);
the share of highly liquid collateral in the overall structure of security, a coefficient characterizing the ratio of the loan amount to the value of the collateral (the lowest value from the collateral assessment by the appraiser and employees of the pledge service department (if both are available) or the available assessment);
requirements for inspecting collateral as part of the acceptance of collateral and the issuance of a loan, including the determination of requirements for the use of special technical means (a selective approach to inspecting part of mortgage lending shall be permitted, with the provision of an independent sample of at least 20 (twenty) percent of the total number of all collateral);
the procedure for monitoring and working with collateral, establishing requirements depending on the type of collateral;
requirements for revaluation of collateral;
procedures to ensure the legal validity of collateral, including requirements for registration of collateral depending on the type of collateral and the type of bank product;
prompt assessment of the adequacy of collateral, taking into account changes in the borrower’s production performance indicators, the cost and safety of the collateral, including its exposure to other circumstances that significantly affect its assessment;
procedures for the sale of collateral, depending on the collateral and the type of bank product, including deadlines for sale and collection;
objectivity (adequacy) of the assessment of the value of collateral by appraisers, except for the case when the total amount of loans provided and contingent liabilities to the borrower shall not exceed 0.1 (zero point one) percent of the bank's equity capital and the object of the assessment is real estate in cities of national significance and in cities that are regional centers;
requirements for establishing discounts concerning the value of the collateral determined by the appraiser, depending on various parameters (incorrect approach to the assessment, affiliation between the appraiser and the borrower, affiliation between the appraiser and the bank, including employees of the collateral service) and the liquidity of the collateral.
When deciding on issuing a loan, the collateral for which is real estate and intangible assets (subsoil use rights), the bank shall consider the results of the assessment. If the market value determined on the date of the last assessment by the appraiser is more than 100,000 (one hundred thousand) monthly calculation indices, for subsoil use rights more than 500,000 (five hundred thousand) monthly calculation indices, the bank shall ensure (at least once a year) that the collateral is assessed by the appraiser.
The bank shall ensure registration of collateral regardless of its type with the authorized registration body in the event of the presence of signs of a significant increase in credit risk in accordance with IFRS, as well as the requirements of Resolution № 269 for collateral, the market value of which on the date of the last assessment by the appraiser is more than 100,000 (one hundred thousand) monthly calculation indices, for subsoil use rights - more than 500,000 (five hundred thousand) monthly calculation indices.
The internal procedure for assessing the objectivity (adequacy) of the valuation of collateral by bank employees shall ensure, but not be limited to, the use of correct approaches to assessment, including a clear formalization of requirements for acceptable approaches to assessment when forming the bank’s internal assessment, namely:
within the framework of this approach, the procedure for applying various assessment approaches depending on the type of collateral is established;
in the case of the use of expert assessments in assessing the value of collateral, a regulated process is ensured, indicating the limits for the use of such assessments;
within the framework of the income approach, in case of negative operating cash flows or negative EBITDA (earnings before interest, taxes, depreciation and amortization) for the facility for the last 4 (four) quarters or the completed calendar year, the application of the discounted cash flow approach shall not be permitted. This requirement shall not apply to the following cases:
valuations of a company at the investment stage, as well as cases where the balance sheet of the company being evaluated contains assets, including contracts capable of generating cash flow;
assessments of objects capable of generating cash flow in the presence of supporting information or market data.
Within the framework of the income approach, when calculating the value of an object, a discount rate is used that corresponds to the risk level of the object being assessed, the calculation of which is established in the bank’s internal documents.
Within the framework of the comparative approach, when calculating the value of an object, information shall be used on the most relevant transactions available on the market and/or offers for the sale of objects comparable to the object of valuation, and in the event of their absence, appropriate adjustments shall be applied.
The internal procedure for assessing the objectivity (adequacy) of the valuation of collateral, including that determined by the appraiser, on the part of the bank's collateral service division, shall ensure, but not be limited to, a clear formalization of the requirements for the list of analogues and the criteria for recognizing them as comparable in terms of:
type and/or subtype of the object;
location of the object;
total area of the object;
the condition of the premises, the external condition of the assessment object;
the intended purpose of the object;
other technical characteristics of the object.
The collateral service department shall prepare a conclusion based on the results of the analysis of the objectivity (adequacy) of the collateral value assessment for each appraiser's report based on the internal procedure.
The bank shall develop an internal procedure for analyzing the objectivity (adequacy) of the collateral value assessment determined by the appraiser, which shall ensure, but not be limited to, the following:
the procedure for applying assessment approaches depending on the type of collateral;
criteria and requirements for the correctness of assessment calculations;
requirements and limitations regarding the use of assumptions, adjustments and expert judgments;
availability of detailed and substantiated calculations;
availability of complete information allowing identification of the collateral;
mandatory inspection and video and photographic recording of the collateral;
availability of a complete package of title documents;
identification in the assessment reports of the reasons and criteria that led to a significant (more than 10 (ten) percent) difference in the value of the collateral in accordance with the requirements of the bank’s internal documents.
If a significant (more than 10 (ten) percent) difference in the value of collateral is identified in the appraisal reports, the bank shall enter information on the circumstances that led to the difference into the statistical journal of the value of collateral.
The bank shall analyze the appraisal reports, information on which shall be entered into the statistical journal of the value of collateral, to exclude the possibility of an incorrect appraisal of the collateral.
When deciding on issuing a loan, the bank shall use the value of the collateral determined based on the results of an assessment of the objectivity (adequacy) of the value of the collateral determined by the appraiser taking into account all parameters.
The assessment of the decisions made for compliance with the established internal procedure shall be carried out in accordance with the requirements of Chapter 11 of the Rules. In the event of detection of deviations from the established internal procedure, the interested departments shall communicate information about the identified deviations to the authorized collegial body of the bank. To exclude significant deviations in the bank's activities, the authorized collegial body of the bank shall establish restrictions on the volume (loan amount) and/or the number of deviations and shall monitor compliance with the established restrictions.
The bank shall provide the following:
storage in the bank’s internal systems for at least 5 (five) years after the repayment of the loan and/or off-balance sheet liability and/or after the borrower ceased to be a client of the bank of data on the collateral on the bank’s balance sheet, including an assessment of its value;
timely updating of collateral data in accordance with the bank’s internal documents and automatic transfer of data to modules responsible for calculating risk metrics (PD, LGD, EAD), provisions and capital, as well as to modules responsible for the automatic generation of management, financial and regulatory reporting;
automatic recording and storage of data on any manual adjustments to collateral data, including primary data before manual adjustments were applied and data on persons responsible for applying manual adjustments.
Collateral data to be maintained shall include (but not be limited to) the following:
linking to the internal unique identifier of the appraisal object, business identification number (hereinafter referred to as BIN) or individual identification number (hereinafter referred to as IIN) and internal unique identifiers (if they differ from BIN or IIN) of the pledger, borrower, co-borrowers and guarantors and clear display of the identifier of groups of related borrowers and all BIN or IIN of related borrowers;
type and subtype of collateral;
cadastral number of the assessed object (if applicable);
location of the appraisal object (country, region, address);
date of termination of the pledge agreement in the bank system;
market value before applying discounts to collateral;
date of the assessment (reassessment) of the collateral;
applied discounts for a period of at least 5 (five) years for each appraisal object, including current collateral and real estate on the bank's balance sheet, as well as for all appraisal objects sold by the bank. Among the discounts, information shall be stored on the probability of collection and/or the probability of sale, the expected period until sale, the applied discount rate and indices, the expected costs of sale, the discount values in the event of non-application of liquidity ratios in accordance with Resolution № 269;
market value after taking into account all discounts, including the equivalent in national currency;
the value of the collateral used in calculating provisions;
flag of the encumbrance of the assessed object;
the order of encumbrance of the assessed object;
information about the pledger, guarantor, surety, insurer (legal entity or individual, name, unique identifier);
date of confirmation of the existence of an encumbrance on the appraisal object;
seniority of the bank's rights of claim on the valuation object at the borrower or loan level;
the allocated value of collateral for collateral at the borrower and loan level (indicating the proportion of collateral per borrower concerning their unique identifiers);
approach to the assessment of collateral;
unit of area used;
the total usable area of the subject property (if applicable);
the proportion of area leased on the valuation date (if applicable);
the proportion of area potentially available for rent (if applicable);
4) the presence of an adequate rating model and/or scoring system.
The board of directors of the bank shall determine the departments responsible for developing the rating model and/or scoring system, their implementation, application and control of their functioning. The rating model and/or scoring system shall contain a description of each level of credit risk and the conditions for assigning them. In the process of assigning a borrower's credit rating and/or scoring score, the bank shall take into account the financial condition of the borrower (borrowers) and other available information on the borrower.
When assigning a borrower's credit rating and/or scoring score, the bank shall be guided by current available information on factors influencing the future creditworthiness and solvency of the borrower.
The credit rating assigned to legal entities shall be subject to periodic monitoring for relevance. The frequency of revision shall increase in the event of negative information that carries a risk of deterioration of the financial condition of the borrower and/or the inability to repay obligations to the bank and other available information;
5) the presence of an adequate system for classifying assets according to the level of credit risk.
As part of the asset classification system by credit risk level, the bank shall implement and use comprehensive procedures and information systems (if not available, software) to monitor the quality of the loan portfolio. The procedures and information systems shall include criteria that identify and detect problem loans and ensure proper control.
The system of classifying assets by credit risk level shall provide information for the board of directors, committees under the board of directors, the management board, and other divisions of the bank involved in the credit risk management process and allow for assessing the level of credit risk of the bank both as a whole for the balance sheet and each asset.
The system of classification of assets by level of credit risk shall be based on a detailed analysis of all assets (except for accounts receivable from non-core activities in an amount not exceeding 2 (two) percent of the bank's equity capital) that are subject to credit risk.
A detailed analysis of assets shall include an assessment of the following:
probability of default on the obligations of the borrower and/or counterparty (PD);
the amount of losses in the event of default of the borrower and/or counterparty (LGD);
amounts of liabilities exposed to default (EAD);
the period during which the risk position is maintained;
the value of the collateral and the possibility of its sale;
business environment and economic conditions;
environmental and social risks.
The classification of assets (except for accounts receivable from non-core activities in an amount not exceeding 2 (two) percent of the bank’s equity capital), which are subject to credit risk, shall be carried out based on at least 5 (five) categories and ensure:
reliable assessment of capital adequacy under the ICAAP;
the required level of provisions to cover expected losses.
Assets for which there is overdue debt on the principal debt and/or accrued interest for a period of more than 90 (ninety) calendar days are classified in the worst categories, unless there are compelling and justified grounds for classification in a higher category.
Assets for which there is overdue debt on the principal debt and/or accrued interest for a period of less than 90 (ninety) calendar days are classified in the worst category if there are other factors of the borrower's insolvency determined by internal documents;
6) the existence of a policy for managing problem assets.
The board of directors of the bank shall approve a policy for managing problem assets, which shall contain the following:
identification of problem assets;
methods of managing problem assets (restructuring, sale, write-off, seizure of collateral, bankruptcy and other methods);
limits on problem assets (in terms of portfolios) and deadlines for implementing approved methods for managing problem assets to bring them into compliance with the established limits if they are violated;
quantitative and qualitative parameters of early response to the risk of increasing the volume of problem assets;
a list of interested departments and the internal procedure for their interaction when working with problem assets;
internal procedure for providing management reports to the board of directors on the level of problem assets;
procedures for assessing the methods used by the bank to manage problem assets;
7) the presence of a reliable methodology for forming provisions.
To ensure that the provisions formed are sufficient to cover expected losses, the bank annually (or more often if necessary) shall analyze the methodology for forming provisions by:
determining the compliance of provisions calculated in accordance with the requirements of the methodology for forming provisions with the actual amounts of losses;
analysis of current market conditions, changes in macroeconomic indicators;
validation of the methodology for forming provisions.
When forming provisions for collective loans, the bank shall analyze historical data covering the required period and most accurately reflecting the bank's credit losses. At the same time, historical data shall be supplemented by an analysis of the current market and economic situation.
If the methodology for forming provisions indicates no signs of increased credit risk for loans for which provisions are formed on an individual basis, such loans are subject to an assessment of the level of credit risk on a collective basis.
The bank shall ensure the development (updating) of a general methodology for default probability assessment models, describing the detailed requirements that each default probability assessment model meets, including requirements for taking into account the impact of forecast macroeconomic information.
The methodology for default probability assessment models shall include, but not be limited to, the following requirements for:
determination of credit impairment;
the quality, depth and volume of data used;
sampling methodologies for developing and testing models;
the presence of individual blocks of the model (including the requirement to take into account financial, qualitative factors, the possibility of state or group-level support) and their maximum weight in determining the final PD;
methodologies for calibrating the model based on observed credit impairment levels (calibrating the model based on actual statistics of credit impairment levels);
development and consideration of macro-scenarios, methodology for calculating and applying migration matrices;
development of a valid credit scale compatible with the credit scales of leading rating agencies;
calculation of different types of PD (at initial recognition, twelve-month, lifetime PD, point-in-time PD (PIT PD) and cyclical PD (TTC PD));
calculation of the PD model for financial guarantees;
estimating annual PD using annual observed default rate data or alternative approaches based on sound statistical analysis.
As part of the development of the model, the following shall be required:
when using a scoring model, calculating a scoring score for each of the borrowers in the sample for development;
when using a scoring model, calibrating the model, i.e. converting the scoring score into a PD value using models of the observed historical level of credit impairment for the portfolio;
development of a model for taking into account the macroeconomic situation and the translation of TTC PD into PIT PD;
estimating annual PD either by using annual observed default rate data or alternative approaches based on sound statistical analysis;
providing for the selection of the current volume of historical data on the observed level of defaults when developing the model and calibration of PIT values based on expected macro indicators;
establishment of a minimum PD limit for residents of the Republic of Kazakhstan corresponding to the PD of the Republic of Kazakhstan, except for statistically justified cases.
The bank shall ensure automatic calculation in the bank’s internal systems of all risk metrics (PD, LGD, EAD) and provisions, as well as the identification of events of significant increase in credit risk, events that are objective evidence of impairment under IFRS, and impairment categories.
The bank shall ensure that the following data (but not limited to) are stored in the systems for at least 5 (five) years after the repayment of the loan or off-balance sheet obligation:
results of passing or failing the SPPI test;
classification of financial instruments in accordance with IFRS 9;
events that provide objective evidence of impairment (a separate data field for each event for each borrower and/or obligation);
borrower impairment stage;
probabilities of scenarios using the going-concern and gone-concern methods for individually assessed borrowers;
effective interest rate (initial and current interest rates);
default rates (by number of borrowers, obligations and by amount of obligations) in absolute and percentage terms;
levels of returns (by the amount of obligations - separately taking into account recoveries and excluding recoveries) in absolute and percentage terms;
levels of restructurings (by number of borrowers, obligations and by amount of obligations - separately for restructurings and separately for forced restructurings) in absolute and percentage terms;
recovery rates (by number of borrowers, obligations and by amount of obligations) in absolute and percentage terms;
write-off levels (by the amount of liabilities - separately for partial and separately for full write-offs) in absolute and percentage terms;
PD values (for each borrower and/or obligation from the moment of issue and throughout the entire term of the loan and/or off-balance sheet obligation);
the values of the twelve-month PD and lifetime PD at the time of recognition and for each month during the term of the loan and/or off-balance sheet obligation;
LGD values (including the LGD value for each borrower and/or liability) from the date of issuance of the loan and/or off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and/or off-balance sheet liability;
EAD values (including the EAD value for each borrower and/or liability) from the date of issuance of the loan and/or off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and/or off-balance sheet liability;
credit losses (including the values of expected credit losses for each borrower and/or liability) from the date of issuance of the loan and/or off-balance sheet liability (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and/or off-balance sheet liability;
the values of risk-weighting factors (RWAs) (including RWA values for each borrower and/or obligation) from the date of issuance of the loan and/or off-balance sheet obligation (but not earlier than the date of implementation of IFRS 9) and for each month during the term of the loan and/or off-balance sheet obligation;
credit conversion rates;
amounts of the borrower’s balance sheet and off-balance sheet liabilities (for the last 5 (five) years);
written-off loans of the borrower (for the last 5 (five) years);
the final value of provisions (at the borrower level and at the obligation level);
linking to the BIN or IIN and internal unique identifiers (if they differ from the BIN or IIN) of the borrower and the loan and/or off-balance sheet obligation;
linking to the BIN or IIN and internal unique identifiers (if they differ from the BIN or IIN) of all co-borrowers and guarantors;
linking to a unique identifier of a group of related borrowers in accordance with the bank’s internal documents;
linking to the BIN or IIN of the participants of the group of related borrowers in accordance with the bank’s internal documents;
financial indicators of borrowers required to determine the stage of impairment and calculate provisions;
flag indicating the entity’s category of entrepreneurship in accordance with the Entrepreneurial Code of the Republic of Kazakhstan;
flag indicating that the person is included in the list of persons connected with the bank by special relations;
flag of restructuring and/or forced restructuring;
all dates of loan restructurings and borrower restructurings for loans in this bank.
The bank's systems shall record and store the fact of an event of a significant increase in credit risk and an event that is objective evidence of impairment under IFRS for all borrowers, their balance sheet and off-balance sheet liabilities and the bank's portfolios;
8) the existence of a procedure for validating credit risk assessment models.
To ensure the adequacy of credit risk assessment using models, the bank shall regulate the processes of their validation, back testing, and acceptable levels of deviation from the planned risk level. In the event of a deviation from the planned risk level, the bank shall develop a plan of corrective measures.
Validation shall be accomplished by one or more of the following methods:
testing the discriminatory ability of the model;
assessment of the predictive accuracy of the model;
analysis of rating migration;
comparative analysis of ratings.
Validation shall be performed at least once every 3 (three) years by an independent division of the bank or with the involvement of an independent third party. The frequency of validation shall depend on the current market situation, strategy, volume of assets, and level of complexity of the bank's operations, and shall increase in the event of significant changes in the economy or the bank's internal lending processes. The results of validation shall be provided to the risk management committee.
Internal validation of scoring models shall be carried out by an independent division of the bank at least once every 1 (one) year.
Internal validation of scoring models shall be carried out by an independent division of the bank with the formalization in the bank's internal documents of the full validation process, including, but not limited to, a detailed process for validating the parameters used in calculating provisions (participants, verification perimeter, verification areas, criteria for preparing judgments, format for presenting results, deadlines).
The bank's independent validation unit shall issue a report on each verified parameter, describing the verification process, disclosing the results and the degree of significance.
The results of the validation with detailed rationale shall be provided to the risk management committee.
Based on the review of the validation results, the risk management committee shall draw up a report that includes a conclusion on whether or not changes to the model are necessary.
As part of the model validation, it shall be necessary to carry out, among other things:
verification of the model's compliance with regulatory requirements;
back-testing the model to determine the accuracy of the model's predictions (checking the accuracy of the model on samples other than the one on which the model was developed). The bank checks the relevance of the model based on the most recent observations;
checking the depth and quality of the data used in developing the models. As part of the check, it shall be necessary to verify through econometric tests that the sample is sufficient for subsequent modeling;
testing the model for consistency with other risk metric assessment models;
9) the use of adequate and justified expert assessments when assessing credit risk.
In situations where the use of expert assessments is necessary, the bank shall provide the following:
a regulated process for the application of expert assessments, indicating the limits of the application of such assessments;
sufficient level of competence of employees conducting expert assessment;
a uniform approach to the application of expert assessments. Under identical conditions, expert assessments shall not have significant deviations;
Expert judgment shall be made based on reasonable and documented assumptions, with the application of due care.
The bank's use of expert assessments taking into account historical data shall be supplemented by an analysis of the current market and economic situation, in particular (as applicable):
changes in loan processes, standards and practices for decision-making, returns, write-offs;
changes in external and internal economic factors, business environment, taking into account the dynamics;
changes in the level of non-performing and restructured loans;
the emergence of new market segments and products;
changes in the concentration of credit risk;
10) availability of the necessary tools, including a set of data storage tools, providing complete and reliable information on loans (including accounts receivable and contingent liabilities), as well as other transactions that are inherent in credit risk, which allow for a correct assessment of the level of credit risk.
The bank shall carry out credit administration in accordance with procedures that shall include, but not be limited to, the following:
verification of compliance of submitted credit documents with the terms and conditions for granting loans;
verification of compliance of loan agreements with the decisions taken;
formation and maintenance of credit files.
It is permitted to create a credit file (part of a credit file) in electronic form. The credit file shall contain (including, but not limited to):
documents to identify the borrower:
This group shall include documents certifying the identity of an individual, documents related to the formation of a legal entity (with disclosure of the ultimate owners-individuals who directly or indirectly own ten or more percent of shares or participation interests, except for cases established by paragraph 3 of Article 8-1 of the Law on Banks), confirmation of its legal capacity, as well as documents confirming the authority of persons acting on behalf of the borrower and authorized to sign credit and collateral documentation on behalf of the borrower.
Documentation related to the determination of the intended use (except for overdrafts, consumer loans without confirmation of intended use in the aggregate amount of less than 0.2 (zero point two) percent of the bank's equity capital and loans to replenish working capital in the aggregate amount of less than 0.2 (zero point two) percent of the bank's equity capital, syndicated loans with the participation of non-resident banks of the Republic of Kazakhstan):
This group shall include documents and information on the transaction for which financing is requested (including the initial purposes of financing in the case of restructuring and/or refinancing), including for large borrowers:
documents confirming the purpose of using the loan, including for legal entities - supply agreements, purchase and sale agreements, foreign trade contracts;
for a legal entity, the amount of loans and contingent liabilities of which exceeds, for banks whose equity capital exceeds 100 (one hundred) billion tenge - 0.1 (zero point one) percent of the bank's equity capital, for banks whose equity capital does not exceed 100 (one hundred) billion tenge - 0.2 (zero point two) percent of the bank's equity capital - a feasibility study for issuing a loan, characterizing the payback period and the level of profitability of the financed transaction, or a business plan of the borrower, which shall reflect information on the description of the activity indicating the purposes of using the loan, sales markets and the borrower's marketing strategy, risk assessment and management, a detailed financial plan by year (financial indicators of the implementation of the business plan by year, sources and volume of financing for the business plan and loan repayment), an income (expense) estimate (for loans related to investment purposes, start-up projects or loans, the main source of repayment of which is planned proceeds from the sale of goods and/or services purchased using credit funds).
For the purposes of this paragraph:
a loan for replenishment of working capital is understood to mean a loan provided for financing current production processes;
A consumer loan refers to a loan granted to an individual or an individual entrepreneur without forming a legal entity and corresponding to the following criteria:
the issuance of a loan shall not be related to the purpose of financing entrepreneurial activity and it shall be assumed that the loan will not be used by the borrower to carry out entrepreneurial activity;
the loan is planned to be used for the purchase of durable goods (residential real estate, cars, household appliances, furniture, etc.) and/or payment for various services (educational, tourist, medical, repair and construction, etc.) and/or other purchases and purposes (refinancing a loan in another bank (if the previously received loan is related to consumer purposes), mobile phones, food, etc.);
the recipient of the loan has a permanent source of income (salary, pension, benefits, dividends from securities, income from renting out real estate and other income), which objectively allows him/her to service his/her obligations to the bank for the loan received, confirmed in the manner determined by the bank's internal documents.
Documents required to analyze the client's financial condition and the quality of the security:
This group of documents shall include all documents based on which an analysis of the financial condition of the borrower shall be carried out and reflecting the main economic indicators of the borrower's activities, as well as documents confirming the availability, quality, and size of the accepted security, which shall include (but not be limited to):
documents confirming the authority of the person authorized to sign the collateral documentation;
appraiser's report on the valuation of real estate;
conclusion of the collateral service division on the adequacy of the appraiser's assessment of the collateral in accordance with the requirements of the Rules and the bank's internal documents;
documents confirming the rights to the collateral;
a copy of the pledge agreement containing a note on its registration with the authorized registration authorities.
Documentation required for credit monitoring. This group shall include documentation generated by bank divisions during the course of a loan or required to confirm periodic credit monitoring, as well as procedures for updating information on borrowers (counterparties) for credit risk management;
11) the presence and functioning of the management information system.
The bank shall develop management reporting forms that shall include, but not be limited to, the following information:
about the loan portfolio and its quality, presented including the dynamics of its changes;
on the size (level) of exposure to credit risk, including an assessment of the approach of the total exposure to the limits established by the bank for various types of loans (pre-limit approach);
on the exposure to credit risk concerning a group of related borrowers and the dynamics of its change;
on the concentration of credit risk of the largest borrowers (counterparties) and borrowers (counterparties) connected with the bank by special relations, including with the bank’s shareholders, and the dynamics of its change;
on internal ratings of borrowers (counterparties) and the dynamics of their changes, on monitoring the quality of loans based on the ratings of borrowers (counterparties) and their frequency;
on the size of provisions and assessment of the level of adequacy of provisions;
on restructured, refinanced and problem loans;
on monitoring and control over compliance with limits;
about deviations from policies and limits.
The requirements specified in paragraphs eleven, twelve, thirteen, fourteen, fifteen, sixteen, seventeen and eighteen of subparagraph 1), subparagraph 1-1), paragraph four of subparagraph 3) and paragraph twelve of subparagraph 5) of part one of this subparagraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Footnote. Paragraph 42 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
43. The board of directors shall ensure the existence of a market risk management system that is consistent with the current market situation, development strategy, assets and the level of complexity of the bank’s operations and ensure the effective identification, measurement, monitoring and control of the bank’s market risk, as well as defines a strategy for hedging market risk with the purpose of ensuring the adequacy of equity to cover it.
The market risk management system shall be integrated into the bank's internal risk management processes, and its results shall be an integral part of the process of monitoring and controlling the level and profile of its market risk, as well as the decision-making process in the implementation of the bank's current activities. Market risk assessment results shall be taken into account in the process of developing a bank development strategy.
Market risk management shall be carried out on the basis of managing the position of assets and liabilities, forming the value of financial instruments with a positive interest margin and expected profitability, managing an open foreign exchange position, constantly monitoring market risks and monitoring established risk appetite levels for relevant operations.
The market risk management system shall include the management of securities portfolios and control of open positions in currencies, interest rates, and derivative financial instruments.
44. In the process of market risk management, the bank shall determine:
1) the organizational structure of the bank involved in the process of market risk management, including the internal order of subordination and reporting;
2) the structure of the trading and banking books, as well as the procedures for dividing instruments into instruments of the trading and banking books.
The trading book shall be a part of a bank’s financial portfolio that presents financial instruments purchased and sold to support trading operations, generate income in the form of the difference between the purchase and sale prices, and hedge the bank’s operations from various types of risk. Trading book positions shall be regularly reevaluated. All other operations shall relate to the banking book;
3) assets (liabilities) sensitive to changes in interest rates;
4) ways, methods and models for assessing market risk;
5) risk orientation, bank approaches to establishing and monitoring risk appetite levels and risk minimization methods.
45. The functioning of the market risk management system shall be carried out based on the following main components, but not limited to them:
1) approval and periodic analysis of the bank’s investment activity strategy, formation of an optimal structure of assets and liabilities, taking into account the bank’s specific risk profile, the level of adequacy of the bank’s capital and the level of liquidity to cover the significant market risk.
The investment strategy shall meet the following basic principles:
the content corresponds to the bank’s overall strategy in terms of goals, directions and deadlines for implementation;
the presence of a relationship between the tactical and strategic processes of managing the bank’s investment activities;
maximizing profit, ensuring the growth of a high-quality investment portfolio, maintaining a sufficient level of liquid assets in the overall structure of the bank’s assets;
formation of the structure of assets and liabilities taking into account the implementation of requirements, methods and procedures for managing market risk;
2) approval of a procedure for identifying, assessing, monitoring, and controlling market risks, taking into account all areas of the activities of the bank that are subject to market risk (banking and trading books, balance sheet and off-balance sheet transactions), as well as methods for hedging these risks.
The bank shall develop a market risk management process that shall include, but not be limited to, the following:
participants in the market risk management process, their powers and responsibilities with a clear definition of the accountability structure, as well as the internal procedure for the exchange of information;
a list of foreign currencies, and financial instruments with which transactions are permitted, indicating the purposes of their use, as well as internal requirements and criteria for financial instruments, including the volume, composition and conditions;
internal order and procedures for identifying, measuring, monitoring and controlling the level of market risk.
Procedures for identifying, measuring, monitoring and controlling market risk:
cover all types of assets, liabilities, off-balance sheet positions;
cover all types of market risk and their sources;
allow for regular assessment and monitoring of changes in factors affecting the level of market risk, including rates, prices and other market conditions;
allow market risk to be identified in a timely manner and action to be taken in response to unfavourable changes in market conditions.
To assess the accepted level of market risk, the bank shall use models that correspond to the development strategy, the volume of assets and the level of complexity of the bank’s operations.
Concerning the banking book, the bank shall separately identify, measure (evaluate), monitor and control interest rate risk.
To quantify the interest rate risk of the banking book, the bank shall use at least two complementary methods to monitor its level and manage it:
quantitative assessment of changes in the economic value of equity (EVE), that is, the calculation of the amount by which the net value of cash flows generated by claims and obligations reflected in the bank’s balance sheet and off-balance sheet accounts will change;
quantitative assessment of changes in net interest income (NII), that is, the calculation of the amount by which the bank’s expected net interest income will change in accordance with interest rate shock scenarios (parallel shift of rates up and (or) down).
The methods for assessing interest rate risk used by the bank cover all significant sources of interest rate risk inherent in the operations (transactions) carried out by the bank that are sensitive to changes in interest rates. Concerning financial instruments denominated in foreign currency that are sensitive to changes in interest rates, the total volume of which exceeds 5 (five) percent of the volume of assets (liabilities), the bank shall measure interest rate risk separately for each foreign currency. The assumptions adopted within the methodology for assessing interest rate risk shall be documented in the relevant internal documents of the bank.
The bank periodically conducts sensitivity analyses for each type of market risk inherent in the bank's activities. Sensitivity analysis shall show the impact on the bank's profit (loss) and equity capital of possible changes in variable risk factors.
The bank shall periodically carry out backtesting of market risk assessment models. The bank shall conduct backtesting to verify the reliability and effectiveness of market risk assessment models and, if necessary, improve them. The results of back-testing with proposals, if necessary, to improve market risk management procedures shall be sent to the risk management committee and the board of directors of the bank.
The bank shall regularly monitor the level of market risk to prevent the possibility of exceeding established risk appetite levels. The frequency of monitoring market risk shall be determined by the bank based on the degree of its significance for the relevant line of business of the bank.
Information obtained in the process of monitoring market risk about a significant change in the level of risk shall be promptly communicated to the board of directors and the risk management committee of the bank to make the necessary decisions.
To minimize market risk, the bank shall establish:
risk appetite levels for currency, price and interest rate risks in accordance with Chapter 3 of the Rules;
constant monitoring of compliance with established risk appetite levels;
procedures for immediately informing the board of directors, the risk management committee, the board of the bank and other interested structural units about the achievement of limit values and (or) violations of established risk appetite levels;
measures to reduce market risk taken when risk appetite levels are reached;
3) market risk management procedures for:
changes in the structure of financial instruments, their quantitative and cost indicators;
development and implementation of new technologies and conditions for carrying out banking operations and other transactions, other financial innovations and technologies;
entry into new markets;
4) methods and criteria for hedging risks, including establishing criteria for the effectiveness (optimality) and cost of hedging.
The bank shall develop and implement a hedging strategy for each type of market risk, which contains:
hedged items;
description of the hedging instruments used (use of exchange and over-the-counter market instruments, taking into account the assessment of the reliability of the counterparty, the timing of hedging instruments);
internal procedure for determining the required level of liquidity to cover hedging instruments;
description of the procedure and methods for assessing the effectiveness of hedging.
A hedge shall be considered effective if the change in the fair value or cash flow of the hedged item is fully offset by the change in the fair value or cash flow of the hedging instrument. Hedging shall be carried out concerning a specific identifiable risk, rather than the general risks of the bank;
5) internal order and procedures for monitoring the bank’s profitability from the use of financial instruments;
6) procedures for stress testing to assess market risk, including the internal procedure for using their results as part of the risk management process.
The bank shall conduct stress testing of market risks periodically to identify the level of potential market risks inherent in the bank's activities and assess the bank's ability to withstand changes.
The frequency of stress testing, procedures and methods of implementation shall be established in the relevant internal documents of the bank. The frequency of stress testing shall be determined based on the bank’s level of exposure to market risk, capital market volatility and other external factors. The frequency of stress testing shall increase in cases of significant changes in external factors.
When conducting stress testing, the following scenarios shall be used:
historical;
providing for changes in the exchange rates of foreign currencies and (or) precious metals for open positions of the bank;
providing for changes in the market value of financial instruments;
providing for changes in the general level of interest rates, scenarios of growth or decline in the profitability of financial instruments sensitive to changes in interest rates;
providing for changes in profitability;
providing for changes in the relationship between interest rates on resources attracted and placed by the bank;
providing for changes in the degree of volatility of market interest rates;
providing for a sharp deterioration in key market, financial and (or) other factors and conditions of the activities of the bank.
The bank shall use methodology and stress-testing scenarios that are appropriate to its business structure and risk profile.
The results of stress testing shall be presented to the board of directors, the risk management committee, the board of the bank, and interested structural units of the bank periodically. If the results of stress testing indicate the bank’s vulnerability to certain risk factors, the bank shall take measures to reduce the level of accepted risk;
7) a system of indicators for early detection of exposure to market risk, including those based on the pre-limit approach;
8) procedures for making changes to the internal documents of the bank and procedures in cases of changes in market conditions affecting the level of the bank’s exposure to market risk;
9) approval of the internal procedure of a system of high-quality, detailed, periodic management information, allowing timely and complete assessment of the level of exposure to market risk, approach to established levels of risk appetite and timely response to changes.
The bank shall ensure that it has an effective management information system designed to provide the board of directors of the bank, risk management committee and interested departments of the bank with information about the bank's exposure to market risk.
Management information shall contain, but not be limited to, the following:
information on the current state of interest rates, exchange rates, market quotes and their dynamics;
information on significant open positions by currencies and financial instruments;
information on the level of interest rate risk for aggregate positions on financial instruments sensitive to changes in interest rates;
information on the interest rate risk of the banking portfolio, filled out in accordance with paragraphs seven, eight and nine of subparagraph 1) paragraph 8 of the Report Structure on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules;
information on the compliance of positions on financial instruments sensitive to changes in interest rates with established limits;
information about early warning indicators of market risk;
expert assessments on changes in interest rates, exchange rates, and price indices in the future;
results of measuring market risks;
10) the existence of an internal procedure for taking measures to reduce market risk;
11) availability of procedures for assessing the fair value of financial instruments based on market information.
Footnote. Paragraph 45 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 29.12.2022 №. 119 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).
46. The board of directors shall ensure the existence of an operational risk management system that is fully integrated into the overall risk management process of the bank at all levels of the bank's organizational structure and in newly created products, activities, processes and systems, and ensures the effective identification, measurement, monitoring and control of operational risk of the bank in order to ensure the adequacy of equity to cover it. The operational risk management system shall include, but is not limited to, the following:
1) a detailed description of the interaction between all participants involved in the operational risk management process, including the internal order of accountability.
The bank shall determine the participants in the operational risk management process based on 3 (three) lines of defense.
The first line of defense is provided by the structural units of the bank. This means that the heads of structural units are responsible for identifying, measuring, monitoring and controlling operational risk inherent in their activities, including those related to personnel, products, processes and systems. Based on the current market situation, strategy, volume of assets, and the level of complexity of the bank’s operations, to ensure the effective functioning of the operational risk management system in the first line of defense, risk coordinators for operational risk are appointed in the bank’s structural units, and the internal procedure for their interaction with the operational risk management and internal audit units is determined.
The second line of defense shall be provided by an independent operational risk management unit.
The third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the bank's operational risk management system;
2) a description of operational risk measurement tools;
3) the internal procedure for establishing the risk appetite level for operational risk;
4) the internal procedure for the exchange of information and the base of internal events of operational risk;
5) a system for classifying operational risk events to ensure accuracy in identifying risk;
6) analysis of operational risk and the corresponding revision of the operational risk management policy in the event of a significant change in the level and types of operational risk of the bank.
47. In order to build an effective operational risk management system, the board of directors shall be responsible for:
1) approval of the operational risk management policy, which includes, but is not limited to, the following components:
goals and objectives of operational risk management;
basic principles of operational risk management;
classification of types of operational risk events;
level of risk appetite for operational risk of the bank;
identification of participants in the operational risk management process based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;
determination of the internal order and procedures for identifying, measuring, monitoring and controlling operational risk, including:
definition of key indicators of operational risk;
definition of procedures and mechanisms for managing operational risk;
internal procedure for the exchange of information between participants in the operational risk management process along 3 (three) lines of defense, including types, forms and terms of information submission;
procedures for the approval, confirmation, analysis and monitoring of deviations from policies, procedures, limits;
the internal procedure and procedures for approving new products, activities, processes and systems and/or making significant changes to existing products, activities, processes and systems;
requirements for amendments to internal documents and procedures in cases of detection of deficiencies in the management of operational risk and (or) the occurrence of conditions affecting the bank's level of exposure to operational risk;
2) the formation of a risk culture of operational risk management;
3) regular analysis of the operational risk management system in order to ensure timely identification and management of operational risk caused by changes in external factors, as well as operational risks associated with new products, activities, processes or systems, including changes in the level and types of risk;
4) ensuring the appropriate conditions for the application of best operational risk management practices;
5) approval and control of risk appetite levels in relation to operational risk with regular review. In the process of analyzing the relevance of risk appetite levels, changes in external factors are taken into account, a significant increase in the volume of a bank’s operations, including for certain types of activities, the results of audits of the internal control system (if any), the effectiveness of the operational risk management or risk reduction system, and the volume of incurred losses, as well as the frequency, extent and nature of violations of established levels of risk appetite.
48. The bank identifies, measures, monitors and controls operational risk through the following (but not limited to):
1) the use of audit results.
The results of audits shall be an additional source of information in the process of managing operational risk of a bank;
2) collection and analysis of internal data on operational risk events.
The collection and analysis of internal data on operational risk events (maintaining a database of operational risk events) is a process that allows one to assess the exposure to operational risk and the effectiveness of internal control based on information on operating losses.
Analysis of the occurrence of losses gives an idea of the causes of large losses and information on whether the failures in the control system are episodic or systemic;
3) analysis of external events on operational risks.
The external data on operational risk events include (if any) the total operating losses, terms, data on coverage of losses, as well as relevant incidental information on cases of losses in other banks;
4) conducting a self-assessment of operational risk.
Self-assessment of operational risk is a tool through which a bank identifies and evaluates operational risks inherent in bank processes and evaluates their impact on processes and the effectiveness of existing control procedures for identified operational risks;
5) descriptions (regulation) of business processes.
Description (regulation) of business processes - a process in which the structural units that make up the first line of defense determine the main stages of business processes, types of activities, organizational functions that help identify operational risks, the relationships between risks, deficiencies in control and risk management;
6) the use of key indicators of operational risk.
Key indicators of operational risk are the values and (or) statistical data that provide an idea of the operational risk profile to which the bank is exposed. Key indicators of operational risk are used to monitor changes in the level of operational risk in the bank, which, in turn, ensures the identification of shortcomings in the processes, organization, failures and potential losses;
7) scenario analysis of operational risk.
Scenario analysis of operational risk is a process of comparing external events of losses with internal processes of a bank and obtaining an expert opinion of the heads of structural units and risk management departments about deficiencies in the control system or risks not previously identified to identify potential cases of operational risk and assess possible consequences.
The risk management committee shall ensure that there is a process to regularly monitor the level of operational risk.
49. The bank shall ensure the existence of a management information system, including the establishment of an internal procedure that shall determine the composition and frequency of operational risk management reporting presented to various recipients, and the bank's responsible executives (units) for the preparation and delivery of information to the relevant recipients. The established internal reporting procedure allows for proactive operational risk management. Management reporting on operational risk shall contain:
1) information on violations of the established risk appetite levels of the bank for operational risk;
2) information on significant internal events of operational risk and losses, disaggregated by the classification of operational risk, on the amount of damage, indicating the causes, types of events, consequences;
3) information on significant external events of operational risk for decision making;
4) information on corrective measures taken on significant events of operational risk occurrence and (or) analysis of the effectiveness of the measures taken;
5) results of self-assessment of operational risk;
6) monitoring results of key risk indicators;
7) the results of scenario analysis;
8) information about the operational risk map.
Management reporting shall contain complete, reliable, timely information. The frequency of reporting reflects the degree of exposure of the bank to risks, as well as the pace and nature of changes in its activities.
The processes for the formation of management reporting on operational risk shall be periodically analyzed in order to continuously improve the management of operational risk and the further development of principles, procedures and processes for managing operational risk.
50. To identify potential risks arising in stress situations, the bank shall periodically (but not less than once every six months) conduct stress testing to identify sources of potential threat to capital adequacy. Stress testing shall be conducted by the bank using the following methods (but not be limited to):
1) scenario analysis;
2) sensitivity analysis.
The stress testing process shall include the following:
stress testing allows the bank to analyze the impact of stress scenarios on the level of capital adequacy, to assess the level of risk occurrence when the internal and external environment changes;
the extent and frequency of stress testing corresponds to the chosen business model, scale of operations, types and complexity of operations, as well as the bank's role in the financial system. The bank can increase the frequency of stress testing in deteriorating market conditions or at the request of the bank's management;
the board of directors of the bank takes an active part in the stress testing process in terms of approving procedures for conducting stress tests, scenarios (including considering conservative scenarios also during periods of economic growth), evaluating the results and, as a result, taking measures to minimize the capital risk identified during stress testing.
The bank shall use, but not be limited to, the following stress testing scenarios when conducting stress testing:
a general economic scenario that is based on an assessment of the impact of a decline in the country's economic situation, including a decline in economic growth in general and in individual sectors of the economy;
a scenario specific to the bank’s business, which is based on an assessment of the impact of local stress factors, including those related to the specifics of the bank’s lending activities and the structure of its loan portfolio;
a scenario that takes into account the likelihood of emergencies.
The bank shall develop stress testing scenarios based on conservative but potentially realizable negative changes in external and internal indicators that affect a decrease in the capital adequacy level.
The board of directors of the bank shall approve the stress testing scenarios and the assumptions made, as well as the stress testing results. The justification for the choice of scenarios and the bank's corresponding assumptions shall be documented and reviewed together with the stress testing results.
In determining stress scenarios and sensitivities, the bank shall use a wide range of information, including historical and hypothetical stress situations, including those outside the normal range of risks and forecasts.
In addition to the possibility of using the stress scenarios applied by the regulator, the bank shall strive to use the most applicable stress situations that correspond to its characteristics, but not be limited to them.
The board of directors of the bank shall regularly review stress testing scenarios for significant changes. If stress testing scenarios need to be changed, an interim assessment shall be carried out.
When developing stress testing scenarios and assumptions, the bank shall be guided by the following:
scenarios include all significant risks to which the bank is potentially exposed;
During stress testing, the bank shall consider the relationship between different types of risks;
The bank shall take a conservative approach in determining stress testing assumptions. Based on the type and severity of the scenario, the bank shall consider the appropriateness of several assumptions concerning its activities;
stress testing approaches and models are statistically and econometrically sound;
banks' internal models for individual types of risks are adapted to the purposes of stress testing;
The bank shall consider short-term and long-term, as well as idiosyncratic and market scenarios, regardless of how high the current capital adequacy level is, including:
lack of accessibility to capital markets;
reduction in the cost of energy resources;
weakening of the national currency;
real estate market crisis;
change of rates;
change in gross domestic product;
crisis in the agricultural sector;
rising inflation expectations;
increasing unemployment and decreasing incomes of the population;
decrease in the market value of assets;
the emergence of environmental and social risks.
The requirement specified in paragraph eighteen of part nine of this paragraph shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
The results of the stress test and the predicted risks, as well as subsequent actions to minimize the negative impact, are reported and discussed with the board of directors of the bank and the units involved in the liquidity risk management process. The board of directors of the bank integrates the results of the stress testing process into the bank's strategic and budget planning process. The results of the stress testing shall be used to set internal limits.
The board of directors of the bank shall take into account the results of stress testing in the process of maintaining capital adequacy in the event of unforeseen circumstances, including eliminating deficiencies in the process.
Footnote. Paragraph 50 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (for the procedure for entry into force, refer to paragraph 5).
51. The bank shall ensure the existence of procedures for the development, approval and implementation of new products, activities, processes and systems, or significant changes to existing products, activities, processes and systems, ensuring:
1) an assessment of the risks inherent in new products, activities, processes and systems or in the case of significant changes to existing products, activities, processes and systems;
2) analysis of the costs and benefits of implementation;
3) an assessment of changes in levels of risk appetite of the bank and the introduction of appropriate changes;
4) the availability of the necessary control mechanisms, the risk management process;
5) the availability of information on the level of residual risks;
6) the existence of procedures and methods for identifying, measuring, monitoring and controlling risks inherent in new products, activities, processes and systems or in the case of significant changes to existing products, activities, processes and systems;
7) an assessment of the bank's ability to invest in human resources and the technological infrastructure of the bank before introducing new products, activities, processes and systems or in the event of significant changes to existing products, activities, processes and systems.
52. Each year, the board of directors of the bank evaluates capital adequacy based on the results identified in the internal process of assessing the adequacy of equity and other information available to the board of directors of the bank.
The internal process of assessing capital adequacy is subject to a continuous review of both quantitative and qualitative indicators, including the application of its results, approaches to stress testing, risk identification and information collection, validation of risk assessment models. The review is carried out within 3 (three) lines of defense, based on their role in ICAAP. The review facilitates timely changes when internal and external factors change.
Chapter 6. Internal Liquidity Adequacy Assessment Process
53. The board of directors shall approve the bank’s internal document that regulates the main approaches and principles of the ILAAP and contains the following sections:
1) a description of the organizational structure of the ILAAP;
2) a description of the risk appetite strategy;
3) organization of liquidity risk and funding management, including daily liquidity risk and liquidity gaps;
4) a description of the process of integrating liquidity risk management in the process of approving new products and activities;
5) a review of the funding strategy and contingency plan for liquidity;
6) organization of management of liquidity buffers and collateral;
7) organization of stress testing procedures;
8) the organization of self-assessment procedures for the internal liquidity adequacy assessment process.
54. The description of the organizational structure of the ILAAP contains a list of participants in the ILAAP, indicating the responsibilities of the bank’s collegial bodies and units involved in the implementation of liquidity and liquidity risk management processes, including:
1) the board of directors of the bank shall be responsible for managing liquidity risk and determining the level of risk appetite. The board of directors of the bank shall approve the report on compliance with the ICAAP and ILAAP no later than April 30 of the year following the reporting year;
2) the risk management committee shall be responsible for developing policies and procedures in the field of liquidity management within the risk appetite level established by the board of directors. In addition, the risk management committee shall periodically notify the board of directors of the bank about compliance with risk appetite and significant changes in liquidity levels;
3) the unit (units) of the entity entrusted with the functions of internal control carries out verification of compliance with the ILAAP procedures and brings the results to the attention of the board of directors of the bank;
4) the unit (units) participating in the risk management process:
is (are) responsible for the implementation of the liquidity risk management process;
is (are) responsible for preparing a report on compliance with the ICAAP and ILAAP in accordance with the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal process for assessing liquidity adequacy in accordance with the Appendix to the Rules. The bank shall ensure the availability of supporting documents, which include, but are not limited to, calculations, applied models, explanatory notes, analytical reports, self-assessment results and assessment of the effectiveness of the ILAAP;
is (are) responsible for preparing the stress testing;
5) the liquidity management unit (units) develops and implements measures for operational liquidity management and, together with the risk management unit, shall develop a financing plan in case of unforeseen circumstances;
6) the internal audit unit shall evaluate the effectiveness of the ILAAP.
Footnote. Paragraph 54 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 29.12.2022 №. 119 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).
55. As part of the ILAAP, the board of directors of the bank shall be responsible for adhering to the approved risk appetite strategy.
56. The bank shall develop an effective process for identifying, assessing, monitoring and controlling liquidity risk, which includes detailed forecasting of cash flows by assets, liabilities and off-balance sheet instruments at different time intervals.
The bank shall evaluate all balance sheet and off-balance sheet items that affect the level of liquidity risk. The bank shall assess the level of liquidity in the market to cover the needs of the bank in attracting funding in order to regulate liquidity risk.
When managing liquidity risk, the bank shall take into account the decrease in the value of assets and the impact of their sale during stresses on liquidity, profitability and capital.
The bank shall take into account the interaction between liquidity risk and other types of risks to which it is exposed.
Measurement of liquidity includes an assessment of the inflows and outflows of cash of the bank to determine the potential shortage of liquid assets in the future. The bank shall measure and predict estimated cash flows from assets and liabilities, including off-balance sheet claims and liabilities, at different time horizons under normal conditions and in a number of scenarios, with varying degrees of stress.
These time horizons shall include:
the need for liquidity and the possibility of financing on an intraday basis;
need for liquidity and the possibility of financing for short and medium-term horizons up to 1 (one) year;
long-term liquidity of more than 1 (one) year.
The bank shall develop early warning indicators that identify increased liquidity and limited funding risks. The developed indicators reveal a negative trend in the level of liquidity and funding of the bank and reflect a real assessment in order to take immediate measures to mitigate the impact of emerging risks on the financial position of the bank.
The bank shall define triggers for qualitative and quantitative indicators of early warning.
Qualitative or quantitative indicators of early warning include, but are not limited to, the following:
rapid growth of assets, especially those financed by liabilities with the possibility of early withdrawal, or for which there is no established maturity;
increase in concentration in individual assets or liabilities;
widening gaps in currencies;
decrease in the weighted average maturity of obligations;
approximation to the values of the bank’s internal limits and (or) prudential standards, defined as permissible, but requiring separate corrective measures in the existing procedures of the risk management system in order to reduce the risk level;
negative trends or increased risk associated with the activities of the bank;
a significant decrease in bank income, deterioration in the quality of assets and the general financial condition of the bank;
negative information, including in the media related to the bank;
lowering the bank's credit rating;
decrease in stock quotes or increase in the value of the bank's debt;
increase in the cost of corporate or retail funding;
an increase in the requirements of counterparties for the provision of additional collateral and (or) refusals for new transactions without collateral and for the extension of terms;
closing or reducing the established amount of credit lines provided to the bank;
increased outflow of retail deposits;
increase in outflow of term corporate deposits;
difficulties in attracting long-term financing.
The bank shall actively manage its intraday liquidity position and associated risks in order to timely fulfill payment and settlement obligations, both in normal and stressful situations, thereby contributing to the smooth functioning of payment and settlement systems.
The bank shall manage intraday liquidity risk through procedures that include, but are not limited to:
tracking daily liquidity positions taking into account expected cash inflows and outflows, forecasting the size of a potential financing gap arising in different periods of the trading day;
identification of key customers acting as the main sources of incoming or outgoing liquidity flows, forecasting inflows and outflows by establishing constant communication and awareness of the nearest future large incomes and withdrawals;
identification of key periods, dates and circumstances in which liquidity flows and possible credit needs are especially high;
understanding the needs of business units;
control of the intraday liquidity position in relation to the expected payments in order to determine the size of the necessary additional intraday liquidity or the need to limit the outflow of liquidity to cover priority payments;
availability of reliable funding sources in order to obtain a sufficient level of required intraday liquidity in a short time;
management of bank assets that are used as collateral in case of the need to obtain daily borrowed funds;
the availability of a sufficient amount of such assets, operational mechanisms for collateral;
monitoring of outflows of funds of key clients in accordance with intraday needs;
the bank's response measures in case of unexpected breaks in daily liquidity flows, including measures to ensure business continuity.
The bank shall provide an effective system of management information designed to provide the board of directors of the bank, the risk management committee and other interested structural units of the bank with information on the bank's exposure to liquidity risk and the state of liquidity of the bank.
The bank shall develop a management reporting system that:
covers all sources of liquidity risk, including contingent liability risks, as well as risks associated with the occurrence of events that entail early repayment of obligations and the need for a certain amount of liquidity from relevant sources;
provides information on liquidity positions in the context of different time horizons;
provides a risk measurement for monitoring positions on liquidity, both under normal and stressful conditions, by types of currencies in which the bank has significant positions, both individually and on an aggregated basis;
allows monitoring and analysis of the dynamics of unencumbered highly liquid assets, with the aim of selling them or using them as collateral to raise funds in the event of stressful situations;
allows monitoring and analysis of information on factors affecting the level of stock of liquid assets;
provides assessment and forecasting of future cash flows in the context of different time horizons, including taking into account the results of stress testing in various scenarios;
involves providing more detailed and relevant information on a more frequent basis during periods of stress.
The management reporting system includes, but is not limited to, establishing an internal order that shall determine:
the criteria, composition, internal procedure and frequency of reporting on liquidity risk management to various recipients (for example, daily reporting shall be presented to executives responsible for liquidity risk management, regular reporting to the management board, risk management committee and board of directors, with an increased frequency during periods of stressful situations);
comparison of the current liquidity risk level with the established limits, identification of negative factors leading to negative trends in the liquidity level, as well as ways to limit violations;
reports on violations of liquidity risk limits indicating threshold values, causes of violations and proposals to level out the current situation;
responsible executives (units) for the preparation and communication of information to the appropriate recipients.
Information systems ensure the functioning of the liquidity risk management system, including monitoring compliance with the established limits. Information systems correspond to the complexity of the bank’s business, risk profile, areas of activity, assets and the role of the bank in the financial system.
57. Description of the process of integrating liquidity risk management into the approval process of new products and activities.
The bank shall take into account the costs, benefits and liquidity risks in the process of approving new products for all important activities.
The ILAAP of the bank shall take into account the measurement of costs, benefits and liquidity risks inherent in all areas of the bank's business (including activities related to contingent risks that do not have a direct effect at the moment, but have the opportunity to be implemented in the future). This distribution of costs, benefits and liquidity risks includes factors related to the expected maturity of assets and liabilities, their market liquidity risk characteristics and any other relevant factors, including the benefits of access to relatively stable funding sources.
58. Review of funding strategy and contingency financing plan with liquidity (hereinafter referred to as the financing plan). The bank shall diversify the funding sources and set internal concentration limits, taking into account the following factors (but not limited to):
1) types of funding sources in the context of products, tools, markets;
2) urgency of funding;
3) characteristics of the issuer, counterparty or creditor, including economic sector, geographical location;
4) the currency of funding sources.
The diversification goals are part of financing plans (up to and over a year) and are taken into account in the process of drawing up strategic and budget planning.
The board of directors, the risk management committee and the management board of the bank shall be informed about the characteristics and diversification of funding sources and periodically review the funding strategy in order to immediately respond to changes in the internal and external environment.
An important component of ensuring diversification of funding is providing access to financial markets, which is crucial in the efficiency and ability to attract funds from investors and counterparties. Providing access to relevant markets shall take into account, but is not limited to, the following:
maintaining an availability in financial markets selected for funding purposes;
the opportunity to strengthen availability in selected financing markets;
identification, establishment, maintenance of relationships with current and potential lenders providing funds;
increasing the bank's capitalization in order to ensure the readiness of creditors to maintain relations with the bank.
The bank identifies alternative funding sources that increase the bank's ability to withstand stressful situations and liquidity crises. Depending on the nature, severity and duration of the liquidity crisis, potential sources of financing include, but are not limited to, the following:
deposit growth;
extension of maturities;
issue of short-term and long-term debt instruments;
intragroup transfers of funds, sale of subsidiaries or lines of business;
asset securitization;
sale of existing highly liquid assets or the conclusion of repo transactions;
containing the increase in volumes in the main areas of activity (for example, slowing down the issuance of loans).
The board of directors of the bank, the risk management committee and the management board shall periodically evaluate and monitor the ability to quickly raise funds from each funding source in order to assess the effectiveness of ensuring liquidity in the long term.
The board of directors of the bank approves a financing plan that clearly defines the process for eliminating liquidity shortages in emergency situations. The financing plan corresponds to the scale of the bank’s activities, risk profile, types and complexity of operations, assets and the role of the bank in the financial system. The financing plan includes a clear description of a diversified set of adequate, affordable, ongoing potential measures to ensure unforeseen expenses to maintain liquidity and reduce the cash deficit in various adverse situations.
The financing plan shall contain:
well-defined and accessible sources of financing in case of unforeseen circumstances, with an assessment of the possible amount of funds that are raised from these sources;
the time required to attract additional funds from each of the sources of contingency financing;
clear operating procedures governing:
formation of the composition of executives (bodies, units) of the bank responsible for the development and implementation of the financing plan, indicating the powers and areas of their responsibility in order to ensure internal coordination and communication;
a detailed algorithm of actions and their prioritization in relation to what actions need to be taken, who is responsible for their adoption, when and how these actions are implemented;
several options for implementing various stressful situations.
In order to ensure operational reliability, the financing plan is regularly tested and updated.
59. The bank shall have a constant stock of unencumbered highly liquid assets that might be used as soon as possible without significant losses and discounts under various stressful scenarios, including events that entail loss of access or reduction in the volume of liquid funds provided by creditors, including against collateral, as well as placed by depositors.
The required liquidity reserve shall be comparable with the bank's established risk appetite for liquidity risk. This requires determining the required size of the stock of unencumbered highly liquid assets to assess liquidity needs under stress. The assessment of liquidity needs under current conditions and during periods of stress shall include:
both contractual and non-contractual cash outflows (inflows);
unconditional demand of depositors to withdraw funds;
and shall take into account the inability to obtain unsecured financing, as well as the loss or reduction of access to liquid funds.
The necessary liquidity reserve shall mainly be formed from the highest quality liquid assets, such as:
monetary funds;
liquid government securities;
financial market instruments that can be sold in periods of the most negative and of less negative stress scenarios as unencumbered liquid assets, sold or used as collateral without significant loss or discount.
General characteristics for the determination of highly liquid assets include:
transparency of its structure and risk profile;
ease and certainty of the assessment;
existence of a liquid market for a given asset in all stress scenarios;
available market volumes for the asset, including bank stocks relative to normal market turnover;
absence of legal, regulatory or operational barriers to using these assets in order to receive financing at any time to meet liquidity needs.
Effective management of collateral shall be carried out through procedures that determine, among other things:
assessment of the bank's needs for assets that must be used as collateral, including assets that are currently pledged, taking into account the timing of their release;
conformity assessment of each type of asset for use as collateral in relation to each type of main counterparties and secured financing markets;
diversification of assets to be used as collateral by the issuer, volume relative to the capabilities of the financial market and counterparties, price sensitivity to avoid excessive concentration, and also taking into account various market stress scenarios;
monitoring collateral by issuer, geographical location, currencies, in order to assess how quickly assets are mobilized if necessary.
60. The stress testing system shall include an analysis of the types of stress testing used, stress testing scenarios, applicable assumptions, and a methodological basis for verifying the stability of the liquidity sufficiency indicator in case of changing market conditions and management measures.
The bank shall periodically conduct stress testing on various factors of short-term and long-term scenarios, oriented both to the specifics of the bank and to large-scale market stresses, and to the combination of both scenarios, in order to analyze and quantify their impact on the level of liquidity and on the bank's cash flows, profitability and solvency.
The results of stress tests shall be reviewed by the board of directors of the bank. Based on the results of the review, measures are taken to eliminate or mitigate the consequences to limit the impact on the bank, create the necessary liquidity reserve and adjust the liquidity level.
The results of stress tests play a key role in formulating a bank financing plan and in determining a strategy and an ILAAP.
The stress testing process shall include the following:
the bank shall analyze the impact of stress scenarios on the liquidity position and estimate the level of liquidity risk occurrence when the internal and external environment changes, at different time periods (short-term, long-term), including on an intraday basis;
the degree and frequency of stress testing are consistent with the chosen business model, the scale of activity, types and complexity of operations, as well as the role of the bank in the financial system. The bank shall have the ability to increase the frequency of stress testing in worsening market conditions or at the request of the board of directors of the bank or risk management committee;
the board of directors of the bank shall take part in the stress testing process in terms of approving stress testing procedures and scenarios (including considering conservative stress scenarios even during periods of liquidity surplus), evaluating the results and, as a result, taking measures to minimize the risks identified during stress testing;
in stress testing, the bank shall take into account the possible behavioral response of other market participants to market stress events and the extent to which the overall result strengthens market movement and aggravates the market load.
In developing scenarios and additional stress testing, the bank is guided by the following:
scenarios include all the main funding and liquidity risks in the market to which the bank is potentially exposed;
the bank shall consider short-term and protracted, as well as idiosyncratic and market scenarios, regardless of how high the level of liquidity is at the moment, including:
simultaneous lack of liquidity in several previously highly liquid markets;
serious difficulties in accessing secured and unsecured funding;
currency convertibility restrictions;
serious operational or settlement failures affecting one or more major payment or settlement systems;
the bank shall take into account the relationship between reduced liquidity in the market and funding restrictions;
during stress testing, the bank shall consider the relationship of various types of risks;
the bank shall take into account liquidity requirements in many currencies and several major payment and settlement systems;
the bank shall take a conservative approach in determining the assumptions of stress testing. Based on the type and severity of the scenario, the bank shall take into account the relevance of a number of assumptions regarding its activities, which include, but are not limited to, the following:
narrowing market-wide liquidity;
outflow of retail and corporate funding;
lack of access to new secured and unsecured sources of funding;
need for significant discounts for the sale of assets and (or) repos;
default of counterparties, including on the interbank market;
possibility of establishing additional margin and collateral;
possibility of changes in the timing of financing;
liquidity aimed at fulfilling contingent liabilities for off-balance sheet instruments and operations, including credit lines;
planned change in the volume of assets;
non-renewability of interbank deposits;
inability to use credit lines provided to the bank;
impact of triggers on a significant decrease in credit ratings;
conversion of funds of bank customers;
decrease in the ability to sell liquid assets taking into account legal, regulatory, operational and time constraints;
limited access to funds of the authorized body, companies of the quasi-public sector;
limited operational ability of the bank to sell assets;
significant decrease in the bank's credit rating;
appearance of negative information about the bank, affecting the level of trust in the bank.
Stress scenarios shall be analyzed by the bank on a regular basis in order to confirm their relevance. The analyses shall take into account changes in market conditions, changes in the nature, volume of assets or the complexity of the business model and activities of the bank, and actual experience in situations of stress.
The board of directors of the bank shall approve stress testing scenarios and assumptions made, as well as the results of stress testing. The validity of the choice of scenarios and relevant assumptions of the bank shall be documented and considered along with the results of the stress test.
The results of the stress test and predicted risks, as well as subsequent actions to minimize the negative impact, are reported and discussed with the board of directors of the bank and departments involved in the liquidity risk management process. The board of directors of the bank integrates the results of the stress testing process into the strategic and budget planning process of the bank. The results of stress testing shall be used to establish internal limits.
The board of directors of the bank shall include the results of stress testing in the assessment and planning of the financing plan, including for purposes of correcting deficiencies in the plan.
61. The bank shall annually conduct a self-assessment of the ILAAP to identify weaknesses in the process in terms of the following:
1) liquidity management policies;
2) process organization;
3) procedures, systems and regulatory actions;
4) level of liquidity and the availability of funding.
Based on the results of the self-assessment and on identifying inconsistencies and (or) weaknesses of the process, the bank shall draw up an action plan containing information on corrective actions to be implemented, including information on the responsible parties, expected deadlines, and required resources.
Chapter 7. Business Continuity Management
62. The board of directors of the bank shall ensure the existence of a bank business continuity management system that is consistent with the current market situation, strategy, volume of assets, and complexity of the bank’s operations.
The bank shall manage business continuity through procedures including, but not limited to, those listed in paragraphs 63-71 of the Rules.
63. The bank shall carry out, according to the method defined in the internal document of the bank, an analysis of the impact on activities, through which the assessment shall be carried out of:
1) impacts, damages or losses on personnel, premises, technologies or information of the bank;
2) violations of the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies;
3) loss of reputation.
An analysis of the impact on the bank's activities shall be carried out to determine the time frame for the restoration of critical activities, as well as to identify the resources necessary to resume and continue key activities in case of unforeseen circumstances (critical resources).
To analyze the impact on activities, the bank:
assesses the amount of possible losses in connection with the downtime of providing critical products and services over time;
sets the maximum acceptable period of downtime for each activity by identifying:
the maximum period within which activity resumes;
the period of time within which the normal level of activity is resumed;
identifies types and levels of performance of activities, assets or other resources that need to be continuously maintained in a minimum working condition and (or) restored in a timely manner to provide critical products and services;
determines the amount of resources minimally necessary for the restoration and further implementation of critical activities in emergency mode;
sets a target recovery time for each of the critical activities. The target recovery time is less than the maximum allowable downtime of the corresponding product or service;
establishes a recovery point between the last data backup and the start of downtime of a critical activity;
ranks critical activities by target recovery time, prioritizing;
identifies suppliers, counterparties and other interested parties on whom critical types of the bank’s activities depend, and how these parties assist the bank in unforeseen circumstances.
64. The bank shall identify critical activities. An activity identified in the process of the analysis of the impact on the bank's activities, the loss of which has the maximum negative impact on the bank in the short term and which needs to be restored as soon as possible, is a critical type of activity.
65. The bank shall determine the resources necessary to support critical activities, which include but are not limited to the following:
1) personnel.
In determining personnel as a resource necessary to support critical activities, the bank shall determine:
the required number of employees;
necessary skills and competencies;
2) premises.
When determining premises as a resource necessary to support critical activities, the bank shall determine:
main and alternative sites;
premises requiring increased protection;
3) technology.
In determining technologies as a resource necessary to support critical activities, the bank shall determine:
information technology services supporting critical activities;
telecommunication services supporting critical activities;
other technologies supporting critical activities, including perimeter security, collection technologies;
4) information.
In determining information as a resource necessary to support critical activities, the bank shall determine:
information necessary to carry out critical activities, including internal documents of the bank;
the amount of information that needs to be restored (recovery target point);
methods for storing, protecting and restoring information;
5) suppliers, external services and supplies.
The bank shall determine suppliers, external services and supplies on which the implementation of critical activities depends;
6) financial resources.
The bank shall determine the amount of financial resources that is potentially available for the implementation of the plan(s) of ensuring the continuity and restoration of the bank in case of unforeseen circumstances.
66. The bank shall carry out contingency risk analysis, which allows assessing threats and vulnerabilities in critical activities and the resources they use. As threats that have a negative impact on resources, the bank shall consider, but is not limited to, the following:
1) inaccessibility of employees;
2) inaccessibility of technologies, including information and communication technologies (computer viruses, computer hardware failure, loss of communication);
3) inaccessibility of supply (water, electricity);
4) lack of access to buildings (premises);
5) inaccessibility of key suppliers, contractors;
6) inaccessibility of key information;
7) inaccessibility of financial resources.
67. The bank shall define contingency risk management measures that cover (but are not limited to) the following key resources:
1) personnel;
2) premises;
3) technology;
4) information;
5) suppliers, contractors and supply channels.
When choosing contingency risk management measures, the bank shall take into account the results of the analysis of the impact on the bank’s activities and shall determine, among other things, the internal procedure for interaction with external suppliers involved in restoration work, with external counterparties (depositors, creditors), shareholders of the bank, with the authorized body and other authorities, as well as with the media and other interested parties.
When choosing measures to manage the risks of unforeseen circumstances, the bank shall take into account, but is not limited to, the following factors:
the most acceptable period of downtime for a critical activity;
the costs of the implementation of the plan(s) for the continuity and restoration of activities;
consequences of failure to take action;
realistic risks and the magnitude of losses from their implementation;
consistency with the established goals of the business continuity management system;
consistency with policies and procedures for the management of business continuity.
The bank shall define measures to maintain key knowledge and competencies to ensure the continuity of its activities. Measures include, but are not limited to, the following:
regulation of the internal procedure for the implementation of critical activities;
maintaining a list of additional competencies of personnel not used in daily activities for the redistribution of functions in the face of a shortage of workers;
personnel training in professional skills, including cross-functional training.
The bank shall determine measures to reduce the impact on the provision of critical products and services due to the lack of main premises. These measures include, but are not limited to, the following:
provision of alternative facilities;
transfer of personnel to other premises of the bank;
use of workplaces of workers performing non-critical work;
work at home or in remote premises.
When choosing alternative premises, the bank shall take into account, but is not limited to, the following features:
security of the premises;
access to the premises;
proximity to the main premises;
availability of necessary communications.
The bank shall determine measures to maintain the operability of information technology and communication services necessary to ensure business continuity.
The bank shall determine measures to ensure the integrity, accessibility and confidentiality of information necessary to ensure business continuity in the event of a critical event.
The bank shall determine the list of resources used (including material supply, financial resources) and measures to ensure their availability, including from external suppliers and contractors and other interested parties in the event of a critical event, which includes:
storage of additional resources, including technological and telecommunication equipment, in storage facilities;
agreements with the supplier on the urgent delivery (replacement) of resources in the warehouse;
availability of alternative resource providers.
68. The bank shall ensure the development and availability of plan(s) for ensuring continuity and (or) restoration of activities. The plan(s) for ensuring continuity and (or) restoration of activities meets the following principles:
1) understandable to responsible executives;
2) available for use by responsible executives;
3) has goals and scope consistent with the business continuity management policy, including:
a list of critical activities of the bank, as well as the maximum allowable downtime, including those requiring recovery;
target recovery time for critical activities, including for information technology and telecommunications;
measures to minimize the risk of loss of reputation;
4) consistent with the actions of external organizations;
5) contains a description of the functions and responsibilities of personnel involved in ensuring the continuity and restoration of activities;
6) has an activation scheme, including:
the decision-making procedure for activation, including a list of employees responsible for confirming activation and the conditions under which activation of the plan is required;
a list of employees informed about the activation of the plan;
7) contains a diagram of emergency external and internal communications, paying attention to:
communications within the team of workers involved in the recovery and emergency provision of critical products and services;
communications with external organizations involved in business continuity;
communications with the authorized body;
communications with the mass media and customers;
communications with counterparties and other interested parties during the restoration work;
communication methods;
8) contains requirements for the minimum amount of resources and suppliers needed at various points in time for the restoration and emergency provision of critical activities;
9) contains a sequence of actions for the restoration and continuous provision of critical activities, including:
a scheme for involving third-party organizations in the recovery process;
a scheme for involving counterparties and stakeholders of the bank in the process of restoring the bank's activities;
the sequence and places of recovery of critical activities of the bank;
the timing and place of restoration of critical information technology services, as well as the sequence of actions for their restoration, including restoration of network infrastructure in a new building, restoration of basic functionality, applications and databases, synchronization, backup, telecommunications;
dates and places for mobilizing the necessary resources;
10) contains all the necessary details, including the location of the reserve premises, routes, contacts of the authorized body and other authorities, organizations involved in the restoration of the bank, as well as ways to contact them;
11) contains a method for documenting key information on the progress of work, decisions made and measures taken;
12) has a scheme for:
cancellation of emergency operation, including criteria to decide on completion of emergency operation;
transition to a daily functioning mode;
recovery of damaged internal banking processes after elimination of the consequences of unforeseen circumstances;
13) has a sole owner of the plan responsible for maintaining and reviewing it.
69. The bank shall test a plan (plans) to ensure continuity and (or) restoration of activities in order to determine that:
1) critical activities are protected regardless of the severity of the critical event;
2) these plans ensure the activities of the bank in unforeseen circumstances and the transition to daily operation.
70. The bank shall:
1) carry out testing in the event of significant changes in the activities of the bank;
2) carry out testing both of individual elements of the business continuity management system and of the system in the aggregate, in order to verify the reliability of the system as a whole;
3) carry out test planning in such a way as to minimize the impact of critical events that arise during the test;
4) define the goals and objectives of each testing;
5) determine the group of observers (testing controllers) from the bank employees responsible for the development of the plan (plans) for ensuring continuity and (or) restoration of activities, employees exercising internal control, and, if necessary, independent specialists from organizations specializing in the provision of advisory services in the field of business continuity and information security of the bank. A group of observers (testing controllers) shall carry out:
control of each test;
assessment of test results;
drawing up a protocol on testing, its results and feedback, including the necessary corrective actions;
coordination of the protocol with the heads of bank departments involved in testing and the plan (plans) for ensuring continuity and (or) restoration of activities;
6) draw up and approve a report on the results of testing on the basis of an agreed audit protocol, which includes analysis of the test results, proposals on eliminating identified shortcomings and improving plans and other elements of the bank's business continuity management system.
A report on the results of testing with proposals, if necessary, to improve the plan (plans) for ensuring continuity and (or) restoration of activities is sent to the risk management committee for review and the board of directors of the bank for approval.
71. The board of directors of the bank shall ensure that there is a management information system that includes, but is not limited to, information on the status of implementation of procedures and processes for managing business continuity, revealed facts of violations of internal procedures and policies, incidents, results of inspections and plans to increase the bank’s stability and ability to restore certain operations.
Chapter 8. Information Technology Risk Management
72. The board of directors of the bank shall ensure the existence of an information technology risk management system that matches the external operating environment, strategy, organizational structure, volume of assets, the nature and level of complexity of the bank’s operations and ensures the minimization of information technology risks.
73. The information technology risk management system includes, but is not limited to, the following:
1) information technology risk management policy;
2) information technology risk management procedures;
3) management information system;
4) assessment of the effectiveness of the risk management system of information technology by the internal audit unit.
74. The bank shall determine the following participants in the information technology risk management system (but not limited to):
1) bank risk management unit;
2) information technology unit.
75. The bank shall create a structural unit for risk management, whose functions include risk management of information technology, including:
1) development, implementation and development of a risk management system for information technology;
2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring the availability of information and communication technologies;
3) participation in the risk assessment of information technology;
4) monitoring the level of risk of information technology;
5) interaction and advice to structural units of the bank on information technology risk management;
6) planning and analysis of the results of an information technology risk assessment conducted by the information technology unit;
7) development and formation of a risk register, including information technology risks;
8) reporting on the implementation of significant risks of information technology and monitoring the implementation of measures to eliminate their consequences to the risk management committee;
9) provision of reports or other information on information technology risk management to the board of directors;
10) use of the results of internal audit in terms of information technology risks.
76. The bank shall create a structural unit for information technology, whose functions include:
1) conducting a risk assessment of information technology;
2) development of measures for processing information technology risks and reporting on their implementation to the risk management unit;
3) preparation and submission of reports on the implementation of significant risks of information technology to the risk unit of the bank, as well as on the elimination of their consequences;
4) development of action plans for the implementation of the strategy of the bank in terms of ensuring the accessibility of information and communication technologies for critical business processes.
The bank shall ensure the independence of the structural unit for risk management from the structural unit for information technology.
77. The risk management unit shall develop an internal document that defines the procedure for managing information technology risks, which includes, but is not limited to, the following:
1) information technology risk identification procedures;
2) procedures for determining internal and (or) external factors affecting the implementation of each of the risks of information technology;
3) procedures for assessing the possibility and consequences of all identified risks of information technology, applying qualitative and (or) quantitative methods of assessment, including on the basis of data on their implementation;
4) procedures for the collection and storage of information on the implementation of significant risks of information technology;
5) the procedures for the formation of a risk register, including the risks of information technologies;
6) procedures for developing information technology risk treatment measures;
7) procedures for monitoring the implementation of measures to handle the risks of information technology.
78. The information technology unit shall develop an action plan to implement the strategy of the bank in terms of ensuring the availability of information and communication technologies for critical business processes, which discloses, but is not limited to, the following:
1) determination of resource requirements, including the determination of the budget associated with the development of information and communication technologies;
2) description of the required measures in the field of information and communication technologies, indicating the timelines and those responsible for their implementation.
The bank shall ensure the existence of a management information system, including, but not limited to, the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on risk management of information technology of the bank, responsible executives (units) for the preparation and delivery of information to the relevant recipients.
Chapter 9. Information Security Risk Management
79. The board of directors of the bank shall ensure the existence of an information security risk management system that is consistent with the external operating environment, the strategy of the bank, organizational structure, assets, the nature and complexity of the bank’s operations and is aimed at minimizing information security risks.
80. The information security risk management system includes, but is not limited to, the following:
1) information security risk management policy;
2) information security risk management procedures;
3) management information system;
4) assessment of the effectiveness of the information security risk management system by the internal audit unit.
81. The bank shall determine the following participants in the information security risk management system (but not limited to):
1) bank risk management unit;
2) information security unit;
3) information technology unit;
4) units-owners of protected information.
82. The bank shall create a structural unit for risk management, whose functions include information security risk management:
1) development, implementation and development of an information security risk management system;
2) participation in the development and coordination of action plans for the implementation of the strategy of the bank in terms of ensuring information security;
3) creation and leadership of a working group on the formation of a list of critical information assets of the bank, including at least units that own information to be protected;
4) participation in the information security risk assessment;
5) monitoring the level of information security risks;
6) interaction and consultation of structural units of the bank on information security risk management;
7) planning and analysis of the results of the information security risk assessment conducted by the information security unit;
8) development and formation of a risk register, including information security risks;
9) reporting on the implementation of significant information security risks and monitoring the implementation of measures to eliminate their consequences to the risk management committee;
10) provision of reports or other information on information security risk management to the board of directors of the bank;
11) use of the results of the internal audit in terms of information security risks.
83. The bank shall create a structural unit for information security, whose functions include:
1) conducting an information security risk assessment;
2) development of measures for processing information security risks and reporting on their implementation in the risk management unit;
3) preparation and submission of reports on the implementation of significant information security risks to the risk unit of the bank, as well as on elimination of their consequences;
4) development of action plans for the implementation of the bank strategy in terms of ensuring information security.
The bank shall ensure the independence of the structural unit for risk management from the structural unit for information security.
84. The risk management unit shall develop an internal document that defines the procedure for managing information security risks, which includes, but is not limited to, the following:
1) procedures for the identification and classification of information assets in order to identify critical information assets;
2) procedures for identifying vulnerabilities of critical information assets;
3) procedures for identifying potential threats in relation to critical information assets;
4) procedures for identifying existing information security risk management measures;
5) procedures for assessing the possibility and consequences of violation of confidentiality, integrity and accessibility of information assets, using qualitative and (or) quantitative methods of assessment, including on the basis of data on their implementation;
6) procedures for the collection and storage of information on the materialization of significant information security risks;
7) procedures for the formation of a risk register, including information security risks;
8) procedures for monitoring the implementation of measures to handle information security risks and.
85. The information security unit shall develop an action plan for the implementation of the strategy of the bank regarding information security, which discloses, but is not limited to, the following:
1) determination of resource requirements, including determination of the budget associated with the implementation of measures aimed at managing information security risks;
2) description of the required measures in the field of information security with an indication of the time frame and responsible executors for their implementation.
86. The units-owners of protected information, in the framework of information security risk management, carry out:
1) providing a description of the protected information to the risk management unit;
2) formation of a list of critical information assets of the bank as part of a working group on the formation of a list of critical information assets of the bank under the leadership of the risk management unit.
87. The bank shall ensure the availability of a management information system, including, but not limited to the establishment of an internal procedure that defines the criteria, composition and frequency of reporting on information security risk management of the bank, responsible executives (units) for the preparation and delivery of information to relevant recipients.
Chapter 10. Compliance Risk Management
88. The board of directors of the bank shall control the compliance risk management process of the bank, create a compliance control unit in the bank, appoint and release from the post the chief compliance controller, and approve the compliance risk management policy.
The compliance control unit shall organize procedures to comply with the requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the legislation of foreign countries that affect the activity of the bank and the bank's internal documents, governing the procedure for the bank to provide services and conduct operations in the financial market, and shall provide complete and reliable information to the board of directors about the existence of compliance risk.
The risk management committee shall be responsible for developing a compliance risk management policy to be approved by the board of directors and containing the basic principles of the compliance risk management board, including the principles of creating a compliance culture in the bank, on the basis of which compliance risk is identified and managed at all levels of the structure of the bank.
89. The compliance control unit shall be responsible for developing a compliance risk management policy, ensuring compliance risk management and coordinating the activities of the bank in managing compliance risk. The compliance risk management policy of a branch of a non-resident bank of the Republic of Kazakhstan is developed by the compliance control unit of a non-resident bank of the Republic of Kazakhstan, the branch of which is opened on the territory of the Republic of Kazakhstan.
A compliance control unit is a structural unit of the bank, independent of any activities of the bank’s structural units that constitute the first line of defense.
The independence of the compliance control unit shall be ensured by the following factors:
the compliance control unit has the status of an independent structural unit;
employees of the compliance control department shall not hold part-time positions in other structural units of the bank;
the head and employees of the compliance control unit shall not find themselves in a situation where there is a possible conflict of interest between their responsibilities for managing compliance risk and any other responsibilities assigned to them;
the compliance control unit, within the framework of its competence, has access and, if necessary, requires any information from the bank’s structural units, and subsidiaries of the bank, and also involves employees of the bank and its subsidiaries to assist in the performance of the compliance control function.
Footnote. Paragraph 89 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 24.02.2021 №. 43 (shall be enforced upon the expiration of ten calendar days after the day of its first official publication).
90. The compliance control unit shall perform functions including, but not limited to, the following:
1) development of internal procedures, methods and procedures for identifying, measuring, monitoring and controlling the bank’s compliance risk on a consolidated basis;
2) development, implementation and ensuring the availability of internal control rules to combat ML/TF;
3) formation of a compliance program (plan), which includes, among other things:
risk management policy, taking into account the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating legalization (laundering) of proceeds from crime and financing terrorism, about joint stock companies;
checking the bank’s compliance with the requirements of civil, tax, and banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and exchange control, on payments and payment systems, on pensions, the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, regulating issues provision of services by the bank and conduct of operations in the financial market, as well as legislation of foreign countries that influences the activities of the bank to determine the degree of exposure of the bank to compliance risk;
staff training on compliance risk management;
4) assistance to the board of the bank in managing the bank’s compliance risk;
5) consulting the management and employees of the bank on the norms of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pensions, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory deposit guarantees, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint stock companies, rules, policies related to compliance risk management, including informing about changes, except when such a function is performed by a legal unit of the bank;
6) control of the organization of work in the bank to familiarize bank employees with the requirements of the internal documents of the bank regulating the procedure for the bank to provide services and conduct operations in the financial market;
7) coordination of the activities of the bank’s subsidiaries on issues of compliance risk management, including ML/TF risk;
8) mandatory participation in the process of introducing new banking products and services;
9) ensuring the organization of measures in the bank to identify, assess and control conflicts of interest;
10) developing independently or jointly with structural units and officials of the bank recommendations to eliminate identified violations and shortcomings in the bank’s work related to compliance risk management and submitting relevant information to the board of directors of the bank;
11) development and maintenance of a compliance risk reporting system and periodic provision of information on issues of managing the bank’s compliance risk to the board of directors of the bank;
12) compliance risk management with the bank’s structural units, including the internal audit department;
13) coordinating the collection of quantitative and qualitative indicators to assess the risk of the bank’s involvement in ML/TF risks and transmitting information to the authorized body annually no later than February 5 of the year following the reporting year.
Compliance risk management functions in accordance with the internal documents of the bank shall be delegated, if necessary, to other structural units of the bank, provided there is no conflict of interest.
The provisions of subparagraphs 1) and 8) of this paragraph shall not apply to a branch of a non-resident bank of the Republic of Kazakhstan.
Footnote. Paragraph 90 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 14.03.2022 №. 21 (shall come into effect upon the expiration of ten calendar days after the day of its first official publication).
91. The independence of the chief compliance controller shall be determined by:
1) regardless of the authority, the chief compliance controller is appointed and dismissed by the board of directors of the bank;
2) has unhindered access to the board of directors of the bank, without the participation of the board of the bank;
3) has access to any information necessary for him to fulfill his duties;
4) does not combine the position of chief operating officer, financial director, other similar functions of the bank’s operations, head of the internal audit unit.
The combination of the functions of the chief compliance controller and the head of the compliance control unit is allowed.
Interaction between the chief compliance controller and the board of directors and/or the risk management committee is carried out on a regular basis.
Information on the appointment and dismissal of the chief compliance controller from office shall be brought to the attention of the authorized body.
At the request of the authorized body, the board of directors of the bank shall provide a justification for the reason for such a decision.
92. The bank shall identify, measure, monitor and control compliance risk and develop compliance risk management procedures, which include, but are not limited to, the following:
1) development of internal guidelines (instructions) for bank employees on the management of compliance risk, including the risk of money laundering and terrorist financing, by preparing internal documents;
2) monitoring compliance by the bank and its employees with policies and procedures for managing compliance risk;
3) collecting data on compliance risk events;
4) analysis of complaints (applications) of customers for the availability of compliance risk;
5) development and analysis of quantitative and qualitative indicators characterizing the degree of bank exposure to compliance risk;
6) conducting investigations (checks), independently or jointly with structural units and (or) bank officials, of facts of violation by the bank employees of the legislation of the Republic of Kazakhstan governing the provision of bank services and operations in the financial market, as well as the laws of foreign countries that affect the activities of the bank, in accordance with the procedure determined by the internal document of the bank;
7) providing advice on requests regarding the conformity of a particular transaction (deals) of a bank or part thereof with the legislation of the Republic of Kazakhstan, which regulates the provision of services by the bank and operations in the financial market, as well as the laws of foreign states that affect the bank's activities.
93. In developing procedures for identifying, measuring, monitoring and controlling compliance risk, the bank shall take into account factors including, but not limited to, the following:
1) the volume of assets, the nature and complexity of the bank's business;
2) the availability of data for use as source information;
3) the state of information systems and their capabilities;
4) the qualifications and experience of the personnel involved in the compliance risk management process.
94. The bank shall ensure a compliance risk management system that shall take into account:
1) bank strategy and activities;
2) the volume of assets, the nature and complexity of the depreciation of the bank;
3) the complexity of the organizational structure of the bank;
4) the level and types of risks inherent in the activities of the bank;
5) the effectiveness of compliance risk management procedures applied by the bank in the past;
6) potential internal organizational changes and (or) changes in market conditions;
7) the legislation of the Republic of Kazakhstan governing the provision of services by the bank and conducting operations in the financial market, as well as the legislation of foreign states that affect the activities of the bank.
95. The compliance risk management system includes, but is not limited to, the following:
1) compliance risk management policies and procedures;
2) ML/FT risk management policies and procedures, including a customer acceptance policy. When developing and implementing decision-making procedures for accepting a client for service, the bank shall take into account inherent risk factors;
3) an assessment of the effectiveness of the compliance risk management system by the internal audit unit.
The compliance risk management system is based on 3 (three) lines of defense:
bank employees;
compliance control unit;
internal audit unit.
96. Compliance risk management policies and procedures include, but are not limited to, the following:
1) goals and objectives of compliance risk management;
2) principles of compliance risk management, including principles of creating a compliance culture in the bank (culture of compliance by the bank and its employees with the requirements of civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, the laws of foreign countries that affect the activities of the bank and internal documents of the bank governing the procedures for the provision of services by the bank and conducting operations in the financial market);
3) the internal order, methods and procedures for managing compliance risk, including those based on a risk-based approach;
4) the internal procedure, methods and procedures for managing the risks of the intentional or unintentional involvement of the bank and (or) its subsidiaries in the money laundering and terrorist financing processes, or other criminal activities (money laundering and terrorist financing risk);
5) participants in the compliance risk management system based on 3 (three) lines of defense, their authority, responsibility with a clear definition of the accountability structure;
6) the authority and responsibility of the chief compliance controller, head of the compliance control unit;
7) requirements for the professional qualities of employees of the compliance control unit;
8) procedures for monitoring and coordinating the activities of bank subsidiaries on compliance risk management issues;
9) the internal procedure for interaction and exchange of information between participants in the compliance risk management system.
97. The ML/FT risk management policies and procedures shall include, but not be limited to, the following:
1) development and implementation of internal documents regulating the procedure for managing the risk of ML/FT, implementing financial monitoring and internal control to combat ML/FT;
2) the methodology for assessing ML/FT risks in accordance with the bank’s internal control rules to combat ML/FT;
3) the internal procedure for organizing the bank’s risk management in terms of its structural divisions and/or employees in terms of ML/FT;
4) the presence of a customer acceptance and service program (customer acceptance policy);
5) when developing and implementing procedures for making decisions on accepting a client for service, the bank shall take into account risk factors, including those identified and posted on the Internet resource of the authorized body.
Internal procedures and the procedure for refusal to establish and terminate business relations with a client are developed taking into account the risk factors posted on the Internet resource of the authorized body. Information on the facts of refusal to establish and terminate business relations shall be sent to the authorized body quarterly, no later than the 5th (fifth) day of the month following the reporting quarter;
6) the existence of an automated information system and procedures that enable the identification of transactions subject to financial monitoring, and also enable the timely sending of relevant information and data to the authorized body for financial monitoring.
The automated information system and procedures of the bank specified in subparagraph 6) of part one of this paragraph shall additionally ensure the identification of transactions that have characteristics corresponding to the typologies, schemes and methods of legalization (laundering) of criminal proceeds and financing of terrorism approved by the state body implementing financial monitoring, related to:
1) illegal production, circulation and/or transit of drugs;
2) making payments and transferring money in favor of digital asset exchanges that are not members of the Astana International Financial Center, the list of which is formed by the authorized body;
3) making payments and/or transferring money in favor of electronic casinos and Internet casinos.
Footnote. Paragraph 97 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 31.12.2024 № 96 (for the procedure for entry into force, refer to paragraph 4).
Chapter 10-1. Environmental and Social Risk Management and Sustainability (ESG) Disclosures
Footnote. The Rules are supplemented by Chapter 10-1 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect on 01.07.2025).
97-1. The board of directors of the bank shall ensure the existence of a system for managing environmental and social risks that is consistent with the sustainable development goals defined by the bank’s sustainable development strategy.
97-2. The environmental and social risk management system shall be implemented by the bank to manage environmental and social risks.
The bank's environmental and social risk management system shall include, but not be limited to, the following:
the process of identifying, assessing and managing environmental and social risks;
a set of policies for managing environmental and social risks;
documentation and accounting requirements to ensure transparency and effectiveness of environmental and social risk management;
procedures and decision-making processes related to the identification and management of environmental and social risks;
duties and powers of the authorized collegial bodies of the bank and heads of the risk management department and the sustainable development department on issues of environmental and social risk management;
conducting a comprehensive environmental and social risk assessment (ESDD) of the borrower;
making decisions based on the results of a comprehensive environmental and social risk assessment (ESDD) for the types of financing specified in paragraph 97-4 of the Rules;
the process of monitoring the environmental and social performance of the client;
availability of the necessary resources for internal information exchange and training of bank employees.
97-3. The bank shall carry out a comprehensive assessment of environmental and social risks (ESDD) associated with the activities of a potential borrower in financing medium-sized enterprises, corporate finance and project finance.
97-4. The set of policies for managing environmental and social risks shall include, but not be limited to, the following:
1) objectives and procedures for managing environmental and social risks;
2) principles of environmental and social risk management, including principles of creating an environmental and social culture in the bank (a culture of compliance by the bank and its employees with the principles of sustainable development);
3) internal order, methods and procedures for managing environmental and social risks;
4) acceptable lower and upper limits of environmental and social risks for the bank;
5) procedures for taking into account environmental and social risks in the bank’s lending activities;
6) powers and responsibilities of the heads of the risk management unit and the sustainable development unit;
7) requirements for the professional qualifications of employees of the Sustainable Development Unit;
8) internal procedures for interaction and exchange of information between participants in the environmental and social risk management system.
97-5. Disclosure of information on sustainable development (ESG) shall be carried out through inclusion in the bank's annual report and/or publication of a separate report on sustainable development (ESG).
The bank shall prepare an ESG report annually, no later than 30 July of the year following the reporting year when preparing the annual report and no later than 30 August of the year following the reporting year when preparing a separate report.
To analyze quantitative information, the bank shall include in the sustainable development report (ESG) the results of the reporting year and the two previous years (starting from January 1, 2027).
The requirements of Chapter 10-1 of the Rules shall not apply to second-tier banks that are subsidiaries of international banks that have approved policies and procedures for assessing and managing ESG risks, environmental and social risks, as well as disclosing information on ESG risks, environmental and social risks, which apply to subsidiaries of international banks that publish consolidated reports on sustainable development (ESG) and reports on environmental and social risks.
Chapter 11. Internal Control
98. The bank shall ensure the existence of an internal control system that corresponds to the current market situation, strategy, volume of assets, and level of complexity of the bank's operations. Internal control is a process built into the daily activities carried out by the authorized collegial bodies of the bank, structural divisions, and all employees of the bank in the performance of their duties, and aimed at achieving the following goals:
1) ensuring the efficiency of the activities of the bank, including the efficiency of managing banking risks, assets and liabilities, and ensuring the safety of assets;
2) ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users, as well as information security;
3) ensuring the bank's compliance with the requirements of the civil, tax, and banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, the legislation of the Republic of Kazakhstan on currency regulation and currency control, on payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting, on credit bureaus and the formation of credit histories, on collection activities, on mandatory guarantee of deposits, on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, and internal documents of the bank;
4) preventing the involvement of the bank and its employees, the clients of the bank:
in the implementation of illegal activities, including fraud, deception, money laundering/financial terrorism, illegal production, trafficking and/or transit of drugs;
in the implementation of operations related to the implementation of transactions that have a high risk of ML/FT;
in the implementation of operations related to the further acquisition of unsecured digital assets on digital asset exchanges that are not members of the Astana International Financial Centre, the list of which is formed by the authorized body;
in making payments and/or transferring money in favor of electronic casinos and online casinos;
in making payments and/or transfers of money by individuals under the age of twenty-one in favor of the organizer of the gambling business.
The bank shall carry out an ML/FT risk assessment in the event of suspicions that business relations are used by the client for the purposes of illegal production, trafficking and/or transit of drugs, as well as concerning clients who are:
1) holders of more than five payment cards issued by one bank, except for additional payment cards issued in the name of children, as well as credit cards that are used exclusively for the issuance and repayment of bank loans;
2) holders of payment cards issued by three banks, more than three payment cards by each bank per client (if the bank has such information), except for additional payment cards issued in the name of children, as well as credit cards, which are used exclusively for the issuance and repayment of bank loans;
3) residents of countries with a high risk of ML/FT based on the factor of illegal production, trafficking and/or transit of drugs, except for countries of the Eurasian Economic Union;
4) involved in the implementation of payments and money transfers in favor of digital asset exchanges that are not members of the Astana International Financial Center, the list of which is formed by the authorized body.
Concerning the clients specified in part two of this paragraph, the bank shall assign a high level of ML/FT risk, apply enhanced due diligence measures to such clients and shall be responsible for:
ensuring that the source of funds of the bank's clients is verified;
taking measures established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, when suspicious transactions are identified;
monitoring and studying transactions with bank clients’ money;
taking measures concerning non-residents of the Republic of Kazakhstan to establish the purpose and nature of business relations by requesting documents confirming the validity of their presence in the Republic of Kazakhstan (employment contract, training contract, residence permit for a foreigner in the Republic of Kazakhstan and other documents);
updating information about the client (his/her representative) in accordance with the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
sending information to the authorized body for financial monitoring of bank clients;
termination of business relations with the bank's clients in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism.
The bank shall identify and block payments and money transfers in favor of digital asset exchanges that are not members of the Astana International Financial Center, the list of which shall be formed by the authorized body.
Concerning a participant of the Astana International Financial Centre providing services for managing the digital asset platform, the bank shall carry out an ML/FT risk assessment. When assigning a high ML/FT risk level to a participant of the Astana International Financial Centre providing services for managing the digital asset platform, the bank shall apply enhanced customer due diligence measures and shall be responsible for the following when conducting banking operations:
conducting an assessment of the degree of exposure of services (products) provided to a participant of the Astana International Financial Centre, providing services for managing the digital asset platform, to ML/FT risks;
conducting due diligence procedures when establishing business relationships, which include, in addition to the due diligence measures provided for clients, additional measures to obtain and record information about the reputation and nature of the activities of a participant of the Astana International Financial Centre providing services for managing the digital asset platform, and the application of measures against it by the Astana International Financial Centre Financial Services Regulatory Committee;
termination of business relations with a participant of the Astana International Financial Centre providing services for managing the digital asset platform, in cases where the bank discovers facts of the use by a participant of the Astana International Financial Centre providing services for managing the digital asset platform of accounts held in a shell bank;
refusal to establish or termination of business relations with a participant of the Astana International Financial Centre providing services for managing a digital asset platform, the founders of which are registered in the territory of a foreign state:
included in the list of states (territories) that do not comply or do not sufficiently comply with the recommendations of the Financial Action Task Force on Money Laundering (FATF), compiled by the authorized financial monitoring body;
subject to international sanctions in accordance with United Nations Security Council resolutions;
included in the list of offshore zones in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated February 24, 2020 № 8 "On the establishment of the List of offshore zones for the purposes of banking and insurance activities, activities of professional participants in the securities market and other licensed types of activities in the securities market, activities of joint-stock investment funds and activities of organizations engaged in microfinance activities", registered in the State Register of Normative Legal Acts under № 20095;
identified by the bank as representing a high risk of ML/FT based on other factors (information on the level of corruption, illegal production, trafficking and/or transit of drugs, information on support for international terrorism, etc.).
monitoring and studying transactions with money of a participant of the Astana International Financial Centre, which provides services for managing the digital asset platform, as well as preventing the illegal transfer of funds abroad, including to offshore zones;
taking measures established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, upon detection of suspicious transactions with money and/or other property (hereinafter referred to as suspicious transactions);
termination of business relations with a participant of the Astana International Financial Centre providing services for managing the digital asset platform, in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
ensuring that the source of funds of a participant in the Astana International Financial Centre, providing services for managing the digital asset platform, is verified when replenishing a bank account;
ensuring the storage of records of transactions on operations with money and the provision of information to the authorized body for financial monitoring;
ensuring the storage for at least five years of documents, data and/or information received and collected as part of the due diligence of a participant of the Astana International Financial Centre providing services for the management of the digital asset platform;
verification of the affiliation and/or involvement of a participant of the Astana International Financial Centre, providing services for managing the digital asset platform, and its beneficial owner to a public official, his/her spouse and close relatives in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime or the financing of terrorism;
submission to the authorized body for financial monitoring of the necessary information upon detection of suspicious transactions within the timeframes established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime or the financing of terrorism.
Concerning the bank's clients carrying out transactions with a participant of the Astana International Financial Centre providing services for managing the digital asset platform, the bank, when carrying out one-time banking transactions in an amount not exceeding 1,000 (one thousand) US dollars in equivalent at the market exchange rate on the date of the banking transaction, applies simplified measures for due diligence of clients, except in cases where clients carry out suspicious transactions.
Concerning the bank's clients carrying out transactions with a participant of the Astana International Financial Centre providing services for managing the digital asset platform, the bank, when carrying out one-time banking transactions in an amount equal to or exceeding 1,000 (one thousand) US dollars in equivalent at the market exchange rate on the date of the banking transaction, applies enhanced customer due diligence measures and shall be responsible for:
ensuring the verification of the source of origin of the bank's clients' funds when making a transfer in favor of a participant of the Astana International Financial Centre providing services for managing the digital asset platform;
taking measures established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, when suspicious transactions are identified;
monitoring and studying transactions with the bank’s clients’ money, as well as preventing the illegal transfer of funds abroad, including to offshore zones;
termination of business relations with the bank's clients in cases established by the requirements of the legislation of the Republic of Kazakhstan on combating the legalization (laundering) of proceeds from crime and the financing of terrorism.
When opening a bank account to service client transactions, a participant of the Astana International Financial Centre providing services for managing the digital asset platform shall submit the following documents:
a license for a participant of the Astana International Financial Centre providing services for managing a digital asset platform, to provide a financial service for managing a digital asset platform, issued by the Astana International Financial Centre Financial Services Regulation Committee;
an extract from the register confirming registration as a participant in the Astana International Financial Centre, providing services for managing the digital asset platform;
business plan and business model of a participant of the Astana International Financial Centre, providing services for managing a digital asset platform;
Anti-ML/FT policy of a participant of the Astana International Financial Centre providing services for managing the digital asset platform;
an order on the appointment of the head of a participant in the Astana International Financial Centre providing services for managing the digital asset platform;
information about the executive body of the participant of the Astana International Financial Centre, providing services for managing the digital asset platform, and its director (identity document, confirmation of data on the place of residence, letters of recommendation, information on the absence of an unremoved or unexpunged criminal record).
Effective internal control shall be ensured by developing appropriate management control and a control culture (control environment).
Management control and control culture (control environment) shall characterize the general attitude, awareness and practical actions of the board of directors of the bank and the management board of the bank aimed at the creation and effective functioning of the internal control system.
Footnote. Paragraph 98 - as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 31.12.2024 № 96 (shall come into effect upon expiry of ten calendar days after the date of its first official publication).
99. Management control and control culture (control environment) shall be formed by the board of directors and the board of the bank on the basis of ethical principles, standards of professional activity and corporate governance, which together with their legislatively established duties and responsibilities ensure adequate control by the bank’s governing bodies including control of:
1) the organization of the bank’s activities, including the development and implementation of the strategy of the bank, internal bank documents;
2) the functioning of the banking risk management system and the assessment of banking risks;
3) the distribution of powers in banking operations and other transactions;
4) managing information flows (receiving and transmitting information) and ensuring information security;
5) the creation and functioning of the internal control system.
100. The bank shall ensure the existence and functioning of the bank’s internal control system, which includes, but is not limited to:
1) principles of organizing an internal control system;
2) requirements for the professional qualities of employees;
3) the internal procedure and procedures for the implementation of internal control;
4) the definition of participants in the internal control system based on three lines of defense, their authority, responsibility with a clear definition of the structure of accountability;
5) the internal procedure for interaction and exchange of information between participants in the internal control system along three lines of defense;
6) the internal procedure for amending internal documents of the bank and in cases of detection of deficiencies in the process of internal control.
The bank’s internal control system shall be based on the following principles:
participation of all structural units and employees of the bank in the internal control process and organization of internal control as a daily activity at all management levels;
internal control coverage of all areas of activity and business processes and regulation of internal control procedures in all areas and business processes of the bank;
implementation of internal control on an ongoing basis (continuity).
101. The bank shall determine the participants of the internal control system based on three lines of defense:
1) the first line of defense is provided by the structural units of the bank. The heads of structural units shall be responsible for organizing and implementing internal control in the structural unit;
2) the second line of defense is provided by risk management, compliance control, a legal unit, a personnel department, a unit (units) performing financial control functions, and other structural units of the bank that exercise control functions;
3) the third line of defense shall be provided by the internal audit unit through an independent assessment of the effectiveness of the internal control system.
102. The bank shall develop internal control procedures based on the following interrelated elements:
1) control over risk management;
2) control actions and separation of powers;
3) information and interaction;
4) monitoring and correction of deficiencies.
103. The internal control system shall provide control over the timely identification and assessment on an ongoing basis of the risks inherent to the bank and the adoption of timely measures to minimize significant risks in accordance with the bank's internal documents. The internal control system provides, but is not limited to:
1) consideration and accounting during risk assessment of internal factors (the complexity of the bank’s organizational structure, the nature of its activities, qualitative characteristics of personnel, organizational changes, personnel turnover), as well as external factors (changes in economic conditions and the situation in the banking sector, technological innovations) which negatively affect the achievement of the goals set by the bank;
2) risk assessment in certain areas of the bank;
3) carrying out by the bank of new operations and services, subject to the availability of their regulation in the bank's internal documents;
4) ensuring timely informing of executives (departments, bodies of the bank), defined in the relevant internal documents of the bank, about the factors affecting the level of exposure of the bank to risks.
The internal control system is subject to adjustment as any new or uncontrolled material risks are identified, including those related to the introduction of new services and products.
104. Control activities include, but are not limited to:
1) control carried out by the board of directors of the bank, committees of the board of directors and the board of the bank in order to identify and eliminate deficiencies in internal control, violations, errors;
2) control carried out by the heads of structural units;
3) control of physical availability and access to material assets, ensuring the protection of premises for the storage of material assets;
4) verification of compliance with the established limits;
5) a system of coordination and delegation of rights and powers;
6) verification of the timely and correct reflection of the operations and transactions of the bank in accounting and reporting;
7) verification of compliance with the policies and procedures of the bank in operations and transactions.
Control actions within the framework of the separation of duties contribute to minimizing the conflict of interests and the conditions for its occurrence, committing unlawful actions, as well as preventing the provision of the same structural unit and (or) employee with the opportunity:
to make banking operations and other transactions and at the same time carry out their reflection in accounting;
authorize the payment of money and carry out their actual payment, taking into account the limits established by the bank's internal documents;
conduct operations on bank accounts of customers and accounts reflecting their own financial and economic activities of the bank;
evaluate the reliability and completeness of the documents presented at the time of loan issuance, and monitor the repayment of the loan;
perform actions in any other areas of activity in which a conflict of interest arises.
Depending on the bank's operations, the following control methods shall be used:
double control (the "four-eye" and "shared access" principles).
The “four eyes” principle requires that the work of one employee be checked (approved) by another employee in order to involve the second employee in verifying the correctness of calculation, authorization and documentation of the operation.
The principle of “shared access” implies a procedure in which 2 (two) or more employees are equally responsible for the physical protection of values and documents. Responsibility shall be established by the relevant internal document of the bank and shall be brought to the information of all employees;
analysis of operations.
Preliminary analysis of the operation to prevent an incorrect or unauthorized operation.
Subsequent analysis after its completion in order to reveal the fact of an unauthorized operation.
To ensure the effectiveness of the subsequent analysis, it is necessary that the executive conducting the subsequent analysis be independent of the workers conducting this operation;
reports on the results of operations to provide bank management with information on bank performance, financial conditions and deviations from the budget;
training bank personnel in control techniques and error detection;
data protection;
providing protection against personnel errors;
checking for errors in order to detect them in a timely manner.
105. From the position of internal control, reliable and detailed financial, operational information and information on compliance with the established requirements of the civil, tax, banking legislation of the Republic of Kazakhstan, legislation of the Republic of Kazakhstan on state regulation, control and supervision of the financial market and financial organizations, legislation of the Republic of Kazakhstan on currency regulation and currency control, payments and payment systems, on pension provision, on the securities market, on accounting and financial reporting on credit bureaus and the formation of credit records, on debt collection activities, on mandatory guarantee of deposits, on counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism, on joint-stock companies, as well as incoming external market information about events and conditions related to decision-making. The collection, analysis of information and its transfer to its intended purpose shall involve ensuring:
1) the board of directors of the bank, the board of the bank and the executives (units, bodies of the bank) specified in the relevant internal documents with information for making decisions and performing their duties;
2) the availability of information flows that ensure the integrity, security and accessibility of information inside and outside the bank;
3) adequate control over the management of information flows and information security of the bank.
Internal control of the functioning of information systems and technical means provides for the control of information technology systems, which is carried out in order to ensure their security, uninterrupted and continuous operation.
From the position of internal control, compulsory accounting of all bank operations and transactions is ensured.
Monitoring the timeliness, reliability and sufficiency of the financial information of the bank requires verification of the following (but not limited to):
information systems providing accounting in the bank for compliance with the legislation of the Republic of Kazakhstan in the field of accounting and financial reporting and IFRS;
availability in the bank of internal documents on accounting;
ensuring chronological and timely registration of operations and events in accounting;
ability to generate financial statements at the end of each business day;
correspondence of synthetic (final) accounting to analytical (detailed) accounting;
regular checks of accounting records by employees who are not involved in the process of authorizing or reporting transactions in the financial statements;
accounting records based on primary documents and ensuring the proper design and preservation of primary documents.
106. Monitoring of the internal control system of the bank on an ongoing basis shall be carried out by the first and second line of defense, as well as the board of the bank.
Significant internal control deficiencies shall be reported to the board of directors of the bank.
The internal audit unit shall evaluate the effectiveness of internal control.
The Risk Management Committee shall exercise control over the functioning of the internal control system.
107. The management reporting of the bank on internal control shall include the information on significant violations and deficiencies identified in the process of internal control, as well as on the results of decisions made or measures to eliminate them.
Chapter 12. Internal Audit
108. The bank shall ensure the functioning of an internal audit taking into account the strategy, organizational structure, volume of assets, nature and level of complexity of the bank's operations. The internal audit unit shall have clearly defined powers, shall be independent in its activities and accountable to the board of directors of the bank. The internal audit unit shall have sufficient resources and powers to carry out objectively and efficiently its functions and responsibilities.
The head and employees of the internal audit unit shall not hold a different position, shall not be members of the collegial body of the bank, and shall not combine responsibilities in the bank and (or) subsidiaries.
The internal audit unit shall be guided in its activities by international standards of internal audit.
109. The board of directors of the bank and the internal audit committee shall contribute to improving the efficiency of the internal audit unit by:
1) ensuring unlimited access for employees of the internal audit unit to any documents, information and objects of the bank, including access to systems, records and minutes of meetings of collegial bodies of the bank;
2) establishing requirements for the internal audit unit to independently evaluate the effectiveness of the system of internal control, risk management system, corporate governance in all areas of the bank's business;
3) establishing requirements for internal auditors to comply with the code of ethics and requirements of the banking legislation of the Republic of Kazakhstan, the laws of the Republic of Kazakhstan on joint stock companies;
4) establishing requirements for employees of the internal audit unit to have sufficient knowledge of banking activities and internal audit methods, the skills to collect the necessary and sufficient information, the ability to analyze and evaluate to perform their duties;
5) establishing requirements for the board of the bank to timely and effectively implement the action plan to eliminate violations and deficiencies identified as a result of the audit;
6) requirements to conduct a periodic assessment of the effectiveness of the bank's risk management system, internal accounting procedures, preparation and ensuring the integrity of financial and regulatory reporting, the compliance risk management system, and the internal control system.
The internal audit unit shall carry out an independent, comprehensive assessment of the effectiveness of corporate governance, internal control, and risk management systems.
The internal audit unit uses a risk-based approach in developing its plans and actions, forms an independent, informed opinion on the risks inherent in the bank's activities, and shall carry out appropriate assessments of internal processes.
110. The effective activities of the internal audit unit shall be based on the following principles:
1) independence and objectivity, which are achieved through the following:
conducting an audit in any units of the bank and in any areas of activity based on a risk-based approach;
absence of involvement of the internal audit unit in the development, implementation and application of internal control measures;
absence of a conflict of interest in the activities of employees of the internal audit unit;
rotation in the duties between employees of the internal audit unit, if possible, without prejudice to the competence and professionalism of employees;
absence of connection between the remuneration of employees of the internal audit unit and the financial results of the structural units of the bank. The bonus part of the remuneration of the head and employees of the internal audit unit shall be established in such a way as to exclude the occurrence of a conflict of interest and not to call into question the independence and objectivity of the internal audit unit;
submission of reports of the internal audit unit for consideration by the board of directors and the committee on internal audit issues, for review without the right to adjust such reports to the board of the bank;
accountability of the head of the internal audit unit directly to the board of directors of the bank, which appoints to the post, controls its activities and, if necessary, makes a decision on dismissal;
Information on the decision to release the head of the internal audit unit from the position shall be brought to the attention of the authorized body. Upon receipt of a request from an authorized body, the bank shall provide an explanation of the reasons for making this decision;
2) professional competence and professional discretion, which meet the following characteristics:
the ability of employees of the internal audit unit to collect and perceive information, verify and evaluate the revealed facts and interact with employees of the internal audit unit;
responsibility of the head of the internal audit department for staffing, and constant monitoring and assessment of the required level of skills;
the level of qualifications and skills of employees of the internal audit unit and (or) involved third-party experts that meet the requirements of professional competence, and the ability to conduct an internal audit of the bank's audited areas of activity at the proper level;
professional development in order to comply with changes in the internal and external environment;
3) professional ethics, which meets the following principles:
conscientious performance of duties by employees of the internal audit unit, their responsibility, decency and honesty;
maintaining confidentiality of information obtained in the course of the performance of official duties;
exclusion of a conflict of interest. Employees of the internal audit unit accepted from among bank employees are not allowed for the next 12 (twelve) months from the day they are transferred to the internal audit unit to conduct an audit of the unit in which they worked;
the employees of the internal audit unit comply with the requirements of internal documents, banking legislation of the Republic of Kazakhstan, the legislation of the Republic of Kazakhstan on joint stock companies.
111. The bank shall approve the regulation on the internal audit unit in order to ensure operational efficiency. The regulation includes, but is not limited to:
1) the status of the internal audit unit in the bank, the powers, duties and internal procedures for interaction with other units of the bank;
2) the tasks and scope of the internal audit unit;
3) the responsibilities of the internal audit unit to inform the board of directors, the management board and other interested departments of the bank about the results of the work performed;
4) the conditions under which the internal audit unit provides advice;
5) responsibility and accountability of the head of the internal audit unit;
6) requirements to be guided by international standards of internal audit;
7) procedures for the interaction of the internal audit unit with the external auditor of the bank;
8) the powers of the internal audit unit in the course of business (including verification of any unit and type of activity of the bank and its subsidiaries, unlimited access to bank documents, data, material objects, management reporting, records and minutes of all meetings, and adopted decisions).
112. The scope of activity of the internal audit unit includes the assessment of:
1) the effectiveness of the risk management system and internal control;
2) the effectiveness of bank policies and procedures;
3) the reliability of the accounting system and information;
4) the reliability, efficiency and integrity of management reporting systems (including relevance, accuracy, completeness, accessibility, confidentiality and comprehensiveness of data);
5) the safety of assets and capital.
113. The activities of the internal audit unit adequately cover all issues of regulation of the bank's activities (based on a risk-based approach), in particular:
1) risk management, including:
assessment of the organization of the risk management process, including the responsibilities of structural units;
assessment of compliance of the bank's activities with a risk appetite strategy and risk appetite determination procedures;
assessment of the effectiveness of the internal procedure for informing and disseminating issues and decisions adopted in the framework of risk management;
assessment of the effectiveness of risk management systems, including identification, assessment, monitoring and control, response, reporting on risks arising in the activities of the bank;
assessment of the process of generating data in information systems, and used in the framework of risk management, with a view to ensuring accuracy, reliability and completeness;
assessment of the approval process and application of risk assessment models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models.
If during inspections the internal audit unit revealed significant facts of decision-making by the bank's management in the presence of a negative opinion of the risk management unit(s), such facts shall be brought by the internal audit unit to the notice of the board of directors of the bank;
2) internal control system, including:
checking the organization of the internal control system;
assessment of processes and procedures of internal control;
assessment of management information on internal control for reliability, completeness and timeliness;
3) capital adequacy and liquidity, including:
assessment of the effectiveness of internal processes for assessing capital adequacy and liquidity, the adequacy of the ratio of capital, liquidity and risks taken by the bank, compliance with mandatory standards;
assessment of stress testing processes for capital and liquidity levels, taking into account the frequency of stress tests, testing tasks, realistic scenarios and assumptions made, process reliability;
4) regulatory and management reporting.
The internal audit unit shall evaluate the effectiveness of risk management and reporting processes for the bank management and the authorized body;
5) compliance.
Assessment of the effectiveness of processes and procedures for managing compliance risk and ML/FT risk;
6) the activities of the financial unit:
assessment of the process of generating initial financial data with a view to ensuring their adequacy, accuracy and completeness, and subsequent presentation of key data, including financial results, assessment of financial instruments and reduction of their value;
assessment of the approval process and application of pricing models, including verification of the sequence of approaches, relevance, independence and reliability of the data sources used in these models;
assessment of existing control mechanisms to prevent and detect violations of the rules of operations;
assessment of bank procedures for measuring and monitoring bank positions in terms of liquidity, currency and interest rate for compliance with the risk profile of the bank, the external environment and minimum regulatory requirements;
selective testing of bank transactions for their compliance with policies and procedures during the audit and assessment of the effectiveness of internal control measures in relation to these transactions;
assessment of the effectiveness of accounting processes, including control procedures.
114. Based on the results of audits, a report shall be generated on the results of the internal audit, which contains, but is not limited to, the following:
1) general information, including goals, scope, timing of the audit, information on the composition of the audit team;
2) a list of violations and deficiencies identified during the audit, indicating the reasons for the violations and deficiencies, and their impact on the bank's activities;
3) recommendations for eliminating identified violations and deficiencies;
4) a list of executives to whom the audit report is sent.
The report on the results of the internal audit is sent to the board of the bank for review; the material facts and conclusions drawn are sent to the bank's audit committee and board of directors.
115. The head of the internal audit department shall be responsible for preparing the annual audit plan based on a risk-based approach, which includes, but is not limited to:
1) the purpose and scope of the audit;
2) areas subject to audit;
3) the timing of the audit;
4) the necessary personnel and other resources.
The annual audit plan shall be based on a risk assessment and, if necessary, shall be reviewed during the year.
Chapter 13. Outsourcing
116. In the case of outsourcing external contractors to carry out certain operations and (or) business processes, the board of directors of the bank shall ensure the existence of effective principles and practices for managing risks arising from the involvement of external contractors. Activities to attract external contractors shall include:
1) procedures for determining which functions are transferred to outsourcing and how;
2) the process of verifying the reliability of the financial condition of the company when selecting potential counterparties;
3) reliable principles for concluding contracts with external contractors, taking into account the structure of their property, the conditions of confidentiality and providing for the right to terminate the contracts;
4) risk management and monitoring programs related to the conclusion of such contracts, taking into account the financial position of the service provider;
5) creation of conditions for effective control at the bank and in the organization that provides services;
6) the development of effective plans in case of unforeseen circumstances;
7) the implementation of complex contracts and (or) contracts for the provision of services with a clear distribution of responsibilities between the organization that provides services and the bank.
Chapter 14. Collateral management
Footnote. The Rules are supplemented by Chapter 14 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 №. 119 (shall come into effect from July 1, 2023).
117. The bank shall ensure the functioning of a collateral service unit that takes into account the strategy, organizational structure, volume of assets, nature and level of complexity of the bank’s business. The collateral service unit shall have clearly defined powers. The resources of the collateral service unit shall be determined by the bank taking into account the need to perform its functions and responsibilities objectively and efficiently.
The head and employees of the collateral service department shall not hold positions in other structural units of the bank when there is a possible conflict of interest between their responsibilities for assessing collateral and any other responsibilities assigned to them.
The collateral service unit shall be guided in its activities by the requirements of the legislation of the Republic of Kazakhstan, assessment standards and (or) international valuation standards.
118. The internal documents of the bank help improve the efficiency of the collateral service unit by establishing:
1) requirements for the collateral service unit to conduct an internal assessment of collateral as part of making decisions on issuing a loan and managing credit risk;
2) requirements for employees of the collateral service unit to have sufficient knowledge about valuation activities and valuation methods, skills in collecting necessary and sufficient information, the ability to conduct analysis and evaluation to perform their job duties;
3) requirements to conduct periodic assessments of the effectiveness of the collateral service.
119. The effective operation of the collateral service unit shall be based on the following principles:
1) absence of a conflict of interest in the activities of employees of the collateral service unit;
2) the lack of connection between the remuneration of employees of the collateral service unit and the financial results of the activities of other individual structural units of the bank. The bonus portion of the remuneration of the head and employees of the collateral service unit shall be established in such a way as to exclude the emergence of a conflict of interest and not to cast doubt on the objectivity of the activities of the collateral service unit;
3) professional competence of the employees of the collateral service unit (the head of the collateral service unit shall have a certificate of qualification as an "appraiser" issued by the chamber of appraisers, and membership in one of the chambers of appraisers in accordance with the Law of the Republic of Kazakhstan "On appraisal activities in the Republic of Kazakhstan").
120. The bank shall approve the regulations on the collateral service unit to ensure the efficiency of activities. The provision shall include, but not be limited to, the following:
1) the status of the collateral service unit in the bank, powers, responsibilities and internal procedures for interaction with other units of the bank;
2) the tasks and scope of activity of the collateral service unit;
3) responsibility and accountability of the collateral service unit;
4) requirements for compliance with national assessment standards;
5) requirements for maintaining a statistical journal of the value of collateral.
Chapter 15. Fraud risk management in the use of banking services provided to individuals
Footnote. The Rules are supplemented by Chapter 15 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect upon expiry of ten calendar days after the day of its first official publication).
121. The board of directors of the bank shall ensure that there is an effective fraud risk management system that is consistent with the market situation, strategy, volume of assets, level of complexity of the bank's operations and ensures effective detection, measurement, monitoring and control to combat fraud in the use of banking services and shall include, but not be limited to, the following:
1) anti-fraud policies and procedures;
2) management reporting system;
3) information technologies, including the bank’s anti-fraud system.
122. The functions of the bank's divisions within the framework of fraud risk management shall include, but not be limited to, the following:
1) development of an action plan for the implementation of the bank's anti-fraud strategy, which shall disclose, but not be limited to, the following:
determining resource requirements, including determining the budget required to implement anti-fraud processes;
a description of the required measures to combat fraud, indicating the deadlines and those responsible for their implementation;
2) development and implementation of preventive methods, models, technologies and processes to combat fraud against bank clients on external service channels and committed by bank employees;
3) implementation, provision, operation and continuous improvement of anti-fraud processes and digital channels for the provision of financial products and/or services;
4) assessment of business processes and implemented financial products and/or services for fraud risks;
5) ensuring compliance with regulatory requirements in the field of combating fraud in the provision of financial products and/or services, development and subsequent methodological support in establishing control procedures in the bank’s internal documents;
6) identification and analysis of external and internal data, as well as prevention of new fraud schemes;
7) development of a typology of suspicious transactions with signs of fraud;
8) creation of a list of persons carrying out suspicious transactions with signs of fraud and a list of fraudsters;
9) monitoring suspicious transactions with signs of fraud, behavior of clients, employees and third parties with signs of fraud;
10) maintaining and continuously updating a database of incidents with signs of fraud;
11) transfer of data on suspicious transactions with signs of fraud to the NBRK anti-fraud center around the clock and continuous enrichment with new information as it appears;
12) ensuring interaction with the anti-fraud center of the National Bank of the Republic of Kazakhstan in accordance with the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated July 16, 2024 № 43 "On approval of the Requirements for the procedure for the implementation of the activities of the data exchange center for payment transactions with signs of fraud and its interaction with persons participating in its activities", registered in the State Register of Normative Legal Acts under № 34772;
13) ensuring increased awareness of bank clients, bank employees and third parties in the area of combating fraud through continuous (periodic) information;
14) identification, recording and analysis of facts of internal and external fraud;
15) participation in internal audits, development of corrective measures and recommendations based on the results of internal audits, monitoring their implementation and drawing up conclusions based on the results of the internal audit;
16) preparation of proposals for the adoption by the collegial body of decisions on issues of combating fraud, including compensation for damages or writing off a loan in the event of the bank’s failure to implement its algorithms and models for assessing the risk of fraud when conducting a transaction or issuing a loan (if necessary);
17) preparation and submission of management reports on the implementation of fraud risks, as well as on the elimination of their consequences in accordance with internal documents.
123. The bank's divisions, as part of fraud risk management, shall develop an internal document defining the procedure for fraud risk management, which shall include, but not be limited to, the following procedures:
1) identification of fraud risks and determination of indicators of early detection of exposure to fraud risks;
2) assessment of the probability and consequences of all identified fraud risks, using qualitative and/or quantitative assessment methods, including based on data on their implementation;
3) collection and storage of information on the implementation of significant risks of fraud;
4) formation of a risk register, including fraud risks;
5) development of measures to minimize the risks of fraud;
6) monitoring the implementation of measures to handle fraud risks.
124. The bank’s anti-fraud system shall meet the following requirements:
1) ensures technical integration with the NBRK anti-fraud center;
2) ensures the complete reflection of information on suspicious transactions with signs of fraud and fraud in the incident database and continuous transfer of data to the NBRK anti-fraud center around the clock;
3) uses specified algorithms of scenarios, models and rules to detect suspicious activity;
4) ensures: maintaining an internal list of persons carrying out suspicious transactions with signs of fraud;
automatic verification with the bank’s internal lists, including the lists of the NBRK anti-fraud center for all transactions;
if there is an order from the borrower to transfer the loan to a third-party account, automatic confirmation through the NBRK anti-fraud center by the recipient bank that the beneficiary of the payment is not on the recipient bank’s internal lists of persons carrying out suspicious transactions with signs of fraud;
5) it is possible to suspend and/or reject a transaction;
6) ensures the storage and security of data, the security of information exchange on fraud in accordance with Resolution № 48;
7) provides analysis and adjustment of parameters to identify suspicious transactions with signs of fraud, testing and making changes to the bank’s anti-fraud system.
125. Fraud risk management policies and procedures shall include, but not be limited to, the following:
1) assessing the risk of fraud associated with employees, customers and third parties, which helps prevent the establishment of inappropriate relationships;
2) a list of operations to be considered;
3) criteria for suspicious transactions with signs of fraud and fraud, established, among other things, by the authorized body;
4) the procedure for suspending the provision of electronic banking services to droppers for a period of at least one calendar year, including a mobile application and online banking, the criteria for resuming the provision of electronic banking services, as well as informing in the manner established by the agreement;
5) criteria for inclusion and exclusion from the list of persons carrying out suspicious transactions with signs of fraud and the list of fraudsters;
6) the methods, techniques and models for assessing fraud risks meet the following requirements:
qualitative and quantitative assessment methods;
methods, techniques and models must be adapted to new fraud methods and the level of complexity of bank operations, as well as changes in bank processes and legislation;
fraud detection systems to identify anomalies in transactional and non-transactional data, as well as customer and employee behavior that may indicate suspicious transactions and fraud, provide automated verification;
7) the procedure for interaction between bank divisions and data transfer in accordance with the rules of the NBRK anti-fraud center;
8) the procedure for conducting periodic training and certification of employees on issues of combating fraud;
9) the authentication procedure, which shall include, but not be limited to:
verification of the authenticity of the credentials of clients, employees and third parties;
instructions for ensuring the protection of the information asset and preventing unauthorized access or actions;
10) a prevention procedure that takes into account both internal and external fraud risks affecting the bank;
11) the order of detection, which shall include, but not be limited to:
data sources used to identify suspicious customer activity and suspicious transactions with signs of fraud;
control systems and technologies implemented to identify suspicious transactions with signs of fraud, to notify about important events or transactions, including to the management of the bank’s divisions;
roles and responsibilities of departments and employees when detecting suspicious transactions with signs of fraud;
12) a plan to respond to an actual or suspected fraud incident, which shall include, but not be limited to:
a work schedule for employees that ensures continuous response;
list of cases of suspension and resumption or rejection of a transaction;
deciding on the need to conduct an internal investigation;
13) the investigation procedure, which shall include, but not be limited to:
the procedure for interaction between bank divisions;
assessment of urgency, importance, collection and analysis of information;
documentation of investigative actions taken;
assessment of the fact of fraud and the date of completion of the investigation;
measures taken, including compensation for damage to the client, if applicable;
14) assessment of the effectiveness of the fraud risk management system, including the bank’s internal audit service.
126. Management information shall include, but not be limited to, the following:
1) fraud risk assessment results, fraud risk propensity indicators and compliance with thresholds and limits;
2) quantitative and qualitative analysis of suspicious transactions with signs of fraud in terms of bank products and payment type (if applicable) indicating the typology of fraud;
3) measures taken in response to fraud;
4) the bank’s operating losses associated with internal and external fraud and the amount of compensation for losses to consumers;
5) the volume of fraud requests by bank product and payment type (if applicable).
Chapter 16. Disclosure of information
Footnote. The Rules are supplemented by Chapter 16 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect on 01.07.2025).
127. To increase the transparency of the activities of the bank and provide additional information to interested participants in the financial market, the bank shall disclose information on the methods and procedures for identifying, assessing and managing risks and capital in the manner established by the Rules.
Information on accepted risks, risk and capital management procedures shall include brief information on the main types of activities of the bank, accepted risks and statistical data that provide an idea of the level of accepted risks. The bank shall provide relevant and reliable information in an understandable form, with explanations of significant changes.
128. The bank's information shall disclose the procedure for implementing the risk management policy by the board of directors and the management board of the bank, determining the bank's risk appetite, assessing risks, and show the bank's current, potential, and possible risks. If necessary, the disclosed information shall be accompanied by references to the bank's annual financial statements provided in accordance with the requirements established by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated January 28, 2016 № 41 "On Approval of the Rules for Submission of Financial Statements by Financial Organizations", registered in the State Register of Normative Legal Acts under № 13504.
The disclosed information shall be comparable to the information disclosed in previous reporting periods and allow for a comparison of information on the activities of the bank with information disclosed by other banks.
New information, changes or exclusions of information disclosed in the current reporting period, in comparison with information disclosed in previous reporting periods, in connection with changes in the activities of the bank, in the legislation of the Republic of Kazakhstan or the financial market, shall be highlighted with the provision of appropriate explanations.
129. Information on accepted risks and risk management procedures shall be presented in a separate document, disclosed on an annual basis and posted on the bank’s Internet resource no later than July 30 of the year following the reporting year.
130. The bank shall disclose information on its equity capital, key indicators of equity capital, which shall include, but not be limited to, the following:
the bank's criteria and approaches in the field of equity capital management;
changes in the bank's risk management policy in the area of equity capital management;
description of approaches to assessing capital adequacy, compliance with capital adequacy requirements, and information on significant changes in capital levels;
information on the level of capital adequacy ratios taking into account buffers, the decrease of which is below the values established by part four of paragraph 6 of the Regulatory Values and Methodology for Calculating Prudential Standards and Other Mandatory Norms and Limits, the Amount of Bank Capital, approved by Resolution of the Board of the National Bank of the Republic of Kazakhstan dated September 13, 2017 № 170, registered in the State Register of Normative Legal Acts under № 15886 (hereinafter referred to as Regulations № 170), leads to a restriction on the use of the bank's undistributed net income in accordance with the Minimum Amount of Restriction on Undistributed Net Income in accordance with Annex 3 to Regulations № 170, in terms of terminating the payment of dividends and the buyback of shares, except for cases stipulated by the Law of the Republic of Kazakhstan "On Joint-Stock Companies".
Information on the level of capital adequacy ratios taking into account buffers shall be disclosed in accordance with Annex 2 to the Rules.
131. The bank shall disclose information on the extent of credit risk, which shall include, but not be limited to, the following:
criteria and approaches to credit risk management, limits, credit risk profile, the impact of the bank's business model on the level of credit risk, methods for reducing it, the volume of credit risk, including the volume of risk exposed to default;
organizational structure of bank divisions, procedures for interaction between divisions involved in credit risk management;
frequency of informing the board of directors, the risk management committee and the executive body about the level of credit risk, brief description of the report.
The bank shall disclose information on assets exposed to credit risk, information on credit risk in accordance with Annex 3 to the Rules. The table shall indicate the book value of loans, debt securities and contingent liabilities taken into account when calculating equity capital and equity capital adequacy ratios.
Annex 1 to the Rules for the formation of a risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan
Structure of the report on compliance with the internal process for assessing capital adequacy and the internal liquidity adequacy assessment process
Footnote. The Rules are supplemented by an Appendix in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated December 29, 2022 №. 119 (shall be enforced ten calendar days after the day of its first official publication); as amended by the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect upon expiry of ten calendar days after the date of its first official publication).
Chapter 1. General principles of the internal capital adequacy assessment process and the internal process of assessing liquidity adequacy
1. The general principles of the internal capital adequacy assessment process and the internal process of assessing liquidity adequacy shall include, but not be limited to, the following sections:
1) a general system of the internal process for assessing capital adequacy (hereinafter referred to as ICAAP) and the internal liquidity adequacy assessment process (hereinafter referred to as ILAAP);
2) information on the structure of risk appetite;
3) information on stress testing;
4) information systems.
2. The section "General system of ICAAP and ILAAP" shall include, but not be limited to, the following subsections:
1) a current business model.
Information on the current business model shall include, but not be limited to, the following description:
the chosen business model, indicating its main areas of activity, geographical territories, branches and products;
data that allows assessing the bank’s ability to generate profit, broken down by key profitability indicators, including ratios calculated by the bank (return on equity ratio, return on assets ratio);
data on the dynamics of regulatory capital adequacy;
data on the dynamics of assets and liabilities, including the funding structure;
data on compliance with minimum regulatory requirements regarding capital adequacy and liquidity ratios;
2) strategy and budget.
The strategy and budget information shall include, but not be limited to, the following description:
development strategies, including the bank’s goals and the timeframe for achieving them;
links between the ICAAP and ILAAP and the bank's strategy;
3) risk management and governance system.
Information on the governance and risk management system shall include, but not be limited to, the following description:
organizational structure and interaction between structural divisions on ICAAP and ILAAP issues, including the system of authorized collegial bodies of the bank, risk management rules and procedures;
the level of competence of the risk management committee members, including their general management skills, knowledge and experience;
regular meetings of the bank's authorized collegial bodies on ICAAP and ILAAP matters;
information on management reporting generated within the framework of the ICAAP and ILAAP, which are filled in in accordance with Table 1 of the annex to the Structure of the report on compliance with the internal process for assessing capital adequacy and the internal liquidity adequacy assessment process (hereinafter referred to as the Structure).
3. The section "Information on the risk appetite structure" shall contain, but not be limited to, the following description:
a general system for managing risk appetites, including the presence of authorized collegial bodies of the bank responsible for the implementation of processes, control measures and information systems;
accepted risks under which the bank operates within the framework of the implementation of the bank’s overall strategy;
risk profile of the bank's activities;
risk appetite levels;
the results of the assessment of the acceptability of the established risk appetite in the current period and to what extent it will be acceptable in the future;
Information on limits on risk appetite levels shall be filled in accordance with Table 2 of the annex to the Structure.
4. The Stress Testing Information section shall include, but not be limited to, the following description:
stress testing procedures and approved stress testing scenarios;
results of stress testing for risk metrics, strategy and budget indicators, risk appetite, and other indicators approved by the bank;
integration of stress testing results into the risk management and control system;
interactions (integrations) between solvency and liquidity stress tests, including stress tests specific to ICAAP and ILAAP.
5. The Information Systems section shall contain, but not be limited to, the following description:
information systems used to manage the bank's risks, including those used to monitor the quality of the loan portfolio, as well as ensuring the functioning of the liquidity risk management system;
information systems used to ensure complete, reliable and timely financial, regulatory and management information;
processes for collecting, storing and aggregating risk data at various levels;
data flow and data structure used for ICAAP and ILAAP, including a description of the data checks applied.
Chapter 2. Information on ICAAP
6. Information on the ICAAP shall include, but not be limited to, the following sections:
1) general system of ICAAP;
2) identification, assessment, control and monitoring of risks;
3) internal (economic) capital and distribution of internal (economic) capital;
4) stress testing;
5) self-assessment.
7. The section "General ICAAP system" shall contain, but not be limited to, the following subsections:
objectives and areas of application of the ICAAP;
information on the ICAAP processes, which are filled in in accordance with Table 3 of the annex to the Structure;
a list of risks provided for by the ICAAP, with a justification for possible differences between the risks covered by the ICAAP and the risk appetite.
8. The section "Identification, assessment, control and monitoring of risks" shall contain, but not be limited to, the following subsections:
1) identification and assessment of significant risks.
The identification information for significant risks shall include, but not be limited to, the following description:
risk identification methodologies, distribution by types of risks to which the bank is exposed or may be exposed in the future in the course of doing business and implementing strategy, determination of materiality;
risk assessment methodologies, including the use of quantitative and qualitative methods;
functions and responsibilities of departments within the process of identifying significant risks.
Information on the bank’s risk structure is filled in accordance with Table 4 of the annex to the Structure.
Information on the interest rate risk of a bank's portfolio shall include, but not be limited to, the following:
Information on the current value of the bank's banking book, filled in in accordance with Table 5 of the annex to the Structure;
Information on net interest income, completed in accordance with Table 6 of the annex to the Structure;
2) implementation of control and monitoring of significant risks.
Information on the implementation of control and monitoring of significant risks shall include, but not be limited to, the following description:
processes for control and monitoring of significant risks, indicating the functions and responsibilities of the bank's divisions;
the tools used to control, monitor and mitigate risks;
volumes of accepted risks, indicating established risk limits.
9. The section "Internal (Economic) Capital and Distribution of Internal (Economic) Capital" shall contain, but not be limited to, the following subsections:
1) internal (economic) capital.
Information on internal (economic) capital shall include, but not be limited to, the following:
description of the calculation methodology, models for assessing internal (economic) capital for all significant risks;
description of the data used to assess internal (economic) capital;
the amount of required internal (economic) capital.
Information on the assessment of internal (economic) and regulatory equity capital shall be filled in in accordance with Table 7 of the annex to the Structure;
2) distribution of capital.
The capital allocation information shall include, but not be limited to, the following description:
the methodology and assumptions used to allocate internal (economic) capital to each material type of risk;
application of stress testing results.
10. The Stress Testing section shall contain, but not be limited to, the following subsections:
1) stress testing scenarios.
Stress testing scenario information shall include, but not be limited to, the following:
description of stress testing methods and scenarios in terms of significant risks, their frequency, methodology and assumptions used;
justification for the reason for choosing the considered scenario for stress testing;
a list of the main financial and economic factors taken into account in stress testing;
sources of information on financial and economic factors.
Information on stress testing scenarios shall be completed in accordance with Table 8 of the annex to the Structure;
2) quantitative and qualitative analysis.
The quantitative and qualitative analysis information shall include, but not be limited to, the following description:
models and the validity of using the selected models;
the main results of the internal assessment of capital adequacy in stressful situations, indicating the impact on the financial condition of the bank, including an assessment of the size and adequacy of internal (economic) and regulatory capital;
the impact of the scenario results on the bank’s business model, strategy and significant risks within the framework of the ICAAP;
approach to integrating stress testing results into the process of setting internal limits.
11. The self-assessment section shall contain, but not be limited to, the following subsections:
1) planned activities for the reporting period.
The bank shall describe the activities planned for the reporting year, including activities that enable it to maintain the required level of internal (economic) capital, and the corresponding results of the measures taken;
2) overall assessment.
The bank shall conduct an analysis and assessment of the entire process, including internal rules, control measures, resources, measurement and reporting systems;
3) identifying areas requiring improvement.
The bank shall describe the areas requiring improvement and describe the results of the previous assessment, including corrective actions completed or being implemented;
4) corrective actions.
The bank shall describe the planned actions to improve the areas identified during the self-assessment.
Chapter 3. Information on the ILAAP
12. Information on the ILAAP shall include, but not be limited to, the following sections:
1) general system of the ILAAP;
2) identification, assessment, monitoring and control of liquidity risk;
3) funding strategy and contingency funding plan;
4) management of liquidity buffer and collateral;
5) stress testing;
6) self-assessment.
13. The section "General System of the ILAAP" shall contain, but not be limited to, the following subsections:
goals and areas of application of the ILAAP;
information on the processes of the ILAAP, which are filled in in accordance with Table 9 of the annex to the Structure.
14. The section "Identification, assessment, monitoring and control of liquidity risk" shall contain, but not be limited to, the following subsections:
1) identification and assessment of liquidity risk.
Information on identifying and assessing liquidity risk shall include, but not be limited to, the following description:
liquidity risk identification methodologies;
risk assessment methodologies, including the use of quantitative and qualitative methods;
the process of forecasting cash flows for assets, liabilities and off-balance sheet instruments over different time horizons;
description of the functions and responsibilities of departments within the process of identifying and assessing liquidity risks;
2) monitoring and control.
The information on liquidity risk monitoring and control shall include, but not be limited to, the following description:
processes for controlling and monitoring liquidity risks at different time horizons, indicating the functions and responsibilities of the bank’s divisions;
early warning indicators;
the instruments used to control, monitor and mitigate liquidity risk over different time horizons;
intraday liquidity risk management procedures;
volumes of accepted risks, indicating established limits on liquidity risk.
15. The Funding strategy and contingency plan section shall contain, but not be limited to, the following subsections:
1) funding strategy.
The funding strategy information shall include, but not be limited to, the following description:
types of funding sources in terms of products, instruments, and markets;
the main factors influencing the ability to attract funding;
alternative sources of funding;
assessment of their ability to attract funding, including indicating:
quantitative review of funds raised;
main markets and products used;
an overview of planned cash outflows, indicating the maturity dates of the obligation;
2) contingency financing plan.
The contingency funding plan information shall include, but not be limited to, the following description:
sources of funding in case of unforeseen circumstances;
the time required to attract additional funds from each of the contingency funding sources;
the procedure for developing a contingency financing plan with the identification of responsible persons;
an algorithm of actions for responsible persons to implement the financing plan in case of unforeseen circumstances;
contingency funding plan testing results and update information.
16. The Liquidity buffers and collateral management section shall contain, but not be limited to, the following subsections:
1) liquidity buffer.
The bank shall describe the quantitative expression of the required volume of highly liquid assets, which is considered sufficient to meet liquidity needs, including under stress conditions, as well as the quantitative expression of the existing liquidity buffer.
Liquidity buffer information shall include, but not be limited to, the following:
methodology and assumptions for calculating the required liquidity reserve;
the definition applied by the bank concerning high-quality liquid assets and their composition;
criteria for determining the liquid value of assets;
description of concentration risk management within the liquidity buffer;
description of the comparability of the liquidity reserve with the established risk appetite;
2) management of collateral.
Collateral management information shall include, but not be limited to, the following:
a review of the methodology for managing collateral with a distinction between encumbered and unencumbered assets, as well as a quantitative review of the amount of collateral available;
a review of the monitoring of collateral requirements and limits (if any), which takes into account any additional requirements that arise as a result of potential liquidity problems (e.g. changes in market and/or financial position, changes in credit rating).
17. The Stress testing section shall contain, but not be limited to, the following subsections:
1) stress testing scenarios.
Information on stress testing scenarios shall include, but not be limited to, the following:
description of stress testing methods and scenarios, their frequency, methodology and assumptions used;
justification for choosing the scenario considered for stress testing;
a list of the main financial and economic factors taken into account in stress testing;
2) quantitative and qualitative analysis.
The quantitative and qualitative analysis information shall include, but not be limited to, the following description:
quantifying the impact of stress testing results on liquidity and funding metrics (indicating the impact on each risk metric);
integration of stress testing results into the process of strategic and budgetary planning and into the process of setting internal limits;
integrating stress testing results into the assessment and planning of the contingency funding plan, including correcting deficiencies in the contingency funding plan.
The information on the results of stress testing shall be filled in accordance with Table 10 of the annex to the Structure.
18. The Self-Assessment section shall contain, but not be limited to, the following subsections:
1) planned activities.
The bank shall describe the activities planned for the reporting year based on the results of the self-assessment carried out and the corresponding results of the measures taken;
2) overall assessment.
The bank shall conduct an assessment of organizational processes to identify process weaknesses in terms of liquidity management policy, process organization, procedures, systems and control actions, liquidity level and funding availability;
3) identifying areas requiring improvement.
The bank shall describe the areas requiring improvement and describe the results of the previous assessment, including corrective actions completed or being implemented;
4) corrective actions.
The bank shall describe the planned actions to improve the areas identified during the self-assessment.
Annex to the Report Structure on Compliance with the Internal Capital Adequacy Assessment Process and the Internal Liquidity Adequacy Assessment Process
Table 1
Information on management reporting generated within the framework of the ICAAP and ILAAP
№ | Report Title | The authorized collegial body of the bank approving the report | Frequency and/or date of approval for the reporting period | Responsible department |
1 | 2 | 3 | 4 | 5 |
Note:
All reporting generated within the framework of the ICAAP and ILAAP process shall include, but not be limited to, a stress testing report, a credit risk report, a market risk report, an operational risk report, a report on liquidity positions by time horizon, a report on factors affecting the level of liquid assets, a report on the risk of concentration of funding, and a report on other material risks.
Table 2
Information on limits by risk appetite levels
№ | Types of risk | Type of established limit | The value of the established limit (in thousands of tenge and/or percent) | The established level defined as acceptable on the reporting date (in thousands of tenge and/or percent) | |
as of the previous reporting date | as of the reporting date | ||||
1 | 2 | 3 | 4 | 5 | 6 |
1. | Credit risk | ||||
1.1 | |||||
1.2 | |||||
2 | Market risk | ||||
2.1 | |||||
2.2 | |||||
3 | Operational risk | ||||
3.1 | |||||
3.2 | |||||
4 | Liquidity risk | ||||
4.1 | |||||
4.2 | |||||
5 | Other significant risks (if any, please indicate which ones) | ||||
5.1 | |||||
5.2 |
continuation of the table:
Failure to comply with limits | Reaching levels defined as acceptable | Reasons for non-compliance with limits and levels defined as acceptable | ||
number of cases | total length of days | number of cases | total length of days | |
7 | 8 | 9 | 10 | 11 |
Note:
in columns 4 and 5, for each of the risk appetite limits established by the bank, a numerical or percentage value shall be indicated;
in column 6, for each of the risk appetite limits established by the bank, the level defined as acceptable shall be indicated;
in column 7, for each of the established limits, the number of cases of its violation in the reporting period shall be indicated;
in column 8, the total duration of days of limit violation in the reporting period shall be indicated;
in column 9, for each of the established levels defined as acceptable, the number of cases of its achievement in the reporting period shall be indicated;
in column 10, the total duration of days for reaching the levels defined as acceptable in the reporting period shall be indicated;
in column 11, the reasons for non-compliance with risk appetite limits and levels defined as acceptable in the reporting period shall be indicated;
if the level defined as acceptable is not established, columns 6, 9 and 10 shall not be filled in.
Table 3
Information on ICAAP processes
№ | Stage of the ICAAP process | Description | Responsible department | Internal document regulating the process |
1 | 2 | 3 | 4 | 5 |
1. | Identification of significant risks | |||
2. | Assessment of significant risks | |||
3. | Calculation of internal (economic)/ | |||
4. | Conducting stress testing | |||
5. | Planning and assessment of the adequacy of internal (economic) and regulatory capital | |||
6. | Integrating ICAAP results in a risk appetite strategy | |||
7. | Self-assessment according to ICAAP |
Note:
Column 3 shall contain a description of the methodology used by the bank for each stage of the ICAAP;
Column 4 shall indicate the department responsible for carrying out the relevant stage;
Column 5 shall indicate the internal document regulating the relevant ICAAP process.
Table 4
Information on the bank's risk structure
№ | Types and subtypes of risks | Methodology and/or models for identifying and assessing significant risks |
1 | 2 | 3 |
1 | Credit risk | |
1.1 | ||
… | ||
2 | Market risk | |
2.1 | ||
… | ||
3 | Operational risk | |
3.1 | ||
… | ||
4 | Other significant risks (if any, indicate which ones): | |
4.1 | ||
… |
Note:
Column 2 shall indicate the types and subtypes (if any) of risks;
Column 3 shall indicate the methodology and/or models used to identify and assess significant risks.
Table 5
Information on the current value of the bank's banking book
(thousand tenge)
Indicators | Current value amount (fact) | ||||||||
up to 1 month | from 1 to 3 months | from 3 to 6 months | from 6 months to 1 year | from 1 to 2 years | from 2 to 3 years | from 3 to 5 years | from 5 to 10 years | over 10 years | |
1 | 2 | ||||||||
Income-generating assets | |||||||||
… | |||||||||
… | |||||||||
Obligations related to the payment of remuneration | |||||||||
… | |||||||||
… | |||||||||
Off-balance sheet position | |||||||||
EVE = Income-generating assets |
continuation of the table:
Current value amount (fact) | Amount of cost in national currency (forecast) | Amount of value in foreign currency (forecast) | ||
+___ basis point | -____ basis point | +___ basis point | -_____ basis point | |
3 | 4 | 5 | 6 | 7 |
Note:
In column 2, assets and liabilities sensitive to interest rate changes shall be distributed among the number of time baskets in accordance with the bank’s internal methodology;
Columns 4 and 5 shall indicate the change in the economic value of the bank's assets and liabilities, in the event of a parallel change in the entire range of the yield curve of interest rates on assets and liabilities denominated in national currency, at basis points determined by the bank;
Columns 6 and 7 shall indicate the change in the economic value of the bank's assets and liabilities, in the event of a parallel change across the entire range of the yield curve of interest rates on assets and liabilities denominated in foreign currency, at basis points determined by the bank.
Table 6
Net Interest Income Information
(thousand tenge)
Indicators | Current value amount (fact) | Amount of cost in national currency (forecast) | Amount of value in foreign currency (forecast) | |||
national currency | foreign currency | +___ | -___ | +___ | -____ |
1 | 2 | 3 | 4 | 5 | 6 | 7 |
Interest income | ||||||
… | ||||||
… | ||||||
Interest expense | ||||||
… | ||||||
… | ||||||
Net interest income (expense) |
Note:
Columns 4 and 5 shall indicate changes in interest income and interest expenses, in the event of a parallel change in the yield curve of interest rates on claims and liabilities denominated in national currency, by basis points determined by the bank;
Columns 6 and 7 shall indicate changes in interest income and interest expenses, in the event of a parallel change in the yield curve of interest rates on claims and liabilities denominated in foreign currency, by basis points determined by the bank.
Table 7
Information on the assessment of internal (economic) and regulatory equity capital
№ | Types of risks | Regulatory equity | Internal (economic) capital | ||||
Fact (t) | Forecast | Stress-Based Forecast | Fact | Forecast | Stress-Based Forecast | ||
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
1. | Total amount of regulatory capital required/total amount of required internal (economic) capital | ||||||
2. | Credit risk-weighted assets | ||||||
3. | Market risk-weighted assets | ||||||
4. | Operational risk | ||||||
5. | Total risk-weighted assets | ||||||
6. | Capital requirements taking into account credit risk | ||||||
7. | Market risk-based capital requirements | ||||||
8. | Capital requirements taking into account operational risk | ||||||
9. | Other significant risks that need to be quantified (please specify) | ||||||
9.1. | |||||||
9.2. | |||||||
10. | Capital requirements taking into account significant risks |
Note:
Columns 3 and 4 shall indicate the actual and forecast value of capital for each type of risk, as well as the forecast value taking into account stress testing.
If not applicable, the abbreviation NP – "not applicable" – shall be used.
Table 8
Information on stress testing scenarios
№ | Stress Testing Scenario | Scenario parameters | Time horizon, periodicity | Type of risk |
1 | 2 | 3 | 4 | 5 |
Note:
Column 2 shall provide a name for each stress-testing scenario;
in column 3, the value of the stress testing parameter shall be indicated for each scenario;
in column 4, for each stress scenario parameter, the time horizon and frequency of implementation shall be indicated;
In column 5, for each stress scenario parameter, the types of risks that it influences shall be indicated.
Table 9
Information on the processes of the ICAAP
№ | Stage of the process of the ICAAP | Description | Responsible department | Internal document regulating the process |
1 | 2 | 3 | 4 | 5 |
1. | Identifying significant liquidity risks | |||
2. | Assessment of significant liquidity risks | |||
3. | Calculation of key liquidity risk indicators (liquidity coverage ratio, net stable funding ratio, etc.) | |||
4. | Short-term liquidity analysis | |||
5. | Long-term liquidity analysis | |||
6. | Funding sustainability analysis | |||
7. | Analysis of liquidity buffer and collateral management | |||
8. | Liquidity Risk Analysis in the New Product Approval Process | |||
9. | Conducting stress testing | |||
10. | Consistency with risk appetite strategy | |||
11. | Self-assessment according to ICAAP |
Note:
Column 3 shall contain a description of the methodology used by the bank for each stage of the ICAAP;
Column 4 shall indicate the responsible unit implementing the relevant stage;
Column 5 shall indicate the internal document regulating the relevant ICAAP process.
Table 10
Stress Testing Results Information
№ | Indicator | Stress Testing Scenario | Scenario parameters | Fact (t) |
1 | 2 | 3 | 4 | 5 |
1. | Liquidity coverage ratio | |||
2. | Net stable funding ratio | |||
3. | Highly liquid assets | |||
4. | Liabilities on deposits of individuals | |||
5. | Short-term financing | |||
6. | Other indicator (if any, please specify) |
continuation of the table:
Taking into account stress (time horizon 1) | Note |
6 | 7 |
Note:
Column 5 shall indicate the actual value for the reporting period;
Column 6 shall indicate the values taking into account the application of the time horizon;
Column 7 shall contain notes on the table.
Liquidity coverage ratio and net stable funding ratio shall apply to all banks except Islamic banks.
The stress testing scenario and parameters shall be determined in accordance with the external operating environment, strategy, organizational structure, volume of assets, nature and level of complexity of the bank's operations.
Annex 2 to the Rules for the formation of a risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan
Values of capital adequacy ratios taking into account the conservation buffer and the system buffer
Footnote. The rules are supplemented by Annex 2 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect on 01.07.2025).
№ | Name | Minimum acceptable level of capital adequacy ratios taking into account the conservation buffer and the system buffer (%) | Actual level of capital adequacy ratios taking into account the conservation buffer and system buffer (%) |
1 | 2 | 3 | 4 |
1. | Capital adequacy ratio (k1) | ||
2. | Tier 1 capital adequacy (k1-2) | ||
3. | Capital adequacy (k2) |
Annex 3 to the Rules for the formation of a risk management and internal control system for second-tier banks, branches of non-resident banks of the Republic of Kazakhstan
Table 1
Information on bank assets exposed to credit risk
Footnote. The rules are supplemented by Annex 3 in accordance with the Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market dated 27.12.2024 № 93 (shall come into effect on 01.07.2025).
(thousand tenge)
№ | Name | Claims in default | Claims with overdue debt on the principal debt and/or accrued interest over 90 (ninety) calendar days | Claims not in default | Claims with overdue debt on the principal debt and/or accrued interest of no more than 90 (ninety) calendar days | Provisions (reserves) | Net book value of assets |
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
1 | Loans | ||||||
2 | Debt securities | ||||||
3 | Off-balance sheet liabilities | ||||||
4 | Total: |
Note:
the table shall provide information on the total debt on loans, other transactions that involve credit risk, debt securities, and off-balance sheet liabilities;
Column 3 shall indicate the claims that are in a state of default, which is calculated in the manner prescribed by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated December 22, 2017 № 269 "On approval of the Rules for creating provisions (reserves) in accordance with international financial reporting standards and the requirements of the legislation of the Republic of Kazakhstan on accounting and financial reporting", registered in the State Register of Normative Legal Acts under № 16502;
Column 4 shall indicate claims with overdue debt on the principal debt and/or accrued interest over 90 (ninety) calendar days;
Column 5 shall indicate claims that are not in default;
Column 6 shall indicate claims with overdue debt on the principal debt and/or accrued interest of no more than 90 (ninety) calendar days;
Column 7 shall indicate the total amount of provisions (reserves) formed in accordance with international financial reporting standards;
Column 8 shall indicate the net book value of assets, which is calculated as the sum of columns 3 and 5, or columns 4 and 6, minus column 7.
Table 2
Credit risk information
(thousand tenge)
№ | Name | Total | Unsecured claims | Claims secured by collateral | Claims secured by guarantees | Claims secured by derivative financial instruments |
1 | 2 | 3 | 4 | 5 | 6 | 7 |
1 | Credits | |||||
2 | Debt securities | |||||
3 | Total, of which: | |||||
4 | Claims in default |
Note:
The table shall provide information on the credit risk reduction instruments used by the bank to reduce capital requirements;
Column 4 shall contain information on claims not secured by collateral, minus provisions (reserves) formed in accordance with international financial reporting standards;
Column 5 shall contain information on claims secured by collateral (real estate, equipment and fixed assets, vehicles, subsoil use rights and other property);
Column 6 shall contain information on claims secured by guarantees, minus provisions (reserves) formed in accordance with international financial reporting standards;
Column 7 shall contain information on claims secured by derivative financial instruments, minus provisions (reserves) formed in accordance with international financial reporting standards.
Annex to the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated November 12, 2019 №. 188
The list of regulatory legal acts of the Republic of Kazakhstan, as well as structural elements of some regulatory legal acts of the Republic of Kazakhstan, recognized as terminated
1. Resolution of the Board of the National Bank of the Republic of Kazakhstan dated February 26, 2014 №. 29 “On approval of the Rules for the formation of a risk management and internal control system for second-tier banks” (registered in the State Register of Normative Legal Acts under №. 9322, published on April 17, 2014 in the Legal Information System “Adilet”).
2. Paragraph 22 of the List of Regulatory Legal Acts of the Republic of Kazakhstan, amended and supplemented, approved by Resolution of the Board of the National Bank of the Republic of Kazakhstan dated August 27, 2014 №. 168 “On amendments and additions to some regulatory legal acts of the Republic of Kazakhstan” (registered in the State Register of Normative Legal Acts under №. 9796, published on November 12, 2014 in the Legal Information System “Adilet”).
3. Paragraph 4 of the List of some regulatory legal acts of the Republic of Kazakhstan on the regulation of the financial market, payments and payment systems, amended and supplemented, approved by the Resolution of the Board of the National Bank of the Republic of Kazakhstan dated October 29, 2018 №. 267 “On amendments and additions to some regulatory legal acts of the Republic of Kazakhstan on the regulation of the financial market, payments and payment systems” (registered in the State Register of Normative Legal Acts under №. 18123, published on January 11, 2019 in the Reference Control Bank of normative legal acts of the Republic of Kazakhstan).