Turkey: Financial Sector Assessment Program-Detailed Assessment of Observance of the Basel Core Principles for Effective Banking Supervision

International Monetary Fund. Monetary and Capital Markets Department

doi:10.5089/9781475576894.002.A001

Turkey

Financial Sector Assessment Program-Detailed Assessment of Observance of the Basel Core Principles for Effective Banking Supervision

Author:

International Monetary Fund. Monetary and Capital Markets Department

International Monetary Fund. Monetary and Capital Markets Department
Search for other papers by International Monetary Fund. Monetary and Capital Markets Department in
Current site
Google Scholar

Publication Date:: 08 Feb 2017

eISBN:: 9781475576894

Language:: English

Keywords:: ISCR; CR; risk management; board of directors; central bank; risk profile; credit system; corporate culture; country risk; require bank

Download PDF (1.7 MB)

This paper presents an assessment of observance of Basel Core Principles for Effective Banking Supervision in Turkey. Since the previous assessment conducted in 2011, the Banking Regulation and Supervisory Agency has made several significant improvements to its supervisory framework. There are areas that still warrant improvement, including addressing legal provisions that undermines supervisory independence, providing a deeper risk assessment focus to supervisory inspections and follow up, enhancing the forward-looking component of the assessments, streamlining risk management and corporate governance requirements, strengthening the supervisory enforcement regime, demanding recovery plans, developing group resolution plans, and increasing the ability to act at an early stage to address unsafe and unsound practices.

Abstract

List of Regulations

Abbreviation	Name of the Regulation or Guideline
BL	Banking Law No. 5411
CAFBDTS	The Communiqué on the Principles and Procedures for the Administrative Fines to be Imposed on Reportings Made within the Scope of Banking Data Transfer System
CAMA	Communiqué on Calculation of the Risk Weighted Exposure Amount for Operational Risk by Advanced Measurement Approach
CAROT	Communiqué on Principles and Procedures Concerning the Activities of Representative Offices in Turkey
CCFS	Communiqué on Preparation of Consolidated Financial Statements of Banks
CCRM	Communiqué on Credit Risk Mitigation Techniques
CDRM	Communiqué on Disclosures About Risk Management to be Announced to Public by Banks
CIRB	Communiqué on Calculation of the Risk Weighted Exposure Amount for Credit Risk by Internal-rating based Approaches
CITEA	Communiqué on Bank Information Systems and Banking Procedures Audits Performed by External Audit Firms
CITIECC	Communiqué on Principles of Information Systems Management by Information Exchange Firms, Custody Firms, and Clearing Firms and on Examination of Business Process and Information Systems
CMRO	Communiqué on the Calculation of Capital Requirement for Market Risk of Options, Using Standardized Approach
CMR-RMM	Communiqué on the Calculation of Market Risk by Risk Measurement Models and Assessment of Risk Measurement Model
CPD	Communiqué on the Financial Statements and Their Disclosures to be Announced to Public by Banks
CPITMB	Communiqué on the Principles of Information Systems Management by Banks
CSE	Communiqué on the Calculation of Risk Weighted Exposure Amount Related to Securitization
CSP	Communiqué on Structural Position
CUCA	Communiqué on The Uniform Chart of Accounts and its Prospectus
EBL	Enforcement and Bankruptcy Law
GAA	Guideline on The Assessment Criteria Considered in the Audits to be Performed by the Agency
GAPA	Guidelines on the Application Process of Internal Rating Based Approaches and Advanced Measurement Approach
GAVA	Guidelines on Assessment and Validation of Internal Rating Based Approaches and Advanced Measurement Approach
GBCP	Guideline on Best Compensation Practices
GCM	Guideline on Credit Management of Banks
GCPRM	Guideline on Counterparty Risk Management
GCRM	Guideline on Country Risk Management
GFVM	Guideline on Fair Value Measurement
GICAAPR	Guideline on ICAAP Report
GIRRM	Guideline on Interest Rate Risk Management
GLRM	Guideline for Liquidity Risk Management
GMCR	Guideline on The Management of Concentration Risk
GMRM	Guideline on Market Risk Management
GORM	Guideline on Operational Risk Management
GRRM	Guideline for Reputational Risk Management
GST	Guideline on Stress Testings to be Used by Banks in Capital and Liquidity Planning
RAA	Regulation on Principles and Procedures Concerning the Audit to be performed by the Banking Regulation and Supervision Agency
RAAVF	Regulation on the Principles regarding the Authorization and Activities of Valuation Firms
RAP	Regulation on the Procedures and Principles for Accounting Practices and Retention of Documents by Banks
RCA	Regulation on Measurement and Assessment of Capital Adequacy of Banks
RCB	Regulation On Capital Conservation and Countercyclical Capital Buffers
RCGB	Regulation on the Corporate Governance Principles of Banks
RCT	Regulation on Credit Transactions by Banks
REAB	Regulation on the External Audit of Banks
REOAMC	Regulation on Establishment and Operation of Asset Management Companies
REPL	Regulation on the Procedures and Principles for the Evaluation of loans and other receivables and Provisions
RFHC	Regulation on Financial Holding Companies
RGABCS	Regulation on Grants and Aids by Banks and Other Institutions Included in Consolidated Supervision
RIA	Regulation on Independent Audit
RICAAP	Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks
RIRRBB	Regulation on Measurement and Assessment of Interest Rate Risk in the Banking Book by Standard Shock Method
RITEA	Regulation on Bank Information Systems and Banking Procedures Audits Performed by External Audit Firms
RLA	Regulation on Measurement and Assessment of Liquidity Adequacy of Banks
RLCR	Regulation on Calculation of Liquidity Coverage Ratio of Banks
RMAL	Regulation on Measurement and Assessment of Leverage Level of Banks
RMSDE	Regulation on Merger, Sale, Disintegration, and Exchange of Shares
RNFER	Regulation on Calculation and Implementation of Net General Position of Foreign Exchange Over Own Funds Ratio for Banks on Non-Consolidated and Consolidated Basis
ROF	Regulation on Own funds of Banks
RPC	Regulation on Principles of Professional Conduct to be Observed by the Members of the BRSB and by the Staff of the BRSA
RPMCP	Regulation on Principles and Procedures Concerning the Trading Precious Metals and the Disposal of Commodity and Property Acquired due to Receivables
RPPAP	Regulation on Principles and Procedures Concerning the Preparation and Publication of Annual Report
RPPD	Regulation on the Procedures and Principles for Acceptance, Withdrawal and Time Limitation of Deposits and Participation Funds
RRA	Regulation on the Principles regarding the Authorization and Activities of Rating Agencies
RROS	Regulation on Receiving Outsourcing Services by Banks
RRRRTB	Regulation on Repo and Reverse Repo Transactions of Banks
RSMOD	Regulation on Declaration of the Whom to be Appointed to Managerial Position, Oath and Declaration of Property, and Holding Docket
RTSPIO	Regulation on Transactions Subject to Permission and Indirect Share Ownership
RVLB	Regulation on Voluntary Liquidation of Banks
SMBSP	Supervisory Manual on Banking Supervision Process
SMCEP	Supervisory Manual on Credit Examination Procedures
SMAMLCFT	Supervisory Manual on AML/CFT Issues
SMGAR	Supervisory Manual on General Assessment Report
SMIRASP	Supervisory Manual for Identifying Risky Areas and Supervision Planning
SMRAC	Supervisory Manual on Risk Assessment Criteria

Abbreviation	Name of the Regulation or Guideline
BL	Banking Law No. 5411
CAFBDTS	The Communiqué on the Principles and Procedures for the Administrative Fines to be Imposed on Reportings Made within the Scope of Banking Data Transfer System
CAMA	Communiqué on Calculation of the Risk Weighted Exposure Amount for Operational Risk by Advanced Measurement Approach
CAROT	Communiqué on Principles and Procedures Concerning the Activities of Representative Offices in Turkey
CCFS	Communiqué on Preparation of Consolidated Financial Statements of Banks
CCRM	Communiqué on Credit Risk Mitigation Techniques
CDRM	Communiqué on Disclosures About Risk Management to be Announced to Public by Banks
CIRB	Communiqué on Calculation of the Risk Weighted Exposure Amount for Credit Risk by Internal-rating based Approaches
CITEA	Communiqué on Bank Information Systems and Banking Procedures Audits Performed by External Audit Firms
CITIECC	Communiqué on Principles of Information Systems Management by Information Exchange Firms, Custody Firms, and Clearing Firms and on Examination of Business Process and Information Systems
CMRO	Communiqué on the Calculation of Capital Requirement for Market Risk of Options, Using Standardized Approach
CMR-RMM	Communiqué on the Calculation of Market Risk by Risk Measurement Models and Assessment of Risk Measurement Model
CPD	Communiqué on the Financial Statements and Their Disclosures to be Announced to Public by Banks
CPITMB	Communiqué on the Principles of Information Systems Management by Banks
CSE	Communiqué on the Calculation of Risk Weighted Exposure Amount Related to Securitization
CSP	Communiqué on Structural Position
CUCA	Communiqué on The Uniform Chart of Accounts and its Prospectus
EBL	Enforcement and Bankruptcy Law
GAA	Guideline on The Assessment Criteria Considered in the Audits to be Performed by the Agency
GAPA	Guidelines on the Application Process of Internal Rating Based Approaches and Advanced Measurement Approach
GAVA	Guidelines on Assessment and Validation of Internal Rating Based Approaches and Advanced Measurement Approach
GBCP	Guideline on Best Compensation Practices
GCM	Guideline on Credit Management of Banks
GCPRM	Guideline on Counterparty Risk Management
GCRM	Guideline on Country Risk Management
GFVM	Guideline on Fair Value Measurement
GICAAPR	Guideline on ICAAP Report
GIRRM	Guideline on Interest Rate Risk Management
GLRM	Guideline for Liquidity Risk Management
GMCR	Guideline on The Management of Concentration Risk
GMRM	Guideline on Market Risk Management
GORM	Guideline on Operational Risk Management
GRRM	Guideline for Reputational Risk Management
GST	Guideline on Stress Testings to be Used by Banks in Capital and Liquidity Planning
RAA	Regulation on Principles and Procedures Concerning the Audit to be performed by the Banking Regulation and Supervision Agency
RAAVF	Regulation on the Principles regarding the Authorization and Activities of Valuation Firms
RAP	Regulation on the Procedures and Principles for Accounting Practices and Retention of Documents by Banks
RCA	Regulation on Measurement and Assessment of Capital Adequacy of Banks
RCB	Regulation On Capital Conservation and Countercyclical Capital Buffers
RCGB	Regulation on the Corporate Governance Principles of Banks
RCT	Regulation on Credit Transactions by Banks
REAB	Regulation on the External Audit of Banks
REOAMC	Regulation on Establishment and Operation of Asset Management Companies
REPL	Regulation on the Procedures and Principles for the Evaluation of loans and other receivables and Provisions
RFHC	Regulation on Financial Holding Companies
RGABCS	Regulation on Grants and Aids by Banks and Other Institutions Included in Consolidated Supervision
RIA	Regulation on Independent Audit
RICAAP	Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks
RIRRBB	Regulation on Measurement and Assessment of Interest Rate Risk in the Banking Book by Standard Shock Method
RITEA	Regulation on Bank Information Systems and Banking Procedures Audits Performed by External Audit Firms
RLA	Regulation on Measurement and Assessment of Liquidity Adequacy of Banks
RLCR	Regulation on Calculation of Liquidity Coverage Ratio of Banks
RMAL	Regulation on Measurement and Assessment of Leverage Level of Banks
RMSDE	Regulation on Merger, Sale, Disintegration, and Exchange of Shares
RNFER	Regulation on Calculation and Implementation of Net General Position of Foreign Exchange Over Own Funds Ratio for Banks on Non-Consolidated and Consolidated Basis
ROF	Regulation on Own funds of Banks
RPC	Regulation on Principles of Professional Conduct to be Observed by the Members of the BRSB and by the Staff of the BRSA
RPMCP	Regulation on Principles and Procedures Concerning the Trading Precious Metals and the Disposal of Commodity and Property Acquired due to Receivables
RPPAP	Regulation on Principles and Procedures Concerning the Preparation and Publication of Annual Report
RPPD	Regulation on the Procedures and Principles for Acceptance, Withdrawal and Time Limitation of Deposits and Participation Funds
RRA	Regulation on the Principles regarding the Authorization and Activities of Rating Agencies
RROS	Regulation on Receiving Outsourcing Services by Banks
RRRRTB	Regulation on Repo and Reverse Repo Transactions of Banks
RSMOD	Regulation on Declaration of the Whom to be Appointed to Managerial Position, Oath and Declaration of Property, and Holding Docket
RTSPIO	Regulation on Transactions Subject to Permission and Indirect Share Ownership
RVLB	Regulation on Voluntary Liquidation of Banks
SMBSP	Supervisory Manual on Banking Supervision Process
SMCEP	Supervisory Manual on Credit Examination Procedures
SMAMLCFT	Supervisory Manual on AML/CFT Issues
SMGAR	Supervisory Manual on General Assessment Report
SMIRASP	Supervisory Manual for Identifying Risky Areas and Supervision Planning
SMRAC	Supervisory Manual on Risk Assessment Criteria

Introduction¹

1. This assessment of the current state of implementation of the Basel Core Principles for Effective Banking Supervision (BCPs) in Turkey has been completed as a part of a Financial Sector Assessment Program (FSAP) undertaken by the International Monetary Fund (IMF) and the World Bank during 2016. It reflects the regulatory and supervisory framework in place as of the date of the completion of the assessment. It is not intended to represent an analysis of the state of the banking sector or the crisis management framework, which have been addressed in the broad exercise.

2. The Banking Regulation and Supervisory Authority (BRSA) as a member of the Basel Committee on Banking Supervision (BCBS), is committed to the adoption of international standards and sound practices promulgated by the BCBS, as well as other relevant international standard-setting bodies. The BRSA has implemented, or is in the process of implementing, all of the BCBS standards, most notably those related to capital adequacy and liquidity with a high level of compliance. The BRSA is to be commended for its ongoing commitment to adhering to the highest standards for supervision and regulation.

3. Since the previous assessment conducted in 2011, the BRSA has made several significant improvements to its supervisory framework. Turkey has built a good foundation for banking supervision. The Banking Law (BL) provides a broadly appropriate supervision framework with clear responsibilities and necessary supervisory powers. The established methodology for banking supervision is comprehensive and grounded on extensive databases and on regulation largely in compliance with international standards. The BRSA has also made vast efforts to improve consolidated supervision, organizing supervisory colleges, signing a number of important Memorandum of Understanding (MoUs) and removing obstacles for the supervision of Turkish banks operations in foreign countries.

4. There are areas that still warrant improvement. These include, among others, addressing legal provisions that undermines supervisory independence, providing a deeper risk assessment focus to supervisory inspections and follow up, enhancing the forward looking component of the assessments, streamlining risk management and corporate governance requirements, strengthening the asset quality examination process and the accuracy of classification therein, strengthening the supervisory enforcement regime, demanding recovery plans, developing group resolution plans and increasing the ability to act at an early stage to address unsafe and unsound practices.

5. The Assessment has been conducted in accordance with the revised BCP assessment methodology approved by the Basel Committee. The Turkey supervisory regime was assessed and rated against the Essential Criteria (EC). The methodology requires that the assessment be based on (i) the legal and other documentary evidence; (ii) the work of the supervisory authority; and (iii) its implementation in the banking sector. Full compliance requires that all these prerequisites are met. The guidelines allow that a country may fulfill the compliance criteria in a different manner from those suggested, as long as it can prove that the overriding objectives of each Core Principle (CP) are achieved. Conversely, countries may sometimes be required to fulfill more than the minimum standards, such as in the event of structural weaknesses in that country. The methodology also states that the assessment is to be made on the factual situation of the date when the assessment is completed. However, where applicable, the assessors made note of regulatory initiatives that have yet to be completed or implemented.

6. The conclusions are based on extensive discussions with staff members of the BRSA and a review of related regulation and internal supervisory documents. The mission reviewed the BCP self-assessment undertaken by BRSA preceding this assessment, and detailed responses to a questionnaire addressing supervisory issues. The mission also reviewed a number of laws governing banking supervision powers and activities, including the BL and a number of regulations and decisions addressing prudential standards and risk management requirements. Special attention was given to inspection reports. The mission also held meetings with senior officials of local banks, an external auditing firm and a credit rating agency. A representative from the Turkish Treasury was present at all meetings.

7. An assessment of compliance with the CP is not, and is not intended to be, an exact science. Reaching conclusions require judgments by the assessment team. Banking systems differ from one country to another, as do domestic circumstances. Also, banking activities are changing rapidly around the world after the crisis and theories, policies and best practices are evolving rapidly. Nevertheless, by adhering to a common agreed methodology, the assessment should provide the Turkish authorities with an internationally consistent measure of quality of their banking supervision relative to the 2012 revision of the Core Principles, which are internationally recognized as minimum standards.

8. The assessors appreciated the cooperation received from the BRSA. The team sincerely thanks the staff of the BRSA for their high professionalism, for the spirit of active cooperation and for making enormous efforts to attend the information requests of the team.

Institutional and Market Structure—Overview

9. The Turkish financial sector is supervised by three main regulatory and supervisory authorities. The BRSA is the regulatory and supervisory authority for the banking industry as well as financial leasing, factoring, financial holding companies, electronic money institutions, consumer financing, some payment systems institutions and asset management companies; the Capital Markets Board of Turkey (CMB) is the regulatory and supervisory authority for the securities markets; the General Directorate of Insurance and the Insurance Supervisory Board operating under the Undersecretariat of Treasury (Treasury) are responsible for the insurance sector. The other authorities that have a role in the regulation and supervision of the banking system are the Central Bank of the Republic of Turkey (CBRT) as the monetary authority, the Financial Crimes Investigation Board (MASAK) as the authority for anti-money laundering (AML) and combating financing of terrorism (CFT); and the Savings Deposit Insurance Fund (SDIF) as the deposit insurance and bank resolution authority.

10. Banks, holding over 90 percent of the financial system by asset ownership, are vital to financial stability in Turkey. Nonbank financial institutions (NBFIs) are small by peer emerging market levels, with insurance and pension fund assets constituting less than two percent each of the sector (Figure 1). Capital market intermediation remains small. The overall financial system is about 122 percent of 2015 gross domestic product (GDP) by assets and has been growing significantly faster than GDP since 2008.

11. The banking system is of average size, although the proportion of credit financed by non-deposit channels is larger than in peer emerging markets (Figure 2, panels A—B). Concentration is not significant and market share is equally distributed among private domestic, foreign-owned, and state-owned banks (Figure 2; panels C—D). Acquisition-based entry by foreign banks in recent years has led to a substantial increase in their asset ownership share. By the end of December 2015, there are 34 deposit taking banks, 5 participation banks and 13 development and investment banks under the BRSA’s supervision.

12. Capital adequacy has declined over the past five years but remains relatively high in relation to international standards (Table 1). As nonperforming loans (NPLs) have been broadly constant around some 3 percent of gross lending since 2012, the deterioration in capital adequacy and returns owes to a combination of rapid balance-sheet expansion with a reorientation of lending towards lower margin corporate lending and a policy induced squeeze on retail credit margins.

Figure 1.

A Bank Dominated Financial Sector

Citation: IMF Staff Country Reports 2017, 046; 10.5089/9781475576894.002.A001

Source: EDSS, WEO, IMF FSI Annex, and World Bank FinStatsNotes: A)-(B) Financial sector assets-to-GDP; (C) Assets-to-total financial sector assets; (D) Pension fund assets-to-GDP; (E) Life insurance premiums-to-GDP; (F) Non-life insurance premiums-to-GDP.

Figure 2.

A Mid-sized Banking System Characteristics

Citation: IMF Staff Country Reports 2017, 046; 10.5089/9781475576894.002.A001

Source: World Bank FinStats and BRSA.

Table 1.

Turkey Financial Soundness Indicators (FSI)

Sources: IMF FSI, BIS, and IMF staff calculations.

^{^1/}Non FX adjusted.

^{^2/}Net of NPL provisions.

^{^3/}As provided by BRSA.

^{^4/}Current year data are annualized using 12 months rolling sums.

^{^5/}Proxied by T1 Capital over last 2 months average balance sheet assets and average off-balance sheets exposures (> 3 percent).

^{^6/}Including FX-indexed assets and liabilities.

Table 1.

Turkey Financial Soundness Indicators (FSI)

			2010	2011	2012	2013	2014	2015
Balance Sheet			Percent of GDP
	Total Assets		91.6	93.8	96.7	110.5	114.1	118.1
		o/w Gross Loans	47.9	52.6	56.1	66.8	71.0	74.4
	Liabilities		79.4	82.7	83.9	98.2	100.9	105.0
		o/w Deposits	56.2	53.6	54.5	60.3	60.2	62.4
	Shareholders’ Equity		12.2	11.1	12.8	12.4	13.3	13.1
Asset Quality			Percent
	NPLs / Gross Loans		3.7	2.7	2.9	2.8	2.9	3.1
	Provisions / Gross NPLs		83.8	79.4	75.2	76.3	73.9	74.6
	Credit Growth (YoY) ^1/		33.9	29.9	16.4	31.8	18.5	19.7
Profitabiity
	Total Interest Income / Interest Bearing Assets (Avg.)^2/^3/		9.2	8.2	9.1	7.6	7.9	7.8
	Interest Margin / Gross Income		62.5	65.2	64.4	65.4	68.1	75.3
	Non-interest Expenses / Gross Income		46.3	46.5	41.7	51.6	49.8	52.1
	ROAA ^3/		2.5	1.7	1.8	1.6	1.3	1.2
	ROAE ^3/		20.1	15.5	15.7	14.2	12.3	11.3
Funding and Liquidity
	Loan-to-Deposit ratio		85.2	98.2	102.9	110.7	117.9	119.2
	Loan-to-Deposit ratio (TL)		88.5	105.4	113.1	126.7	133.2	141.6
	Loan-to-Deposit ratio (FX)		77.4	84.1	82.0	83.8	91.9	89.0
	Leverage Ratio ^4/ ^5/		6.2	5.3	5.0	5.2	5.7	5.3
	Liquid Assets / Assets		28.2	26.2	26.0	24.3	23.3	21.6
	Liquid Assets / Short Term Liabilities		79.7	72.0	76.0	72.1	77.4	73.8
Capital Adequacy
	CAR		19.0	16.6	17.9	15.3	16.3	15.6
	CT1R		17.0	14.9	15.1	13.0	13.9	13.2
	RWA / Assets		72.0	78.4	80.2	84.3	83.4	83.5
FX Risk
	FX Assets / FX Liabilities (on-balance sheet) ^6/		84.0	83.7	85.9	82.5	82.8	84.5
	NOP / Regulatory Capital		0.1	0.4	2.0	−0.6	−2.2	1.3
	NOP before hedging / Regulatory Capital		−15.6	−21.2	−14.0	−28.9	−28.5	−30.0
House Price Index (THPL 2010=100)			100.0	110.2	123.1	138.7	158.8	188.0

Sources: IMF FSI, BIS, and IMF staff calculations.

^{^1/}Non FX adjusted.

^{^2/}Net of NPL provisions.

^{^3/}As provided by BRSA.

^{^4/}Current year data are annualized using 12 months rolling sums.

^{^5/}Proxied by T1 Capital over last 2 months average balance sheet assets and average off-balance sheets exposures (> 3 percent).

^{^6/}Including FX-indexed assets and liabilities.

Table 1.

Turkey Financial Soundness Indicators (FSI)

			2010	2011	2012	2013	2014	2015
Balance Sheet			Percent of GDP
	Total Assets		91.6	93.8	96.7	110.5	114.1	118.1
		o/w Gross Loans	47.9	52.6	56.1	66.8	71.0	74.4
	Liabilities		79.4	82.7	83.9	98.2	100.9	105.0
		o/w Deposits	56.2	53.6	54.5	60.3	60.2	62.4
	Shareholders’ Equity		12.2	11.1	12.8	12.4	13.3	13.1
Asset Quality			Percent
	NPLs / Gross Loans		3.7	2.7	2.9	2.8	2.9	3.1
	Provisions / Gross NPLs		83.8	79.4	75.2	76.3	73.9	74.6
	Credit Growth (YoY) ^1/		33.9	29.9	16.4	31.8	18.5	19.7
Profitabiity
	Total Interest Income / Interest Bearing Assets (Avg.)^2/^3/		9.2	8.2	9.1	7.6	7.9	7.8
	Interest Margin / Gross Income		62.5	65.2	64.4	65.4	68.1	75.3
	Non-interest Expenses / Gross Income		46.3	46.5	41.7	51.6	49.8	52.1
	ROAA ^3/		2.5	1.7	1.8	1.6	1.3	1.2
	ROAE ^3/		20.1	15.5	15.7	14.2	12.3	11.3
Funding and Liquidity
	Loan-to-Deposit ratio		85.2	98.2	102.9	110.7	117.9	119.2
	Loan-to-Deposit ratio (TL)		88.5	105.4	113.1	126.7	133.2	141.6
	Loan-to-Deposit ratio (FX)		77.4	84.1	82.0	83.8	91.9	89.0
	Leverage Ratio ^4/ ^5/		6.2	5.3	5.0	5.2	5.7	5.3
	Liquid Assets / Assets		28.2	26.2	26.0	24.3	23.3	21.6
	Liquid Assets / Short Term Liabilities		79.7	72.0	76.0	72.1	77.4	73.8
Capital Adequacy
	CAR		19.0	16.6	17.9	15.3	16.3	15.6
	CT1R		17.0	14.9	15.1	13.0	13.9	13.2
	RWA / Assets		72.0	78.4	80.2	84.3	83.4	83.5
FX Risk
	FX Assets / FX Liabilities (on-balance sheet) ^6/		84.0	83.7	85.9	82.5	82.8	84.5
	NOP / Regulatory Capital		0.1	0.4	2.0	−0.6	−2.2	1.3
	NOP before hedging / Regulatory Capital		−15.6	−21.2	−14.0	−28.9	−28.5	−30.0
House Price Index (THPL 2010=100)			100.0	110.2	123.1	138.7	158.8	188.0

Sources: IMF FSI, BIS, and IMF staff calculations.

^{^1/}Non FX adjusted.

^{^2/}Net of NPL provisions.

^{^3/}As provided by BRSA.

^{^4/}Current year data are annualized using 12 months rolling sums.

^{^5/}Proxied by T1 Capital over last 2 months average balance sheet assets and average off-balance sheets exposures (> 3 percent).

^{^6/}Including FX-indexed assets and liabilities.

Preconditions for Effective Banking Supervision

Macroeconomic and Financial Sector Policies

13. The financial sector operates in an uncertain economic environment. Growth is dependent on external finance. During 2016, domestic demand and growth are expected to remain relatively robust due to a 30 percent minimum wage increase, relaxation of macro prudential regulations, and accommodative monetary and fiscal policies. Nevertheless, the domestic savings rate is low, creating a dependence on external funds and making the economy vulnerable to external shocks. Inflation has also remained high and above target.

14. External imbalances demand attention. While the oil price decline and economic slowdown have attenuated the current account deficit, it is expected to rise again if these factors reverse going forward. It may rise also if term premia and funding costs decompress as the U.S. begins monetary policy normalization. Against this backdrop, the external position demands attention. External debt is high (at about 60 percent of GDP) and concentrated in private sector hands, annual financing needs are high (about 27 percent of GDP), capital inflows are mainly short-tenor and debt creating, the net international investment position (NIIP), at about -50 percent of GDP is weak by international standards, and net foreign exchange (FX) reserves, at US$29 billion, are low.

15. Macroprudential policies are coordinated through the Financial Stability Committee (FSC). The FSC is composed of the heads of all the major agencies having a stake in the maintenance of financial stability; viz., the Undersecretary of Treasury and the heads of the CBRT, BRSA,CMB and SDIF, under the chairmanship of the Deputy Prime Minister in charge of the Undersecretariat of the Treasury. The 2015 Financial Stability Board (FSB) Peer Review concluded that the FSC has helped to promote information sharing and the exchange of views as well as to coordinate some policy measures among its member institutions. Importantly, the authorities have a broad range of tools at their disposal and have used them in a proactive and flexible manner in recent years to slow down the rise in household leverage and to encourage banks to increase core funding. At the same time, further steps were identified to strengthen the framework in a number of areas such as integrating the systemic risk assessment and policy framework and improving institutional arrangements and public communication.

Public Infrastructure

16. Business laws are based on the Civil Law, dated 8/2001 and the New Turkish Commercial Code (TCC), dated July, 2012. The Code of Obligations, 2011, and the Competition Law, No. 4054, 1994, also form the framework of business laws as do the Law on the Protection of the Consumer No. 6502, 2014, and the Execution and Bankruptcy Code (EBC) of 1932 (amended 2003/4).

17. The New TCC was promulgated 2012. The New TCC aims to harmonize the Turkish and European Union Laws in order to strengthen foreign economic relations. One of the new features increased transparency by requiring stock companies to create a website dedicated to publishing all data relevant for shareholders, such as annual and interim financial statements and audit reports. The new TCC also aimed to reinforce the rights of shareholder and corporate governance.

18. The basic principles of the independence of courts and security of judges and public prosecutors are provided in the Constitution. The Turkish legal system does not provide for special courts for dealing with bank or financial sector related cases, however in some big cities specific courts are identified to deal only with banking related cases.

19. All listed and non-listed companies are obliged to apply financial reporting standards issued by the Public Oversight Accounting and Auditing Standards Authority (POA). POA issues Turkish Accounting Standards (TAS) and Turkish Financial Reporting Standards (TFRS) which correspond, respectively, to the International Accounting Standards (IAS) and the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board (IASB). The authorities explained that the main difference between the implementation of IFRS and TFRS in Turkish banks is in loan loss provisioning. For loan loss provisioning, the Turkish banks apply the BRSA’s REPL instead of the impairment requirements of TAS 39 or IAS 39. The BRSA is planning to apply IFRS 9, including the provision rules, from 1 January 2017. By 2017, Turkish banks will be able to recognize provisions for credit losses in accordance with TFRS 9 which is considered by the Turkish authorities to be fully compliant with the IFRS 9 with the option of the recent amendments to the REPL. The last amendment entitles the banks to use existing provisions of the REPL or to apply TFRS 9. The auditing of companies is carried out in compliance with international auditing standards by independent auditors who meet the professional competence requirements.

20. The companies which are subject to independent audit are determined in the TCC. In addition, the companies which fall under the Capital Markets Law or the BL are automatically subject to the independent auditing requirement, whereas the companies such as the license holding companies operating under the regulations of the Energy Market Regulatory Authority and public companies under the Capital Markets Law are subject to the independent auditing requirement only if they meet certain criteria. The external auditing firms which meet the required criteria are authorized by POA. On the other hand, external audit activities conducted in banks and other financial institutions are also subject to the BL and REAB.

21. Payment and settlement systems in Turkey are well developed with a sound legal and regulatory framework and with the roles of regulators and overseers clearly established. The Overseers of the FMIs in Turkey are the CBRT and the CMB. In addition, the BRSA has responsibility for payment services, payment institutions, and electronic money. The authorities have been systematically reforming the National Payments System in Turkey covering implementation of the necessary infrastructure, internal organization arrangements and strengthening the legal and regulatory framework, and have achieved several critical National Payments System (NPS) objectives—most notably, as the result of on-going modernization efforts. A conducive legal and regulatory framework and the core components of the NPS are in place.

22. There is one credit bureau operating in Turkey. The Credit Registry Bureau, (CRB-KKB) was founded in 1995 as a private enterprise with the initiative of The Banks Association of Turkey (BAT) and partnership of 11 leading banks of the sector to facilitate the exchange of information and documents between credit institutions and financial institutions. Banking Law no: 5411 Article 73/4 grants special permission to the CRB to collect information from member institutions and to facilitate exchange of this information. In order to gather risk information about customers of credit institutions and other financial institutions, the Risk Center was established as a part of BAT in 2012. BAT and CRB signed a service contract, with the approval of the BRSA, in order to carry out all operations of the Risk Center in December 2012.

23. Statistical information availability is extensive in the Turkish banking system. The BRSA publishes regularly (weekly, monthly, quarterly, annual) data on bank and non-bank financial institutions. Data cover balance sheet, income statement, loans, consumer loans, SME loans, as well as deposits by type and maturity. Also fees and commissions faced by financial customers are also published on BRSA’s web site as a tool to strengthen market discipline. Deposit interest rates and price quotes about financial markets are available on a daily basis and are provided by related monetary, banking and financial market regulators.

24. The banking supervisor works closely with the deposit insurer and central bank on crisis management issues. The previous FSAP mission highlighted the broad range of measures that the BRSA has at its disposal to mitigate bank vulnerabilities, found the CBRT’s framework for the provision of emergency liquidity to be sound and characterized the SDIF as broadly conforming to best international practice. The 2015 FSB Peer Review for Turkey,² found that the absence of certain resolution powers—such as bridge banks, bail-in powers and temporary stays of early termination rights—may make it difficult for the authorities to resolve the largest banks in the system in a timely and cost-effective manner. The review also pointed out that, impediments to cross-border cooperation can challenge the effective resolution of banks with cross-border operations, while a lack of recovery and resolution planning requirements undermines resolution preparedness. The Turkish authorities have informed the mission that they are currently working to align the Turkish resolution framework with the FSB Key Attributes for Resolution Regimes.

Detailed Assessment

A. Supervisory Powers, Responsibilities, and Functions

B. Prudential Regulations and Requirements

Principle 14

Corporate governance. The supervisor determines that banks and banking groups have robust corporate governance policies and processes covering, for example, strategic direction, group and organizational structure, control environment, responsibilities of the banks’ Boards and senior management,³¹ and compensation. These policies and processes are commensurate with the risk profile and systemic importance of the bank.

Essential criteria

EC1

Laws, regulations or the supervisor establish the responsibilities of a bank’s Board and senior management with respect to corporate governance to ensure there is effective control over the bank’s entire business. The supervisor provides guidance to banks and banking groups on expectations for sound corporate governance.

Description and findings re EC1

Corporate governance features prominently in Turkish banking legislation. The legal and regulatory framework surrounding corporate governance resides in several key laws and is comprehensive. BL Article 1 establishes corporate governance as a part of ensuring confidence and stability in financial markets, the efficient functioning of the credit system and the protection of the rights and interests of depositors. It establishes that shareholders’ interests are secondary to the depositors’ interests for banks, and is generally aligned with Basel guidance and principles for corporate governance.

The BL, 3^rd part, explicitly addresses corporate governance. This part regulates the allocation of authority, qualifications and responsibilities of management, internal systems, authorized institutions and financial reporting. Related to these titles a number of sub-regulations, of which the most important are RICAAP and Regulation on the Corporate Governance Principles of Banks (RCGB), have been designed in order to implement the principles and enumerate responsibilities on corporate governance.

The responsibilities and authorities of the banks’ board is regulated in the Article 23 of BL. According to Article 23(3) the responsibilities of the board of directors shall include ensuring the establishment, functionality, appropriateness and adequacy of internal control, risk management and internal audit systems compliant with the applicable legislation; securing financial reporting systems; and specification of the powers and responsibilities within the bank.

Under the BL Article 23, the board of directors shall have at least 5 members including the general manager. The qualifications of a majority of members shall have similar qualifications as the general manager. The positions of chairman of the board and general manager (or chief executive officer) must be separate. The BRSA must be informed about (and approve) the appointment of the members. However, the BL nor subsidiary legislation requires the majority of the board to be non-executive and collectively act independently and objectively from the influence of other parties.

Article 24 goes on to direct that the board must appoint an audit committee of at least 2 board members. These 2 members shall not have executive functions within the bank. (RICAAP Article 6 goes on to define “non-executive” members which is very similar to the definition of independent given in the CMB’s Communique.)

While some bank boards in the system have populated this committee with more members, a minimum of 2 members is considered too few in order to execute the duties assigned to it in a robust and effective manner. In addition, the chair of this committee, in some banks is also the chairman of the board which does not reflect best practice and potentially represents a conflict of interest.

The duties and responsibilities of the audit committee include the supervision of the efficiency and adequacy of the bank’s internal control, risk management and internal audit systems and the accounting and reporting systems within the framework of BL. The audit committee shall also be responsible for ensuring that internal systems units and the external audit firms regularly provide reports regarding the execution of their tasks.

Given that the audit committee is responsible for the oversight of internal systems in which risk management is a part, many banks’ audit committees also fill the role of a board risk committee that would, in other circumstances be separate from the audit committee. The team was informed that in the more complex banks, there is, in fact, a separate risk committee.

RICAAP enumerates major provisions assigning responsibility to the board and senior management for establishing and monitoring of the internal systems. The term “internal system” includes internal audit, internal control and risk management systems. Article 5(1) of RICAAP provides that members of the board of directors are ultimately responsible for establishment and effective operation of the internal systems. They are also responsible for defining the powers and duties within the bank regarding these systems. Article 5(2) defines the responsibilities of the board in detail by mentioning the board’s overall responsibilities on determining the structure of the whole organization, human resources policies, senior management selection policies, and also with reference to the internal system’s structure, organization and policies, strategic policies, risk management and consumer complaints from conduct of business.

Article 7 of RICAAP sets forth in more detail the duties of the audit committee which must act in the name of the board of directors. The committee must supervise efficiency and adequacy of the internal systems. In this manner, the audit committee must supervise compliance with the provisions of RICAAP concerning internal control, internal audit and risk management and with the internal policies and implementation procedures approved by the board of directors and to make proposals to the board of directors in relation to measures which it is considered necessary to take. Furthermore Article 7(2) gives the details of these responsibilities such as: the establishment of communication channels in the bank; assessment of the adequacy of the internal systems; internal systems staff and management; establishment of whistle-blowing channels; evaluation of internal audit plans and follow up; evaluation of the adequacy of internal system staff, risk management tools, and infrastructure; the contact with internal and external auditors; monitoring of the financial reporting system; evaluation of outsourced activities.

Duties and responsibilities of the senior management are also regulated under RICAAP as well as in the Regulation on Corporate Management Principles of Banks (RCGB). According to Article 8, the senior management must fulfill their responsibilities to carry out their assigned responsibilities and ensure they do so efficiently. They must also report the board of directors about material risks to which the bank is exposed.

CMB also has its Communiqué on Corporate Governance³² (Communiqué) applicable to listed companies. According to the paragraph 4 of Annex 1 of the Communiqué, the board of directors keeps in balance a corporation’s risk, growth and returns at the most appropriate level through strategic decisions and manages and represents the corporation by firstly protecting the long-term benefits of the corporation through rational and prudent risk management. Board of directors also has to define the strategic targets of the corporation, establish the human and financial resources of the bank, and evaluate management performance. The board must be composed of a minimum of independent members for which the definition of “independent” is given. Among others, the Communiqué requires the board of directors to conduct its activities in a transparent, accountable, fair and responsible way.

There is not a special section in TCC for corporate governance principles, but these principles are spread through the Code. The TCC addresses, inter alia, duties of care and loyalty of the members of the board of directors, fair treatment of shareholders, and powers of the board of directors. It also defines the liability of the members of the board of directors and the managers for the damages they cause to the company, shareholders and the company’s creditors. It also compels companies to announce specific information on their websites.

EC2

The supervisor regularly assesses a bank’s corporate governance policies and practices, and their implementation, and determines that the bank has robust corporate governance policies and processes commensurate with its risk profile and systemic importance. The supervisor requires banks and banking groups to correct deficiencies in a timely manner.

Description and findings re EC2

There are a number of ways in which the BRSA assesses the various elements of corporate governance in banks. This is accomplished through on and offsite supervision as well as through the licensing process. The role of the board of directors and their responsibilities are clearly anchored in, firstly, the banking law as well as other attendant regulation. However, the validation of banks’ corporate governance on an ongoing basis through the examination process requires concrete strengthening through a more holistic approach, analysis, and well substantiated conclusions. This is a critical aspect of conducting effective risk focused supervision.

A. Supervisory Process

The on-site and off-site supervision by BRSA is regulated in the Article 95 of BL. According to Article 95(1) BRSA is responsible for the supervision of the implementation of the regulations by the banks beside the financial safety and soundness supervision and also the supervision of compliance with corporate governance principles. The supervision of compliance with corporate governance principles is solely and especially mentioned as one of the supervisory responsibilities of BRSA in this article. The sub-regulation related to supervision by BRSA is RAA which includes in its scope the supervision of the financial institutions’ compliance level to the corporate governance principles in its Article 2(1)(d). RAA also mentions the assessment of the quality of the corporate governance in financial institutions as a type of on-site supervision in the Article 14(1) (a-9).

As a part of the risk focused supervision (the IRA phase), the supervisors will scope the activities for the upcoming cycle through various means. This includes, in part, meeting with the board members, senior managers and independent auditors to understand recent changes in the bank’s profile and activities. As a part of the cycle planning process and to inform on governance, the supervisor will also review the board minutes, strategic plan, budgeting, policies, procedures, audit reports, MIS, etc. according to the size, activities, complexity and structure of the banks. Depending on the outcome of the IRA, special examinations will be conducted of areas identified as concerns or special supervisory interest.

The BRSA indicated that 3 special examinations focused on governance elements were conducted in 2014/15.

B. On-site Supervision

In practice compliance with corporate governance principles and the assessment of quality of compliance is taken into consideration during the CAMELS review/GAR methodology supervision. In assigning M (for management) the supervisor evaluates mainly the following elements:

MIS and its unrestricted access by examiners including the bank’s information systems and data including the bank’s foreign branches.
assessment of the accounting and financial reporting systems including adequacy of written processes for accounting and financial reporting, efficiency and effectiveness of the internal control/audit on these systems, the existence and number of manual and/or retrospective interventions on the accounting and financial reporting systems.
assessment of the internal systems which include internal control, risk management and internal audit which includes evaluation of the relevant structure, procedures, policies, compliance with the enforcement actions instructed by BRSA, and adequacy of contingency action plans.
assessment of the organization, management and business strategies including the objectives and reality of the strategic plan and its risks, organizational policies and procedures and internal regulations, duties and responsibilities of the staff, the relation between the bank’s board’s and senior managers’ success and the bank’s financial performance, risk management and compliance level.
assessment of human resources including evaluation of the policies and implementations in human resources management. As well, feedback from bank staff is considered and staff turnover in critical areas.

While assessing above mentioned elements, examiners more specifically address:

compliance of board numbers and qualifications;
if relevant policies, procedures, and workflows approved by the board and are they clearly defined; do conflicts of interest exist among procedures or workflows;
if a corporate governance committee exists; if an internal CG policy exists;
if a “corporate governance compliance report” exists;
policy on disclosure and transparency;
monitoring process for breaches in policies, procedures, limits and for informing the board.

Special examinations conducted by the examiners will feed into the CAMELS rating process in a more informal way, by providing insight into the function of selected areas of the bank. However, no concrete conclusions are drawn regarding the quality of board oversight or corporate governance in general.

Also, supervisory review of the ICAAP process highlights governance elements of risk management and more generally. Through this process, the GAR process, and the IRA work, the bank’s current business strategies are reviewed and compared to last year’s plan and projected numbers. The IRA process involves discussions with management, review of performance, review of strategies, evaluation of bank resources, etc. These steps feed into the responses to the CAMELS review/GAR process which in turn, creates the subcomponent ratings before leading to the assignment of the “M” in CAMELS which reflects governance elements. No analytical, critical narrative exists which reflects a collective view on corporate governance of a bank or the attendant systems and controls which compose it.

C. Other supervisory activities

Besides the regular CAMELS on-site supervision by BRSA, the BRSA reviews board member and senior management qualifications immediately following their appointment to their posts as per BL Articles 5 and 7.

Similarly, approval of the top management team is necessary before the BRSA will authorize a bank to operate in Turkey. Besides these prerequisites for establishment and operation authorization of banks’ operations, BL Article 13 requires the banks to take the corporate governance regulations of BL into account while opening a new branch in Turkey. And Article 14 requires the banks to be compliant with the corporate governance regulations of BL for approvals to operate abroad.

The BRSA has the authority to take corrective action when certain concerns and deficiencies are identified. Among these are failures by board and management to institute required internal systems in BL Article 67. Also, as a result of supervisory examinations and according to the severity of the findings and the responsibility of the board members, the composition of the board can be changed by BRSA according to these articles. The responsibility of supervision for determining the compliance with the corporate governance parameters is clearly mentioned in the Article 95(1) of BL and the related sub-regulation RAA Article 2 (d). The evaluation of the quality of the corporate governance management is one of the inevitable part of on-site supervision according to the Article 14(1)(a-9) of RAA.

The team reviewed several examples of work performed by the examiners to test how observations about corporate governance were formed and the supervisory response thereafter. The work conducted by the examiners, both on and offsite, is extensive. However, the team found, through the review of several special examinations and the GAR database, the results of the examinations and supervisory processes consistently stopped short of drawing conclusions, in analytical, narrative form, on the implications the findings have for other critical areas of the bank(s) which reflect directly on the overall corporate governance effectiveness of the bank. As a result supervisory observations are not easily collected in order to form a more cross-cutting, substantiated view on critical internal systems and therefore, the boards’ ability to oversee the bank’s’ business.

For instance, if a loan portfolio is reviewed, deficiencies may be identified but are not consistently linked to conclusions drawn about the 1) line and senior management and their ability to oversee their business and know their risks, 2) risk management adequacy and ability to proactively identify developing risks that management has not – and report such issues and trends to the board, 3) impact provisioning levels and implications on financial statement accuracy, 4) implications on internal audit’s role, 5) MIS particularly sent to the board, and 6) ultimately, board oversight. All of these linkages reflect directly on the strength and nature of corporate governance in a bank.

Without taking the examinations process further and drawing conclusions, assessment of governance adequacy is much less able to leverage examination efforts to substantiate, and perhaps change, the supervisory view on board and management ability to run and control the bank’s business. This ultimately can impact the integrity of the “M” in the CAMELS.

EC3

The supervisor determines that governance structures and processes for nominating and appointing Board members are appropriate for the bank and across the banking group. Board membership includes experienced non-executive members, where appropriate. Commensurate with the risk profile and systemic importance, Board structures include audit, risk oversight and remuneration committees with experienced non-executive members

Description and findings re EC3

Article 23(1) of BL states the minimum number of the members in a bank’s board of directors as five and also sets out the requirements for the members to be appointed. The qualifications required for the general manager in BL shall also be required for majority of the board of directors. So majority of the members must have at least undergraduate degrees in the disciplines of law, economics, finance, banking, business administration, public administration and related fields and those that have undergraduate degrees in engineering fields must have a graduate degree in the aforementioned fields, and they must have at least ten years of professional experience in the field of banking or business administration. Other financial and personal requirements for the members of the board of directors are listed in detail under Article 8. The board is held responsible for the establishment, effectiveness, compliance and efficiency of the internal control, risk management and internal audit systems according to the Article 23(3).

As mentioned above in EC 1, only 2 board members are required to be nonexecutive commensurate with the requirement that the Audit Committee be composed of at least 2 nonexecutive members. There are no requirements for the majority of board members to be nonexecutive. As a result, boards can potentially be composed of executive directors except for the 2 required nonexecutives. The only possible influence against this is the approval process conducted by the BRSA if it was to disapprove such a structure. However, there is no regulatory or practical support for this given the above structure of the law and regulation.

The one required board committee is the audit committee. As mentioned in EC 1 above, Article 24(1) of the BL provides that a banks’ board of directors shall establish audit committees for the execution of the audit and monitoring functions in the name of the board of directors and audit committee shall consist of minimum two non-executive board members. According to the Article 24(3) the main duties and responsibilities of the audit committee include the supervision of the efficiency and adequacy of the bank’s internal control, risk management and internal audit systems, functioning of these systems and the accounting and reporting systems and the integrity of the information produced. In RICAAP the Article 4(2) it is repeated that the internal systems units can only be established directly under the board. In the same paragraph it is clearly mentioned that the responsibility for the internal systems may only be fully or partially assigned to one of the non-executive directors or to committees composed of such directors or to the audit committee. In most banks, the audit committees are responsible risk oversight as well as the audit and control function oversight. However, some banks, depending on the size and complexity of their operations, have established board risk committees as well.

The remuneration committee for the banks is regulated under paragraph 12 of the Guideline on Best Compensation Practices of Banks (GBCP); it is not a required committee. This committee is comprised of at least two non-executive members of board of directors who have sufficient information and experience regarding remuneration policies and internal systems as a whole. Besides this sub-regulation the second paragraph of the Principle 6 of RCGB mentions that the remuneration committee which is responsible for the monitoring and supervision of the remuneration policies in the name of the board of directors to be comprised of two members. This committee is to evaluate the remuneration policies and implementations under the risk management principles and to report their findings to the board at least annually. The three largest banks have appointed remuneration committees.

The BRSA approves board and senior management appointments. In this way, the BRSA reviews the appointments process of the subject bank. Checklists have been prepared by BRSA for use in the evaluation process. The assessment process not only includes examining the documents submitted to the BRSA but also browsing the BRSA database. If the assessment shows that the individual is not fit and proper for the appointment, the bank will be informed about the situation and instructed to appoint a different individual. Furthermore, the board members and senior managers are responsible for notifying BRSA in case of a change in their situation after they are appointed (RSMOD, article 8). The appointments process itself is not a focus of examination to date.

As indicated above, the BRSA conducted 3 special examinations of governance elements during 2014/15; however, there is a need to form more holistic conclusions about governance on a more regular basis and conduct cross sector assessments of corporate governance, leveraging examination and offsite inputs.

EC4

Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.³³

Description and findings re EC 4

See EC3 above.

Board member and senior management qualifications criteria are set out in Article 23(1) of BL and addressed in EC 1 and 3 above.

Articles 7, 9 and 10 of BL requires the board members to meet the qualifications set out in corporate governance provisions as a prerequisite for establishment and operating permission. Besides the Article 7(1)(d), Article 9(d) requires the same qualifications for any bank established abroad that wants to operate in Turkey by opening branch.

Principle 3 of the RCGB requires that management shall have the qualifications to fulfill efficiently their duty and be conscious of their role; board members are to be well-intentioned, informative, wise, and ethical, to be aware of their duties and responsibilities, to have time and to participate actively in the bank business.

TCC Article 369 defines duty of care and duty of loyalty of the board members and the third persons in charge of management. According to this provision, these persons have to fulfill their duties with care as prudent managers and act in good faith while overseeing company’s interest.

EC5

The supervisor determines that the bank’s Board approves and oversees implementation of the bank’s strategic direction, risk appetite³⁴ and strategy, and related policies, establishes and communicates corporate culture and values (e.g., through a code of conduct), and establishes conflicts of interest policies and a strong control environment.

Description and findings re EC5

As mentioned in EC 1 according to the Article 23(3) of BL the responsibilities of the board of directors should include ensuring the establishment, functionality, appropriateness and adequacy of internal control, risk management and internal audit systems which are compliant with the regulations, and besides the specification of the powers and responsibilities within a bank.

Main regulations addressing risk appetite, strategic policies, communication channels and conflict of interest issues are covered in the RICAAP. Following the definition of risk appetite in the Article 3(1) (gg), the responsibilities of the board are regulated in the 5th Article. The Article 5(1) of RICAAP determines the board of directors as the ultimate responsible body for the establishment, effective, adequate and efficient implementation of internal systems in a bank. With respect to this responsibility, in the Article 5(2)(g) the board is held responsible for and authorized to determine and monitor the strategic decision making process and besides to maintain the determination of planning policies. Furthermore, in Article 5(2)(h) one of the board’s responsibilities is mentioned as to determine the bank’s policies and strategies relating to risk management in general and separately for each risk type, risk level the bank can take and related implementation procedures, to allocate maximum risk limits for units and their managers or the personnel working in those units. Article 5(2)(ı) requires the board to identify the bank’s risk appetite, to ensure that business lines, managers of the units within the scope of the internal systems and internal systems manager gather and exchange ideas, to resolve the communication problems between business lines within the aim of developing an effective risk management point of view throughout the bank and to ensure that business lines are informed about the developments, risks and risk mitigation techniques in the market.

The audit committee, as an extension of the board, according to Article 24 of BL, is also responsible for the supervision of the efficiency and adequacy of the bank’s internal systems, including the bank’s control environment, and the integrity of MIS therein.

Regarding potential conflicts of interest, requirements for functional division of tasks in a bank is regulated in RICAAP

article 10 in order to prevent mistakes, fraud, conflicts of interest, manipulation of information and misuse of resources at the bank. According to this article the powers and responsibilities of all units, personnel and committees within the bank shall be determined clearly and in writing, with a division of tasks in relation to the activities on the same subject. Banks need to comply with the regulation which requires that activities from which conflicts of interest may arise to be identified and minimized and the activities of approving transactions, accounting and recording transactions, and monitoring and managing the transaction are appropriately segregated. As well, RCGB Principle 1 addresses possible conflicts of interest within senior management responsibilities.

The establishment of communication structure and communication channels is regulated in the Article 12 of RICAAP. According to 12(1) it shall be ensured that information vertically and horizontally flows within the organizational structure of the bank so as to reach the relevant levels of management and the responsible personnel in safety and that the managers of lower units and the operational personnel are fully informed of the bank’s objectives, strategies, policies, implementation procedures and expectations. Information to be directed towards personnel shall include data concerning the policies related to bank activities, their implementation procedures, and the activity performance of the bank. It shall be ensured that the bank personnel are aware of the rules concerning their duties and responsibilities and that the necessary information rapidly reaches the concerned personnel.

Besides in the Article 7(2)(c) of the RICAAP audit committee members are held responsible for and authorized to establish communication channels which enable the committee to be informed and to check whether personnel who are authorized to lend have been involved in the evaluation and/or the decision making process of certain identified borrowers, e.g., themselves, their spouses, dependent children and other natural persons or legal entities which constitute a risk group.

While internal codes of conduct are not explicitly required, the team was informed that many banks do, in fact, have them. This, as well as strategy, risk appetite, and internal communication channels could all be topics addressed in a corporate governance evaluation by the supervisor.

EC6

The supervisor determines that the bank’s Board, except where required otherwise by laws or regulations, has established fit and proper standards in selecting senior management, maintains plans for succession, and actively and critically oversees senior management’s execution of Board strategies, including monitoring senior management’s performance against standards established for them.

Description and findings re EC6

The educational and experience requirements for the senior managers are mainly determined in Article 25 of BL. The Article 25(1) mentions the requirements for the general managers while Article 25(2) does the same for the deputy general managers.

The Principle 2 in RCGB requires the board of directors to determine the duties and responsibilities of the senior management in a bank while it also empowers the board to monitor the compliance level of senior management’s activities to the policies which have been put in place by the Board itself.

According to the points (a) and (c) of the Article 5(2) of the RICAAP, the board of directors of the bank is authorized and liable for

establishing the organizational structure and human resources policy of the bank and to determine the criteria for the appointment of senior management and
determining the written strategies, policies and the implementation procedures concerning the activities of the units included within the scope of the internal systems and ensuring that these are implemented and maintained effectively and coordinated with each other.

There currently is no requirement for banks to develop succession plans for key management positions. As mentioned in EC 5 and 3 above, there is not yet a cross-cutting supervisory evaluation process of a bank’s corporate governance function.

EC7

The supervisor determines that the bank’s Board actively oversees the design and operation of the bank’s and banking group’s compensation system, and that it has appropriate incentives, which are aligned with prudent risk taking. The compensation system, and related performance standards, are consistent with long-term objectives and financial soundness of the bank and is rectified if there are deficiencies.

Description and findings re EC7

Best practice guidelines for the structure and management of remuneration frameworks within an effective risk management environment are comprehensively enumerated in the GBCP. Paragraph 8 of this guideline states that it is the responsibility of board of directors of the bank to approve, periodically review and oversee the implementation of the remuneration policy. Remuneration policies and practices should be consistent with the complexity of activities, individual risk profile, risk appetite and strategy of a bank.

The GBCP paragraph 9 directs that the remuneration policy should support sound risk management within the bank and not be associated with excessive short-term profit-making goals and does not incentivize risk-taking that is beyond tolerated risk level of the institution. The remuneration policy should also be in line with the scope and size of the operations, risk management structure, business strategy, long-term financial soundness and capital adequacy level of the institution, and incorporates measures to avoid conflicts of interest.

Further, the GBCP paragraph 11 states that the bank should consider the impact of remuneration policies on soundness indicators such as capital and liquidity and in case of a threat against capital adequacy or when needed, a more conservative policy should be followed on all remuneration issues, mainly the variable remuneration. Further, variable pay levels should be established in relation to the performance of their unit as well as the bank’s overall performance. The impact of risk taken should also factor into remuneration formulas. When determining the performance of identified staff, financial and non-financial criteria should be considered.

As well, principle 6 of RCGB directs that remuneration framework should be aligned with a bank’s ethical values and strategic targets. Compensation shall not be based on short-term performance or be guaranteed in advance.

No explicit supervisory reviews have been undertaken to date to address banks’ remuneration frameworks. Again, as mentioned in EC 5 and 3 above, this could be an area to include in a cross-cutting supervisory evaluation process of a bank’s corporate governance function.

EC8

The supervisor determines that the bank’s Board and senior management know and understand the bank’s and banking group’s operational structure and its risks, including those arising from the use of structures that impede transparency (e.g., special-purpose or related structures). The supervisor determines that risks are effectively managed and mitigated, where appropriate.

Description and findings re EC8

Legislation does not explicitly direct boards and senior management to “know your structure” but they must have knowledge of the bank’s related structures in order to assess individual and consolidated risk exposures and to prepare ICAAP on a consolidated basis. The bank’s Board and senior management’s responsibilities are defined in RICAAP. Articles 5-8 regulate the responsibilities of top management (which includes key senior management and the board of directors) regarding the establishment of the internal systems (including risk management systems). This requires top management to set policies and strategies relating the risk management as well as to establish the bank’s risk appetite and maintain sufficient capital as determined through ICAAP. ICAAP must be prepared on a consolidated basis, therefore bank management must know and understand all the risks to which the bank is exposed. In addition; the “intra-group transactions report” that has to be prepared each year guarantees that the bank management sees the financial relationship between group entities. Please also refer to CP12 for consolidated supervision framework of BRSA.

EC9

The supervisor has the power to require changes in the composition of the bank’s Board if it believes that any individuals are not fulfilling their duties related to the satisfaction of these criteria.

Description and findings re EC9

According to the article 69 (b) of the BL, in the context of points (e), (f) and (g) of Article 67 to eliminate violations, the BRSB has the power to require the bank to call on the general assembly to convene an extraordinary meeting to change one or several or all of the members of board of directors or to appoint new members by increasing the number of board members if the board of directors’ members have responsibility in decisions, transactions and practices.

Furthermore; the article 70(c) of the BL clearly empowers the BRSB to require the bank to dismiss one or all of the board members or together with the general manager, deputy general managers, and/or relevant unit and branch directors in cases where the bank fails to take measures laid down in Article 68 and/or 69. The same article requires the approval of BRSA for persons to be appointed or selected in place of the persons removed from office.

The supervisor’s responsibility for detecting compliance with the corporate governance principles is laid out in the BL Article 95(1) and the RAA Article 2(d). The evaluation of the quality of the corporate governance management is one of the key parts of on-site supervision according to the Article 14(1)(a-9) of RAA. Findings regarding CG enables the BRSB to take action against the board or specific board members in case of breaches of CG regulations and principles.

Another tool held by BRSA, contained in BL Article 26(2), is the ability to revoke the signing authority of any bank employee who is found to have infringed provisions of BL or related regulation, has endangered the safety and soundness of the bank, and legal proceedings have been requested. These provisions apply to not only staff but also to board members. There have been cases where such signing authority has been revoked, mainly dealing with bank staff. Only one instance did such action involve a bank director.

Additional criteria

AC1

Laws, regulations or the supervisor require banks to notify the supervisor as soon as they become aware of any material and bona fide information that may negatively affect the fitness and propriety of a bank’s Board member or a member of the senior management.

Description and findings re AC1

Assessment of Principle 14

Materially Non-compliant

Comments

The legal framework surrounding the corporate governance framework for banks is extensive, but very heavily focused on board responsibilities regarding internal systems (risk management, internal control, internal audit). Examination processes (GAR and specialized examinations) have required steps to check board approvals, internal structures, and processes which reflect on the governance function. The BRSA approves board and senior management appointments. In this way, the BRSA reviews the appointments process of the bank.

However, the results of special examinations and supervisory processes consistently stop short of drawing conclusions, in analytical, narrative form, on the implications the findings have for critical areas that are directly linked to the examined area. These critical areas reflect directly on the corporate governance effectiveness of the bank (such as management oversight of business areas, adequacy of risk management and internal audit’s role in the subject areas, integrity of MIS that goes up to the board level, and ultimately, board oversight). As a result, supervisory observations are not easily collected in order to form a more cross-cutting, substantiated view on corporate governance and the adequacy of internal systems. Therefore, validation of the manner in which such internal systems and governance operates is not well supported. This impacts the degree to which the BRSA should place confidence in the systems that inform the board and itself, as well as the systems’ ability to generate early warning indicators of deterioration.

There is no requirement for the majority of the board to be composed of non-executive members which could result in, potentially, boards being composed of a majority of executive directors with only the 2 nonexecutives as currently required by the legal framework. However, practically speaking, 10 out of 53 banks are listed and must fall under the CMB Communique on governance which requires a majority of independent directors. Consideration should be given to upgrading banking legislation requiring the board to be composed of a majority of nonexecutive members, and ideally, with a certain minimum of independent individuals. (The definition of “independent” should be consistent with that used by the CMB in its Communiqué on Corporate Governance.)

Audit committee membership should be expanded. While some bank boards in the system have populated this committee with more members, a minimum of 2 members is considered too few in order to execute the duties assigned to it in a robust and effective manner. This is particularly so since the audit committee is considered an extension of the board and is assigned the task of internal systems oversight which includes risk management. In addition, the chair of this committee, in some banks, is also the chairman of the board which does not reflect best practice and potentially represents a conflict of interest. This committee should be expanded and should be composed of all independent directors. As well, legislation directs that the audit committees have oversight responsibility for internal systems which includes risk management. Under the current audit committee structures, proper oversight of both critical areas is difficult at best. Risk management oversight responsibility should be separated from the audit committee, particularly in the more complex institutions (it was noted that one bank has, in fact, constituted a separate risk management committee).

While (3) special inspections of governance elements have been conducted, there is a need to more regularly conduct cross-cutting assessment of corporate governance in a holistic manner which would, in part, leverage examination results and relevant offsite information as well as information generated from any enforcement actions. Consideration could be given to introducing such reviews on a more regular basis in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance.

Given the observations cited in the above ECs (board membership/objectivity, board nominations process, board committee structure and membership, management oversight and performance evaluation, succession planning, “know your structure requirements”, internal code of conduct, etc.) the BRSA should develop a more comprehensive corporate governance regulation that completes the elements of governance that already exist in guidelines and regulation. This type of instrument could be a focal point of supervisory corporate governance reviews in the future.

Principle 15

Risk management process. The supervisor determines that banks³⁵ have a comprehensive risk management process (including effective Board and senior management oversight) to identify, measure, evaluate, monitor, report and control or mitigate³⁶ all material risks on a timely basis and to assess the adequacy of their capital and liquidity in relation to their risk profile and market and macroeconomic conditions. This extends to development and review of contingency arrangements (including robust and credible recovery plans where warranted) that take into account the specific circumstances of the bank. The risk management process is commensurate with the risk profile and systemic importance of the bank.³⁷

Essential criteria

EC1

The supervisor determines that banks have appropriate risk management strategies that have been approved by the banks’ Boards and that the Boards set a suitable risk appetite to define the level of risk the banks are willing to assume or tolerate. The supervisor also determines that the Board ensures that:

a) a sound risk management culture is established throughout the bank;
b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite;
c) uncertainties attached to risk measurement are recognized;
d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and
e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.

Description and findings re EC1

The focus of this BCP 15 is on both the framework for the overall risk management process in banks (both the legal and implementation aspects) as well as the BRSA’s supervisory process over this critical function. The actual implementation of the framework and supervisory process, and the results it renders, are specifically addressed in the respective Principles which follow.

The BL Articles 29 and 31 state the obligations pertaining to internal systems (internal control, risk management and internal audit systems). According to Article 29, banks are obliged to establish and operate adequate and efficient internal systems that are in harmony with the scope and structure of their activities, that can respond to changing conditions and that cover all their branches and undertakings subject to consolidation in order to monitor and control the risks that they encounter. In Article 31, within their risk management frameworks, banks shall establish, implement and report risk policies within the framework set by the BRSB. Risk management activities shall be performed by the risk management department and personnel who work under the board of directors.

Based on the above mentioned BL articles, RICAAP has been issued for the purpose of setting procedures and principles for the establishment and functioning of the internal systems (internal audit, internal control and risk management systems) and internal capital assessment process. While the ultimate output of ICAAP is the derivation of the internal capital requirement and capital projections for the upcoming three years under different economic scenarios, the process is highly dependent on banks’ internal risk management, their assessment of its adequacy, and the risk based measures of capital needs.

It is through this process that the BRSA has enumerated comprehensive regulation addressing requirements for robust risk management systems. This regulation, RICAAP, underpins to a very significant extent, BRSA’s expected risk management framework in banks which reflects much of what is international standard. The guidance offered by RICAAAP is cited throughout the risk section of this assessment and is pivotal to the evaluation of the adequacy of the system’s risk framework. Equally important, implementation of RICCAP and other essential regulation and directions have been evaluated to determine the extent that the requirements have taken root and are used effectively to identify, measure, and control risk.

ICAAP is a relatively recent development in the country’s banking system. As a result, banks’ are still developing their approach and implementing important systems. The BCP team’s review of supervisors’ working papers and discussion with banks indicated that banks as well as supervisors are, in fact, in a relatively early phase. The quality of banks reports and the scrutiny of the reports by supervisors will need to develop further before the results can be more reliable and more extensively used.

Risk appetite & risk strategies:

The BL directs that internal systems shall be established directly under the Board of Directors. The board may transfer all or part of its duties and responsibilities to the internal systems manager. It is also possible to have a senior manager such as an executive vice president who does not have any hierarchical link with CEO and whose performance evaluation is conducted by the board of directors or the audit committee. Furthermore, powers and duties of the board of directors, audit committee, and the senior management regarding the risk management system are determined in the RICAAP as well as establishment of internal capital assessment process.

As well, the board of directors of the bank is responsible for determining, in writing, the strategies, policies and the implementation procedures concerning the activities of the units included within the scope of the internal systems and to ensure that they are implemented and maintained effectively and coordinated with each other. The section further states that (the board of directors) will determine in writing the bank’s polices and strategies relating to risk management in general and separately for each risk type, risk level the bank can take and related implementation procedures, to allocate maximum risk limits for units and their managers or the personnel working in those units.

RICAAP Article 5 states that (the Board of Directors) will identify the bank’s risk appetite, to ensure that business lines, managers of the units within the scope of the internal systems and internal systems manager gather and exchange ideas, to resolve the communication problems between business lines within the aim of developing an effective risk management point of view throughout the bank and to ensure that business lines are informed about the developments, risks and risk mitigation techniques in the market.

As well, Article 39 (1) states that banks are obliged to establish a structure comprised of policies and processes to determine the risk appetite and monitor the conformity of units to the risk appetite. (2) Banks are obliged to set, measure, monitor and manage the risk limits for controlling the current risk profile in order not to exceed the risk appetite approved by the board of directors. Risk appetite structure shall be reviewed when necessary, once in a year at a minimum.

Culture, policies, processes, limits, and monitoring

RICAAP Article 38 (1-3) states that (banks must establish) risk limits associated clearly with the loss amount and allocated capital amount, connected with the risk appetite. Within this scope, risk appetite approved by the board of directors is shared to risk types, units, business lines and products as well as other levels deemed necessary and allocated. Furthermore, transaction limits are established per personnel, sub-unit or unit for risk limits in the required areas, mainly credit allocation and treasury transactions. Banks shall determine implementation procedures concerning proposal, assessment, approval, notifying in the bank, monitoring and audit processes of risk limits and the principles determined are approved by the board of directors. Surveillance responsibility for the bank’s risk profile not to exceed risk limits and values realized to be monitored by top management of the bank belongs to the board of directors. Risk limits are determined as a part of risk appetite on consolidated and non-consolidated basis by considering the size of bank in financial system. The risk limits shall be regularly reviewed and adapted in accordance with changes in market conditions and in the bank strategy.

RICAAP Article 35 (4) states that banks are obliged to establish and implement an effective risk management system for material risks in compliance with volume, complexity, and level of activities that bear risks. In addition to Pillar 1 risks, Pillar 2 risks shall also be taken into account considering their level of importance. Moreover, risks which are minor on their own but which may cause significant losses when combined with other risk types are also included.

RICAAP Article 38 requires banks to put in place board approved written limits and risk appetites for each risk type on consolidated and non-consolidated basis by considering the size of bank in the financial system. The risk limits are regularly reviewed and adapted in accordance with changes in market conditions and in the bank strategy. Risk limits are notified to related units and it is ensured that related personnel understands them. Limit usages are monitored closely and limit exceeding is notified to the senior management promptly in order to take necessary actions.

Article 4 of the RICAAP imposes banks to establish and operate adequate and effective internal systems in conformity with the scope and nature of their activities in order to monitor and control the risks to which they are exposed. BRSA requires banks to implement the principles by considering banks’ own scales, risk profiles; activities, volume, nature and complexity of their business and transactions. It’s also necessary to make written explanations and retentions for the principles which are not implemented totally or partially [Article (4)(1)(m) of RAA].

According to the Article 46 of RICAAP, banks are obliged to calculate the capital internally which will meet the risks exposed or which may be exposed on consolidated and non-consolidated basis and maintain their activities with a capital higher than this amount on consolidated and non-consolidated basis. The ICAAP process determines that the management body; a) accurately and comprehensively identify, measure, aggregate, monitor and report the bank’s risks, b) calculate and hold adequate internal capital in relation to the bank’s risk profile, risk management process, adequacy of internal systems, strategies and activity plan, c) establish and use sound risk management systems and develop them further. The ICAAP also considers the impact of economic cycles, and sensitivity to other external risks and factors. The ICAAP shall be integrated to the bank’s organizational structure, risk appetite framework and activity processes; and shall form a basis for them.

Supervisory (onsite) manual

There are several criteria in the Supervisory Manual on Risk Assessment Criteria (SMRAC) that require BRSA onsite examiners to take into consideration the strategies, policies and processes concerning following risk categories; credit risk, operational risk, strategic risk, reputational risk, liquidity risk, interest rate risk in the banking book, market risk, country and transfer risk, concentration risk, residual risk, model risk, counterparty credit risk. In SMRAC, there are assessment criteria for each risk category to evaluate the effectiveness of risk management.

For example, in the credit risk area, the criteria help the examiners to evaluate risk management strategy whether the Board and senior management set a suitable risk appetite to define the level of credit risk the bank is willing to assume or tolerate. In addition to this, the examiner determines that if a sound credit risk management culture is established throughout the bank; policy and processes are developed for risk taking that are consistent with the risk management strategy and the established risk appetite; appropriate credit limits are established that are consistent with the bank’s risk appetite, risk profile, and that are understood by relevant personnel; and senior management takes the necessary steps to monitor and control credit risk consistent with the approved strategies and risk appetite. The authority and liability of the relevant staff is defined clearly and the necessary steps in case of deficiency are defined.

CAMELS review/GAR methodology

The GAR process directs examiners to evaluate policies, strategies and processes, contingency plans to determine if they address material risks such as operational risk issues in departments such as corporate/small and medium enterprises/retail loans, credit cards, accounting and reporting systems, derivatives etc.

EC2

The supervisor requires banks to have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. The supervisor determines that these processes are adequate:

a) to provide a comprehensive “bank-wide” view of risk across all material risk types;
b) for the risk profile and systemic importance of the bank; and
c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.

Description and findings re EC2

As stated in EC1 above, RICAAP comprehensively addresses the risk management function in banks.

The complexity level of risk management system is formed in proportion with the bank’s size and the complexity of its activities. If BRSA finds the mentioned level insufficient, banks are obliged to remove this insufficiency within a timeframe to be determined by BRSA (Article 35(3) and 35(5)).

Banks should have comprehensive risk management policies and processes to identify, measure, evaluate, monitor, report and control or mitigate all material risks. In addition, the management of the material risks in the bank’s risk profile and providing a comprehensive “bank-wide” view of risk across all material risk types are arranged in the RICAAP Articles 5, 35, 37, 38, 39, 42, 45.

RICAAP Article 38 requires banks to put in place board approved written limits and risk appetites for each risk type on consolidated and non-consolidated basis by considering the size of bank in the financial system. The risk limits are regularly reviewed and adapted in accordance with changes in market conditions and in the bank strategy. Risk limits are notified to related units and it is ensured that related personnel understands them. Limit usages are monitored closely and limit exceeding is notified to the senior management promptly in order to take necessary actions.

The article 36(2) of the RICAAP states that risk management policies and implementation procedures must adapt to changing conditions. The board of directors or the relevant internal systems manager shall regularly assess their adequacy and make the necessary changes. In addition, according to the 42(6) of the RICAAP, the risk measurement methods and models should be periodically updated to reflect changing market conditions.

Macroeconomic environment affecting the markets in which the bank operates is assessed in ICAAP reports as stated in the GICAAPR (section “2. General Assessment and Expectations”) in a detailed manner because of the fact that it may cause material risks for the bank.

During the CAMELS review/GAR methodology process, as well as during special examinations, supervisors check whether a bank has suitable policies and processes that clearly articulate roles and responsibilities related to the identification, measurement, monitoring and control of the material risks. As well, the examiners review banks’ strategy, policies, procedures and growth budgets pertaining to various risks, including their implementation, and invites bank management’s attention to areas of concern. Banks’ business plans in relation to their risk profile, capital, manpower skills, historical performance, adequacy of procedures and controls are evaluated.

EC3

The supervisor determines that risk management strategies, policies, processes and limits are:

a) properly documented;
b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and
c) communicated within the bank.

The supervisor determines that exceptions to established policies, processes and limits receive the prompt attention of, and authorization by, the appropriate level of management and the bank’s Board where necessary.

Description and findings re EC3

RICAAP Article 5 and provisions that are mentioned in EC1 require that risk management strategies, policies, processes and limits are documented; regularly reviewed and adjusted to reflect changing risk appetites, risk profiles, market and macroeconomic conditions; communicated within the bank. Article 12 regulates establishment of the communication structure and communication channels within the bank.

How the risk management system (RMS) of banks shall be established, the purpose of RMS, which points have to be included in the policies and procedures, the activities of RMS, main aspects of risk limit setting, risk appetite framework, new products and services, responsibilities of risk management unit and personnel, risk measurement and its process, stress testing to be performed by bank, data management process and reporting of risks within the banks are regulated in Section Four (articles 35-45), “the Risk Management System” of the Regulation.

Due to RICAAP, article 63(6), banks are required to prepare ICAAP reports every year. In these reports, banks give detailed information about their risk management strategies, policies, processes, limits and risk appetites. Banks are obliged to submit these reports to BRSA in the first quarter of every year. Banks should have detailed risk management strategy documents to prepare these reports. Furthermore, in the section “5. Risk management” of GICAAPR, all material risks are taken into consideration in terms of identification, measurement, management/control and mitigation as well as risk appetite and risk limits.

In addition to this, banks are required to list internal regulations, communiqués, action plans and decisions by which the policies and procedures and business flows and processes are determined and duties and responsibilities are assigned relating to corporate governance, management of each risk type (identification, measurement, monitoring, control and reporting) capital and liquidity planning within risk management structure and submit these documents to the BRSA in the annex of the ICAAP Report. Inside the Report, amendments made to regulations within the period, as well as new regulations entered into force and justified information about abolished ones are given to express the progress in the bank’s risk management capacity and its elasticity face to changing conditions.

In the on-site supervision process, the BRSA examiners are informed about important decisions taken by banks and are able to access and assess banks’ policies, processes, strategies, exceptions and internal reports on an ongoing basis. On-site examination reports make observations on banks’ compliance with internal and regulatory limits. As a part of the routine examination, BRSA examiners evaluate whether the risk management strategies, policies, processes and limits are documented and limits are monitored by the top management with the help of GAR module.

EC4

The supervisor determines that the bank’s Board and senior management obtain sufficient information on, and understand, the nature and level of risk being taken by the bank and how this risk relates to adequate levels of capital and liquidity. The supervisor also determines that the Board and senior management regularly review and understand the implications and limitations (including the risk measurement uncertainties) of the risk management information that they receive.

Description and findings re EC4

RICAAP Article 5 stipulates that the bank’s Board and senior management get sufficient information on, and understand, the nature and level of material risks being taken by the bank and how these risks relate to adequate levels of capital and liquidity. In addition to this, the Board and senior management shall regularly review and understand the risk management information that they receive from the all units of the bank. RICAAP Article 5(3) states that the board of directors is responsible for ensuring that the bank has adequate capital to support its risks by means of establishment and implementation of the ICAAP. It needs to ensure that the bank management establishes a framework for assessing the various risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies. Also, information on the nature and level of risk being taken by the bank should be reported to the Board of directors and top management according to the article 45 of the RICAAP.

Banks shall prepare a report including their assessments on risk measurement, capital and liquidity planning as well as risk management abilities made within the scope of the ICAAP according to Article 56(1) of RICAAP.

In the Risk Assessment (CAMELS) phase of supervision, BRSA examiners assess whether the bank’s top management obtains sufficient information about material risks that are taken by the bank and regularly reviews and understands the implications and limitations of the risk management information that they receive.

EC5

The supervisor determines that banks have an appropriate internal process for assessing their overall capital and liquidity adequacy in relation to their risk appetite and risk profile. The supervisor reviews and evaluates banks’ internal capital and liquidity adequacy assessments and strategies.

Description and findings re EC5

In addition to abovementioned requirements (EC1-EC4), banks are also required to assess their internal capital and liquidity adequacy. They are required to have an ICAAP process and the provisions regarding this process are regulated in RICAAP. Banks are required to submit an ICAAP report once in a year and requirements of ICAAP reporting is regulated in GICAAPR.

In the ICAAP reports, banks assess their capital and liquidity adequacy according to section “6. Capital Planning” and “9. Liquidity Planning” of GICAAPR respectively. Moreover, there is detailed information about how to carry out these capital and liquidity plans in other parts of the GICAAPR.

According to Article 56(2) of the RICAAP, Bank’s analysis and assessments relating to capital and liquidity adequacy and planning in the ICAAP Report are assessed in the examinations made by the BRSA. In addition, there are also specific provisions concerning the audits conducted by the BRSA in terms of capital and liquidity adequacy, in the sections “3. Regulatory Capital Adequacy”, “4. Internal Capital Adequacy”, “5. Adequacy of Liquidity”, “6. Stress Tests” of the GAA.

As stated in EC 1, ICAAP is a relatively recent development in the country’s banking system. As a result, banks’ are still developing their approach and implementing important systems. The BCP team’s review of supervisors’ working papers and discussion with banks indicated that banks as well as supervisors are, in fact, in a learning phase. The quality of banks reports and the annual review of the reports by supervisors will need to develop further before the results can be more reliable and more extensively used.

EC6

Where banks use models to measure components of risk, the supervisor determines that:

a) banks comply with supervisory standards on their use;
b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and
c) banks perform regular and independent validation and testing of the models
d) The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.

Description and findings re EC6

There are 3 different communiques regarding standards for models used to measure market risk, credit risk and operational risk: Communiqué on the Calculation of Market Risk by Risk Measurement Models and Assessment of Risk Measurement Model (CMR-RMM), Communiqué on Calculation of the Risk Weighted Exposure Amount for Credit Risk by Internal-rating based Approaches (CIRB), Communiqué on Calculation of the Risk Weighted Exposure Amount for Operational Risk by Advanced Measurement Approach (CAMA) respectively. Additionally, there are Guidelines on Assessment and Validation of Internal Rating Based Approaches and Advanced Measurement Approach (GAVA) and Guidelines on the Application Process of Internal Rating Based Approaches and Advanced Measurement Approach (GAPA) guidelines regarding approval and validations processes for these models. These guidelines regulate the model use for regulatory capital requirement calculation purposes.

RICAAP has rules about model use for internal risk management purposes. RICAAP Article 5(2) (ğ) gives responsibility to the Board to have information about risks the bank is exposed to and measurement methods and management of those.

It is mentioned in the Articles 42, 45(2)(ç), 55(1) of the RICAAP that different measurement methods and models may be used to measure and assess risks. In these articles there are detailed information about the processes related to method or model.

Regulation states that banks’ internal audit units are given the responsibility to audit risk measurement models. If risk measurement models are used in the bank, the internal audit unit should audit: whether the results obtained from risk measurement models and methods are incorporated in daily risk management, the accuracy of data and assumptions used in risk measurement models, reliability, integrity and timely availability of the data source used and the accuracy of back-tests used for these models, etc. (Article 21(4) of the RICAAP).

The responsibility of the risk management department is “to participate in the process of designing, selecting and putting into practice the risk measurement models and giving preliminary approval, to review the models regularly and to make the necessary changes”. Article 41(1)(d), (e) of RICAAP.

RICAAP imposes separate roles to different internal system units regarding risk measurement models. Article 11(2)(b) requires that the information systems of the bank shall enable risks, including regulatory and internal capital adequacy calculations, to be measured using risk measurement methods or models and to be reported in a timely and effective manner. Article 15(2)(ç) gives internal control units the responsibility to interrogate the accuracy of transaction details, activities, and outputs related to risk management models.

Article 58 and 62 of the RICAAP arranges validation process of the internal model. The validation process to be made within the scope of Article 58 is assessed by the BRSA. According to article 58, validation of internal model used within the scope of ICAAP shall be made by a team independent from the units which develops methodology or independent from the executive units. Validation may be conducted by external experts. Validation report should be submitted to BRSA together with ICAAP report (Article 63(9)). In addition to the RICAAP, GICAAPR has numerous detailed provisions connected to the models or methods as well as validation processes of them.

Additionally, model risk is highlighted in risk management guidelines such as in Guideline on The Management of Concentration Risk (GMCR).

GAA, para 8, states that the Agency examines the regulatory capital adequacy and calculation process, models and assumptions. In paragraph 10, the issues that the bank considers while using the IRB approach are listed. According to paragraph 12, the Agency examines the internal capital adequacy and calculation process, models and assumptions that are used by banks.

The BRSA examiners examine compliance to the above mentioned regulations. To examine these processes, the BRSA examiners use GAR (risk assessment – CAMELS) module

EC7

The supervisor determines that banks have information systems that are adequate (both under normal circumstances and in periods of stress) for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types, products and counterparties. The supervisor also determines that these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s Board and senior management in a form suitable for their use.

Description and findings re EC7

Article 11 of RICAAP addresses information systems. The structure of information systems must be commensurate with the scale of the bank and with nature and complexity of the products. The minimum outputs of these systems are regulated in RICAAP including regulatory and internal capital adequacy calculations, early warning indicators, timely reporting of breaches of maximum risk levels, allocation of capital requirement according to risk level, stress tests and scenario analysis to be made, etc. Also Article 45 gives information about reporting of risks within the bank.

RICAAP regulates the general requirements about information systems, however, in the risk management guidelines that are listed in Principle 1, EC3, there are additional specific requirements imposed regarding that specific risk. For example, Paragraphs 44-51 of Guideline for Liquidity Risk Management (GLRM) explains how an information system for liquidity risk management should be. GAA paragraphs 12(8), 12(11) mention about management information systems and reporting.

Banks’ reporting framework comprises of a wide range of call reports on several aspects of prudential importance, some of which pertain to the consolidated bank position. Banks are obliged to prepare the ICAAP report annually both on a consolidated basis and non-consolidated basis. Within the ICAAP report, the results of stress tests and scenario analyses must be presented. Banks’ reporting is subjected to test checks by the BRSA. Periodical internal systems audit conducted by external auditors and the BRSA provide assurance about the integrity and coverage of the internal and supervisory reports.

BRSA sets the standards for information systems of banks in CPITMB, RICAAP, and GICAAP and conducts IT examinations via its IT audit experts. Furthermore, annual external audit findings are utilized to evaluate the IT risks associated with a bank as well. Bank’s Board and senior management make self-assessments using Circular on Management Assertion and submit their assessments to the external auditor.

Through the CAMELS review/GAR methodology, under MIS in the Management component—the BRSA examiners assess whether banks have adequate information systems for measuring, assessing and reporting on the size, composition and quality of exposures on a bank-wide basis across all risk types. Through this process and procedure, they are to assess whether these reports reflect the bank’s risk profile and capital and liquidity needs, and are provided on a timely basis to the bank’s top management.

Furthermore, according to GAA paragraph 12(8); during the ICAAP examinations, the Agency assesses the quality of the bank’s management information reporting and systems, the manner in which business risks and activities are aggregated, and management’s record in response to emerging or changing risks.

EC8

The supervisor determines that banks have adequate policies and processes to ensure that the banks’ Boards and senior management understand the risks inherent in new products,³⁸ material modifications to existing products, and major management initiatives (such as changes in systems, processes, business model and major acquisitions). The supervisor determines that the Boards and senior management are able to monitor and manage these risks on an ongoing basis. The supervisor also determines that the bank’s policies and processes require the undertaking of any major activities of this nature to be approved by their Board or a specific committee of the Board.

Description and findings re EC8

RICAAP Article 5(2) points (ğ) and (ö) give the Board the responsibility to have information about risks the bank is exposed and to understand the risks of new products. Board is also given the responsibility to approve all policies and processes according to article 5(2) (i) and best practice guidelines. Article 40 requires banks to carefully assess new products and services offered by them. Banks are required to ensure that the necessary personnel, technology and financial resources are available for these products and services to be offered and that the top management is fully aware of the risks involved in the new products and services. Also in article 18 of the RICAAP it is stated that new transactions and products should be included in the compliance controls carried out by the internal control units of banks.

While Article 40 enumerates a number of the review requirements for new products, it does not explicitly extend the process to address material modifications to existing products and major acquisitions. It also does not require banks to restrict new products if they do not have the necessary controls, management, and resources to manage related risks.

In addition to this, BRSA is able to verify compliance to these regulations as part of its CAMELS rating methodology under the Management component during on-site examinations. For example, Financial Soundness Analysis Identification Number (FSAID) 2753 supports this examination.

EC9

The supervisor determines that banks have risk management functions covering all material risks with sufficient resources, independence, authority and access to the banks’ Boards to perform their duties effectively. The supervisor determines that their duties are clearly segregated from risk-taking functions in the bank and that they report on risk exposures directly to the Board and senior management. The supervisor also determines that the risk management function is subject to regular review by the internal audit function.

Description and findings re EC9

BL (Article 31) stipulates that the risk management activities shall be performed by the risk management department which will work under the board of directors. RICAAP Article 4 (2) also requires internal systems to be located under the board of directors. It furthermore requires the board of directors to determine the duties, powers and responsibilities of the internal systems units and of their managers clearly and without conflict of duties, to approve the working procedures and principles for the staff appointed in these units, and to ensure that the necessary resources are allocated.

Article 10(1) of RICAAP, provides information for the division of risk management functions/tasks in banks. Moreover, the BRSA verifies the independence of the risk management functions and recommend remedial measures if it is not observed.

In periodic and risk-based audits, the department audits the adequacy and effectiveness of the internal control and risk management systems and ICAAP is assessed by the internal audit unit. Additionally, the ICAAP report is also examined by the BRSA examiners.

The BCP team identified certain issues with the organization of the credit risk management function and the credit monitoring function which is a line management activity. The organizational arrangements discussed in BCP 17 do not adequately address independent credit risk monitoring at the individual credit and portfolio levels. See BCP 17.

EC10

The supervisor requires larger and more complex banks to have a dedicated risk management unit overseen by a Chief Risk Officer (CRO) or equivalent function. If the CRO of a bank is removed from his/her position for any reason, this should be done with the prior approval of the Board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.

Description and findings re EC10

In Turkey, risk management departments of banks are separate units that are directly under the board of directors. According to the Article 31 of BL, risk management activities shall be performed by the risk management department and personnel to work under the board of directors.

RICAAP Article 4 directs that banks assign a senior manager or an executive vice president, responsible for all internal systems departments, who has no hierarchical link with the CEO in the bank’s organization structure and whose assessments on performance as well as financial and personal rights are conducted by the board of directors or the audit committee. Also the articles 37(1) and 41(3) have provisions regarding risk management unit and personnel.

In Turkey, the risk management departments of banks are generally organized under a senior manager reporting directly to audit committee. However, some banks do have CRO type posts. Commensurate with their size and complexity of operations, banks should be specifically required to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities. The level of senior manager may not provide the necessary stature necessary to challenge high level risk decisions and processes.

According to RICAAP article 63(1), banks must notify the Agency in writing of the appointment or resignation of the internal systems manager or committee members, the members of the audit committee, and the senior managers of the units included within the scope of these systems, within seven working days from the date of the relevant decision. However, regulation should require, explicitly, if the CRO is removed from his/her position for any reason, that the Board has been informed and has given its approval. This action should be generally disclosed publicly. While the regulation requires banks to notify the BRSA promptly, the reasons for such removal should be presented and discussed.

EC11

The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.

Description and findings re EC11

BRSA has issued detailed specific guidelines articulating the standards related to credit risk, market risk, liquidity risk, and operational risk, interest rate risk in the banking book, country risk, reputational risk, and others.

EC12

The supervisor requires banks to have appropriate contingency arrangements, as an integral part of their risk management process, to address risks that may materialize and actions to be taken in stress conditions (including those that will pose a serious risk to their viability). If warranted by its risk profile and systemic importance, the contingency arrangements include robust and credible recovery plans that take into account the specific circumstances of the bank. The supervisor, working with resolution authorities as appropriate, assesses the adequacy of banks’ contingency arrangements in the light of their risk profile and systemic importance (including reviewing any recovery plans) and their likely feasibility during periods of stress. The supervisor seeks improvements if deficiencies are identified.

Description and findings re EC12

RICAAP Article 13 addresses the emergency and contingency plans and business continuity management. Banks must establish a business continuity management structure approved by the board of directors in order to ensure the sustainability of activities in case of an interruption or to save them time to minimize operational, financial, legal and reputational negative effects. There are also other provisions at RICAAP Article 13 that address payment and settlement systems and business disruption. For a possible emergency and contingency regarding the payment and settlement systems, communication arrangements shall be established between the authorities of the CBRT, the persons responsible for the interbank payments, agreements and settlement systems and the Agency as well as a communication channel or network open to the public and the customers. The continuity of information systems is handled in information systems continuity plan approved by the board of directors prepared within the scope of business continuity plan and in state of emergency and contingency plan. Banks have to mention their contingency arrangements in their ICAAP reports. Please refer to GICAAPR Annex section 6, paragraphs (1, 3, and 4), section 8 paragraph 4, section 9 paragraphs (2, 3, and 5(7)).

Provisions regarding business continuity plans are further regulated in GORM in a more detailed manner. According to GORM Principle 10, banks need to have a business continuity plan to be able to continue their activities on an ongoing basis and limit losses in the event of severe business disruption.

Negative condition scenarios created by the bank should be assessed for their financial, operational and reputational impact and the resulting risk assessment should be the foundation for recovery priorities and objectives (paragraph 71 of GORM).

All the disaster recovery and business continuity plans are tested at least once in a year according to RICAAP article 13. These tests are checked by the BRSA on-site examination teams as a part of the ratings process. This includes whether there is a business continuity plan approved by the board of directors and if this plan is tested by the bank.

EC13

The supervisor requires banks to have forward-looking stress testing programs, commensurate with their risk profile and systemic importance, as an integral part of their risk management process. The supervisor regularly assesses a bank’s stress testing program and determines that it captures material sources of risk and adopts plausible adverse scenarios. The supervisor also determines that the bank integrates the results into its decision-making, risk management processes (including contingency arrangements) and the assessment of its capital and liquidity levels. Where appropriate, the scope of the supervisor’s assessment includes the extent to which the stress testing program:

a) promotes risk identification and control, on a bank-wide basis
b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks;
c) benefits from the active involvement of the Board and senior management; and
d) is appropriately documented and regularly maintained and updated.

The supervisor requires corrective action if material deficiencies are identified in a bank’s stress testing program or if the results of stress tests are not adequately taken into consideration in the bank’s decision-making process

Description and findings re EC13

RICAAP Article 43 stipulates that Banks shall establish and operate a stress testing program in order to measure its material risks and vulnerabilities which may arise from both negative developments peculiar to the bank and the developments in stressed economic and financial environment. Top management is responsible for establishment and implementation of a stress testing program as a whole. In addition to this, stress testing program shall be based on historical data including statistical risk and loss predictions and complementary for other risk management methods and qualitative implementations. Stress testing program shall include clearly defined purposes, well designed scenarios in compliance with the bank’s activities and its risk arising from those activities, written assumptions, a strong methodology, reporting supporting the decisions taken, revising stress testing processes in a continuous and efficient manner and management actions based on stress testing results. Stress testing program requires, an overall firm-wide stress testing, in addition to each material risk type.

Consistent with RICAAP Article 43(7), a Guideline on Stress Testing to be used by Banks In Capital and Liquidity Planning (GST) was published. GST is arranged to determine the principles on the implementation of the mentioned article and banks are expected to be in compliance to the extent with their structures, size and complexity of the Bank’s activities. Principles stated in the guideline also make a base for supervision and surveillance activities of the Agency. Within the scope of GST, stress testing defines all the implementations enabling the forward-looking evaluation of possible events or changes that could adversely impact the bank.

During the examinations conducted, BRSA reviews the key assumptions driving stress testing results and their continuing relevance in view of existing and potentially changing market conditions. BRSA evaluates banks on how stress testing is used in internal processes of banks and the way it affects decision-making.

EC14

The supervisor assesses whether banks appropriately account for risks (including liquidity impacts) in their internal pricing, performance measurement and new product approval process for all significant business activities.

Description and findings re EC14

Article 40 of RICAAP states that the top management should be fully aware of the risks involved in the new products and services. The bank must ensure that detailed assessment of the risks that may arise from the product or service, determination of the necessary resources to assess risk management practices and carry out effective risk management for the new product or service, implementation procedures to be followed in measuring, monitoring and controlling the risks that would arise from the new product or service are taken into account when a new product is offered.

Additional criteria

AC1

The supervisor requires banks to have appropriate policies and processes for assessing other material risks not directly addressed in the subsequent Principles, such as reputational and strategic risks.

Description and findings re AC1

Assessment of Principle 15

Largely Compliant

Comments

The RICAAP forms a part of the core of the BRSA’s regulatory framework for risk management. Given that the ICAAP is a relatively recent requirement, banks’ are still developing their approach and implementing important systems. The BCP team’s review of supervisors’ working papers and discussion with banks indicated that banks as well as supervisors are, in fact, in a learning phase. The quality of banks reports and the scrutiny of the reports by supervisors will need to develop further before the results can be more reliably and more extensively used.

Commensurate with their size and complexity of operations, banks should be specifically required to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities. The level of senior manager may not provide the necessary stature necessary to challenge high level risk decisions and processes.

As well, while there are comprehensive requirements for the evaluation of new products, parameters should be expanded to explicitly address material modifications to existing products and major acquisitions. It should also direct banks to restrict such products or activities if they do not have the necessary controls, management, and resources to manage related risks.

Principle 16

Capital adequacy.³⁹ The supervisor sets prudent and appropriate capital adequacy requirements for banks that reflect the risks undertaken by, and presented by, a bank in the context of the markets and macroeconomic conditions in which it operates. The supervisor defines the components of capital, bearing in mind their ability to absorb losses. At least for internationally active banks, capital requirements are not less than the applicable Basel standards.

Essential criteria

EC 1

Laws, regulations or the supervisor require banks to calculate and consistently observe prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action. Laws, regulations or the supervisor define the qualifying components of capital, ensuring that emphasis is given to those elements of capital permanently available to absorb losses on a going concern basis.

Description and findings re EC1

According to Article 45 of the BL all banks in Turkey need to hold a capital adequacy ratio (CAR) of at least 8%. The BL also authorizes the BRSB to increase the minimum CAR, to set different ratios for each bank and to revise the risk weight assets after taking into consideration the banks’ internal systems as well as their asset and financial structures.

Using these powers the BRSA has implemented a capital framework in compliance with Basel standards. For the regulatory minimum capital requirement, the BRSA sets the minimum standard for CET1, Tier 1 and Total Capital on a solo and consolidated level according to the Basel requirements, which are 4.5%, 6.0% and 8.0% of risk-weighted assets, respectively, and, as a parallel requirement, the BRSA also sets a targeted minimum total capital ratio of 12% of risk-weighted assets. Minimum levels are defined in the RCA (art. 29 and 30) while ROF defines the elements of regulatory capital.

Banks are also required to maintain a capital planning buffer above the minimum amounts based in their internal capital assessment and planning (RICAAP, art. 55 and 60).

EC2

At least for internationally active banks,⁴⁰ the definition of capital, the risk coverage, the method of calculation and thresholds for the prescribed requirements are not lower than those established in the applicable Basel standards.

Description and findings re EC2

The BRSA applies the Basel Framework on a consolidated basis to all credit institutions in Turkey, including credit banks and participation banks. The capital framework is mostly established in the Regulation on Own Funds (ROF) and in the Regulation of Measurement and Assessment of Capital Adequacy in Banks (RCA) and is in compliance with Basel Standards.

Some aspects of the regulation are more rigorous than the Basel framework. Turkish legislation, for instance, applies a more conservative approach in assigning risk weights based on ratings for exposures to corporates. All domestically incorporated corporates are subject to a risk weight of at least 100%. The floors applied to the IRB and AMA framework are also more conservative than the ones prescribed by Basel, although currently there is no bank authorized to calculate regulatory requirements following these approaches

Given the low materiality of securitization exposures in the Turkish banking system, the BRSA has not implemented the internal ratings-based approach for securitization.

The BRSA capital framework has been assessed as compliant by the Basel Committee Regulatory Assessment Program

EC3

The supervisor has the power to impose a specific capital charge and/or limits on all material risk exposures, if warranted, including in respect of risks that the supervisor considers not to have been adequately transferred or mitigated through transactions (e.g., securitization transactions)⁴¹ entered into by the bank. Both on-balance sheet and off-balance sheet risks are included in the calculation of prescribed capital requirements.

Description and findings re EC3

Article 45 of BL provide the BRSB the power to increase the minimum CAR and to set different ratios for each bank after taking into consideration the banks’ internal systems as well as their asset and financial structures.

In practice specific capital charges are established in the ICAAP and SREP review. The RICAAP Section 5 (ICAAP) requires banks to assess their capital needs, estimate capital charges for Pillar 2 risks and estimate a capital planning buffer based on stress scenario for the following three years. Banks are required to maintain a higher level than the amount estimated internally. The BRSA examines the ICAAP report and in case missing parts or errors are found, a new ICRR can be determined. Article 60 of the RICAAP also allows the BRSA to increase capital requirements if it considers that banks are not holding sufficient capital for Pillar1 and Pillar2 risks.

The regulation imposed by the BRSA is complex and difficult to enforce. Banks are allowed to use models to calculate the internal capital charge for Pillar 1 and Pillar 2 risks, to consider risk diversification benefits, and are provided a few constraints on the projections of their capital needs for the following years under stress. In addition to that, the specific capital charge may not be binding for several banks. Since the capital planning buffer is only applied when the results are higher than the capital conservation buffer, it is likely to fade in importance over the next few years as the capital conservation buffer will be fully phased-in. The 12% total capital parallel requirement imposed by the BRSA might also be the effective binding constraint for a number of banks.

EC4

The prescribed capital requirements reflect the risk profile and systemic importance of banks⁴² in the context of the markets and macroeconomic conditions in which they operate and constrain the build-up of leverage in banks and the banking sector. Laws and regulations in a particular jurisdiction may set higher overall capital adequacy standards than the applicable Basel requirements.

Description and findings re EC4

As explained in EC3, the BL authorizes the BRSA board to increase the minimum capital adequacy ratio and to set different ratios for each bank taking into consideration the banks’ internal systems as well as their asset and financial structures. The BRSA does that in practice through the ICAAP.

Systemic importance is taken into account imposing additional loss absorbency requirements for domestic systemically important banks. The BRSA methodology is similar to the one used by the FSB to identify and group G-SIBs. The regulation creates four groups of banks as shown in the table below and distributes the banks in the groups according to their systemic importance. Seven banks are expected to populate the bottom three groups of the table.

Groups	Domestic Systemically Important Banks (D-SIBs) Buffer rates (%)
Group 4- empty	3
Group 3	2
Group 2	1,5
Group 1	1

Macroeconomic conditions are taken into account through the countercyclical capital buffer. Following the Basel guidance, the BRSA’s capital framework prescribes a process whereby both national and cross-border conditions are taken into account. The national component of the buffer is currently set at zero. BRSA has established indicators and a process for monitoring the macroeconomic conditions in Turkey and update this value as needed. Banks should obtain the value of the foreign component of the buffer for each country where they contain exposures from the Basel Committee website.

Another tool implemented by the BRSA to limit leverage in the banking system is the leverage ratio. The regulation on Measurement and Assessment of Leverage Level of Banks (RMAL) establishes that the three-month simple arithmetic average of the leverage ratio should be at least three percent. The RMAL also provides the BRSB the power to establishes a different leverage ratio and consolidated leverage ratio by considering the internal systems, asset and financial structures of banks, the implementation of different ratio on the basis of the bank and change the calculation and reporting periods.

As explained in EC2, some aspects of the regulation set by the BRSA are more rigorous than the Basel framework. Turkish legislation, for instance, applies a more conservative approach in assigning risk weights based on ratings for the exposures to corporates. The BRSA also applies a parallel 12% capital adequacy ratio requirement.

EC5

The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:

a) such assessments adhere to rigorous qualifying standards;
b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor;
c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken;
d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and
e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.

Description and findings re EC5

Currently there is no bank in Turkey authorized to use modeling approaches to calculate the Pillar 1 capital charge.

The use of internal models for calculating regulatory capital requirements is subject to BRSA approval (RCA, Articles 4, 9 and 24). The approval process to use internal assessments for various risk types are set out in related communiqués such as CIRB, CAMA, CMR-RMM.

Some large domestic banks and subsidiaries of international banks, are already using models for their internal risk management and lending process. These banks are in the process of calibrating and adjusting those models in order to appropriately capture the risks of the local market, before submitting them for regulatory approval by the BRSA. Some banks are expected to apply for the IRB approach.

The regulatory framework set out numerous requirements for banks utilizing internal models approaches. CIRB, CAMA and CMR-RMM set qualifying standards for credit risk, operational risk and market risk in accordance to the Basel II framework. The BRSA has a number of risk management specialists that are able to provide support during the authorization process.

According to the regulation, material modifications to the risk system after the authorization process require new BRSA approval. If a bank does not continue to meet the qualifying standards or the conditions imposed by the BRSA on an ongoing basis, the BRSA has the power to revoke its approval according to CIRB, CAMA, and CMR-RMM.

EC6

The supervisor has the power to require banks to adopt a forward-looking approach to capital management (including the conduct of appropriate stress testing).⁴³ The supervisor has the power to require banks:

a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and
b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.

Description and findings re EC6

RICAAP Articles 46-62 have detailed provisions concerning the ICAAP processes and reporting of banks. In particular, banks should have a risk based, comprehensive and forward-looking capital assessment processes which should include all the risks on a consolidated basis.

In particular, as discussed in EC3, banks are required to hold a capital planning buffer that is based on stress tests. Banks are required to project the evolution of their RWA and capital for the following three years under different stress scenarios. The methodology generates a capital charge associated with the lowest capital buffer in any one of these years.

Finally, banks are required to discuss and provide information on contingency arrangements to maintain their capital positions in times of stress as part of the ICAAP reports (GICAAPR).

AC1

For non-internationally active banks, capital requirements, including the definition of capital, the risk coverage, the method of calculation, the scope of application and the capital required, are broadly consistent with the principles of the applicable Basel standards relevant to internationally active banks.

Description and findings re AC1

AC2

The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.⁴⁴

Description and findings re AC2

Assessment of Principle 16

Compliant

Comments

The BRSA has adopted the various components of Basel II, 2.5 and III according to the framework established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BRSA has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BRSA has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as countercyclical capital requirements, systemic important bank capital add-ons and a “capital planning buffer” that provides a forward looking nature to the capital regulation.

Going forward, as the BRSA gain experience with the ICAAP, it should consider simplifications to the framework to improve its enforceability and reduce banks compliance burden, particularly for non-systemic important banks. Simplifications that could be considered include restrictions on diversification benefits and use of models for credit, market and operational risk that have not been authorized for the Pillar 1 capital charge. The BRSA should also evaluate the interaction with other requirements such as the 12% parallel capital charge and the Basel capital buffers to prevent the effectiveness of the Pillar 2 regime from being damaged by another more stringent requirement that in practice makes the Pillar 2 charges redundant.

Principle 17

Credit risk.⁴⁵ The supervisor determines that banks have an adequate credit risk management process that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate credit risk⁴⁶ (including counterparty credit risk)⁴⁷ on a timely basis. The full credit lifecycle is covered including credit underwriting, credit evaluation, and the ongoing management of the bank’s loan and investment portfolios.

Essential criteria

EC1

Laws, regulations or the supervisor require banks to have appropriate credit risk management processes that provide a comprehensive bank-wide view of credit risk exposures. The supervisor determines that the processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank, take into account market and macroeconomic conditions and result in prudent standards of credit underwriting, evaluation, administration and monitoring.

Description and findings re EC1

Article 23 of the BL assigns direct responsibility to the board of directors for “ensuring the establishment, functionality, appropriateness, and adequacy of internal control, risk management, and internal audit inconformity with the applicable legislation; securing financial reporting systems; and specification of the powers and responsibilities within the bank”. The Article 29 of the BL states that the banks are obliged to establish and operate adequate and efficient internal control, risk management and internal audit systems that are in harmony with the scope and structure of their activities.

The definition of a “loan” is provided articles 48 and article 50 and provides a comprehensive list of the prudential standards and limitations for extending loans to the risk group of the bank. Article 51 and article 52 of the BL includes the framework regarding credit administration and monitoring.

Standards of credit underwriting, evaluation, administration and monitoring are further enumerated in the Guideline on Credit Management of Banks (GCM). It states that the processes should be consistent with the risk appetite, risk profile, systemic importance and capital strength of a bank; that the processes should take market and macroeconomic conditions into account and result in prudent standards of credit underwriting, evaluation, administration and monitoring. Additionally, there is a separate Guideline on Counterparty Credit Risk Management (GCPRM).

In addition to the credit risk management provisions described above, the GCM defines ‘credit management’. It includes the areas of credit marketing, credit granting, and credit monitoring. The GCM states that certain organizational structures in the credit area should avoid conflicts of interest that may be caused by units reporting to the same vice general manager that are involved in credit monitoring and tracking together with credit marketing and credit granting. The GCM also addresses certain MIS requirements, conformity with limits, and management of collateral. The following provides a description of the organization of the 2 functions of (credit) risk management and credit monitoring as conveyed to the assessor team.

Credit Risk Oversight Organization

Credit oversight is laid out in a two-fold manner.

1. (Credit) Risk Management

The board is charged with effective risk management and organizationally, such a unit must fall directly under it. As such, the unit falls under the audit committee as an extension of the board.

The “legal” independence of this unit is expected via RICAAP which enumerates in detail the responsibilities of the board including determining its organizational structure, strategies, as well as human resource considerations. In this regard the board is responsible for the appointment and dismissal of unit managers and training of staff.

This unit conducts a variety of risk management activities including credit portfolio/exposure surveillance. However, it does not conduct evaluation of individual credits to determine their internal classification status (standard, special mention, substandard, doubtful, loss). It takes this information generated from the “risk management function”, a management line function, as source data from which to calculate relevant trend information. It adds to that other analysis to monitor higher level trends and issues that management and the board should receive. Some of the information generated at this level includes:

Internal limits and ratios
Legal limits and ratios
Individual borrower limits
Sector concentration limits
NPLs figures (received from the credit review department)
Recent trends and developments in the portfolio(s) taking into account market and macroeconomic information

This type of information, at this level, will first go to the audit committee and then to the full board.

Among other things, this department is also typically responsible for monitoring the overall risk trends in the bank, designing the risk rating system used by the management/business lines, policies and procedures, model development for credit approval processes, review of model validations conducted elsewhere in the bank, etc. However, no work or analysis is conducted at the individual credit level.

2. Credit Monitoring Function (line management department/unit)

This unit is a management line function as are the marketing and underwriting functions. The later 2 are involved in credit origination, analysis, approvals (according to delegated loan authorities and controls), and administration.

The credit monitoring function represents management’s execution of their responsibility to monitor the business risk they put on the books of the bank. The business line (should be) is the party responsible for first identifying and flagging credit risk deterioration. If accomplished in a timely manner, this allows early intervention and possible rectification of potential credit problems.

Credit risk monitoring starts as soon as the subject loan is granted and consists of monitoring:

Past due status of the borrowers
Change in system generated risk ratings
Collateral status and coverage
Customer limits
Risk Center monitoring for developing borrower(s) trends
Opines on restructuring loans
Deteriorating credit as detected from past due information

In general, once a credit hits NPL status, it is sent to the loan work-out unit for more active management.

This unit provides the source data on, intern alia, individual deteriorating/NPL credits and NPL trend data on homogeneous credits to the board via the risk management function described above. Such data are management reports which may have more current (and different) classifications of credit than the system generates due to the timing of information input to the system.

The BRSA also conveyed that the internal audit function plays an important role in the credit risk management framework. Audits in the credit areas are intended to determine whether the credit process is consistent with board approved policies and procedures and the accuracy of management reports, and board and audit committee reports. As well, the BRSA added that loan review is the most prevalent activity in the internal audit plan(s).

According to REPL, banks are required to review their loan portfolio in terms of classification at least quarterly and they are required to document those reviewed for the largest 200 loans (or the ones above 250.000 TL). The BRSA indicated that the loan review documentation for the largest 200 loans is usually prepared by internal audit.

The BRSA, in its credit portfolio reviews, determines the extent to which internal bank ratings are automatically generated, both the homogeneous portfolios as well as the larger, individual credit exposures. The examiners review and use both management problem loan reports and the system generated reports during portfolio inspections.

The credit risk management oversight (line management function) and credit risk management function and the organization therein create loopholes in the independence and integrity of credit risk monitoring and reporting to bank boards and the BRSA. Key observations on the credit risk oversight organization:

Based on this design, which may vary in practice from institution to institution, the board has indeed established a (credit) risk management unit that complies with the letter of the law. Through this mechanism, the unit is able to provide high level trend and other analysis information.

However, there is no ongoing, independent credit risk monitoring of large individual exposures or homogeneous portfolios. Important source data (identification of deteriorating credits that have not yet reached an NPL status—as well as special mention credit and status of NPLs) is generated by the credit monitoring unit which is a business line management function. This information is also reported to the BRSA for monitoring and examination purposes.

• There is no independent verification (i.e., independent loan review function) that determines that 1) management identification processes are accurate and timely, 2) management, itself, is accurately recognizing its business risk, and 3) timely borrower intervention is activated.
• This critical input forms the basis of important MIS going to the board.
• Examiners, through their inspection process, have identified important, clearly inaccurate classifications of credit that could easily indicate key issues with 1-3 above. However, the significance of these inaccurate classifications was not clear from the examination samples reviewed. Consistently, there was no indication of the size of the sample of reviewed credits, how significant the aggregate, inaccurately classified credit was to the total portfolio, and if such findings could be extrapolated to the entire portfolio.

GCM Principle 9 presents the activities of units included in the bank’s internal systems (internal audit, risk management, compliance). Banks are to make “internal controls” (internal audits) with the objective to assess credit management processes, determine compliance with legal and bank limits, and to avoid deterioration in the credit portfolio. Activities, at a minimum, include: periodically assess the largest 200 credits of the bank which have the highest risks, test adequacy of collateral, assess the adequacy and accuracy of credit files; test non-performing loan identification; and assess the risk arising from exceptional operations. The activity also is to determine compliance with credit policies and procedures including authorizations, maturity, quality, and reporting to senior management.

Results of internal systems’ (risk management, internal audit) reviews are to be shared with senior management and the audit committee. The GCM goes on to indicate that banks establish an internal ratings system to manage credit risk. Retail customers are monitored through behavioral models. Corporate credits must be rated once a year (the REPL requires quarterly). Board of directors and senior management of the bank should be regularly informed about rating results.

The CAMEL rating process/GAR module lays out specific review processes for evaluating the credit risk management processes. For example, questions aim to check whether banks have the necessary policies and procedures regarding the credit risk management, risk appetite and CCR.

The BRSA undertakes special examinations that target certain banking activities/credit portfolios according to the risk evaluations conducted at the beginning of a bank’s supervisory cycle. The assessor team reviewed a sample of 4 such examinations in the credit portfolio area. See EC 3 for detail of observations.

EC2

The supervisor determines that a bank’s Board approves, and regularly reviews, the credit risk management strategy and significant policies and processes for assuming,⁴⁸ identifying, measuring, evaluating, monitoring, reporting and controlling or mitigating credit risk (including counterparty credit risk and associated potential future exposure) and that these are consistent with the risk appetite set by the Board. The supervisor also determines that senior management implements the credit risk strategy approved by the Board and develops the aforementioned policies and processes.

Description and findings re EC2

GCM Principle 1 requires that the board of directors to determine, in writing, and approve the credit strategies in light of market conditions, the bank’s financial condition, risk appetite, etc. It goes on to direct that the board of directors periodically reviews the financial and economic indicators used in establishing the credit strategy and make the necessary changes in the strategy and practices. Implementation of the credit risk strategy by the senior management or another related unit of the bank is also addressed throughout the GCM.

Principle 2 requires banks to establish marketing, credit-granting and monitoring policies in line with their credit volume and complexity of activities. According to paragraph 13, those policies are approved by the board of directors and reviewed annually (Paragraph 15). Credit procedures are established in writing by senior management or the board of directors according to Paragraph 25.

GCPRM directs that the board of directors must approve counterparty credit risk (CCR) management strategies. The level of risk appetite should be reviewed periodically and the frequency and scope of this review should be determined according to CCR level and complexity of the bank. A sound CCR management framework shall include the identification, measurement, management, approval and internal reporting of CCR. The Guideline details requirements for the measurement, monitoring, and reporting of CCR to the board and senior management. Parameters for CCR risk mitigation practices are enumerated as well.

The BRSA conducts onsite review of credit risk management and the attendant strategies, policies and controls through its CAMELS review/GAR methodology process. During this process, the examiners may decide to conduct specialty examinations targeting areas such as corporate loans, commercial loans, SME loans etc. These activities provide the opportunity for the examiners to test management implementation of board established risk appetite and strategies and current bank practices.

For more detailed description of the credit examination process, see EC 3 below.

EC3

The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:

a) a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments;
b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures;
c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system;
d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis;
e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff;
f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and
g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

Description and findings re EC3

Requirements addressing the above are contained in the BL, REPL, and GCM. REPL (Regulation on Procedures and Principles for Determination of Qualifications of Loans and other Receivables and Provisioning) has been revised and is awaiting publishing in the official Gazette. As relevant, the provisions in the new document are included.

a) policies for assuming credit risk w/o undue reliance on external assessments.

Article 52(1) of BL requires banks to measure credit risk; regularly analyze and monitor the financial standing of the counterparty; obtain the necessary information and documents; and establish the relevant procedures.

Principles 1-3 of the GCM require banks to establish credit strategies, credit policies and credit procedures. Specifically, principle 17 presents selected guidelines for determining customer limits, indebtedness, and solvency upon which to base credit granting – which relies on internal bank analysis. Principle 14 requires that banks obtain adequate information in order to assess the risk profile of the borrower and that (principle 13) banks have established assessment and approval functions for credit management and approvals.

b) procedures for new, renewed, and refinanced exposures; structured approval authorities.

Principles 11, 13 and 23 of GCM present parameters for approving new exposures, for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures. Principle 13 requires banks to establish assessment and approval functions for an effective credit management. Requirements and standards for restructured credit are enumerated in principle 23.

Restructured Credit

The current REPL, Article 11, goes further in addressing terms for restructuring credit. Credits experiencing a temporary liquidity problem may be restructured in order to provide (reasonable) assurance that the debt will be repaid. The article requires monitoring of restructured credits for at least six months in the Third (substandard), Fourth (doubtful), Fifth (loss) groups of loans and other receivables. During this period, provisions are continued to be set aside for the said receivables at the rates of special provisions applied on the relevant group. Credits may be restructured twice, the second time providing that 20% of the existing principal is collected each year. The draft REPL is silent on the maximum number of times a loan may be restructured but prescribes rather extensive “probation periods” for classification of special mention credits to be upgraded to standard (one year). When a substandard loan is subject to forbearance (restructuring), it can only be upgraded to special mention if certain conditions are met (including performing as agreed for one year). If a restructured special mention credit goes past due 30 days, then it must be classified substandard. However, the draft REPL prescribes a rather extensive timeframe for writing off such a substandard credit that hits the loss classification. It states that once a restructured credit falls into the substandard category and is past due for one year, it will be classified in the 5th group (loss) and the bank will be required to write-off the uncollateralized portion within a maximum period of one year.

Further, the regulation allows restructuring of loans in the loss category. Credits in this loan classification generally should not have the opportunity to be restructured as they are, by definition, permanently impaired and considered “nonbankable” assets. In some systems, such credits are prohibited from being restructured. (The draft REPL is silent on this, but, in fact, should offer guidance here as silence may indicate approval of previously allowed (imprudent) restructuring of loss credit.)

Restructured credit facilities may be transferred and posted to the “Account of Loan Facilities Renewed and Subject to Redemption Plan” at the end of this period, providing that at least fifteen percent (15%) of the total amount of receivables is repaid, and they are traced and pursued in the same group for at least six months, and the repayments are not delayed. (The draft REPL extends the monitoring period to one year before consideration of a classification change.)

Discussions with the BRSA indicated that reports on a host of credit issues are received by the offsite department, including information on restructured credits. Examiners indicated that restructured credit is, in fact, reviewed when special credit examinations are conducted – as a part of the relevant portfolio.

c) continued analysis of a borrower’s ability and willingness to repay under the terms of the debt; monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system.

Article 52 of the BL requires banks to “measure (loan exposures); regularly analyze and monitor the financial standing of the counterparty; obtain the necessary information and documents; and establish the relevant procedures”. GCM principles 1-3 and principles 15, 17, 24, 25 and 26 detail the parameters regarding the monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system. The Communique on Credit Risk Mitigation Techniques (CCRM) sets down procedures and principles relating to credit risk mitigation techniques to be used by banks in calculation of regulatory capital requirement. REPL presents the terms and conditions for asset classification.

Loan Classification System

REPL enumerates loan classification requirements. The Second Part of the regulation directs that loans are categorized/classified based on the state of borrower creditworthiness and/or delinquency status. The following presents the minimum for credit classification. Still, much of the classification process by the banks and examiners is driven by the past due status of the given credit(s).

Special Mention (“close monitoring”) – > 30 up to 90 days
Substandard (“limited collectability”) - > 90 up to 180 days (provisioning: 20%)
Doubtful - > 180 days to 1 year (50%)
Loss - > over 1 year (100%)
Credits classified substandard and worse are considered nonperforming.

Review of special examinations of loan portfolios, mutually agreed by the BRSA and the BCP team identified a number of key issues which are further discussed in BCP 18 Problem Assets, Provisions, and Reserves. However, the issues identified with REPL content are presented in here.

Classification categories enumerated and required by REPL are internationally used. However, the definitions for the classifications themselves are unclear and substantially overlapping. This is particularly the case for the special mention and substandard categories.

Special mention includes, according to the REPL, credits that:

are required to be monitored closely due to such reasons as observation of negative developments in solvency or cash flow of the debtor, or suspecting of such developments, or the borrower’s bearing a substantial and material financial risk
These elements indicate that, on a financial basis, the current sound worth and paying capacity of the borrower is exhibiting well defined credit weaknesses – the concrete definition of substandard.
The substandard definition reflects very similar parameters and goes on to state:
(credits) which fully have a limited collectability due to inadequacy of shareholders’ equity or guarantees of the borrower in repayment of debts on due dates thereof, and which may probably cause damages and losses if the observed problems are not corrected or remedied; or
creditworthiness of the borrower weakened and which is accepted to have been weakened

Review of the sample portfolio examinations clearly indicated that both the banks and the examiners are blurring the use of these 2 classification categories, although more so the banks in the examples seen. Furthermore, the examples highlighted that banks also are maintaining “watch lists” which can be considered precursors to special mention classifications (or worse). Reviews by the examiners accurately identified credits in this group that rightly deserved to be in substandard or worse categories. This may be, in part due to the nature of the special mention category (as well as the desire to avoid additional provisioning and disclosure). (It should be noted that, in their loan portfolio special examinations, examiners typically do not dive into the accuracy of credits already classified as NPL, but focus on those that are carried on management’s “watch list” and special mention credits.) The impact of this is further discussion in BCP 18. However, the definitions and use of the classifications require clarification and strengthening. Review of the draft REPL indicated much the same issue with the definitions.

The framework for loan loss provisions and observations therein are provided in BCP 18.

d) MIS for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis In addition to the general requirements regarding information systems of banks in RICAAP Article 11, Principles 6-8 of the GCM include the provisions for the documentation and information systems for credit risk. Principle 6 requires that information and documents concerning credits for each customer should be easily accessible, principle 7 requires banks to establish effective information systems with respect to the credit management. Moreover, in accordance with Principle 8 banks should design information systems in line with the size and complexity of their operations. Also in line with paragraph 56, results of internal system analysis will be shared regularly with senior management and audit committee regarding their importance.
e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff The RICAAP, specifically Article 5, requires that boards set an appropriate risk appetite and that risk limits are established commensurate with the risk appetite, capital, and management resource of the bank. The regulation requires effective communication of the risk appetite and limit structures through the bank.
f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary.

In accordance with paragraph 14 of the GCM, credit policies should address identifying and reporting exceptions to credit policy. Paragraph 59 of GCM require risk management units to assess and report the frequency of such credit exceptions.

g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

BCP 27, EC 3 details the BRSA’s requirements for model validation as per the GFVM. For CCR, Paragraph 7 of GCPRM stipulates that where the bank is using an internal model for CCR, senior management must be aware of the limitations and assumptions of the model used.

From the IT point of view, banks’ information systems must meet the standards set in RITEA. For example, according to article 25 (2)(b) of RITEA banks’ processes regarding retail and corporate loans are audited by external auditors and results of this audit are submitted to BRSA. If any deficiencies regarding standards laid down in RITEA are observed during the IT audits conducted by external auditors those deficiencies are taken into account within the scope of regular on-site examinations.

BRSA Credit Examination Process

The management and risk control over the credit operations of a bank are evaluated through both the CAMELS review/GAR methodology. During this process, the examiners may decide to conduct specialty examinations targeting areas such as corporate loans, commercial loans, SME loans etc. It is during the specialized examination process that the examiners have the opportunity to assess the effectiveness of the bank’s credit underwriting, monitoring, early identification and classification processes as well as the risk management oversight mechanisms. Further comments on the adequacy of the examination process are offered in the rating comments below and in BCP 18.

EC4

The supervisor determines that banks have policies and processes to monitor the total indebtedness of entities to which they extend credit and any risk factors that may result in default including significant unhedged foreign exchange risk.

Description and findings re EC4

Banks are required to have policies and processes to monitor the total amount of customer indebtedness held by the bank. According to Article 107 of GCM, the foreign exchange risk exposure of customers in other banks is also taken into consideration in effective credit administration process.

In the CAMELS risk assessment process, GAR process directs examiners to have information about total indebtedness of firms in the market. Reviews of 4 sample examinations showed that aggregate customer indebtedness (on and off-balance sheet) is also gathered during certain specialized examinations and classified consistent with the borrower classification. However, the manner in which the examiners present and write up the credits that they review during the special examination does not clearly depict the nature and volume of other related exposures (in the given bank) which, if presented, would help put the overall borrower relationship in context.

EC5

The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.

Description and findings re EC5

Article 50 of the BL requires banks that the loan conditions cannot vary from the loans made available to other persons and groups and from market conditions, in favor of the borrower. It explicitly states that all loans should be extended on an arm’s length basis.

Please also see BCP 20, Related Parties.

EC6

The supervisor requires that the credit policy prescribes that major credit risk exposures exceeding a certain amount or percentage of the bank’s capital are to be decided by the bank’s Board or senior management. The same applies to credit risk exposures that are especially risky or otherwise not in line with the mainstream of the bank’s activities.

Description and findings re EC6

According to Article 5(1) of Regulation on Credit Transactions by Banks (RCT), the powers for extension of credit in a bank basically rest with the board of directors and the board may delegate its powers for extension of credit to a credit committee or headquarters. According to Article 5(2) the maximum amounts the board of directors can delegate to credit committee or headquarters are up to 10 percent and up to 1 percent of own funds respectively.

EC7

The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.

Description and findings re EC7

Articles 65, 66, 95 and 96 of the BL grant the right to the BRSA to have full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk. The institutions under the scope of BL and their activities shall be subject to supervision of the BRSA. The BRSA may send representatives to the meetings of the general assemblies of banks, for observation purposes. The institutions should keep their information and documents regarding their internal control, risk management and internal audit systems, accounting and financial reporting units, financial statements and reports as well as loans extended to risk groups, as ready and appropriate for consolidated supervision.

EC8

The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes.

Description and findings re EC8

According to Article 43(4) of RICAAP, banks are required to have stress testing program which requires, an overall firm-wide stress testing, in addition to each material risk type, including credit risk.

According to principle 27 of GCM, banks should perform stress testing and scenario analysis in monitoring and measuring risks arising from credit portfolio. Banks are required to make analysis on the current and future capital requirements for credit risk. Banks are required to conduct stress testing on an individual risk level and also on a firm-wide basis. GCPRM principle 7 also gives guidance on counterparty credit risk stress testing program.

For a more expanded discussion on stress testing parameters and observations, see BCP 8 EC 5.

Assessment of Principle 17

Materially Non-compliant

Comment

The legal framework for credit risk is generally comprehensive. It establishes the responsibility of the board in this area, requires a framework for the credit business of banks, as well as prescribes properly controlled credit risk environment. However, several issues exist within the framework which compromise the effectiveness of this framework and its application.

As prescribed in regulation and organized in practice (verified through review of credit portfolio special examinations presented by the BRSA during the assessment) the credit risk management oversight (line management function) and credit risk management function and the organization therein create loopholes in independence and integrity of credit risk monitoring and reporting to bank boards and the BRSA:

1. The framework design does not require ongoing, independent (from the business line) credit risk monitoring of large individual exposures or homogeneous portfolios. Important source data (e.g., identification of deteriorating credits, level of (accurately) classified assets, status of restructured credits, etc.) is generated by a line management function (credit monitoring) without independent verification that 1) management identification processes are accurate and timely, 2) that management, itself, is well informed of the risk it is running and is upholding board prescribed underwriting standards, and therefore, accurately conveying its business risk, and that 3) timely borrower intervention is activated.

2. This (unverified) information generated by the line function is source data used by the risk management functions for audit committee and board reporting and is also likely the information also reported to the BRSA for monitoring and examination purposes.

Although the internal audit function plays an important role in ensuring a strong control environment, the function itself is not designed to play an ongoing surveillance role such as the independent credit risk management unit. It cannot replace the need to have such a function within the bank(s).

Highlighting the issues surrounding this organizational environment, examiners, through their inspection process, have identified important, clearly inaccurate classifications of credit that could easily indicate the existence of 1 and 2 above. However, the significance of these inaccurate classifications was not clear from the examination samples reviewed. Consistently, there was no indication of the size of the sample of reviewed credits, how significant the aggregate, inaccurately classified credit was to the total portfolio, and if such findings could be extrapolated to the entire portfolio.

Credit classification definitions, particularly in the special mention and substandard categories are overlapping. Evidence demonstrates that both the examiners, but especially the bankers, fluidly move credits among these categories which compromises the picture of the bank’s risk profile which accurate classification is intended to depict. As well, such movement and less rigorous classification impacts provisioning levels and ultimately, the accuracy of the bank’s financial statement.

The REPL explicitly allows restructuring of loss credit which is considering in many systems to be outright imprudent activity as such loans are, by definition, permanently impaired and considered “nonbankable” assets. In some systems, such credits are prohibited from being restructured. The draft REPL is silent on this issue but theoretically would allow this practice. This practice should be explicitly addressed (disallowed).

The manner in which the examiners present and write up the credits that they review during the special examination does not clearly depict the nature and volume of other related exposures (in the given bank) which, if presented, would help put the overall borrower relationship in context.

Principle 18

Problem assets, provisions and reserves.⁴⁹ The supervisor determines that banks have adequate policies and processes for the early identification and management of problem assets, and the maintenance of adequate provisions and reserves.⁵⁰

Essential criteria

EC1

Laws, regulations or the supervisor require banks to formulate policies and processes for identifying and managing problem assets. In addition, laws, regulations or the supervisor require regular review by banks of their problem assets (at an individual level or at a portfolio level for assets with homogenous characteristics) and asset classification, provisioning and write-offs.

Description and findings re EC1

Articles 52 and 53 of the BL stipulate the rules that banks must follow for loan evaluation. In particular, Article 52 of the BL requires banks to regularly analyze and monitor the financial standing of their borrowers and borrowers are obliged to provide the necessary information to the banks on both solo and consolidated basis. Article 53 requires banks to establish, implement, and regularly review the policies regarding the monitoring of the loans under follow-up and their loan loss provisions. In addition, the Regulation on the Procedures and Principles for the Evaluation of Loans and Other Receivables (REPL) sets the rules on classification of loans (into five groups) and the criteria for loan loss provisioning.

Article 12(9) of REPL requires banks to prepare an exclusive report containing views about the loans that exceed TL 250,000 and, in any case, the largest top 200 loans, on a quarterly basis or in case of occurrence of any risk event.

The article 16(10) and (12) of the Communiqué on Financial Statements and Their Disclosures to be Announced to Public by Banks (CPD) requires banks to disclose the amounts of write-offs as well as their policies and procedures on write-offs respectively.

On the other hand, the REPL does not include parameters for write-offs. The draft REPL specifies write-off criteria in relation to IFRS 9 requirements.

Additionally, in GCM, principle 28 states that banks should have written policies concerning the management of non-performing loans and receivables. The processes of credit monitoring and liquidation should be established in a way to secure collection efficiency. As well, banks should establish a unit apart from credit assessment and marketing units for the management of NPLs. Banks should identify the criteria concerning the determination and reporting of problematic loans which need to be monitored closely, classified into a different group, and which require provisioning and/or additional remedial measures.

The proper implementation of REPL is assessed during the on-site examinations and the data on Performing Loans, Non-Performing Loans, Restructured Loans and Provisions for Non-Performing Loans, Solo and Consolidated Compliance of Banks to Credit Limits are monitored offsite by means of call reports sent by banks on a monthly/quarterly basis.

Furthermore, audit committee reports and meetings are analyzed in terms of credit classification and provisioning. Management committee meetings and board decisions about the policies and strategies established for the management of problem assets are also evaluated during the on-site examination process.

Of note, the BRSA prepared a new draft REPL for which the responses of the stakeholders haves been received during the public consultation phase. Draft REPL is currently awaiting publication in the official gazette. The BRSA informed the BCP team that the draft takes into account IFRS 9 for provisioning purposes and keeps five group classification of the current regulation. Additionally;

* the entry and exit criteria of sub-groups are elaborated,

* the definition of non-performing loans is linked to the Basel II default definition and the stage 3 of the IFRS 9,

* forbearance is defined as a cross-cutting category based on EBA ITS dated 20.02.2015.

* criteria for reclassification from non-performing to performing loans is determined,

* write-off criteria are laid down by considering IFRS 9 requirements,

* expected loan loss provisions are required to be recognized in compliance with the IFRS 9, and

* Banks are required to review loans on a quarterly basis or in case of occurrence of any risk event for re-classification purposes. Also, the banks are required to document their assessments regarding the largest 200 loans or the loans exceeding TL 500.000.

EC2

The supervisor determines the adequacy of a bank’s policies and processes for grading and classifying its assets and establishing appropriate and robust provisioning levels. The reviews supporting the supervisor’s opinion may be conducted by external experts, with the supervisor reviewing the work of the external experts to determine the adequacy of the bank’s policies and processes

Description and findings re EC2

The on-site examiners assess the objectivity and adequacy of internal procedures and internal controls necessary for an independent inspection of bank lending activities. The SMCEP directs that this assessment as well as the assessment of the adequacy of a bank’s policies and processes for grading, classifying, and provisioning its assets are made taking into account several factors such as:

The effectiveness of the internal rating system of the bank,
Whether the internal procedures as well as the MIS system of the bank allow for the board and management to obtain timely and appropriate information on the condition of the loan portfolios,
Whether the internal procedures of the bank established for monitoring the loan portfolios and classification of the loans are in compliance with the relevant legislation,
Whether the findings of the internal audit and internal control groups about the problem assets are sufficiently taken into account by the bank’s management,
Robustness of the collateral data used for capital adequacy calculations,
The adequacy of the provisioning levels of the bank in relation to regulatory requirements and with respect to the risk profile and quality of the credit risk management system of the bank,
The accuracy of loan classification based on a sufficiently large examination sample of loans.

During the full scope examinations, with reference to SMCEP, the on-site team assesses a cross section of a significantly large sample of individual loans, including the highest risk exposures. In particular, loans are selected on the basis of different sources and criteria including, inter alia,

the loan reports produced by the bank,
list of loans categorized in the second group (special mention) pursuant to REPL,
list of loans past due,
the report of potential problem loans produced by the off-site team,
previous examination reports produced by the BRSA with respect to the loan portfolio of the bank,
list of obligors classified in the 2nd group (special mention) by other banks pursuant to the REPL,
list of restructured/rescheduled loans.
the selection of the sample of individual loans pays particular attention to the significance of the individual loan in the portfolio and to the fact that the examination sample adequately represents the total loan portfolio of the bank. In every instance, on-site team examines at least the 200 firms/obligors having the highest level of risk in the total loan portfolio.

Furthermore, notes to financial statements prepared according to the CPD and audited by external auditors, include various information on issues such as grading and classification of assets, and the loan loss provisioning levels. This information is also reviewed with respect to their consistency with the information provided by the bank and where appropriate, used as an input during the on-site examination process.

As well, examiners pay particular attention to the loans classified as special mention since these loans have a potential to be classified as NPL in the future. In that context, according to the SMCEP, on-site examiners take into account several factors including the following:

- whether the debtor is classified in the special mention group by other banks,

- whether the debtor has been refinanced by the bank under examination or by any other bank in the sector,

- whether the debtor has any reimbursed non-cash loans in the bank under examination or in any other bank in the sector,

- whether the debtor has any NPL in the bank under examination or in any other bank in the sector in the past.

Assessor Observations:

The BCP team reviewed special examinations of credit portfolios, mutually agreed by the assessors and the supervisors. The reviews focused on the process of the examination team, findings and subsequent supervisory response/corrective actions. The examination findings were thorough and demonstrated application of many of the above outlined objectives. At the same time, the review identified the following key points which are embedded in the analysis and results process:

• Of the credits reviewed, written up, and featured in the examination reports, the exam team did, in fact, identify important deficiencies in the subject bank’s classification and the (lack of) accuracy therein.

• Review of the examination report highlighted several issues:

○ Size and significance of the group credits sampled and reviewed was not enumerated.

○ A number of credits were re-classified by the examiners.

◾ There was no indication of the relative significance of the findings relative to the total portfolio, especially given some of the critical classification issues identified. No indication if the findings could be extrapolated to the rest of the portfolio.

◾ No indication if, based on the findings, expansion of the credit sample was warranted to support findings about the condition of the portfolio.

◾ The loan write-ups themselves were not complete enough to convey the nature of the credit relationship and any connected customer relationships/exposures. Total indebtedness did not break out the various, more significant on/off balance sheet extensions; context of the total credit relationship was not provided, i.e., payment history: number of times the credit—and associated credits—had been renewed or restructured, if interest was capitalized, if the credit was on nonaccrual, what the collateral position was and integrity of estimated values, etc.

◾ As a result of limited information in the write up, it was difficult to assess if the final classification was accurate or not.

◾ Provisioning impact was not presented.

◾ There was no documentation retained on the review of the “standard” loans in order to substantiate the reasonableness of maintaining the standard classification.

• Overall conclusions focused on internal control issues rather than higher level implications on the condition and management of the credit portfolio under examination.

• As a result, the examination exercise missed opportunity to identify very important linkages with and conclusions on:

○ Management’s understanding of their business and credit risk, ability to identify deterioration proactively – thereby allowing for early intervention.

○ Implications for internal systems => function, role, and independence of credit risk management – thereby validating the systems that both the bank’s board and the BRSA depends upon in order to effectively oversee the institution. As well, these systems are key to the exercise of risk based supervision by the BRSA.

○ Inputs to evaluate corporate governance of the bank.

○ Accuracy of information conveyed to the board and the BRSA

Drawing such conclusions and linkages to management adequacy and internal systems then, is critical to validating the systems risk based supervision depends upon. Also, it would provide the basis for supervisory response and, as required, corrective actions by the BRSA.

During discussions with the BCP team, the BRSA conveyed that although such linkages are not explicitly presented in the reports themselves, they are, indeed, very important inputs to the CAMELS risk rating process as well as to the risk matrix and profile. These instruments then convey the level of supervisory priority and serve as an input for future supervisory activities.

EC3

The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.⁵¹

Description and findings re EC3

With reference to article 48 of the BL, the REPL covers the rules for classification and provisioning of all off-balance sheet items. The draft regulation also covers the rules for classification and provisioning of all off-balance sheet items.

On-site examiners evaluate the adequacy of the classification of and provisioning for off-balance items, with respect to REPL, taking into account several factors such as

- whether the obligor has reimbursed non-cash loans,

- the ratio of reimbursed non-cash loans to total non-cash loan portfolio of the bank,

- past due days of the obligor with respect to cash loans,

- the level of concentration risk in off-balance sheet items.

EC4

The supervisor determines that banks have appropriate policies and processes to ensure that provisions and write-offs are timely and reflect realistic repayment and recovery expectations, taking into account market and macroeconomic conditions.

Description and findings re EC4

The minimum provisioning rates are determined according to the loan categories. Articles 6(3) and 6(4) of the REPL require banks to consider financial and macroeconomic factors including sectoral and firm specific conditions and to base their calculations on reasonable and supportable assumptions. Additionally, article 10(8) of the REPL allows banks to make higher provisions than the minimum rates stipulated in the article 8 of the REPL. REPL authorizes BRSB to set higher levels of general and special provisions taking into account the risks in different sectors and countries.

The draft REPL requires banks to recognize their loan loss provisions consistent with IFRS 9. The BRSB is authorized to increase general and special provisioning levels both for a specific bank or a specific loan type for the whole banking sector.

As mentioned in EC1, the REPL does not include a rule on write-offs. However, write-off criteria are laid down in draft Regulation on the Procedures and Principles for Accounting Practices and Retention of Documents by Banks (RAP) by considering IFRS 9 requirements which was opened for public consultation. In that context, article 10(A) of the draft RAP requires banks to write-off the uncollateralized portion of their non-performing loans within a maximum period of one year after their classification in the 5th group.

In addition to the above mentioned draft regulations, the BRSA will publish a guideline in alignment with the Guidance on Credit Risk and Accounting for the Expected Credit Loss (GACL) published by the BCBS so that the GACL will be incorporated into the national regulatory framework. As a result, within the context of IFRS 9 and the GACL, forward looking information and macroeconomic factors are to be taken into account by banks in provisioning.

The current provisioning requirements are as follows:

Asset Classification	Past Due Period	Provisioning (Net of Collateral for special provisions)
		Loans	Off-balance Sheet
Group 1/Standard⁵²	up to 30	.5% - 5.0%⁵³	O% - .20%
Retail w/extension		10%⁵⁴	0% - .20%
Group 2/Special	30 - 90	2%	.4%
Mention
Retail		10%	.4%
Group 3/Substandard	90 - 180	20%	20%
Group 4/Doubtful	180 - 360	50%	50%
Group 5/Loss	◾360	100%	100%

In addition to the provisioning requirements above, specific provisions are made net of collateral values. REPL assigns a haircut to collateral values depending on the item. Requirements for valuation of collateral are specified in CCRM and GFVM. The BCP team was informed that banks ensure that adequate collateral underpins the preponderance of their credit exposures, sometimes to the extent of over-collateralizing. Real estate composes the majority of the collateral. Banks use firms approved by the BRSA to value real estate. Underlying collateral must be revalued once a credit exposure is classified as NPL. In general, banks have approximately 75% loan loss coverage on current NPL levels.

Several observations are made on the provisioning for NPLs, special mention, and the general portfolio. The historical and statistical support for standard (general) and special mention loan categories is not substantiated by accumulated experience. It is not clear if appraised values, within a range, are being realized upon the sale of the properties or if provisioned amounts are adequately covering loss experience on classified loans. Clear parameters should be established for periodic valuation of underlying collateral on NPL exposures.

The on-site examination teams assess the adequacy of the provisioning levels of the bank with respect to regulatory requirements stipulated in REPL. Write-offs and loan sales are also considered in the context of the examination of NPL portfolio of the bank. In that context, on-site examiners analyze the internal policies, procedures and practices of the bank with respect to write-offs and asset sales.

Off-site supervision makes analysis complementary to the on-site work and produces early warning information regarding the loan portfolio. In that context, a Report on Potentially Problematic Loans on a semiannual basis is produced and sent to on-site examination teams. In that report, a loan is considered to be potentially problematic if it meets one of the following criteria:

- if the loan is classified as NPL by any bank,
- if the loan is classified as NPL by any non-bank financial institution,
- based on the information received from on-site supervision function, if it is classified as NPL by the on-site examination team,
- if the loan is transferred to an asset management company.

With regard to provisions of the SMCEP, on-site examiners to take into account the above mentioned report in their analysis of the loan portfolio and in the selection of the loan sample to be examined.

EC5

The supervisor determines that banks have appropriate policies and processes, and organizational resources for the early identification of deteriorating assets, for ongoing oversight of problem assets, and for collecting on past due obligations. For portfolios of credit exposures with homogeneous characteristics, the exposures are classified when payments are contractually in arrears for a minimum number of days (e.g., 30, 60, 90 days). The supervisor tests banks’ treatment of assets with a view to identifying any material circumvention of the classification and provisioning standards (e.g., rescheduling, refinancing or reclassification of loans).

Description and findings re EC5

Please refer to EC 1 and 4 for relevant regulations and credit portfolio review processes. The draft REPL states that loans that have an immaterial balance and that have homogenous characteristics with regard to the type, credit grading/scores, collateral, effective date, date to maturity, geographical location of the debtor and loan to value ratio can be assessed on a group basis.

Examiners review homogenous credits based on various inputs including delinquency status, trends in the portfolio and market, and review of banks’ internal risk rating models, if used.

EC6

The supervisor obtains information on a regular basis, and in relevant detail, or has full access to information concerning the classification of assets and provisioning. The supervisor requires banks to have adequate documentation to support their classification and provisioning levels.

Description and findings re EC6

REPL requires banks to record, classify, monitor, and asses their loans in alignment with Article 4 of the REPL. Banks are obliged to prepare an exclusive report containing views about the loans that exceed TL 250,000 and, in any case, the largest top 200 loans, on a quarterly basis or in case of any significant risk event.

The draft REPL also requires banks to maintain adequate documentation to support their asset classification and provisioning levels. Banks are required to review their loans on a quarterly basis or in case of occurrence of any risk event for re-classification purposes. Banks are required to document their assessments regarding the largest 200 loans or the loans exceeding TL 500.000.

Regarding the reports received by the BRSA with regard to classification of assets and provisioning, banks are obliged to submit off-site call reports on asset classification, asset quality and provisioning. The monthly detailed loan report (KR202AS) provides customer level details of each loan, including, loan classification, loan type (cash, non-cash), sector, collateral, date of default, and provision amount.

The BRSA also has access to the more detailed CRB data which also includes scoring information of debtors. In the BRSA reporting sets, asset management companies are also required to report their acquired portfolios (corporate, retail or other) on a quarterly basis. Moreover, supervisors always have access to banks’ records and staff when required.

EC7

The supervisor assesses whether the classification of the assets and the provisioning is adequate for prudential purposes. If asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (e.g., if the supervisor considers existing or anticipated deterioration in asset quality to be of concern or if the provisions do not fully reflect losses expected to be incurred), the supervisor has the power to require the bank to adjust its classifications of individual assets, increase its levels of provisioning, reserves or capital and, if necessary, impose other remedial measures.

Description and findings re EC7

In case on-site supervisors determine that asset classifications are inaccurate or provisions are deemed to be inadequate for prudential purposes (based on the classification criteria in Article 4 of REPL) then the bank is instructed to reclassify those assets and/or set aside additional provisions. Additionally, insufficient provisioning or misclassification of assets are breaches that lead to financial penalty according to Article 146(1)(i) and 148(1)(b) respectively.

Furthermore, pursuant to Articles 67 and 68 of the BL, the BRSA is authorized to require banks, as a part of corrective measures, to set aside higher provisions if, among other things, the quality of assets have deteriorated in such a manner that its financial structure will weaken.

As well, article 37 of BL states that, in cases where it is determined that the financial statements have been mispresented, the BRSB also can take necessary measures. So, if provisioning level of a bank presented on financial statements approved by external auditors is determined as insufficient by the BRSA examiners, the BRSB may require banks to set aside additional provisions.

Under the draft REPL the BRSB is authorized to increase general and special provisioning levels both for a specific bank or a specific loan type for the whole banking sector.

On-site examiners assess the accuracy of the loan classifications and adequacy of provisioning levels with respect to REPL as well as the risk profile of the bank and the quality of its credit risk management system.

Please refer to EC2, EC3, EC4 and EC5 for further details.

EC8

The supervisor requires banks to have appropriate mechanisms in place for regularly assessing the value of risk mitigants, including guarantees, credit derivatives and collateral. The valuation of collateral reflects the net realizable value, taking into account prevailing market conditions.

Description and findings re EC8

Articles 9 and 10 of REPL set forth the requirements pertaining to collateral including valuation and applicable haircuts when computing special provisions to be made by banks. Accordingly, the valuation of the collaterals is based on TAS. On the other hand, REPL lays down specific requirements to value real estate, lien on properties. Banks are also required to assess the value of the collateral in the incidence of a risk event or within reasonable intervals according to the article 10(1)(c).

The CCRM enumerates a number of guidelines on valuation of collateral. Additionally, Guideline on Fair Value Measurement (GFVM) provides principles for calculating the fair value of financial instruments which are classified as risk mitigants, credit derivatives or collaterals. As well, banks must have monitoring and control procedures and processes including valuation and risk of loss of effectiveness of credit risk mitigation.

Credit risk mitigation techniques are regulated in CCRM in order to set down procedures and principles to be used by banks in calculation of risk-weighted amount under the scope of Standardized Approach and risk weighted exposure amounts and expected loss under the scope of Foundation IRB Approach.

The draft REPL requires banks to value loan collateral, for calculation of the loan loss provisions, based on the net realizable value of the collateral. Since net realizable values takes into account the fair value, prevailing market conditions are factored into the valuation. In addition, valuations of real estate collateral is subject to principles set out in the RCA. Real estate collateral must be revalued at the time loans are classified as NPL.

EC9

Laws, regulations or the supervisor establish criteria for assets to be:

a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and
b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).

Description and findings re EC9

See EC 1-4 above. REPL defines problem assets taking into account past due days and credit worthiness of the obligor. As well, the draft REPL links the Basel II default definition and the stage 3 of the IFRS 9the to definition of non-performing loans. As such, although the regulation considers loans classified as special mention performing loans, banks are required to recognize life-time expected loss for this group of loans since they are mapped to 2nd stage of the IFRS 9. Additionally, banks are required to establish relevant systems for closely monitoring 2nd group loans pursuant to Article 18(4) of the draft regulation.

EC10

The supervisor determines that the bank’s Board obtains timely and appropriate information on the condition of the bank’s asset portfolio, including classification of assets, the level of provisions and reserves and major problem assets. The information includes, at a minimum, summary results of the latest asset review process, comparative trends in the overall quality of problem assets, and measurements of existing or anticipated deterioration in asset quality and losses expected to be incurred.

Description and findings re EC10

On-site examiners evaluate whether the MIS and internal procedures of the bank allow for the sufficient level of information flow to bank’s board so as to obtain timely and appropriate information with regard to the classification of loans, the provisioning levels and problem assets.

Please refer to EC2 for further details.

EC11

The supervisor requires that valuation, classification and provisioning, at least for significant exposures, are conducted on an individual item basis. For this purpose, supervisors require banks to set an appropriate threshold for the purpose of identifying significant exposures and to regularly review the level of the threshold.

Description and findings re EC11

Banks are obliged to prepare an exclusive report containing views about the loans that exceed TL 250,000 and, in any case, the largest top 200 loans, on a quarterly basis or in case of occurrence of any risk event according to the article 12(9) of the REPL. In the draft REPL, banks will be required to document their assessments of the largest 200 loans or loans exceeding TL 500.000.

EC12

The supervisor regularly assesses any trends and concentrations in risk and risk build-up across the banking sector in relation to banks’ problem assets and takes into account any observed concentration in the risk mitigation strategies adopted by banks and the potential effect on the efficacy of the mitigant in reducing loss. The supervisor considers the adequacy of provisions and reserves at the bank and banking system level in the light of this assessment.

Description and findings re EC12

Credit concentration risk and trends across the banking sector are monitored by loan types, geography and industry by off-site supervision department through monthly banking sector overview presentations and loan reports. Non-performing loans by segment, sectors, and provisioning rates as well as loans under follow up and restructured loans are also monitored.

Overview of the banking sector, risk concentrations and trends are presented to the BRSA Board and some committees such as FSC and CC where necessary actions will be discussed and initiated. Macro prudential measures on consumer loans such as credit restrictions (increasing minimum payment ratios of credit cards, maturity restriction for consumer loans, loan to value ratio for housing and vehicle loans etc.), increasing risk weights for capital adequacy, increasing general provision ratios in order to curb credit growth and risk accumulation may be given as recent examples.

Furthermore, stress tests are used for estimating following 2 years loan growth, NPL growth (PD and LGD for economic capital) under both baseline and adverse scenarios (please refer to CP 9 EC5 for further details).

Assessment of Principle 18

Materially Non-compliant

Comments

The framework for credit classification and provisioning is generally adequate. However, the accuracy asset classification by banks, and therefore the integrity reporting to boards and the BRSA is called into question given the nature of reclassifications assigned by onsite examiners and the lack of documentation therein. Loan write ups require more support and context as well as need to present nature of collateral and provision impact. Examination conclusions focus more on internal control issues rather than higher level implications for the condition and management of the credit portfolio under examination.

Given the lack of (documented) focus on the implications of important bank processes, the examination exercise missed opportunity to identify very important linkages with and conclusions on:

Management’s understanding of their business and credit risk, ability to identify deterioration proactively – thereby allowing for early intervention.
Implications for internal systems => function, role, and independence of credit risk management – thereby validating the systems that the bank’s board and the BRSA depends upon in order to effectively oversee the institution. As well, these systems are key to the exercise of risk based supervision by the BRSA.
Inputs to evaluate corporate governance of the bank.
Accuracy of information conveyed to the board and the BRSA

As well, the historical and statistical support for standard (general) and special mention loan categories is not substantiated by accumulated experience. It is not clear if appraised values, within a range, are being realized upon the sale of the properties or if provisioned amounts are adequately covering loss experience on classified loans. Clear parameters should be established for periodic valuation of underlying collateral on NPL exposures.

Principle 19

Concentration risk and large exposure limits. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate concentrations of risk on a timely basis. Supervisors set prudential limits to restrict bank exposures to single counterparties or groups of connected counterparties.⁵⁵

Essential criteria

EC1

Laws, regulations or the supervisor require banks to have policies and processes that provide a comprehensive bank-wide view of significant sources of concentration risk.⁵⁶ Exposures arising from off-balance sheet as well as on-balance sheet items and from contingent liabilities are captured.

Description and findings re EC1

Article 48 of the BL contains a very comprehensive definition of a loan which includes both on and off balance sheet exposures. RICAAP article 35(4) requires banks to have effective risk management systems for key risks, based on their level of importance, including concentration risks. Further, the banks shall have a mechanism through which to evaluate the integrity of the risk management process including how large loans and risk concentrations are overseen.

GMCR is a principle based guideline which explains the best practices expected from banks in the area of management of concentration risk within the framework of RICAAP. Banks are to have a system of identifying exposures to single or connected counterparties in the same markets, sectors, supply chains, partnerships, guarantor relationship and geographic region or activity fields and capture both on-balance sheet and off-balance sheet positions as well as assets and liabilities, both on consolidated and non-consolidated basis. Banks are required to specify personnel and units responsible for the management of concentration risk and have written policies and procedures for active monitoring, control and mitigation of concentration of risk.

GCM directs that credit risk management processes should address concentration risk and diversification therein in the banks’ credit strategies and policies. As appropriate, banks should mitigate increases in credit risk concentrations using various management tool such as product price differentiation.

Concentration risk is an important focus of the CAMELS review/GAR methodology process. As well, it is captured in the ICAAP process and the supervisory review. Supervisory evaluation of concentration risk also feeds into the risk matrix prepared as a part of the supervisory cycle.

EC2

The supervisor determines that a bank’s information systems identify and aggregate on a timely basis, and facilitate active management of, exposures creating risk concentrations and large exposure⁵⁷ to single counterparties or groups of connected counterparties.

Description and findings re EC2

GCM Principle 8, directs that banks must have information systems which can monitor exposures by customer, group, sub-portfolios and all portfolio. GMCR Principle 3 requires banks to have adequate data management systems to identify concentrations across business lines and firm-wide and on an on- and off-balance sheet basis. Such concentrations must be reported to senior management and to relevant business units to support decision making.

Special examinations provide the opportunity for examiners to evaluate aggregation systems for concentrations of risk. More specifically, during on-site examinations of credit portfolios, examiners are required to pick up total customer relationship exposures in order to evaluate credit quality on an individual exposure basis. Through this, as the assessors review of a sample of special inspections revealed, the examiners are able to pick up issues with the subject bank’s system. The CAMELS review/GAR methodology requires supervisors to address concentration risk in counterparty, product, sector and geographical region groupings.

From the IT point of view, banks’ information systems are required to meet the standards set in RITEA. Banks’ retail and corporate loans systems (including monitoring loan limits) are audited by external auditors and results of this audit are submitted to BRSA. Identified deficiencies are taken into account during regular on-site examinations.

EC3

The supervisor determines that a bank’s risk management policies and processes establish thresholds for acceptable concentrations of risk, reflecting the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff. The supervisor also determines that the bank’s policies and processes require all material concentrations to be regularly reviewed and reported to the bank’s Board.

Description and findings re EC3

Concentration risk is addressed by banks through setting strategic planning and business objectives, establishing and monitoring counterparty specific, portfolio, product and other limit structures and position objectives, and risk oversight mechanisms. These elements are addressed, in part, in GMCR which requires banks to set limits in order to manage concentration risks.

Paragraphs 47 and 48 of GMCR require banks to have a system to report concentration risk timely, accurately and comprehensively to senior management, boards, and related units ensuring effective decision-making in the management of concentration risk. RICAAP requires the bank’s system of limits, risk appetite, etc. to be communicated throughout the bank.

Risk concentrations are captured in the ICAAP process which is reviewed by the BRSA.

A framework for risk concentration control and management is provided through regulation and the RICAAP process. However, review of the onsite examination process for credit risk (CP 17, 18) where issues surrounding risk identification as well as questions surrounding the implications of findings on the broader risk management processes were cited could have a bearing on the supervisory process for concentration risk identification, monitoring and control.

EC4

The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.

Description and findings re EC4

The surveillance call reports received from banks include details of sector, geography and currency information and risk concentration on customer basis (KR202AS-monthly). Monthly basis summary call reports on country risk and currency concentration (UL200AS, UL211AS) enable off-site supervisors to evaluate the extent of on and off-balance sheet concentration risk in banks. Single and group exposures (close to or in excess of 20% of regulatory capital for related party and 25% for other individual or group exposure); large exposures; top 25, 50 and 100 exposures are also received.

Supervision reports and reviews include concentrations including loan portfolio, sectoral, geographical, currency accumulations. Findings are compared against peer group and sector positions and used in banks’ risk assessment reports.

There are minimum regulatory requirements for loan concentrations which are closely monitored. These, which are determined by laws and regulations, include, inter alia, banks own risk group, major owners, large exposures (KS100AS and KS100UK, exposure limits consolidated and non-consolidated), real estate (GS100AS, real estate limits).

Furthermore, Article 12(9) of REPL requires banks to prepare an exclusive report containing views about the loans that exceed TL 250,000 and, in any case, the largest top 200 loans, on a quarterly basis or in case of occurrence of any risk event.

EC5

In respect of credit exposure to single counterparties or groups of connected counterparties, laws or regulations explicitly define, or the supervisor has the power to define, a “group of connected counterparties” to reflect actual risk exposure. The supervisor may exercise discretion in applying this definition on a case by case basis.

Description and findings re EC5

Article 49 of the BL defines the following four risk groups (a) group of counterparties unconnected with the bank, (b) related parties (those connected with the bank), (c) group of connected counterparties of state owned banks and (d) group of connected counterparties of state owned non-bank enterprises. The Article states that the “the BRSA shall set the principles and procedures of implementation of this Article and principles and procedures to be applicable to the identification of the (natural) and legal persons to be included in the same risk group….”. The BRSA has covered these elements in the RCT, which prescribes the norms for identifying risk groups and aggregating various types of cash and noncash exposures. Article 49 of the BL requires banks to include in the same risk group, real (natural) and legal persons that have surety, guarantee or similar relationships where the insolvency of one will lead to the insolvency of the other.

EC6

Laws, regulations or the supervisor set prudent and appropriate⁵⁸ requirements to control and constrain large credit exposures to a single counterparty or a group of connected counterparties. “Exposures” for this purpose include all claims and transactions (including those giving rise to counterparty credit risk exposure), on-balance sheet as well as offbalance sheet. The supervisor determines that senior management monitors these limits and that they are not exceeded on a solo or consolidated basis.

Description and findings re EC6

Article 54 of the BL set limits to the amount of loans to be granted to a single or group of connected counterparties. Article 48 provides a comprehensive definition of a loan, both on and off balance sheet. Article 49 provides a comprehensive definition of “risk group” or group of connected parties.

The total amount of loans to be extended by a bank to a real or a legal person or a risk group shall not be more than 25 %of its own funds. For the bank’s own risk group, the limit shall be set at 20%. The Board may increase this rate up to 25% or to lower it back down to the legal limit. For further limitations on a bank’s own risk group, see BCP 20.

Loans made available to a real or legal person or a risk group that are equal to or exceed 10% of own funds shall be considered large loans and the total of such loans shall not exceed 8 times of the own funds according to the article 54(4).

Pursuant to Article 43 of the BL, all ratios and limits in the BL are required to be calculated by parent banks on a solo and consolidated basis. Article 54 of the BL states that these limits are calculated on consolidated basis by parent banks.

Article 20 of the GMCR requires banks to measure, monitor, and report concentrations of risk.

As explained in EC 3, in GAR; supervisor examines thresholds and specific limits for all types of exposures including off-balance sheet risks, regarding concentrations of sector, product, customer, risk group, shareholders, reviews reporting to senior management, and reviews compliance with bank policies and internal and regulatory limits. The General Risk Limits (KS100AS-KS100UK) reports are used for monitoring the compliance with the above mentioned limits and if any deficiencies are observed, the necessary actions are taken by BRSA depending on the nature of incompliance.

EC7

The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes.

Description and findings re EC7

RICAAP 43 requires banks to establish and operate a stress testing program in order to measure their material risks and vulnerabilities in general terms. GST Principle 12 requires banks to stress test their portfolios and business units to identify risk concentrations that may arise across their book. GMCR Principle 3 emphasizes the importance of concentration risk stress testing, including to identify and measure various hidden concentrations.

See BCP 8, EC 5 for further expansion on stress testing.

Additional criteria

AC1

In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:

a) ten per cent or more of a bank’s capital is defined as a large exposure; and
b) twenty-five per cent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties.

Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.

Description and findings re AC1

Assessment of Principle 19

Compliant

Comments

The legal framework addressing concentration risk and large exposures limits is generally in line with international standards. The definition of connected parties is comprehensive. The BRSA examines and monitors various exposures including, inter alia, large exposures, concentrations by sector, product, customer, and risk group.

Principle 20

Transactions with related parties. In order to prevent abuses arising in transactions with related parties⁵⁹ and to address the risk of conflict of interest, the supervisor requires banks to enter into any transactions with related parties⁶⁰ on an arm’s length basis; to monitor these transactions; to take appropriate steps to control or mitigate the risks; and to write off exposures to related parties in accordance with standard policies and processes.

Essential criteria

EC1

Laws or regulations provide, or the supervisor has the power to prescribe, a comprehensive definition of “related parties”. This considers the parties identified in the footnote to the Principle. The supervisor may exercise discretion in applying this definition on a case by case basis.

Description and findings re EC1

The definition of related parties is sufficiently comprehensive to capture relevant real and legal persons within the scope of the bank.

According to BL article 49 a bank and its qualified shareholders, members of its board of directors and its general manager as well as the undertakings they control individually or jointly, directly or indirectly or participate with unlimited responsibility or where they are members of board of directors or general manager constitute a risk group including the bank. Jointly-controlled undertakings shall be included in the risk group of each shareholder that controls together these undertakings. Risk groups include real and legal persons who have such relationships (surety, guarantee or similar relationships) where the insolvency of one will lead to the insolvency of the other. By the authority given in this article, BRSA may extend the risk group definition to include legal or real persons that may have material effects on the solvency of the risk group.

Article 50 of the BL prohibits banks from granting cash or non-cash (OBS) loans, purchasing bonds or similar securities to:

a) members of the board of directors, general manager, deputy general managers and employees that are authorized to extend loans; their spouses and children under their custody; and the undertakings where they individually or jointly own twenty-five percent or more of the capital,
b) employees other than those mentioned in sub-paragraph (a) and their spouses and children under their guardianship,
c) funds, associations, unions or foundations established by or for their employees.

Article 50 further directs that the prohibitions above will not apply to the loans made available to the board members and employees and family members thereof of the bank that do not exceed 5 times their monthly total net remuneration and credit in the form of check book and credit cards may not be granted over 3 times monthly total net remuneration. The total of these loans is very small in size.

For banks who are majority owned, separately or jointly by the Treasury Undersecretariat, Privatization Administration or the administrations subject to the general budget or annexed budget (i.e., State owned), are considered a risk group, together with their affiliated companies. The non-bank state economic enterprises or other public institutions and enterprises that are majority owned by the Privatization Administration shall constitute a risk group together with companies in which they own or influence management and supervision.

EC2

Laws, regulations or the supervisor require that transactions with related parties are not undertaken on more favorable terms (e.g., in credit assessment, tenor, interest rates, fees, amortization schedules, requirement for collateral) than corresponding transactions with non-related counterparties.⁶¹

Description and findings re EC2

BL article 50 of the BL directs that loans to natural and legal persons in the bank’s risk group requires approval of two thirds majority of the board of directors’ members and that the loan conditions shall not differ from the loans made available to other persons and groups and from market conditions, in favor of the borrower. Additionally, in order to ensure that credit to related parties are not undertaken on more favorable terms and to prevent conflict of interests the principle 3, paragraph 28 of the GCM states that, the approval processes and work flows for credits which are extended to the bank risk group should be separately determined.

While Article 48 of the BL provides a comprehensive definition of “loan”, it does not include other non-credit transactions within the limitations addressing related parties. Legislation should be expanded to explicitly capture all transactions, including loans, within the parameters of related party limits and requirements.

EC3

The supervisor requires that transactions with related parties and the write-off of related-party exposures exceeding specified amounts or otherwise posing special risks are subject to prior approval by the bank’s Board. The supervisor requires that Board members with conflicts of interest are excluded from the approval process of granting and managing related party transactions.

Description and findings re EC3

Article 50 of the BL stipulates that the decisions for loan extensions to natural and legal persons in the bank’s risk group are required to be made by two thirds majority of the board of directors’ members and that the loan conditions should not differ from the loans made available to other persons and groups and from market conditions, in favor of the borrower.

There is no explicit provision that requires prior approval of related party transactions by the bank’s board. No explicit provision requires approval (prior or post) of write-off of related party transactions. The assessor team was informed that no such write offs have occurred in the recent past.

According to Article 51 of the BL, bank personnel authorized to extend loans cannot take part in the evaluation and decision-making phases for the loan transactions involving themselves, their spouses, children or their related risk group. Additionally, in order to ensure that transactions with related parties are not undertaken on more favorable terms and to prevent conflicts of interest the principle 3, paragraph 28 of GCM requires banks to separate, independent approval processes and work flows for credits extended to the bank’s risk group.

EC4

The supervisor determines that banks have policies and processes to prevent persons benefiting from the transaction and/or persons related to such a person from being part of the process of granting and managing the transaction.

Description and findings re EC4

See also EC 2 above.

Article 7(2) (s) of RICAAP requires the bank’s audit committee to monitor whether personnel receiving bank credit participates in the decision making process. This includes any related credit extended to the person’s risk group. Appropriate communication channels must exist for reporting these issues to the audit committee.

According to GCM paragraph 78, the board of directors establishes the structure and practices which will prevent the shareholders, bank management or other relevant parties from intervening credit assessment process.

Additionally, in line with the principle 26, paragraph 156 of GCM, banks should assign qualified staff for monitoring the credits. These monitoring activities cover the conditions related to collaterals and guarantees for credits. In assigning this staff, banks are required to establish a monitoring structure which will not cause any potential conflicts of interest.

RCT, which regulates the procedures and principles for the credits extended by the banks, has also provisions for identification of natural persons and legal entities to be included in the bank’s risk group.

Related party exposures are examined as part of the loan review process during CAMELS on-site supervision.

EC5

Laws or regulations set, or the supervisor has the power to set on a general or case by case basis, limits for exposures to related parties, to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. When limits are set on aggregate exposures to related parties, those are at least as strict as those for single counterparties or groups of connected counterparties.

Description and findings re EC5

Article 50 establishes limitations on lending to a bank’s related parties. See EC 1 for the specific language. Thereafter, that allowable exposure is monitored and addressed within the context of legislation addressing credit exposures overall.

According to BL article 54(1), the total amount of loans to be extended by a bank to a natural or legal person or a risk group shall not exceed 25% of the bank’s own funds. This rate shall be applied as 20 % for the bank’s risk group. The BRSB may increase this rate up to 25% or to lower it down to the legal limit. The loans made available to an unincorporated undertaking shall be considered as made available to partners in proportionate to their responsibilities. (In practice, no such increase in a bank’s limit threshold to 25% has been granted by the BRSA.)

In any event paragraph 54 limits the total of loans extended by banks to all shareholders who have more than 1% share in the capital of banks, irrespective of whether they are controlling owners or whether they own qualified shares, and to persons who constitute a risk group with such persons, to no more than 50% of own funds.

In cases violations of the relevant law, articles 50 and 51 authorize the BRSA to deduct the excesses from a bank’s own funds or to require the bank to obtain additional own funds equal to the amount of such loans.

RCT article 13 of RCT directs that calculation of credit exposures for purposes of application of the limits to risk groups shall be on a consolidated basis – including the financial institution’s affiliates subject to consolidation.

EC6

The supervisor determines that banks have policies and processes to identify individual exposures to and transactions with related parties as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process. The supervisor determines that exceptions to policies, processes and limits are reported to the appropriate level of the bank’s senior management and, if necessary, to the Board, for timely action. The supervisor also determines that senior management monitors related party transactions on an ongoing basis, and that the Board also provides oversight of these transactions.

Description and findings re EC6

Legislation largely addresses lending to related parties (the bank’s risk group) within the context of lending parameters in general. The BL specifically assigns responsibility to the board for implementing strong internal systems within the bank which includes effective risk management and internal audit processes. It is within this scope of activity that the monitoring of related party transactions occurs. Within this context, according to Article 51 of the BL, bank personnel authorized to extend loans cannot take part in the evaluation and decision-making phases for the loan transactions involving themselves, their spouses, children or their related risk group. (As stated in EC 5 above, lending to board members is currently prohibited except on very restricted terms.)

Additionally, in order to ensure that transactions with related parties are not undertaken on more favorable terms and to prevent conflicts of interest the principle 3, paragraph 28 of GCM requires banks to separate, independent approval processes and work flows for credits extended to the bank’s risk group.

Article 7(2) (s) of RICAAP requires the bank’s audit committee to monitor whether personnel receiving bank credit participates in the decision making process. This includes any related credit extended to the person’s risk group. Appropriate communication channels must exist for reporting these issues to the audit committee.

See also BCP 17/18 for credit risk monitoring and management. See also EC 3 above for the board approval processes for undertaking credit exposures to a bank’s risk group. During the CAMELS review/GAR methodology, related party exposures are examined as part of the loan review process. As well, examiners evaluate thresholds and specific limits for all types of exposures including related party exposures. Moreover, FSAID 2914 aims to review the level of ratio of loans extended to related parties to the regulatory capital. And this assessment affects the asset quality component of the CAMELS rating system.

It should be noted, however, that review of the onsite examination process for credit risk (CP 17, 18) where issues surrounding risk identification as well as questions surrounding the implications of findings on the broader risk management processes were cited could have a bearing on the supervisory process for related party transactions.

EC7

The supervisor obtains and reviews information on aggregate exposures to related parties.

Description and findings re EC7

Exposures to related parties are closely monitored by off-site supervisors by means of monthly call reports. Banks shall regularly report and update the names of all real and legal persons in their own risk group (KR105AS), their shareholders (HS200AS) and their affiliates and subsidiaries (IS200AS) on a monthly basis. Loans extended to related party (KR202AS), transactions with related party in financial sector (MS200AS), derivative transactions with related party (BD101GS), related party risk limits (exposure to bank’s own risk group shall not exceed 20% of regulatory capital-KS100AS) are the main surveillance call reports which are used for reviewing aggregate exposures to related parties. In addition to that banks disclose the information about transactions with their own risk group in the external audit reports quarterly as it is required by article 22 of CPD.

As well, banks prepare an intragroup transactions report annually for consolidated supervision. Supervision teams assess that report in their examination processes. The report covers transactions with financial/nonfinancial parties that the bank controls directly or indirectly, transactions of affiliate financial/nonfinancial parties amongst themselves of which bank is not a part, transactions of the bank and its financial/nonfinancial affiliates with the controlling shareholder, transactions of the bank and its financial/nonfinancial parties with the controlling shareholder’s other partnerships.

Assessment of Principle 20

Largely Compliant

Comments

The legal and regulatory framework for related parties is generally comprehensive. The offsite department receives and regularly monitors reporting from banks. Examiners evaluate related party exposures during the onsite review. Offsite monitoring is comprehensive.

There is no explicit provision that requires prior approval of related party transactions by the bank’s board. As well, no explicit provision requires approval (prior or post) of write-off of related party transactions.

As well, while Article 48 of the BL provides a comprehensive definition of “loan” and related party limitations address such, legislation does not include other non-credit transactions within the limitations addressing related parties. Legislation should be expanded to explicitly capture all transactions, including loans, within the parameters of related party limits and requirements.

The assessment team was informed that a draft revision of the BL is being prepared by the BRSA. Within this context, article 50 (a and b) may be revoked to allow board member borrowing from the bank. It will also address related party “transactions” as well. The assessment team cautions the BRSA on relaxing related party risk parameters. There are countries that continue to rigorously restrict extension of credit, as well as transactions with, related parties of the bank, including board members. This is an area which historically has proven consistently problematic in distressed bank situations. Therefore, the team advises caution in widening the scope for such exposures.

Principle 21

Country and transfer risks. The supervisor determines that banks have adequate policies and processes to identify, measure, evaluate, monitor, report and control or mitigate country risk⁶² and transfer risk⁶³ in their international lending and investment activities on a timely basis.

Essential criteria

EC1

The supervisor determines that a bank’s policies and processes give due regard to the identification, measurement, evaluation, monitoring, reporting and control or mitigation of country risk and transfer risk. The supervisor also determines that the processes are consistent with the risk profile, systemic importance and risk appetite of the bank, take into account market and macroeconomic conditions and provide a comprehensive bank-wide view of country and transfer risk exposure. Exposures (including, where relevant, intra-group exposures) are identified, monitored and managed on a regional and an individual country basis (in addition to the end-borrower/end-counterparty basis). Banks are required to monitor and evaluate developments in country risk and in transfer risk and apply appropriate countermeasures.

Description and findings re EC1

GCRM is a principle based guideline which explains the best practices expected from banks regarding the management of country risk within the framework of RICAAP Article 35 which determines purpose of risk management and implementation of risk management systems including country and transfer risks. Country and transfer risks are defined in this guideline as well as contagion risk, indirect foreign-exchange risk, indirect country risk, macroeconomic risk and sovereign risk. According to the guideline, banks should establish country risk management processes in accordance with their risk profile, systemic importance and risk appetite after identifying market and macroeconomic conditions and scope and depth of their country risk exposure.

GCRM Paragraph 3 draws a framework for adequate country risk management structure both on consolidated and non-consolidated basis considering the size and complexity of bank’s activities including senior management surveillance, strategy, policy and procedures, risk analysis, measurement, monitoring and controlling.

GCRM Paragraph 6-13 requires sovereign risk, transfer risk, contagion risk, and the categories of indirect exchange risk, macroeconomic risk and indirect country risk to be taken into account in management of country risk. A risk management process should be established in accordance with risk profile, systemic importance and risk appetite after identifying market and macroeconomic conditions, scope and depth of risk exposure. Country risk exposures must be identified, measured, monitored and managed on the basis of each country and country groups (considering the borrower on ultimate position and other counterparties), subsidiaries and participations. Emerging developments in relevant countries must be monitored.

GCRM Principle 1 states that banks should clearly identify the country risk strategy, policy and procedures and document them. Senior management is responsible for implementing, however the board of directors has the ultimate responsibility in establishing country risk strategy, policy and procedures.

BRSA examines the risks regarding Pillar II in terms of definition, measurement, assessment, surveillance, reporting, modelling, back testing and supervision of risks in on-site examination of banks. Country and transfer risk is one of the significant part of that examination. Management of country and transfer risk policies and procedures of banks are being examined within the scope of ICAAP.

One of the most significant objectives of supervision is assessment of risks and determination of risk profiles of the banks. SMRAC is the framework which is used to prepare the risk matrix all relevant risks. As one of the essential part of the supervision cycle, country and transfer risk is described in SMRAC to be considered in examination of the banks.

SMGAR requires examiners to consider country risk in assessment of banks. Supervisor assesses whether the bank has made an analysis evaluating the necessity of using a model for measurement of country and transfer risk within the scope of ICAAP (FSAID 2459) and examines validation/backtesting results in modelling policies for measuring required capital (FSAID 2466) and at the same time oversees the recognition of those results in decision making processes (FSAID 2471).

Through the CAMELS review/GAR methodology process, the examiners review the bank’s oversight and management process; oversight of country risks arising from bank’s partnerships, shareholders and shareholder’s partnerships; the volume of activity of its clients abroad, etc.

EC2

The supervisor determines that bank’ strategies, policies and processes for the management of country and transfer risks have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.

Description and findings re EC2

GCRM Principle 1 requires banks to identify the country risk strategy, policy and procedures, and to have them approved by the board of directors in order to ensure to be considered in all decision processes. Moreover, senior management is responsible for implementing these strategy, policy and procedures. Paragraph 17 also declares that board of directors shall regularly review the bank’s country risk exposure. Paragraph 38 requires country risk limits to be approved by the Board. As well, paragraph 38 requires that relevant limits should be approved by the board and linked to capital.

Through the CAMELS review/GAR methodology the examiners verify that the proper board approvals for policies and strategies have been given as well as the reports provided the board. The BRSA requires banks to have an effective organizational structure regarding management, limitation and supervision of country and transfer risks and allocation of authorized staff.

EC3

The supervisor determines that banks have information systems, risk management systems and internal control systems that accurately aggregate, monitor and report country exposures on a timely basis; and ensure adherence to established country exposure limits.

Description and findings re EC3

GCRM Principle 6 requires banks to have an information system, a risk management system and an internal control system that monitor and report country risks. Moreover, banks should regularly review IT systems to enable country limits to be monitored on a timely basis, to ensure appropriate measures to be taken where necessary, and to ensure adherence to established country exposure limits. The GCRM requires setting limits on an individual country basis and a system for establishing, controlling, monitoring and reporting country limits and risks.

Through the CAMELS review/GAR process, the examiner evaluates the country risk management process and verifies that internal audit addresses the key aspects of country risk management and internal controls.

It should be noted, however, that review of the onsite examination process for credit risk (CP 17, 18) where issues surrounding risk identification as well as questions surrounding the implications of findings on the broader risk management processes were cited could have a bearing on the supervisory process for country and transfer risk.

EC4

There is supervisory oversight of the setting of appropriate provisions against country risk and transfer risk. There are different international practices that are all acceptable as long as they lead to risk-based results. These include:

a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate.
b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate.
c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.

Description and findings re EC4

BRSA implements the method (c). The Articles 7(9) and 8(4) of the REPL give authority to the BRSA to increase general and specific provisions for banks by considering country risk.

The draft REPL Article 10(2) and 11(2) requires banks to make additional provisions for country and transfer risks above the minimum amount determined for general and specific provisions.

GCRM Paragraph 13 directs a bank to reserve capital or make provisions for country risk exposures by considering its portfolio structure, size and emerging developments. Banks may apply various risk-based methods accepted in this context.

GCRM Paragraph 14 requires the written policies and procedures of a bank on country risk management shall include system, policy, methodology and processes applied in making provision or reserving capital.

During the ICAAP review, the examiners review the management process surrounding country risk management and the adequacy of provisioning for exposures therein.

EC5

The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes.

Description and findings re EC5

RICAAP 43 requires banks to establish and operate a stress testing program in order to measure its material risks and vulnerabilities. GCRM Principle 5 requires banks to perform stress tests for country risk analysis including using sufficiently severe scenarios to adequately analyze the nature of exposures.

The examiners evaluate stress testing programs in the context of the ICAAP review and during examination of country and transfer risks when and as appropriate for the level and nature of the bank’s exposures.

EC6

The supervisor regularly obtains and reviews sufficient information on a timely basis on the country risk and transfer risk of banks. The supervisor also has the power to obtain additional information, as needed (e.g., in crisis situations).

Description and findings re EC6

The article 96(1) of the BL provides authority to the BRSA to request any related information from banks and related parties indicated in this article. By using this power, the BRSA can demand all needed document and information from banks.

Country risks are closely monitored through monthly basis two call reports: “UL200AS, Country And Foreign Currency Risks- Balance Sheet Accounts” and “UL211AS, Country And Foreign Currency Risk—Off-Balance Sheet Accounts”. Moreover, call reports such as Loans-detailed (KR202AS), “Transactions with Financial Sector (MS200AS) and “Cross Border Organizations Reporting Set” are used for country risk analysis. “Country Risk Report” and “Cross Border Organizations of the Banks Established in Turkey report” are the final off-site supervision products about country risks.

Additionally, reports or notes are prepared when needed in special cases or crisis (e.g., recent special notes on Greece Risks, Russian Risks). In these cases ad-hoc information other than regular call reports can always be gathered in a very short time from banks.

Assessment of Principle 21

Compliant

Comments

BRSA guidance adequately captures country and transfer risk as well as other relevant risks. Banks are expected to establish country risk parameters as well as systems for monitoring exposures, including indirect foreign-exchange risk and indirect country risk. Country risk is evaluated through the CAMELS review process and via the risk matrix of the bank.

Principle 22

Market risk. The supervisor determines that banks have an adequate market risk management process that takes into account their risk appetite, risk profile, and market and macroeconomic conditions and the risk of a significant deterioration in market liquidity. This includes prudent policies and processes to identify, measure, evaluate, monitor, report and control or mitigate market risks on a timely basis.

Essential criteria

EC1

Laws, regulations or the supervisor require banks to have appropriate market risk management processes that provide a comprehensive bank-wide view of market risk exposure. The supervisor determines that these processes are consistent with the risk appetite, risk profile, systemic importance and capital strength of the bank; take into account market and macroeconomic conditions and the risk of a significant deterioration in market liquidity; and clearly articulate the roles and responsibilities for identification, measuring, monitoring and control of market risk.

Description and findings re EC1

The Article 29 of the BL requires banks to implement adequate and efficient internal control, risk management and internal audit systems that are commensurate with the scope and structure of their activities, that can respond to changing conditions and that cover all their branches and undertakings subject to consolidation in order to monitor and control risks that they encounter. Foreign exchange risk is the primary market risk of banks in the Turkish system.

The overall framework of risk management is defined in RICAAP. Article 5 and 38 directly assigns responsibility to the board to establish the risk appetite and ensure fluid communication lines through the bank. The board is responsible for determining the organizational structure, policies, procedures, authorities of the units, etc. It further requires in article 38 that risk limits are established in relation to allocated capital and risk appetite. Responsibilities for identification, measuring, monitoring and control of each risk has been given to risk management unit of banks according to article 37. Management responsibilities and duties are articulated in article 41.

Banks shall manage their market risk according to the provisions of this Regulation beside the principles and procedures stated in the Guideline on Market Risk Management (GMRM) within the frame of principle of proportionality. GMRM is a principle based guideline explaining the best practices and processes expected from banks regarding the management of market risk. It advises a proportionality approach in which banks adopt processes in relation to the size and complexity of their activities. GMRM Principle 2 requires banks to establish a sound and comprehensive risk management framework, systems through which to concerning measure, monitor, and control market risk and to execute their business in accordance with them. Minimum factors to be included in the framework and processes regarding the measurement, monitoring, and controlling of the market risk are stated in this principle in detail.

GMRM Paragraph 8 states that banks should also take into account the general market and macroeconomic conditions in which they operate in their assessment and management of risks and their loss absorbing capacity. Moreover, Paragraph 23 clarifies that all significant risks should be measured and aggregated on a bank-wide basis. As well, policies should be applied on a consolidated and non-consolidated basis and should clearly determine the lines of responsibilities of the Board, senior management, units within the internal systems and other personnel responsible for managing market risk as well as identifying processes of reviewing or updating policies in cases of considerable changes occurred in the bank’s market risk profile.

During the CAMELS rating process/GAR methodology, examiners use GMRM as a manual for market risk supervision. Therefore, each principle and paragraph in GMRM determines the on-site supervision framework for market risk.

Examiners also assess the level of risks and risk profiles of the banks according to SMRAC which guides the preparation of the risk matrix. SMRAC has a special chapter for determining the risk level and the management quality of market risk. According to SMRAC, examiners determine risk profile and assess the adequacy of policies and procedures, the level of risk appetite, and the quality of risk measuring, monitoring and control functions including the roles and responsibilities.

The BRSA evaluates the level and management of market risk through the onsite GAR methodology. The process includes evaluating the bank’s related strategies and policies, risk appetite and risk tolerance. Examiners are further directed to check policies, strategies, limit structures, and valuation processes. The result of these steps feeds into the risk matrix and profile documents prepared at the end of the supervisory cycle. Banks’ foreign exchange exposures and business are regularly evaluated along with activity in the securities and other relevant areas. Two “test” specific examinations were conducted to pilot new questions and the implied processes within the context of the GAR methodology and for the draft GRMR. Conclusions were drawn and presented to the respective banks. As a matter of course, consolidated risk governance is reviewed during the ICAAP process.

EC2

The supervisor determines that bank’ strategies, policies and processes for the management of market risk have been approved by the banks’ Boards and that the Boards oversee management in a way that ensures that these policies and processes are implemented effectively and fully integrated into the banks’ overall risk management process.

Description and findings re EC2

See also EC 1 above.

RICAAP provides the parameters for the risk management process under which market risk falls. GMRM principle 1 requires banks to establish written strategies, policies, and procedures with the Board’s approval. The Board charges senior management with monitoring and controlling the risk in accordance with the strategies, policies, and procedures and fully integrating market risk processes into the bank’s overall risk management function (paragraph 17).

The adequacy of policies and board approvals are addressed through the CAMELS rating process/GAR methodology which is conducted onsite as well, on a higher level, through the ICAAP review process. Examiners are directed to check board approval of risk appetite and risk tolerance, board approval of strategies, board approval for policies, procedures and workflows, roles and responsibilities in policies, procedures and workflows, board approval of the definition of trading book, board oversight of the risk levels, consolidated level of market risk, periodic reports to board and senior management about risk management, and board oversight of implementation of policies, procedures and strategies.

EC3

The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:

a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management;
b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff;
c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary;
d) effective controls around the use of models to identify and measure market risk, and set limits; and
e) sound policies and processes for allocation of exposures to the trading book.

Description and findings re EC3

RICAAP addresses the elements of a strong risk management function that must be in place along with the calculation and support of a well-defined internal capital allocation process. The Regulation requires banks to establish information systems, control of transactions and control of communication channels and information systems which are to be performed within the internal control function. It is the duty of internal audit system to audit risk measurement models used in the bank.

As indicated in EC 1 above, GMRM paragraph 21 articulates the factors for effective market risk framework and processes, inter alia:

a) a framework to identify risks;
b) an appropriately detailed structure of market risk limits that are consistent with the institution’s risk appetite, risk profile and capital strength, and which are understood by, and regularly communicated to, relevant staff;
c) guidelines and other parameters established by the bank and used to govern market risk-taking;
d) rules and criteria for allocation of positions to the trading book;
e) appropriate management information system (MIS) for accurate and timely identification, aggregation, monitoring, controlling, and reporting of market risk, including transactions between the bank and its affiliates, to the institution’s Board and senior management;
f) exception tracking and reporting processes that ensure prompt action at the Board or senior management level, where necessary;
g) effective controls around the use of models to identify and measure market risk;
h) valuation policies, including policies and processes for considering and making appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities (concentrated or less liquid positions); and
i) action plans for possible concentrated risks (pricing differences, keeping more capital, more frequent reporting, etc.).

The Regulation on Calculation and Implementation of Net General Position of Foreign Exchange Over Own Funds Ratio for Banks on Non-Consolidated and Consolidated Basis (RNFER) sets standards/rules for forex risk. It requires banks to calculate their on- and offbalance sheet forex positions on a daily basis. The net aggregate position method is used to calculate the overall forex position. The net general forex position should not exceed ±20 percent of own funds. The BRSA is empowered to determine different ratios for different banks and banking groups, but has not exercised this power to date. The BRSA has not prescribed regulatory limits for other elements of market risk. These are generally left to bank managements’ discretion.

GMRM Paragraph 21 identifies the check points in for use during the CAMELS rating/GAR GAR methodology process. Besides the GMRM, the GAR methodology directs supervisors, according to the level and nature of a bank’s market risk activities, to specifically address accurate and timely identification and monitoring of risk through management information systems, other checks in addition to regulatory limits and definitions, internal models on market risk, back testing and validation for internal models on market risk, measurement methods under ICAAP, controls around measure of market risk, tracking systems for internal control and audit, the oversight of the of audit committee in this area, internal controls and audit on market risk, valuation of derivative positions, valuation of financial assets, valuation policies, business continuity plans, and concentration of risks within trading book.

Supervisors address this guidance, as relevant, in the CAMELS/GAR process, however as stated in EC 1 above, market risk otherwise would be captured in conjunction with the ICAAP review process and overall risk management reviews. (See also BCP # 15 above) Currently, individual, special market risk examinations have not been conducted, as a matter of routine. Two targeted market risk examinations were conducted in order to determine how this risk is measured and managed as well as the level of compliance with the GMRM regulation. Results of these exams were presented to the banks.

EC4

The supervisor determines that there are systems and controls to ensure that banks’ marked-to-market positions are revalued frequently. The supervisor also determines that all transactions are captured on a timely basis and that the valuation process uses consistent and prudent practices, and reliable market data verified by a function independent of the relevant risk-taking business units (or, in the absence of market prices, internal or industry-accepted models). To the extent that the bank relies on modeling for the purposes of valuation, the bank is required to ensure that the model is validated by a function independent of the relevant risk-taking businesses units. The supervisor requires banks to establish and maintain policies and processes for considering valuation adjustments for positions that otherwise cannot be prudently valued, including concentrated, less liquid, and stale positions.

Description and findings re EC4

Please refer to BCP Principle 27, EC 3 for a full discussion on valuation and model validation.

RCA Annex 3 regulates principles and procedures for prudent valuation and management of the trading book for market risk regulatory capital requirement calculations.

GMRM Paragraph 26 states that banks should ensure that transactions are captured on a timely basis and that marked-to-market positions are revalued frequently. Valuation of market risk positions should be robust and independent of the risk-taking function. The valuation process should use reliable market data verified independently of the business line. In the absence of market prices, internal or industry-accepted models should be used. Models and supporting statistical analyses used in valuations should be appropriate, consistently applied, and have reasonable assumptions. These should be independently validated before deployment. Staff involved in the validation process should be adequately qualified and independent of those who assume market risks and develop models. Models should be periodically reviewed. More frequent reviews may be necessary if there are changes in models or in the assumptions resulting from developments in market conditions. It should be ensured that these changes are cautiously taken into consideration by the model.

Additionally, there is a separate Guideline On Fair Value Measurement (GFVM), which explains the best practices expected from banks regarding the banks’ processes to measure the fair value of financial instruments and banks’ risk management and control processes related to fair valuation. In paragraph 23 of GFVM it is also emphasized that a valuation model must be validated before the implementation as well as after the implementation by an independent, suitably qualified group prior to usage, with periodic reviews to ensure the model remains suitable for its intended use. Details regarding a validation processes is also given in paragraphs 24-28.

GMRM Paragraph 21(h) points out that risk management framework should possess valuation policies, including policies and processes for considering and making appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities (concentrated or less liquid positions). GMRM Paragraph 35 states that each of foreign exchange rates should be considered as a different risk factor in measurement of foreign exchange risk within market risk. The measurement should also consider the risks arising from changes in values or asset-liability mismatch.

Valuation adjustments and independent price verification processes are defined in GFVM paragraph 5(b) and (a). Paragraph 7 requires banks to establish and maintain governance structures and controls sufficient to provide prudent and reliable valuation estimates. Principle 6 of GFVM states that banks should have a rigorous and consistent process to determine valuation adjustments for risk management, regulatory and financial reporting purposes, where appropriate.

According to Principle 2 of GFVM, a bank should have adequate capacity, including during periods of stress, to establish and verify valuations for instruments in which it engages. Senior management should ensure that the bank has the resources and capabilities to estimate appropriately the inherent risks and the value of financial instruments, including complex and illiquid instruments. It is also stated that, for exposures that represent material risk, a bank should have the capacity to produce valuations using alternative methods in the event that primary inputs and approaches become unreliable, unavailable or not relevant due to market discontinuities or illiquidity or in stressed market conditions.

GMRM Paragraph 26 and Paragraph 21 point (h) identify the check points for supervisory review. Besides the GMRM, the CAMEL risk rating/GAR methodology have targeted questions for valuation including questions on fair value computations, on senior management oversight about valuation practices, on internal or external audits about valuation practices and management conducts about the findings, and on quality of risk management policies, systems and controls about valuation. Market risk is reflected in the CAMELS rating “S” and determined through GAR, risk matrix, and risk profile processes. As well, the offsite supervision department receives and monitors regulatory reporting information on a regular basis, including stress testing results on market risk (FX) positions.

The assessor team reviewed several examples of special examinations which had as a part of the process market risk elements. Conclusions, in fact, cited certain issues dealing transactional deficiencies in the market risk area such as lack of independence in the model validation process, etc. As well, the team reviewed selected GAR (onsite) activities in this area which reflected selected market risk exam steps and related documentation.

EC5

The supervisor determines that banks hold appropriate levels of capital against unexpected losses and make appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities.

Description and findings re EC5

RICAAP Article 60(4) states that in case the Agency, within the scope of supervision and surveillance activities, detects the probability that the bank cannot meet the internal capital requirement ratio for the bank’s risk profile or detects the probability that the bank does not hold sufficient capital for each important risk type, it takes the measures deemed necessary, including directing the bank to increase capital. A Communique on the “Calculation of Market Risk Measurement Models and Assessment of Risk Measurement Models” (CMR-RMM) requires BRSA approval for any market risk models used in the specific calculation of related capital. The BRSA approval is not required if banks chose to use models for internal risk management or capital management purposes. However, requests for market risk capital calculation models have not been made to date.

GMRM Paragraph 10 states that the level of market risk and stop/loss thresholds should be set relative to the amount of market risk capital set aside against unexpected losses. As well, banks are required to establish the processes of determination of appropriate capital levels against unexpected losses.

GMRM Paragraph 21(h) and 21(i) require banks to implement valuation policies, including policies and processes for considering and making appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities (concentrated or less liquid positions) and action plans for possible concentrated risks (pricing differences, keeping more capital, more frequent reporting etc.). Paragraph 26 directs that in the absence of market prices, internal or industry-accepted models should be used. Models and supporting statistical analyses used in valuations should be appropriate, consistently applied, and have reasonable assumptions. These should be validated before deployment. Staff involved in the validation process should be adequately qualified and independent of those who assume market risks and develop models. Models should be periodically reviewed.

The abovementioned regulations represent check points for the CAMELS review/on-site supervision. Besides the GMRM, the CAMEL risk rating process/GAR methodology has specific questions for valuation and additional capital needs.

In practice, several large banks are using models internally for managing market risks.

A responsibility of the independent risk management function (one of the 3 elements of internal systems) is to assure model validation. Model validation must be performed by a department separate from the unit using the model. In some cases, a bank my hire an external party to conduct the validation process. The BRSA reviews the model validations as a part of its GAR process but does not deploy specialist expertise to review the integrity of the validations. No bank has yet formally applied for using market risk models for capital adequacy purposes which would require BRSA approval.

EC6

The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes.

Description and findings re EC6

RICAAP article 43 regulates general requirements that banks must follow for their stress testing programs. Article 43(1) requires banks to establish and operate a stress testing program in order to measure their material risks and vulnerabilities which may arise from both negative developments peculiar to the bank and the developments in stressed economic and financial environment. Article 43(4) requires overall firm-wide stress testing in addition to each material risk type. Article 43(5) states that stress tests on market and counterparty risk as well as bank’s total liquidity risk shall be made simultaneously once a month or more frequently and results are monitored closely by the top management.

The Guideline On Stress Testing To Be Used By Banks In Capital And Liquidity Planning (GST) also provides parameters for banks’ stress testing activities and has special provisions for stress testing on market risk. Paragraphs 91 to 97 deal with stress testing on market risk. Banks can consider a range of exceptional, but realistic, market shocks or scenarios for their trading book positions. The Guideline also addresses back testing and scenario analysis. Tests should be conducted on a bank-wide basis.

The CAMELS rating process/GAR methodology includes evaluation of market risk stress testing and scenario analysis as well as board and senior management oversight principles. Currently, the BRSA reviews market risk stress testing in the context of the overall stress testing conducted for/presented in the ICAAP process. As a part of the GAR review process, the market risk stress tests may be reviewed, however, specialist expertise is not deployed to evaluate the scenarios or calculation details of the process.

See also stress testing comments in CP8 EC5.

Assessment of Principle 22

Compliant

Comments

The BRSA has adopted comprehensive regulation and guidance through which to direct banks to identify, measure, and monitor their market risk exposures. This includes parameters for valuation, stress testing, and model use. For examination purposes, these elements are largely addressed through the CAMELS rating/GAR methodology review process, and on an overall basis, during the ICAAP review.

Of note, currently, specialist expertise is not deployed to evaluate the scenarios or calculation details of the stress testing exercises. Examiners review the models used to measure market risk. However, they also depend substantially on the banks’ model validation process. To deepen the work and enhance the forward looking aspect, the BRSA could consider deploying trained specialists to assess stress test approaches and mathematical integrity and to leverage resulting advice/input on specialized exams. As well, enhanced examiner expertise in the area of model evaluation could provide added assurance to the BRSA on the integrity of bank models used.

Principle 23

Interest rate risk in the banking book. The supervisor determines that banks have adequate systems to identify, measure, evaluate, monitor, report and control or mitigate interest rate risk⁶⁴ in the banking book on a timely basis. These systems take into account the bank’s risk appetite, risk profile and market and macroeconomic conditions.

Essential criteria

EC1

Laws, regulations or the supervisor require banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. This includes policies and processes to identify, measure, evaluate, monitor, report and control or mitigate material sources of interest rate risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the risk appetite, risk profile and systemic importance of the bank, take into account market and macroeconomic conditions, and are regularly reviewed and appropriately adjusted, where necessary, with the bank’s changing risk profile and market developments.

Description and findings re EC1

RICAAP article 35(4) directs that banks are obliged to establish and implement an effective risk management system for material risks including interest rate risk in the banking book. Regulation on Measurement and Assessment of the Interest Rate Risk Stemming from the Banking Book with Standardized Shock Method (RIRRBB) requires banks to have an appropriate interest rate risk strategy and interest rate risk management framework that provides a comprehensive bank-wide view of interest rate risk. The Guideline For Interest Rate Risk Management (GIRRM) enumerates the best practices and processes expected from banks regarding the management of interest rate risk.

GIRRM directs that interest rate risk (IRR) management systems should include: i) senior management surveillance, ii) in-bank policy and procedures concerning risk management which are approved by the board, iii) the process of adequate risk measurement, monitoring and controlling, and iv) controlling activities. The principles are to be applied on a consolidated and unconsolidated basis and consistent with the size and complexity of bank’s activities.

GIRRM Principle 4 requires that interest rate risk measurement systems assess the effects of interest rate changes on earnings and economic value. According to paragraph 30, banks measurement systems should address all material sources of IRR including repricing, yield curve, basis and option risk components.

GIRRM is also used as a guide during the (GAR) on-site supervision framework. Furthermore, the GAR methodology includes addressing interest rate risk strategies, risk appetite, and risk tolerance.

Examiners also assess the level of risks and risk profiles of the banks according to SMRAC which guides preparation of the risk matrix (level and management of risk). SMRAC has a special chapter for determining the risk level and the management quality of interest rate risk in the banking book. According to SMRAC, examiners determine risk profile and assess the adequacy of policies and procedures, the level of risk appetite, and the quality of risk measuring, monitoring and control functions including the roles and responsibilities. The questions in SMRAC are, in general, a subset of the GAR annex. This process is an output of the CAMELS/GAR methodology. IRR is also monitored regularly by the offsite monitoring process.

EC2

The supervisor determines that a bank’s strategy, policies and processes for the management of interest rate risk have been approved, and are regularly reviewed, by the bank’s Board. The supervisor also determines that senior management ensures that the strategy, policies and processes are developed and implemented effectively.

Description and findings re EC2

RICAAP draws general framework for all internal systems and GIRRM gives specific requirements for IRRBB. RICAAP article 5(2) defines the responsibilities of the Board which includes determination and approval of policies, procedures, strategy for each risk type and also identification of risk appetite. Article 8(2) also gives the responsibility and duty to senior management to implement the strategies and policies approved by the Board.

In addition, GIRRM Principle 1 requires banks to have a written strategy, policy and procedures concerning the interest rate risk management approved by the board of directors. The board approves and regularly assesses (through the internal systems and audit committee functions) the relevant IRR activities, strategies and policies. The board oversees that senior management takes the necessary steps to monitor and control the risks consistent with the approved strategies and policies. The board is to periodically review the adequacy of action plans and the results, measurement system and assumptions concerning stress tests.

Principle 2 requires senior management to ensure that the level of bank’s interest rate risk is effectively managed. They should establish necessary processes to ensure to control and to keep the risk within limits and enable required resources are available for performing these processes. They are responsible for maintaining risk limits, establishing effective internal controls for risk, etc. Paragraph 15 states that senior management periodically review the policies and procedures concerning the management of interest rate risk and report the necessary changes to the board of directors with their reasons. GIRRM Paragraph 22 sets that the policies and procedures of interest rate risk should be reviewed periodically.

Besides the GIRRM, as part of the CAMEL review/GAR methodology requires the supervisor to address: board approval for limits on interest rate risk; board and senior management oversight for interest rate risk; board approval of risk appetite, risk tolerance, strategies, and policies. It further requires the examiner to check roles and responsibilities in policies, procedures and workflows and implementation therein.

In practice, the supervisor covers elements of interest rate risk through the GAR process, as described in EC 1 above, which is conducted onsite but not to the depth of what a special examination would require. However, specialized examinations of this area are not yet conducted. There were two targeted reviews in two banks which focused on how IRR is measured and managed and tested compliance with GIRRBB. Also, off-site analysis is conducted on all banks to identify the treatment of IRRBB within the scope of ICAAP.

EC3

The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:

a) comprehensive and appropriate interest rate risk measurement systems;
b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions);
c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff;
d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and
e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.

Description and findings re EC3

a) GIRRM Principle 4 states that banks should establish interest rate risk measurement systems that include all significant sources of interest rate risk, that assess the effects of interest rate changes on earnings and economic value, and that are consistent with the scope and complexity of their activities. The minimum aspects of the system are presented paragraph 28. GIRRM paragraph 38 requires risk managers and senior management to review the assumptions in interest rate risk management system at least annually. Paragraph 41 directs that all the assumptions used in interest rate risk measurement system are comprehensively justified, are approved by risk management unit and senior management, and are reviewed at least annually.
b) Paragraph 68 of the GIRRM directs that the frequency and extent to which a bank should re-evaluate its risk measurement methodologies and models depend, in part, on the particular interest rate risk exposures created by holdings and activities, the pace and nature of market interest rate changes, and the pace and complexity of innovation with respect to measuring and managing interest rate risk. Further, banks should have measurement, monitoring and control functions that are reviewed regularly. The staff carried out the independent review should ensure that risk measurement system include all the important components of interest rate risk management arising from on and off balance sheet positions. Reviewing process should include, inter alia, the accuracy and relevancy of modelling assumptions. See also BCP Principle 27, EC 3.

RICAAP, the overall guiding risk management document, Article 58(1) states that an independent team shall validate the risk measurement methodology used in economic or/and regulatory capital management process within the ICAAP process. Independence means that the team should be independent from the units that developed the models or the executive units. Moreover, RICAAP Article 58(2) points out that banks can use external expertise in case there is insufficient scope for internal validation.

c) Principle 6 gives directions regarding the interest rate risk limits. Banks should determine interest rate risk limits appropriate to the internal risk management policies and implement these limits. Limits should be consistent with the overall approach to measuring interest rate risk. These limits should be established in conformity with the bank’s size nature and capital adequacy. The responsible senior manager should immediately be informed about the limit exceptions. Risk tolerance should be identified. Paragraph 19 requires banks to identify the specific actions necessary for exceptions to limits.

GIRRM Principle 9 requires banks to establish adequate and effective internal control systems for the interest rate risk management process. Internal control systems should include an independent review and assessment that will be carried out by internal audit unit to measure the effectiveness of system regularly and to ensure the improvement of internal control if necessary.

d) GIRRM paragraph 32 points out that banks should establish reliable management information systems to measure, monitor, control and report interest rate risk. The results of risk monitoring and measuring concerning interest rate risk should be reported to the board of directors, senior management and relevant business line managers in time. Paragraphs 61 and 62 articulates the content of the necessary reporting.

The CAMELS review/GAR methodology addresses elements of re-pricing risk, yield curve risk, basis risk and optionality risk; interest rate risk ratios; behavioral analysis of optionality; effect of interest rate risk on income; interest rate risk in the banking book under ICAAP; model validation for interest rate risk under ICAAP; internal control and audit for interest rate risk; the effect of interest rate risk on capital; reporting to board and senior management; internal models or approaches for measurement and monitoring of interest rate risk; independent evaluation of internal models and approaches; effectiveness of management information systems for interest rate risk; and consolidated monitoring techniques for interest rate risk.

From the IT point of view, banks’ information systems must meet the standards set in RITEA. For example, according to article 25 (2)(c) of RITEA banks’ processes regarding accounting processes regarding interest rate income and expenditure are audited by external auditors and results of this audit are submitted to BRSA. If any deficiencies regarding standards laid down in RITEA are observed during the IT audits conducted by external auditors those deficiencies are taken into account within the scope of the CAMELS review/examinations.

EC4

The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements.

Description and findings re EC4

See also BCP 8, EC 5 for comments on stress testing integrity.

RICAAP article 43 directs that banks shall establish and operate a stress testing program in order to measure its material risks and vulnerabilities which may arise from both negative developments peculiar to the bank and the developments in stressed economic and financial environment. More specific guidance to stress testing of interest rate risk is given in GIRRM and GST.

GIRRM Principle 7 states that banks should measure the effects of losses that may arise under certain stress conditions including that the assumptions considered in interest rate risk measurement may not reflect the truth.

GIRRM Paragraph 35 indicates that banks should use multiple scenarios including the possible interactions (for example yield curve risk and basis risk) across different interest rates as well as for changes in the overall level of interest rates. GIRRM paragraph 36 directs that projected/possible shifts in customer behavior—and potential responses to those shifts by the bank—should also be stressed/modeled. Also, GIRRM paragraph 37 states that banks consider the expectations concerning the possible path of interest rate in the future. Banks should use their own as well as the BRSA’s designated scenarios to determine shocks per material each currency on the bank’s books.

The CAMELS review/GAR methodology directs review of scenario analysis, simulations and stress testing for interest rate risk.

Additional criteria

AC1

The supervisor obtains from banks the results of their internal interest rate risk measurement systems, expressed in terms of the threat to economic value, including using a standardized interest rate shock on the banking book.

Description and findings re AC1

AC2

The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.

Description and findings re AC2

Assessment of Principle 23

Compliant

Comments

BRSA supervision of interest rate risk is addressed through several activities. It is reviewed as a part of the overall ICAAP review process and captured as an input in the stress testing conducted therein. As well, the supervisor covers elements of interest rate risk through the GAR process, as described in EC 1 above, which is conducted onsite but not to the depth of what a special examination would require. However, specialized examinations of this area are not yet conducted.

The BRSA should develop specialized examination procedures for interest rate risk where it identifies increasing or high risk areas. The BRSA should use specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise.

Principle 24

Liquidity risk. The supervisor sets prudent and appropriate liquidity requirements (which can include either quantitative or qualitative requirements or both) for banks that reflect the liquidity needs of the bank. The supervisor determines that banks have a strategy that enables prudent management of liquidity risk and compliance with liquidity requirements. The strategy takes into account the bank’s risk profile as well as market and macroeconomic conditions and includes prudent policies and processes, consistent with the bank’s risk appetite, to identify, measure, evaluate, monitor, report and control or mitigate liquidity risk over an appropriate set of time horizons. At least for internationally active banks, liquidity requirements are not lower than the applicable Basel standards.

Essential criteria

EC1

Laws, regulations or the supervisor require banks to consistently observe prescribed liquidity requirements including thresholds by reference to which a bank is subject to supervisory action. At least for internationally active banks, the prescribed requirements are not lower than, and the supervisor uses a range of liquidity monitoring tools no less extensive than, those prescribed in the applicable Basel standards.

Description and findings re EC1

The BRSA has set up a comprehensive framework for liquidity regulation, monitoring, and bank responsibilities. The framework is grounded in the provisions of the BL and are further expanded in regulation and guidance. The requirements contained therein as well as the requirements under development are consistent with, and in some cases, more strict than international standards. A wide range of monitoring tools are in place at the BRSA for monitoring banks’ liquidity positions and funding experience.

According to the Article 46 (Adequacy of Liquidity) of the BL, banks are required to calculate, achieve, perpetuate and report the minimum liquidity level in accordance with the principles and procedures to be set by the BRSB which are put forward in the Regulation on Measurement and Evaluation of Liquidity Adequacy of Banks (RLA) in 2006. The objective of this Regulation is to regulate banks’ procedures and principles for achievement and maintenance of adequate levels of liquidity in order to meet their liabilities with their assets.

In March 2014, in compliance with the Basel III LCR document⁶⁵, BRSA issued a Regulation on Liquidity Coverage Ratio (RLCR). The aim of RLCR is to determine the procedures and principles regarding banks’ having high quality liquid assets stock at a sufficient level to cover their net cash outflows in order to designate a minimum liquidity level, both at a consolidated and solo basis in terms of FX and total. After in-depth analysis, in line with the Basel framework, BRSB approved that deposit banks would calculate and achieve at least 60% LCR and 40% FX LCR throughout 2015 and these ratios would increase 10 basis points each year until 2019 and be 100% and 80% respectively unless otherwise indicated. Right now, for 2016, deposit banks are required to achieve at least 70% LCR and 50% FX LCR. Until January 1, 2017, consolidated LCR and FX LCR may be calculated as of the last day of the month. Beginning from 2017, consolidated LCR and FX LCR may be computed for each day and monthly arithmetic average is calculated. This approach is also in compliance with the Basel III LCR document as well as Basel III LCR disclosure document.

On the other hand, BRSB decided that until an appropriate LCR is determined for investment and development banks, they would calculate and report their LCRs to the BRSA but they do not have to meet the required LCR. On the other hand, those banks would continue to be subject to the provisions of RLA until otherwise approved by the BRSB.

Basel III LCR document set the minimum factors, cash outflow and inflow rates. This means that jurisdictions are entitled to set the factors and rates which would not be less than the international requirements. The Annex 1 and Annex 2 of RLCR, where factors, cash outflow and cash inflow rates for each high quality liquid asset and other items are explicitly stated, were designed after in depth analysis of the banking sector. Areas where Turkish LCR rules are stricter than the Basel standards are as follows:

The Basel standard allows supervisors to determine inflow percentages for other contractual cash inflows, as appropriate for each type of inflow. The BRSA has set 0% inflow rate for other contractual cash inflows.
Even though Basel standards require LCR standard and monitoring tools to be applied to internationally active banks, BRSA requires RLCR provisions to be applied by all banks except for investment and development banks until an appropriate level for LCR is determined. There is ongoing work to determine an appropriate LCR for investment and development banks.
The BRSA requires banks to calculate, report and disclose FX liquidity coverage ratio on both solo and consolidated basis as a regulatory standard ratio. Moreover, total LCR is also calculated, reported and disclosed on solo basis.

BRSB will decide when the first implementation date will be (2017 or 2019) as well as whether gradual approach would be preferred for those banks after reviewing the LCRs and banks’ risk profiles.

In addition to the minimum standard for the LCR, the Basel III LCR document also outlines the metrics to be used to monitor liquidity risks (“the monitoring tools”). The monitoring tools supplement the LCR standard and are a cornerstone for supervisors in assessing the liquidity risk of a bank. A list of the monitoring tools prescribed in the BCBS Basel III LCR document and the most important corresponding monitoring tools, their preparation and submission frequencies prescribed by the BRSA is given below:

	BCBS monitoring tool	BRSA’s corresponding reporting template	Effective since	Frequency of preparation	Frequency of submission to the BRSA
1	Contractual maturity mismatch	Statement of liquidity risk analysis – According to cash flow	6 December 2013	Weekly	Within 3 business days
2	Concentration of funding	Statement of deposits – According to the size, type, number of customers Statement of securities issuances Statement of repo transactions Statement of cross-border liabilities	Introduced in 2006, revised in 2010, last revision 1 March 2013 Introduced in 2002, revised in 2014 27 December 2002 27 December 2002	Monthly Monthly Weekly Weekly	Within 18 business days Within 18 business days Within 3 business days Within 3 business days
3	Available unencumbere d assets	Statement of securities – detailed Statement of securities – weekly	Introduced in 2002, revised in 2007 27 December 2002	Daily Weekly	Daily Within 3 business days
4	LCR by significant currency	FX LCR	1 January 2014	Weekly	Within 3 business days

There are two more monitoring tools. First one is market-related monitoring tools (where supervisors can monitor market-wide information, information on the financial sector, bank-specific information). For the market-related monitoring tools, as proposed by the Basel standard both BRSA and CBRT use several market wide information as early warning indicators in monitoring potential liquidity difficulties at banks. Market-wide information and information on the financial sector are monitored by both BRSA and CBRT.

Of note, in 2015 the BRSA underwent a Regulatory Consistency Assessment of its Basel III LCR regulations for which it received a “compliant” rating.

As for the bank-specific information, BRSA prepares regular off-site surveillance reports on banks liquidity position and shares these with on-site supervisors. On the other hand, BRSA conducts liquidity stress tests depending on market conditions when needed. In addition to that, banks are required to monitor market related information on equity prices, CDS spreads, money-market trading prices, the situation of roll-overs and prices for various lengths of funding according to Guideline on Liquidity Risk Management (GLRM).

The second one is Basel guidance on monitoring tools for intraday liquidity management. The BCBS issued a guidance on monitoring tools for intraday liquidity management in April 2013. In compliance with the requirements of this guidance, the BRSA has initiated a study and consulted the industry in 2015 on its proposal to implement in Turkey. Throughout 2015, meetings have taken place between the BRSA, CBRT and the banks to discuss the implementation of this new reporting requirement. BRSA’s goal is to implement the intraday liquidity management in Turkey before the end of 2016, prior to the time limit set by the BCBS of January 2017.

In addition to BL, RLCR and RLA, a best practice guideline on liquidity risk management is issued which is based on Article 35 of RICAAP. GLRM is a principle based comprehensive guideline explaining the best practices and processes expected from banks regarding the management of liquidity risk. It is prepared based on the paper “Principles for Sound Liquidity Risk Management and Supervision” of BCBS and countries’ best practices.

Liquidity is reflected in the “L” in CAMELS. However, there is no concretely defined threshold that triggers supervisory action. However, supervisory concern is elevated if negative trends are detected through off-site monitoring or the GAR process. This may trigger further review of liquidity levels and management in a specialized examination. See EC 4 for further detail on the supervisory process.

EC2

The prescribed liquidity requirements reflect the liquidity risk profile of banks (including on- and off-balance sheet risks) in the context of the markets and macroeconomic conditions in which they operate.

Description and findings re EC2

According to RICAAP Article 35(4) banks are obliged to establish and implement an effective risk management system for material risks including liquidity risk.

The GLRM, paragraph 22, 23 directs that a bank’s board should approve liquidity risk management strategies, policies and procedures established by senior management and review the approved strategy at an acceptable frequency within the economic, financial and operational standards and general strategy of bank (GLRM, Paragraph 23).

Further, GLRM Paragraph 16 states that banks should determine their vulnerabilities by using the quantitative measures about concentration of funding in various maturity, contingent liquidity obligations arising from off-balance sheet activities, maturity and currency mismatches, and liquid asset holdings.

GLRM Principle 3 states that the liquidity risk appetite approved by the board of directors should reflect the banks’ willingness under both normal and stressed economic conditions. In addition, GLRM Principle 1 points out that the liquidity risk framework of a bank should include a liquidity cushion that ensures it maintains sufficient liquidity in all economic conditions.

The above requirements are part and parcel to the CAMELS review/GAR process. The criteria contained therein plus the elements included in the GLRM are part and parcel to the review.

For further expansion of the supervisory process, see EC 1 above and EC 4 below.

EC3

The supervisor determines that banks have a robust liquidity management framework that requires the banks to maintain sufficient liquidity to withstand a range of stress events, and includes appropriate policies and processes for managing liquidity risk that have been approved by the banks’ Boards. The supervisor also determines that these policies and processes provide a comprehensive bank-wide view of liquidity risk and are consistent with the banks’ risk profile and systemic importance.

Description and findings re EC3

GLRM Principle 1 requires banks to establish a robust liquidity risk management framework including the strategy, policy and procedures that ensure they maintain their businesses soundly.

GLRM paragraph 6 states that banks should establish liquidity risk management framework considering that it can maintain its business positively under periods of liquidity stress the source of which may be bank-specific or market-wide and it can meet the daily liquidity needs.

According to GLRM Paragraph 13, while establishing a risk appetite, the board of directors should consider different factors including business objectives, strategic direction, financial structure, share in financial system, funding capacity and overall risk appetite. In addition, (GLRM, Paragraphs 17 and 18) the board is also responsible for establishing a liquidity risk management structure appropriate for the bank’s activities, scale, complexity, and size and for reviewing the appropriateness of the liquidity risk management structure in the light of developments and changes in scope of bank’s business. Another responsibility of the board in this sense, is establishing a structure to ensure that internal audit should regularly review the implementation and effectiveness of liquidity risk management.

The CAMELS review/GAR process directs the supervisor to evaluate, inter alia, board approval for policies, procedures and workflows; management roles and responsibilities in policies, procedures and workflows; board oversight of implementation; and board approval of strategies. In addition, the supervisor will review the ICAAP process as it pertains to liquidity and also the LCR level and trends.

As stated, stress testing is required by the GLRM. Overall institutional stress testing is conducted as a part of the ICAAP process. More specifically, banks are required to stress their liquidity positions and the BRSA will review how those stress tests are used in the management process.

EC4

The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:

a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards;
b) sound day-to-day, and where appropriate intraday, liquidity risk management practices;
c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide;
d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and
e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.

Description and findings re EC4

The BRSA’s liquidity framework addresses each of the elements enumerated above. Please also refer to EC 1-3 above. Liquidity is comprehensively addressed through both the offsite and onsite (CAMELS review/GAR process) supervisory processes as well as through any specialized examinations deemed necessary. See the description below of the supervisory practice in this area.

As mentioned in paragraph 13 of GLRM; the board of directors should develop their liquidity risk appetite in light of the bank’s business objectives, strategic direction, financial structure, size in financial system, funding capacity and overall risk appetite.

GLRM Paragraph 29 determines that the liquidity risk management policy should take account of a bank’s liquidity needs under normal and stressed conditions and cover, at a minimum, the following key aspects:

Liquidity risk appetite established by the board of directors;
Liquidity risk management strategy—set out the general approach to liquidity (including goals and objectives ) and the liquidity risk management policies on particular aspects;
Liquidity risk management responsibilities including clearly defined authority and responsibilities of staff /unit /committee;
Liquidity risk management systems: the systems and tools for measuring, monitoring and controlling liquidity risk:

a) the setting of various liquidity limits and ratios (e.g., target liquidity ratio, maturity and currency mismatch limits, loan to deposit ratio, concentration risk limits),
b) the framework for conducting cash-flow analysis under normal and stressed economic conditions, including the techniques and behavioral assumptions used, and
c) reporting system of monitoring liquidity risk management;

Contingency plan: the approach and strategies for dealing with various types of liquidity crisis;
The new product approval process, liquidity costs in pricing and performance measuring, risks and profits (Liquidity Transfer Pricing).

According to GLRM Paragraph 24, the board of directors should be informed immediately of new and emerging concerns mentioned below:

increasing funding costs over thresholds,
the growing size of a funding gap in different maturities,
concentrations in funding sources,
negative developments in the markets from which significant funding provided,
drying up of alternative funding sources,
material or persistent breaches of limits,
a significant change/decline in the cushion of unencumbered, highly liquid assets,
increasing additional margin calls arising from the potential decline in the market price of collateral assets, and
changes in external market conditions which should signal future difficulties.

a) GLRM Principle 5 states that a bank should have a sound process for identifying, measuring, monitoring and controlling liquidity risk including projecting cash flows arising from assets, liabilities and off-balance sheet items over an appropriate set of time horizons. GLRM Paragraphs 34 to 43 articulate the details of liquidity metrics and measurement tools, risk limits, and early warning indicators.
b) GLRM Principle 10 is about Intraday Liquidity Risk Management and requires banks to actively manage their intraday liquidity to meet payment and settlement obligations on a timely basis under both normal and stressed economic conditions (paragraphs 169-175).

In addition to GLRM Paragraph 6, various paragraphs require banks to manage liquidity on a daily basis including monitoring funding requirements and measuring daily cash flows (Paragraphs 52, 57, 59, 94, 147, and 172)

c) GLRM Paragraph 44 states that banks should have a reliable management information system designed to provide the board of directors, senior management and other responsible staff with timely and forward-looking information. From GLRM Paragraph 45 (what the information systems enable banks to do) to Paragraph 51, many aspects of information systems are listed including its importance in securitizations or other financial instruments (Paragraph 46), its help for statistical or behavioral analysis (Paragraph 47), reporting purposes (Paragraphs 48 and 49).

In practice, BRSA reviews liquidity adequacy of banks and assesses the quality of liquidity management as well as banks’ internal liquidity assessments through several means. As mentioned above, the ongoing offsite monitoring process is comprehensive. As well, evaluation of liquidity, both the level and management of, is a part of the CAMELS review/GARS process conducted each supervisory cycle. Through this process, the supervisors review any changes in the bank’s stated risk appetite, policies and procedures, level of risk, and any changes in the bank’s overall business strategy. If elevated liquidity risk is identified, then the supervisors will initiate a more detailed review of the area. Two such specialized examinations were conducted in 2015.

A more detailed review of liquidity management through specialized examinations was reviewed to test implementation. Such specialized reviews begin with the IRA process (identified risk assessment). Relevant regulatory ratios will be reviewed, recent cost of funds trends (in light of the interest rate environment), any previous actions or observations. This helps feed the scope of the specialized examination.

In the specialized examination, the supervisor looks at the funding base and the mix of sources (for example, deposits, repurchase agreements, borrowings including securities issued, etc.). Large deposits (concentrations of funds providers) will be reviewed, rates paid, deposit volume and rates, available collateral, as well as the liquidity coverage ratio calculated by the bank. Scenarios can cover variable deposit outflows, movement in correspondent bank accounts, change in loan volume and off-balance sheet commitments, etc. Any relevant subsidiaries and their potential cash needs will be included. MIS will be reviewed as well as processes which might deserve increased internal control or internal audit involvement (such as manually prepared reports, monitoring tools, or transactions). If the bank has an oversight committee such as a Liquidity Risk

Committee, the supervisors may review its function. Contingency funding/liquidity plans will also be evaluated.

However, issues were identified, similar to those cited in CP 17, regarding the need for examiners to go further with their evaluations to assess the implications on internal systems and the bank(s) governance processes. For instance, the impact of a bank’s funding positions, and shifts therein, relative to the configuration of the balance sheet (high asset growth, nature and risk of growth, overall credit quality, loan: deposit ratio, etc.) should be evaluated and clearly presented. Linkages to conclusions on management and internal systems should be more explicitly provided.

EC5

The supervisor requires banks to establish, and regularly review, funding strategies and policies and processes for the ongoing measurement and monitoring of funding requirements and the effective management of funding risk. The policies and processes include consideration of how other risks (e.g., credit, market, operational and reputation risk) may impact the bank’s overall liquidity strategy, and include:

a) an analysis of funding requirements under alternative scenarios;
b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress;
c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits;
d) regular efforts to establish and maintain relationships with liability holders; and
e) regular assessment of the capacity to sell assets.

Description and findings re EC5

The GLRM addresses each of the funding parameters listed above. For example:

Paragraph 12 requires that senior management and the board of directors should have an adequate understanding of the close links between funding liquidity risk and market liquidity risk as well as how other risks (e.g., credit, market, operational and reputation risks) interact with liquidity risk and affect the liquidity risk management strategy.

According to GLRM Paragraph 52, banks should adopt a cash-flow approach in liquidity management that includes conducting regular cash-flow analysis on a range of stress scenarios. Net funding requirements are detailed in paragraphs 57-62. GLRM (Paragraphs 131, 135, and 137) states that banks should analyze the funding requirements under various stress scenarios including bank-specific scenarios, general market crisis scenarios, and combined scenarios.

GLRM Paragraph 91 requires banks to identify alternative funding sources that may be used to generate liquidity in case of needs, and assess the effectiveness of using such sources in different situations. Banks should assess the effectiveness of selling assets under various situations.

GLRM Principle 8 requires banks to maintain a cushion of unencumbered, high quality liquid assets to be held as insurance against a range of liquidity stress scenarios including those that involve the loss or impairment of unsecured and typically available secured funding sources. Paragraphs 144 to 157 clarify the properties of liquidity cushion including size and composition of cushion, characteristics of liquid assets, and operational requirements.

GLRM has a separate chapter for funding diversification and market access. Principle 6 says that banks should establish a liquidity strategy to diversify the funding sources and maturity effectively and be in a sound relationship with fund providers and strengthen presence in chosen funding markets in order to ensure funding diversification. Paragraph 79 requires banks to determine the concentration limits for each funding sources, assets and maturity segments. In determining the concentration limits, banks should take into account the type of asset and market; the nature of counterparty, issuer and fund provider; maturity; currency; geographical location and economic sector. Banks should avoid any potential concentrations in their reliance on particular funding markets or sources.

GLRM Paragraph 97 states that banks should identify and build strong relationships with current and potential investors and providers, even in funding markets facilitated by brokers and other third parties.

In Paragraph 92 the importance of market access is emphasized, senior management is made responsible to ensure that market access is being actively managed, monitored and tested by appropriate staff or unit. The following paragraphs 93-96 are related to market presence where the banks are asked to review their established systems and test their presence by borrowing funds even without need.

The CAMELS review/GAR process covers a host of issues addressing funding capacity, planning and stress testing. In addition, the sample specialized examination described in EC 4 above specifically evaluated the funding mix, shifts, contingency plans, and alternative sources of funding. Concentrations of funding were evaluated as was overall pricing and any potential shifts in market access.

EC6

The supervisor determines that banks have robust liquidity contingency funding plans to handle liquidity problems. The supervisor determines that the bank’s contingency funding plan is formally articulated, adequately documented and sets out the bank’s strategy for addressing liquidity shortfalls in a range of stress environments without placing reliance on lender of last resort support. The supervisor also determines that the bank’s contingency funding plan establishes clear lines of responsibility, includes clear communication plans (including communication with the supervisor) and is regularly tested and updated to ensure it is operationally robust. The supervisor assesses whether, in the light of the bank’s risk profile and systemic importance, the bank’s contingency funding plan is feasible and requires the bank to address any deficiencies.

Description and findings re EC6

GLRM has a separate chapter for contingency funding plan (CFP) which is defined in article 3 and explained in detail in article 13 of RICAAP. GLRM, Principle 12 requires banks to have a formal CFP that clearly sets out the strategies for addressing liquidity shortfalls in emergency situations. GLRM Paragraph 184 points out that the board of directors should approve the CFP.

GLRM Paragraph 186 states that the CFP should contain a set of policies, procedures and action plans that prepare a bank to deal with the relevant liquidity stress events assumed in the stress tests with clearly established lines of responsibility and invocation and escalation procedures. GLRM Paragraph 187 ensures that the CFP should be commensurate with a bank’s complexity, risk profile, scope of operations and role in the financial system. The design of a CFP, including its action plans and procedures, should be closely integrated with the bank’s ongoing analysis of liquidity risk, and with the results of the scenarios and assumptions used in stress tests.

GLRM Paragraph 189 points out that the CFP should articulate available potential contingency funding sources, along with the estimated amount of funds that can be derived from these sources, their expected degree of reliability, under what conditions these sources should be used and the lead time needed to tap additional funds from each of the sources.

GLRM Paragraphs 193 and 194 state that lender of last resort support should be considered as secondary sources of liquidity and banks should not assume that such support is automatically available to them during a crisis even if they have the eligible collateral.

GLRM Paragraph 196 says that the CFP should contain clear policies and procedures enabling a bank’s management to make timely and appropriate decisions, communicate the decisions effectively and execute contingency measures swiftly and proficiently. Additionally, the roles and responsibilities and internal procedures for crisis management should be defined.

GLRM Paragraph 200 points out that banks should develop a communication plan to deliver on a timely basis clear and consistent communication to internal and external parties including the central bank, the agency, correspondents and custodians, relevant local or overseas public authorities, major counterparties and customers, payment systems and other relevant parties.

GLRM Paragraph 202 states that the CFP should be subject to regular testing to ensure its effectiveness and operational feasibility, particularly in respect of the availability of the contingency sources of funding listed in it. GLRM Paragraph 205 ensures that senior management should review and update the CFP regularly, at an acceptable frequency or more often as business or market circumstances change, to ensure that it remains robust over time. Also, any changes to the CFP should be properly documented and approved by the board of directors.

The CAMELS review/GAR process directs the examiner to consider the following when evaluating the CFP including capital for liquidity risk under ICAAP; roles and responsibilities under contingency plan; operational risks emerged from deposit and money market operations; funding risk concentrations and impact on the contingency plan. Contingency funding plans are reviewed during the CAMELS process and as a part of any specialized examinations in this area.

EC7

The supervisor requires banks to include a variety of short-term and protracted bank-specific and market-wide liquidity stress scenarios (individually and in combination), using conservative and regularly reviewed assumptions, into their stress testing programs for risk management purposes. The supervisor determines that the results of the stress tests are used by the bank to adjust its liquidity risk management strategies, policies and positions and to develop effective contingency funding plans.

Description and findings re EC7

According to article 43 of RICAAP, banks shall establish and operate a stress testing program in order to measure its material risks and vulnerabilities which may arise from both negative developments peculiar to the bank and the developments in stressed economic and financial environment. More specific guidance to stress testing of liquidity risk is given in GLRM and GST.

GLRM has a separate section for stress tests. Principle 7 states that banks should conduct stress tests on a regular basis for a variety of short-term and protracted institution-specific and market-wide stress scenarios individually or in combination, to identify sources of potential liquidity strain and to ensure that current on- and off-balance sheet positions remain in accordance with banks’ established liquidity risk appetite. The outcomes should be used to adjust liquidity risk management strategies, policies and positions and to develop effective contingency plans. Paragraph 101 ensures that banks should evaluate the impact of scenarios of stressed economic conditions on consolidated and unconsolidated basis.

Additionally, GST has a special reference to liquidity risk. Paragraphs 140 to 149 deal with stress testing on liquidity risk.

As mentioned above, review of a bank’s stress tests are an important part of the ICAAP review process (which includes important liquidity considerations), the liquidity review under CAMELS, and as a part of any targeted specialized examinations. The examiners review the scenarios used by the bank and determine if the results are used for management purposes. They also evaluate how results are factored into the contingency plan.

EC8

The supervisor identifies those banks carrying out significant foreign currency liquidity transformation. Where a bank’s foreign currency business is significant, or-the bank has significant exposure in a given currency, the supervisor requires the bank to undertake separate analysis of its strategy and monitor its liquidity needs separately for each such significant currency. This includes the use of stress testing to determine the appropriateness of mismatches in that currency and, where appropriate, the setting and regular review of limits on the size of its cash flow mismatches for foreign currencies in aggregate and for each significant currency individually. In such cases, the supervisor also monitors the bank’s liquidity needs in each significant currency, and evaluates the bank’s ability to transfer liquidity from one currency to another across jurisdictions and legal entities.

Description and findings re EC8

GLRM has a separate section for Foreign Currency Liquidity Management. Paragraph 69 points out that banks should have adequate systems in place for measuring, monitoring and controlling their liquidity positions in each major currency in which they have significant activity or exposure. Paragraph 71 states that banks should formulate liquidity strategies and policies for all significant currencies and the effectiveness of such strategies and policies should be regularly reviewed. Paragraph 73 clarifies that banks should assess aggregate foreign currency liquidity needs under both normal and stressed business conditions and control currency mismatches within acceptable levels. According to paragraph 75, banks should set and regularly review the limits to control the size of cumulative net mismatches over particular time bands (one day, seven days and one month) for significant currencies.

Moreover, GLRM paragraph 103 ensures that stress tests should be performed for separately for significant currencies as well as for all currencies in aggregate.

Many banks in the system run large USD banking books and have meaningful foreign currency exposures. To a large extent, these exposures are hedged, though the hedges may be of shorter maturities than the exposures, creating roll over risk which it is important to assess and to manage. The supervisory process, both in the CAMELS review/GAR methodology process and in the specialized examinations as well as through offsite monitoring, is required to address foreign currency exposure management.

Additional criteria

AC1

The supervisor determines that banks’ levels of encumbered balance-sheet assets are managed within acceptable limits to mitigate the risks posed by excessive levels of encumbrance in terms of the impact on the banks’ cost of funding and the implications for the sustainability of their long-term liquidity position. The supervisor requires banks to commit to adequate disclosure and to set appropriate limits to mitigate identified risks.

Description and findings re AC1

Assessment of Principle 24

Compliant

Comments

The BRSA has set up a comprehensive framework for liquidity regulation, monitoring, and assignment of bank responsibilities. Regulation is in some cases more rigorous than international benchmarks. A wide range of tools is in place for monitoring banks’ liquidity positions and funding experience. The CAMELS review/GAR methodology addresses liquidity, and specialized examinations are conducted when a change in trends or strategy is detected. As well, the BRSA underwent a Regulatory Consistency Assessment of its Basel III LCR regulations for which it received a “compliant” rating.

However, review of onsite documents indicated that conclusions regarding liquidity, funding stability, and management processes stopped short of considering other areas of the balance sheet, growth trends, asset quality, and management processes, etc to support conclusions. Such issues are critical to the overall review process and should be captured and clearly conveyed in examination documents to supported supervisory observations. This is particularly important given that some banks may have tight liquidity positions including relatively high loan to deposit ratios.

The central bank has taken a number of steps in recent years to support the strengthening of foreign currency funding. There appears to be an opportunity to strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Given the potential foreign exchange roll over risk residing in banks’ positions, consideration could be given to increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.

Principle 25

Operational risk. The supervisor determines that banks have an adequate operational risk management framework that takes into account their risk appetite, risk profile and market and macroeconomic conditions. This includes prudent policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk⁶⁶ on a timely basis.

Essential criteria

EC1

Law, regulations or the supervisor require banks to have appropriate operational risk management strategies, policies and processes to identify, assess, evaluate, monitor, report and control or mitigate operational risk. The supervisor determines that the bank’s strategy, policies and processes are consistent with the bank’s risk profile, systemic importance, risk appetite and capital strength, take into account market and macroeconomic conditions, and address all major aspects of operational risk prevalent in the businesses of the bank on a bank-wide basis (including periods when operational risk could increase).

Description and findings re EC1

BRSA published GORM, 2015, that is prepared based on “Principles for the Sound Management of Operational Risk” and other countries’ best practices. The principles contained in this guideline present a comprehensive approach to addressing operational risk within banks. It is prepared as a reference to effectively implement and establish operational risk management systems. As with all regulatory issuances, GORM is intended to be adapted to each bank’s level of size, activity and complexity.

Principle 6 of GORM requires banks to have a risk management process and appropriate means to be able to regularly identify, measure, assess, monitor and control the operational risk exposure due to their products, activities, processes and systems.

According to Principle 1 of GORM, a bank’s operational risk management framework should determine that operational risks are consistently and comprehensively identified, assessed, controlled, mitigated, monitored and reported. BRSA requires banks to implement the operational risk management framework considering; i) organizational structure (board oversight, senior management, business lines, independent corporate risk management unit, internal control and internal audit), ii) risk culture iii) operational risk management strategies, policies and procedures (including written work flow diagram) and iv) operational risk management process (the processes to identify, assess, monitor, control, mitigate and report operational risk ) and declare the framework in a written document.

Section VI of GORM gives requirements for building strategy, policies and procedures regarding operational risk as well as an example of determining operational risk strategy, policies and procedures and corporate strategy of a bank. Article 35 requires that, operational risk management process begins with the determination of the overall strategies and long-term objectives of a bank. Once determined, the bank can identify the associated inherent risks in its strategy and objectives, and thereby establish an operational risk management strategy and develop an operational risk management framework appropriate to all these strategies. Article 36 requires all business units⁶⁷ to develop supplementary policies and procedures specific to their business based on and in consistence with the corporate operational risk management framework. It has great importance to establish written work flow diagrams within the procedures.

According to paragraph 4 of the GORM, banks should consider these principles in accordance with their capital adequacy, risk profile and risk appetite. As well, a bank’s operational risk management should be commensurate with the organizational structure, size, complexity, risk profile and business line.

According to RICAAP Article 53(2) all banks are required to implement a measurement and assessment process to cover Pillar 1 risks including operational risk. Bank reporting to the board of directors on operational risk is detailed in GORM paragraph 45.

The level of operational risk in the system is considered moderate by the BRSA. The team was informed that the major sources of operational losses revolve largely around fraud and human error. The sophistication of the operational risk management systems in a bank is considered by the BRSA in relation to the size, complexity, and nature of a bank’s activities and systems. Banks are required to track their loss history over time. Operational loss history/risk must be conveyed through banks’ ICAAP reports. Banks are using either the BIA or STA approach to calculate capital charges.

Overall operational risk is assessed largely through the CAMELS review/GAR process. The examiners review all relevant policies, processes and strategies pertaining to operational risk across each relevant unit in the given bank. During this review a range of factors, including, banks size, nature, complexity, capital strength, risk appetite and risk profile are taken into consideration. Operational risk is a specific focus element in the preparation of the risk matrix, using the SMRAC procedures.

EC2

The supervisor requires banks’ strategies, policies and processes for the management of operational risk (including the banks’ risk appetite for operational risk) to be approved and regularly reviewed by the banks’ Boards. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.

Description and findings re EC2

RICAAP regulates general framework for all internal systems and GORM gives requirements that is only specific for operational risk. Article 5(2) of RICAAP defines responsibilities of the Board which includes determination and approval of policies, procedures, strategy for each risk type (including operational risk) and also identification of risk appetite. Article 8(2) also gives the responsibility and duty to senior management to implement the strategies and policies approved by the Board. Furthermore, the board of directors is responsible for approving and reviewing a risk appetite and tolerance statement on the basis of general and sub factors (e.g., business line, product, unit) for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume and establish the system and processes for implementing these functions (GORM Principle 3).

The board of directors are required to oversee that the policies, processes and systems are implemented effectively at all decision levels. For example, GORM paragraph 45 requires regular reporting to the Board on overall status of operational risk in the bank, any particular risk areas or weaknesses, likely impact of major events on the bank’s operational risks, etc. As well, boards should be informed about operational risks that may arise with the introduction of new products.

As part of the routine supervision cycle, BRSA determines whether there is a reporting and monitoring process that enables Board of Directors to review limits, policies, procedures and processes concerning operational risk. The GAR process requires the examiners to evaluate whether policies, procedures and work flow diagrams are up to date and approved by Board of Directors.

EC3

The supervisor determines that the approved strategy and significant policies and processes for the management of operational risk are implemented effectively by management and fully integrated into the bank’s overall risk management process.

Description and findings re EC3

As stated in EC2, the Board of Directors are required to establish, approve and periodically review the operational risk framework (GORM Principle 2). Strategies, policies and procedures are a part of operational risk framework according to the GORM paragraph 7.

Operational risk management process begins with the determination of the overall strategies and long-term objectives of a bank. Once determined, the bank can identify the associated inherent risks in its strategy and objectives, and thereby establish an operational risk management strategy and develop an operational risk management framework appropriate to all these strategies. The risk appetite of the bank and basic elements regarding its management should be determined and documented in the operational risk management frame work (GORM 35). GORM presents an operational example of what such a process may be in paragraph 36.

Monitoring process of the operational risk, should be integrated with the bank’s routine activities and in this context the operational risk potential of each business line should be assessed, in this assessment process the frequency and nature of changes in the operating environment should also be taken into account (GORM 44).

Banks are required to give detailed information regarding identification, measurement, control and risk appetite of operational risk within their ICAAP reports. These sections are assessed through the CAMELS review/GAR methodology and off-site BRSA audit teams.

EC4

The supervisor reviews the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans to assess their feasibility in scenarios of severe business disruption which might plausibly affect the bank. In so doing, the supervisor determines that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.

Description and findings re EC4

RICAAP Article 13 is about business continuity management and plan. Banks must establish a business continuity management structure approved by the board of directors in order to ensure the sustainability of activities in case of an interruption or to save them on time to minimize operational, financial, legal and reputational costs.

According to GORM Principle 10, banks need to have a business continuity plan to be able to continue their activities on an ongoing basis and limit losses in the event of severe business disruption. Negative condition scenarios created by the bank should be assessed for their financial, operational and reputational impact and the resulting risk assessment should be the foundation for recovery priorities and objectives (GORM paragraph 71).

Each bank should establish business continuity plans considering their size, activity nature, and complexity of their processes. These plans should outline possible responses according to different types of likely or plausible scenarios to which the bank may be vulnerable. Some of the possible events may include incidents that damage or render accessibility to the bank’s facilities, telecommunication or information technology infrastructures, or events that affect human resources as well as broader disruptions to the financial system altogether (GORM Paragraph 70). Continuity plans should be tested periodically including preparation of an impact analysis (GORM paragraph 71).

All the disaster recovery and business continuity plans are tested at least once in a year according to RICAAP article 13. These tests are reviewed by BRSA on-site examination teams during the GAR process once a year. Examiners are required to determine if there is a business continuity plan approved by Board of Directors and if this plan is tested by the bank. As well, they check to see if the business continuity plan contains the policies, responsibilities and duties during business disruption cases.

EC5

The supervisor determines that banks have established appropriate IT policies and processes to identify, assess, monitor and manage technology risks. The supervisor also determines that banks have appropriate and sound IT infrastructure to meet their current and projected business requirements (under normal circumstances and in periods of stress), which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.

Description and findings re EC5

BRSA uses framework explained in CP9/EC3 for identifying, assessing, monitoring and managing technology risks.

Also GORM has a special section on ‘IT capacity and security and change of IT systems, facilities and equipment’ provisions being explained in paragraphs 59-62.

Regarding IT, the BRSA requires banks to receive an IT audit every 2 years by the bank’s external auditor. The team was informed that most internal audit departments in banks have some resource in this area. The BRSA has IT specialists who review external audit’s IT reports, conduct their own examinations, and participate in the CAMELS onsite examinations as needed. On occasion, they may participate in MIS reviews conducted by the commercial examiners. They evaluate the external audits and also conduct their own examinations. The questions contained in GAR are relatively high level for which answers are derived primarily from the external audit IT report or are referred to the BRSA’s IT department.

EC6

The supervisor determines that banks have appropriate and effective information systems to:

a) monitor operational risk;
b) compile and analyze operational risk data; and
c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.

Description and findings re EC6

BRSA uses framework explained in CP9/EC3 for identifying, assessing, monitoring and managing technology risks. As well, see EC 2 above for requirements for board reporting.

In RICAAP Article 21(3) requires internal audit system of banks to review information systems including electronic information system and electronic banking services and it also evaluates the accuracy and reliability of accounting records and financial reports.

Additionally, RICAAP Article 57 (1) internal audit system should review the adequacy of the system and processes and accuracy of the data used in the ICAAP Reports and send their findings to BRSA according to Article 63 (5).

Also GORM has a special section on ‘IT capacity and security and change of IT systems, facilities and equipment provisions being explained in paragraphs 59-62.

EC7

The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.

Description and findings re EC7

Section IV of RCA is about calculation of RWA for operational risk for regulatory capital. The calculations are submitted to BRSA via two annual supervisory reports (OR500YS/OR500YK).

The reporting mechanisms for operational risk are viewed through the CAMELS review process/GAR methodology by on-site BRSA examiners as well. During relevant special examinations, examiners are required to evaluate certain systems and reporting. For example, examiners are required to determine if there is a system for reporting operational risks on SME, corporate, commercial loans (regarding incorrect operations, abuse, suspicious financial transactions). During the review of sample special examinations, the team observed issues and deficiencies in these areas cited and communicated in the reports and to bank management.

It is required that banks send their ICAAP reports to BRSA once in a year since 2013. Banks have to provide sufficient information about both Pillar 1 and Pillar 2 risks at ICAAAP report. In this context all banks have to give information about identification, measurement, management, control, risk appetite and risk limits. All ICAAP reports are evaluated by BRSA. Banks also must report their operational loss history to the BRSA.

EC8

The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:

a) conducting appropriate due diligence for selecting potential service providers;
b) structuring the outsourcing arrangement;
c) managing and monitoring the risks associated with the outsourcing arrangement;
d) ensuring an effective control environment; and
e) establishing viable contingency planning.

Outsourcing policies and processes require the bank to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.

Description and findings re EC8

According to the Article 35 of BL, the banks will, before outsourcing certain allowable activities, prepare a written report to be submitted to the Agency if and when it is required, containing the probable risks of outsourcing services to be received, and management of such risks, as well as the expected benefits and costs thereof.

The Article 5 (1) of Regulation on Receiving Outsourcing Services by Banks (RROS) states that banks contracting outsourcing services are obliged to:

a) Identify needed outsourcing services in each relevant area;
b) Studies for necessary transformation, internal regulation, infrastructure and training at the stage of transition to outsourcing services,
c) Coordination of responsibilities concerning the issues of supervision, measurement and evaluation, reporting and security in connection with outsourcing services
d) Risks that may have arisen from receiving outsourcing activities and a contingency plan to be implemented in case of any interruptions or delays in services in any manner along with the management of these risks and substitutability of received outsourcing services
e) The impact of outsourced areas on the internal control, internal audit, and risk management to be done by the bank for operations and process that are related to thereof.

According to the Article 7 of RROS it is obligatory that the contracts to be signed between the banks and of outsourcing service providers must explicitly state issues such as the subject matter, scope and term of outsourcing services, fees to be paid for services and responsibilities of the parties.

Within the scope of the above mentioned rules, BRSA examines compliance to these regulations. There is a specific question about this EC in the annex of GAR module. FSAID 2495 requires BRSA on-site examination teams to asses if there is an effective monitoring and controlling system of operational risk arising from outsourcing activities. While answering the question above-mentioned BRSA examiners sources are indicated in GAR module as below;

Due diligence activities,
Outsourcing contracts,
Activities to manage and monitor the risk arising from outsourcing activities,
Contingency plans to be implemented in unexpected cases.
Policies and processes about outsourcing activities.

Additional criteria

AC1

The supervisor regularly identifies any common points of exposure to operational risk or potential vulnerability (e.g., outsourcing of key operations by many banks to a common service provider or disruption to outsourcing providers of payment and settlement activities).

Description and findings re AC1

Assessment of Principle 25

Compliant

Comments

Oversight of operational risk is anchored in RICAAP and further expanded in the GORM which comprehensively addresses relevant aspects of this risk. The supervisory process explicitly addresses this risk through the evaluation of the ICAAP process and reports submitted by banks as well as through the GAR process and as a part of MIS evaluation and controls during specialized examinations.

Principle 26

Internal control and audit. The supervisor determines that banks have adequate internal control frameworks to establish and maintain a properly controlled operating environment for the conduct of their business taking into account their risk profile. These include clear arrangements for delegating authority and responsibility; separation of the functions that involve committing the bank, paying away its funds, and accounting for its assets and liabilities; reconciliation of these processes; safeguarding the bank’s assets; and appropriate independent⁶⁸ internal audit and compliance functions to test adherence to these controls as well as applicable laws and regulations.

Essential criteria

EC1

Laws, regulations or the supervisor require banks to have internal control frameworks that are adequate to establish a properly controlled operating environment for the conduct of their business, taking into account their risk profile. These controls are the responsibility of the bank’s Board and/or senior management and deal with organizational structure, accounting policies and processes, checks and balances, and the safeguarding of assets and investments (including measures for the prevention and early detection and reporting of misuse such as fraud, embezzlement, unauthorized trading and computer intrusion). More specifically, these controls address:

a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance);
b) accounting policies and processes: reconciliation of accounts, control lists, information for management;
c) checks and balances (or “four eyes principle”): segregation of duties, crosschecking, dual control of assets, double signatures; and
d) safeguarding assets and investments: including physical control and computer access.

Description and findings re EC1

Mainly, the BL and RICAAP regulate the issues regarding internal control and audit systems. In addition to these two, RCGB establishes the responsibilities of the board and senior management with respect to corporate governance to ensure that there is effective control over a bank’s entire business.

Article 23, 29 of the BL states that banks are obliged to establish and operate adequate and efficient internal control, risk management and internal audit systems that are in harmony with the scope and structure of their activities, that can respond to changing conditions and that cover all their branches and undertakings subject to consolidation in order to monitor and control the risks that they encounter. These systems should be compliant with relevant legislation, secure financial reporting systems, and assign authorities and responsibilities in the bank. These duties are further expanded in RICAAP.

Further, BL article 30 requires that banks:

(i) ensure the execution of their activities in compliance with the legislation, bank’s internal regulations and banking ethics;
(ii) secure the integrity and reliability of accounting and reporting systems and timely accessibility of information through continuous control activities to be complied with and performed by the personnel at any level;
(iii) ensure the functional separation of the duties and the sharing of powers and responsibilities regarding the payments of funds, the reconciliation of bank’s transactions, safeguarding assets and controlling liabilities;
(iv) identify and evaluate any risk encountered and prepare the infrastructure required for managing such risks; and
(v) construct an adequate network for information exchange.

Pursuant to the same article, internal control checks are required to be carried out by the internal control department; the internal control personnel must work under the board of directors. RICAAP further establishes reporting to the BRSA expands the obligations and requirements of BL article 30 cited above including requirements for independent internal audit and compliance functions to test adherence to these controls.

The BRSA follows a dynamic supervisory approach with a risk-focused point of view in order to ensure the efficiency, continuity and adequacy of the supervision process and efficient usage of supervision resources. Article 5 of the RAA defines the risk focused supervision approach. The RFS approach aims to configure the scope and intensity of the supervision as well as the allocation of supervision resources and supervision activities taking into consideration the risk profile, the existence and adequacy of internal control and risk management systems of the institutions subject to the regulation and supervision of the BRSA.

During the ICAAP examinations, the BRSA reviews the quality of the bank’s risk management, internal control and internal audit functions pursuant to section 4 of the GAA.

The CAMELS review/GAR process addresses internal systems, controls and internal audit in various areas. Special inspections also involve checks of internal controls as relevant. Internal Systems is defined as one of the main activity fields to be examined if it is assessed as a risky field by the on-site examination teams. However, see BCP principle 14/15 for issues on conclusions drawn during the supervisory process.

EC2

The supervisor determines that there is an appropriate balance in the skills and resources of the back office, control functions and operational management relative to the business origination units. The supervisor also determines that the staff of the back office and control functions have sufficient expertise and authority within the organization (and, where appropriate, in the case of control functions, sufficient access to the bank’s Board) to be an effective check and balance to the business origination units.

Description and findings re EC2

On-site examination teams review and determine whether the personnel responsible for control functions have sufficient skills and expertise. For example, questions in the GAR process address the sufficiency, effectiveness and frequency of the training activities surrounding anti-money laundering control activities. As well, steps in the GAR process direct the examiner to evaluate the follow-up mechanism for deficiencies cited in internal control and audit reports including to what extent the findings in these reports are corrected by relevant business units. Evaluation of the control functions and back office activities are guided by the GAR process as well as tested during special inspections. For example, review of several special inspection reports and procedures revealed shortcomings in the areas of internal controls and reporting. As well the GAR process directs examiners to determine if the performance of internal systems personnel is assessed by the board and not by the executive units of the bank. This is to provide the basis for assessing the independence of the internal systems personnel. During these processes, shortcomings and staffing issues with internal control staff as well as operational staff are able to be identified.

During the preparation of the risk matrix (one of the end products of the supervisory cycle), guided by SMRAC, requires input on internal control and audit functions.

Please also refer to EC1 for regulations regarding the internal systems of banks.

EC3

The supervisor determines that banks have an adequately staffed, permanent and independent compliance function⁶⁹ that assists senior management in managing effectively the compliance risks faced by the bank. The supervisor determines that staff within the compliance function is suitably trained, have relevant experience and have sufficient authority within the bank to perform their role effectively. The supervisor determines that the bank’s Board exercises oversight of the management of the compliance function.

Description and findings re EC3

Pursuant to Article 5(1) of the RICAAP, the board of directors has the ultimate responsibility for the establishment and sufficient and effective functioning of the internal systems.

Article 4(2) of RICAAP requires banks to establish their internal systems directly linked to the board of directors. In other words, in order to ensure the independency of the units in the internal systems of banks including compliance function, these units should not be established under business lines within the organizational structure of the bank. Although they are not obliged to according to RICAAP regulation, banks generally have separate compliance units directly connected to the Board of Directors. On-site examination teams assess the compliance of the bank’s internal systems with this regulation.

Please refer to EC1 for the assessments regarding the skills and training of the internal systems staff.

EC4

The supervisor determines that banks have an independent, permanent and effective internal audit function⁷⁰ charged with:

a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and
b) ensuring that policies and processes are complied with.

Description and findings re EC4

All banks are required to have independent and adequately functioning internal audit departments. As mentioned in EC2 and EC3, the BRSA evaluates the independence, permanence and effectiveness of the internal systems of the bank. All these assessments are valid for internal audit function as well. As a result, guided by the GAR methodology, on-site examination teams assess the independence of internal audit function as they assess the independence of internal systems. As well, examiners determine whether internal audit activities are effectively and sufficiently covered on a consolidated basis.

The GAR process also directs review of reports submitted to the board (audit committee). On-site examiners take into consideration the effectiveness of policies, process and internal controls while responding to these questions.

EC5

The supervisor determines that the internal audit function:

a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing;
b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations;
c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes;
d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties;
e) employs a methodology that identifies the material risks run by the bank;
f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and
g) has the authority to assess any outsourced functions.

Description and findings re EC5

With respect to (a); Article 5(2)(ç) of RICAAP requires the board of directors to ensure the allocation of sufficient resources for the units in internal systems of the bank. Additionally, RICAAP 22(3) (c) states that the manager of the internal audit unit is obliged to assess whether the internal auditors have the qualifications required by their powers and responsibilities, prepare training programs to improve their professional knowledge, skills and abilities, and monitor whether they are performing their duties independently and objectively with the necessary professional diligence and attention.

With respect to b), the BRSA legislation involves several provisions on the independence of internal auditors. As previously mentioned, the internal audit function, being a part of the internal systems of the bank, shall be directly under the board of directors. Further, Article 23(1) of RICAAP stipulates that the internal auditors are required to perform their duties and responsibilities objectively and independently. To this end, they shall not be accountable to anyone in the bank management other than the manager of the internal audit unit, the relevant internal systems manager and the board of directors and, in the performance of their duties, they are required to be free from any conflicts of interest stemming from reasons such as personal or family relations or their position within the bank. Audit findings are submitted to the audit committee and to the board of directors through the audit committee as well as the follow-up of the corrective actions pursued by the department subject to the audit.

With respect to (c), article 26(5) of RICAAP, states that the risk evaluations shall be regularly reviewed. Events that may affect the risk evaluations such as new products, new systems, changes to the Law and other applicable legislation, and changes in organization or personnel in important positions, vertical changes in volume and amount of activities shall be communicated by unit managers to the internal audit unit, which shall in turn review the risk evaluations in the light of such changes.

With respect to (d), Article 23(3) of RICAAP requires the board of directors to ensure that the internal auditors are properly authorized to access all units of the bank, to obtain information from any personnel of the bank, and to have access to all records, files and data of the bank, so that they may effectively perform their duties and responsibilities.

With respect to (e), Article 26 of the ICAAP requires banks to effectively perform their internal audit activities following a risk focused approach, based on the risk assessments of the internal audit unit. In that context, risk assessments, made on an annual basis, requires the utilization of risk measurement and rating systems to assess the activity and control risks in significant business units and products and to determine their materiality.

With respect to (f), Article 27 of the RICAAP include provisions on internal audit plans. In that context, internal audit plans are required to be prepared on the basis of the risk assessments made pursuant to Article 26 and to allocation of resources of the internal audit department. The internal audit plans can be reviewed and updated by the assent of the board of directors.

With respect to (g) Article 7(2)(o) of the RICAAP stipulates that members of the audit committee are responsible for making risk assessments about the support services received by the bank, for submitting their assessments to the board of directors and, monitoring the sufficiency of the support service provided to the bank.

Internal audit is assessed by the on-site examination teams through the CAMELS review/GAR methodology during the course of the supervisory cycle. Among the aspects evaluated in this area, the examiners i) review audit plans in comparison to previous years plans as well as relative to the understood risks of the bank; ii) review audit reports (including loan audits, branch reports, etc.); iii) staff adequacy and turnover as well a budget sufficiency; iv) training received; iv) audit access to business units and internal functions, etc. Observations and views on internal audit are factored into the CAMELS ratings process through the “M”.

Assessment of Principle 26

Compliant

Comments

The legal framework is comprehensive in this area, both as it is articulated in the requirements for internal systems and separately as requirements specifically directed to the internal audit function. Review of the internal audit process is an important part of the onsite (GAR) process covered each supervisory cycle. However, targeted or specialized examinations of the internal audit process, leveraging the GAR results as well as specialized examination results as partial inputs, could enhance the validation of this important function. Such validation by the BRSA is important in order for it to maintain or increase the degree of confidence (and therefore, dependence) it can place in audit outputs as early warning indicators of shifting risk.

Principle 27

Financial reporting and external audit. The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor’s opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function.

Essential criteria

EC1

The supervisor⁷¹ holds the bank’s Board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally and that these are supported by recordkeeping systems in order to produce adequate and reliable data.

Description and findings re EC1

BL article 39 requires the financial reports prepared by banks to be signed, with names, surnames and titles indicated, by the chairman of the board of directors, the members of the audit committee, general manager, deputy general manager responsible for financial reporting as well as the relevant unit manager or equivalent authorities, declaring that the financial report is in compliance with the legislation pertaining to financial reporting and with the accounting records.

Additionally, BL article 37 requires banks, in line with the principles and procedures to be determined by the Board in consultation with POA and associations of institutions, to account all transactions in an accurate manner and to present financial reports in a clear, reliable, and comparable way. In cases where it is determined that the financial statements have been mispresented, the BRSB shall be authorized to take necessary measures.

Based on the BL, the RAP brings the Turkish banking system’s accounting practices in line with the TFRS which are issued by the POA as the Turkish translations of the IFRS. There are 2 notable differences in the implementation of TFRS in banks and financial institutions with IFRS: 1) a bank group’s consolidated accounts capture the financial subsidiaries but not the nonfinancial subsidiaries, and 2) loan loss provisions reflect the BRSA’s requirements. Banks will be required to implement the upcoming IFRS 9 for provisioning in line with the timeframe specified by the standards.

EC2

The supervisor holds the bank’s Board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion as a result of an audit conducted in accordance with internationally accepted auditing practices and standards.

Description and findings re EC2

According to BL article 39 (2), the annual financial reports to be presented by banks to their general assembly, are required to be approved by independent audit firms. Article 4 (2) of the REAB requires independent auditing firms to conduct their audits in banks in alignment with the principles and procedures stipulated in the Turkish Auditing Standards (TSAs) which are issued as Turkish translation of International Standards of Audit (ISAs). In addition, article 4(4) of the REAB requires banks to have their quarterly financial statements audited by independent audit firms in compliance with the provisions laid down in REAB as well as the TSAs. In that context, financial statements of banks are required to be subject to interim limited audit as of the end of March, June and September and to annual full-scope audit as of the end of December.

EC3

The supervisor determines that banks use valuation practices consistent with accounting standards widely accepted internationally. The supervisor also determines that the framework, structure and processes for fair value estimation are subject to independent verification and validation, and that banks document any significant differences between the valuations used for financial reporting purposes and for regulatory purposes.

Description and findings re EC3

BRSA published GFVM in order to explain the best practices for determining the fair value of financial instruments as well as the associated risk management and internal procedures. Banks are required to classify and report financial instruments in their financial reports in alignment with relevant accounting and regulatory reporting requirements.

Further, GFVM paragraph 23 that any models used in the valuation process (internally developed or purchased from external sources), including any material changes made in the model, are required to be validated and regularly reviewed by an independent expert, both before it is used initially as well as during its use. The independent validation team should have reporting lines independent of risk taking units. The GFVM goes on to provide baseline parameters that should be addressed as a part of the validation process.

GFVM paragraph 29 also requires internal and external audit to review the control environment, the availability and reliability of information used in the valuation process, and the reliability of estimated fair values. External and internal audit should include the price verification processes and testing valuations of significant transactions. Audit programs should also evaluate whether the disclosures about fair values made by the bank are in accordance with the applicable accounting standards.

Paragraph 35 of GFVM states that any significant differences between fair values included in financial reporting and those used for risk management purposes or used in regulatory reporting, should be reported to the senior management. In cases where there is material uncertainty surrounding the valuation practices, the BRSA may consider conducting tests on portfolio valuations.

As a part of its supervisory process, the BRSA evaluates a bank’s financial instruments valuation practices incorporating relevant governance, risk management, and control practices and takes these evaluations into consideration when assessing capital adequacy. This includes an evaluation of the process of valuation including reviewing the pricing information used in the process, surrounding control environment, and determining the impact of the valuations on capital adequacy. The examiners also verify audit coverage of the processes and management’s response to any cited deficiencies. On-site examination teams also assess whether bank management adequately understands the valuation methodologies and calculations. The examiners also assess if computer systems are used in the valuation of banks’ securities and derivatives portfolios are validated by independent teams.

In addition, the assessment team reviewed an example of a special check on valuation and transaction activity the BRSA conducted. The objective of the review was to determine the propriety and risk involved in certain business areas. Thorough review of the valuation process was conducted.

EC4

Laws or regulations set, or the supervisor has the power to establish the scope of external audits of banks and the standards to be followed in performing such audits. These require the use of a risk and materiality based approach in planning and performing the external audit.

Description and findings re EC4

In general terms, the scope of external audit of banks is set by Article 4 of the REAB. Accordingly, external audit of banks is to be carried out in accordance with the TSAs which is the Turkish version of the ISAs, to provide a fair assurance on reliability and accuracy of financial statements as well as accounting and recording systems, including assessment of compliance, adequacy and effectiveness of banks’ internal and financial reporting systems. Also, BRSA is authorized to require banks or external auditors to initiate a special purpose external audit on specific matters regulated in the BL and related regulations, or on specific subjects of importance to be determined by BRSA.

TSA 320⁷², Turkish version of ISA 320, Materiality in Planning and Performing an Audit, regulates the responsibility of auditors to apply the concept of materiality in planning and performing an audit of financial statements. Paragraph 5 of the annex of TSA 320 states that “The concept of materiality is applied by the auditor both in planning and performing the audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report.” and materiality and audit risk is explained in paragraph A1.

EC5

Supervisory guidelines or local auditing standards determine that audits cover areas such as the loan portfolio, loan loss provisions, non-performing assets, asset valuations, trading and other securities activities, derivatives, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.

Description and findings re EC5

See also EC 1 & 2 enumerating use of TFRS and TSA standards in the auditing and accounting process. Article 4 of the REAB stipulates that the external audit of banks is conducted with the purpose of providing an opinion with regard to the accuracy and reliability of the accounts, records and financial statements of banks as well as their compliance with all relevant regulations issued pursuant to the BL. Article 17 covers the issues related to the assessment of the adequacy of internal controls over financial reporting of banks. As a consequence, external audit covers all areas mentioned in EC5.

As well, in the process of scoping and conducting CAMELS review/GAR methodology process, the external auditors’ IT audit reports and consolidated and non-consolidated audit reports are used as important inputs.

EC6

The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to or does not adhere to established professional standards.

Description and findings re EC6

The POA sets financial reporting and auditing standards in compliance with international standards. BL articles 15 and 33 empower the BRSA to authorize or terminate the appointment of banks’ external audit firms.

BL article 15, 33 authorizes the BRSA to evaluate and publish the names of audit firms deemed acceptable to conduct audits in banks. The BRSB has the power to remove the external audit firm from the list when it is deemed to have inadequate expertise or independence, or when it is not subject to or does not adhere to established professional standards.

EC7

The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.

Description and findings re EC7

Article 26 (1) (ç) of the Regulation on Independent Audit (RIA⁷³) issued by the POA states that external audit firms and auditors are not allowed to undertake the audits for the entities for which they have conducted the audit activity for seven years within the last ten years for audit firms and five years within the last seven years for auditors, including the ones employed at an audit firm, prior to the extinction of a three-year period following the date of the last audit.

EC8

The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.

Description and findings re EC8

The BRSA started meeting with external auditors last year. The first meeting was held February 2015 and included 4 international firms and two domestic external auditing firms. Prior to that, BRSA had, on occasion, met with selected firms when important issues of common interest arose. As well, on-site examination teams meet with external auditing teams in the bank(s) frequently to discuss the issues of common interest. These meetings are arranged by on-site examiners when necessary.

EC9

The supervisor requires the external auditor, directly or through the bank, to report to the supervisor matters of material significance, for example failure to comply with the licensing criteria or breaches of banking or other laws, significant deficiencies and control weaknesses in the bank’s financial reporting process or other matters that they believe are likely to be of material significance to the functions of the supervisor. Laws or regulations provide that auditors who make any such reports in good faith cannot be held liable for breach of a duty of confidentiality.

Description and findings re EC9

BL article 33 (2) directs “If, during their audits, external audit firms detect any matter that may endanger the existence of the bank or an evidence demonstrating that their managers have severely violated the Law or the articles of association, the external audit firms shall promptly notify the BRSA thereof. Such notification does not mean the violation of the professional confidentiality principles and agreements or the obligations pertaining to confidentiality”.

Principles and procedures related to this obligation are also regulated in more detail in the Article 17 (3), (4), (5), (6) and (7) of the REAB.

Additional criteria

AC1

The supervisor has the power to access external auditors’ working papers, where necessary.

Description and findings re AC1

Assessment of Principle 27

Compliant

Comments

Procedures surrounding financial reporting and external audit are well established. Accounting standards closely follow IFRS and provisioning standards are set to dovetail with the implementation of IFRS 9. Valuation procedures for financial assets are comprehensive. BRSA conducts review of valuation procedures and of valuation models as a part of the onsite examination process. Parameters for banks’ external audit process are well established.

Principle 28

Disclosure and transparency. The supervisor determines that banks and banking groups regularly publish information on a consolidated and, where appropriate, solo basis that is easily accessible and fairly reflects their financial condition, performance, risk exposures, risk management strategies and corporate governance policies and processes.

Essential criteria

EC1

Laws, regulations or the supervisor require periodic public disclosures⁷⁴ of information by banks on a consolidated and, where appropriate, solo basis that adequately reflect the bank’s true financial condition and performance, and adhere to standards promoting comparability, relevance, reliability and timeliness of the information disclosed.

Description and findings re EC1

According to the BL article 37 banks are required to prepare their financial reports which include financial statements and disclosure in accordance with TASs and TFRSs (Turkish version of IASs and IFRSs) published by the POA. Article 10 of the RAP states that the year-end financial report includes financial statements, supplemental information required by the BRSA, and the external audit report. Article 14 of the RAP regulates rules and procedures on publication of banks’ financial reports. Additionally, pursuant to Articles 1 and 4(4) of the CPD, banks are required to prepare their public disclosures on a solo and consolidated basis quarterly and annually.

EC2

The supervisor determines that the required disclosures include both qualitative and quantitative information on a bank’s financial performance, financial position, risk management strategies and practices, risk exposures, aggregate exposures to related parties, transactions with related parties, accounting policies, and basic business, management, governance and remuneration. The scope and content of information provided and the level of disaggregation and detail is commensurate with the risk profile and systemic importance of the bank.

Description and findings re EC2

Pursuant to BL article 40, banks are required to prepare annual reports that contain information about banks’ status, management and organization structures, human resources, activities, financial situations, assessment of the management and expectations from the future; together with financial statements, summary of board of directors’ report and external auditing report. These annual reports are utilized during the planning phase of on-site supervision.

As well, other parameters for disclosure are covered in the RPPAP (Regulation on Principles and Procedures Concerning the Preparation and Publishing of Annual Reports), RAP (Regulation for Accounting Practices), CPD (Communique on Financial Statements Disclosed to the Public by Banks), and CDRM (Communique on Disclosures about Risk Management).

CPD article 4 stipulates the composition of financial statements: balance sheet, off balance sheet items, income statement, table concerning the income and expenses items recognized as equity, statement of changes in equity, statement of cash flow, and statement of profit distribution.

The structure of the bank and its basic business lines are required to be disclosed including the structure of the bank and the consolidated organization, capital structure of the parent bank and others, activities of the parent bank, risk exposures, transactions with related parties, and accounting policies. Risk disclosures are governed by articles 7-15.

RPPAP and RAP require banks to prepare and disclose annual reports and interim reports (quarterly). RPPAP article 6 (1) (b) addresses additional, nonfinancial information to be disclosed such corporate governance practices within the bank, intra-company transactions, etc.

CDRM, entering into force March 2016 focuses on the individual and consolidated risk management information to be disclosed by banks. This Communiqué is prepared in alignment with Basel Pillar III disclosure requirements. Risk management disclosure requirements in this Communiqué are complementary to the other disclosure requirements stated in the third section of CPD.

Remuneration disclosures laid out by GBCP should be provided as a part of Pillar III disclosures required by CDRM in accordance with the general principles and procedures set out in that Communiqué. Banks other than systemically important banks should implement mentioned requirements proportionately.

The CAMELS review/GAR methodology directs examiners, inter alia, to review various elements of banks’ annual reports and remuneration. As well, on-site examiners are to analyze the banks’ policies about disclosure and through the GAR process.

EC3

Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.

Description and findings re EC3

According to CCFS, banks are required to prepare consolidated financial statements and announce them in their web sites. The scope/exemptions of this consolidation are laid down in article 5.

CPD article 4 (2) requires the disclosure of the information about the capital structure of the parent bank and direct and indirect parties who influence the management or supervision of the parent bank. Parent banks are required to disclose information on the name/commercial title of the natural or legal persons holding their qualified shares and information about the entities and the scope of consolidation. Banks are also required to give information on related parties consistent with TAS 24.

EC4

The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.

Description and findings re EC4

As of December 2015, there are 52 banks in Turkey and 16 of them are publicly traded. These 16 banks’ disclosure standards are reviewed by Public Disclosure Platform which is a governmental agency.

Furthermore, the Communiqué on Material Events Disclosure,⁷⁵ issued by the CMB, sets forth the principles and procedures related to public disclosure of information, events and development which may affect the value or price of securities or the investment decisions of investors. These disclosures are submitted to the Public Disclosure Platform via Borsa Istanbul, published in the web-site of the bank and kept in the web-site for 5 years.

BRSA regularly evaluates the timeliness and content of external audit/annual reports for compliance with regulatory parameters. It is within this context that the BRSA would review Pillar III disclosures.

EC5

The supervisor or other relevant bodies regularly publishes information on the banking system in aggregate to facilitate public understanding of the banking system and the exercise of market discipline. Such information includes aggregate data on balance sheet indicators and statistical parameters that reflect the principal aspects of banks’ operations (balance sheet structure, capital ratios, income earning capacity, and risk profiles).

Description and findings re EC5

BRSA has been quarterly publishing “Main Banking Indicators” series via internet since June 2014. The BRSA website also includes interactive daily, weekly and monthly bulletins and facilitates users’ requests for information by tailor made reports. (Please see the link in the footnote)⁷⁶.

Additional criteria

AC1

The disclosure requirements imposed promote disclosure of information that will help in understanding a bank’s risk exposures during a financial reporting period, for example on average exposures or turnover during the reporting period.

Description and findings re AC1

Assessment of Principle 28

Compliant

Comments

Banks are required to disclose their financial statements according to TFRS and TAS, the Turkish version of IFRS and IAS, on both a solo basis and consolidated basis. Disclosure requirements for nonfinancial information are adequate. BRSA regularly evaluates the timeliness and content of external audit/annual reports for compliance with regulatory parameters and Pillar III disclosures.

Principle 29

Abuse of financial services. The supervisor determines that banks have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the financial sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities.⁷⁷

Essential criteria

EC1

Laws or regulations establish the duties, responsibilities and powers of the supervisor related to the supervision of banks’ internal controls and enforcement of the relevant laws and regulations regarding criminal activities.

Description and findings re EC1

The Turkish regime against money laundering is governed by the Law no. 5549 on Prevention of Laundering Proceeds of Crime (AML Law). The last revision of the act was made in 2014. There is a separate Law no. 6415 on the Prevention of Financing of Terrorism (TF Law) adopted on 16.02.2013. The money laundering offense is set forth in the Article 282 of the Turkish Criminal Law.

The role of the Financial Intelligence Unit (FIU):

Turkey has established a FIU called MASAK. The duties and powers of MASAK are determined in the Article 19 of the AML Law and Article 16 of the TF Law.

MASAK is the main supervisory authority for AML/CFT related issues. Duties and powers of MASAK include developing policies and implementation strategies, preparing legislation, collecting and analyzing data, receiving suspicious transaction reports and deciding on and coordinating inspections regarding AML/CFT issues.

The supervision of AML/CFT obligations is exercised by different sector supervisors from the BRSA, Treasury and CMB on behalf of MASAK.

The role of the BRSA:

According to article 11 of the AML Law, on-site inspections are conducted by the MASAK through different sector supervisors including the bank examiners and experts of the BRSA. The BRSA serves as the “technical arm” of the MASAK for AML/CFT supervisory matters. The MASAK examination teams are formed according to the MASAK requirements on a case by case basis.

However, in addition to the inspections required by the MASAK, as a part of the on-site supervision of banks, the BRSA oversee AML/CFT compliance in the banking industry. In that context, the on-site teams examine and evaluate the adequacy and effectiveness of banks’ policies, procedures, work-flows, human resources management and internal control systems in relation to the relevant regulations. The GAR Module of the BRSA has specific questions on AML/CFT related issues.

In this context, AML/CFT policies, implementation procedures, human resources and control systems are examined by the BRSA. These examinations are mostly done during the ratings process assessing the following issues:

- Whether the bank employs relevant number of personnel charged for AML/CFT issues commensurate with its scale and operations and whether they are sufficiently qualified, whether bank’s personnel is subject to an adequate level of training with respect to AML/CFT issues and whether the frequency of training is commensurate with the scale and operations of the bank,
- Whether the bank uses an adequately structured IT framework with regard to AML/CFT issues commensurate with the scale and operations of the bank,
- Whether the criteria underlying the above mentioned IT framework are regularly reviewed, and updated where it is deemed necessary,
- Whether the authorization and responsibilities of the compliance officer is documented and is adequate,
- Whether the bank has a policy document regarding the AML/CFT issues approved by the Board of Directors and whether this document is adequate,
- Whether the bank has written criteria for detection of suspicious transactions,
- Whether the bank has adequately established procedures regarding the authorization of the relevant personnel for incorporating revisions to the IT framework established for the detection of suspicious transactions,
- Whether the bank has documented its CDD policies, including issues on documents to be demanded from the customers and procedures for verification of the accuracy of these documents,
- Whether the internal controls with regard to the effectiveness and applicability of cross controls are adequate,
- Whether the internal audit unit of the bank has special audits on AML/CFT issues,
- Whether the findings of the internal audit are followed up by the bank’s management,
- Whether the bank has an adequate internal assessment report about the AML/CFT issues,
- In the context of consolidated supervision, whether the parent company of the bank has written policy documents on AML/CFT issues,
- Whether the home country of the parent company is subject to the supervision of an FIU.

These assessments are then incorporated into the CAMELS rating methodology under the “Management” component.

Recently, the BRSA has established a Commission, composed of 4 senior bank examiners, responsible for coordinating AML/CFT examinations. These examinations will be conducted starting from the second half of 2016. For that purpose, the Commission prepared a Supervisory Manual on AML/CFT Issues (SMAMLCFT) approved by the Chairman.

According to this manual on-site examiners are initially required to make an AML/CFT related risk assessment of the bank. The manual includes analysis and assessments under 8 sections: Organizational Structure, Compliance, Training of the Personnel, Internal and External Audit, Reporting Requirements, Process Audits, Retention of Documents, Secrecy.

EC2

The supervisor determines that banks have adequate policies and processes that promote high ethical and professional standards and prevent the bank from being used, intentionally or unintentionally, for criminal activities. This includes the prevention and detection of criminal activity, and reporting of such suspected activities to the appropriate authorities.

Description and findings re EC2

The supervisory requirements on policies and processes to prevent institutions from being used for criminal activities are contained in the AML Law, TF Law and subsequent sub-regulations, namely the Regulation on Measures Regarding Prevention of Laundering proceeds of Crime and Financing of Terrorism (ROM), Regulation on Program of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism (ROC) and Regulation on the Procedures and Principles Regarding the Implementation of Law on the Prevention of Financing of Terrorism (ROT). Furthermore, the MASAK prepared a formal supervision manual in 2010 called “Guidance on the Supervision of Obligation”. This guidance involves check-lists for the obligors to provide examiners with formal supervisory tools.

AML general compliance inspections aim at preventing and detecting criminal activities in banks. As mentioned in EC1, the inspections are planned and coordinated by the MASAK using banking experts of the BRSA. The inspections follow a risk-based approach focusing on risk factors determined by the MASAK and relevant supervisory authorities. When elaborating the annual supervisory plans, the MASAK coordinates with the supervisory authorities the time frame and availability of human resources to AML/CFT supervision.

The examinations conducted in banks regarding AML/CFT issues by BRSA and MASAK during the last two years are summarized in the following table:

Year	Number of Banks Examined	Examination Type
2014	23	General Compliance with laws and regulations regarding AML/CFT
2015	11	General Compliance with laws and regulations regarding AML/CFT
2014	18	Examinations related to violations of Suspicious Transactions Reporting, CDD, Training-Internal Systems-Other Measures
2015	16	Examinations related to violations of Suspicious Transactions Reporting, CDD, Training-Internal Systems-Other Measures

The findings of these examinations are followed up by MASAK and shared with BRSA’s management along with the other related information when requested.

Banks obligation to report suspicious activities related to money laundering or terrorist financing activities are clearly established in article 4 of the AML Law and ROM, chapter 4. The obligation is to report these activities to the MASAK only.

EC3

In addition to reporting to the financial intelligence unit or other designated authorities, banks report to the banking supervisor suspicious activities and incidents of fraud when such activities/incidents are material to the safety, soundness or reputation of the bank.⁷⁸

Description and findings re EC3

Banks are required to report only to the MASAK any suspicious activities pursuant to the Article 4 of the AML Law.

EC4

If the supervisor becomes aware of any additional suspicious transactions, it informs the financial intelligence unit and, if applicable, other designated authority of such transactions. In addition, the supervisor, directly or indirectly, shares information related to suspected or actual criminal activities with relevant authorities.

Description and findings re EC4

Pursuant to the Article 40 of the ROM, the BRSA informs the MASAK when it becomes aware of any suspicious transactions or criminal activity. The MASAK is responsible for transmitting the information to judicial and other relevant authorities.

EC5

The supervisor determines that banks establish CDD policies and processes that are well documented and communicated to all relevant staff. The supervisor also determines that such policies and processes are integrated into the bank’s overall risk management and that there are appropriate steps to identify, assess, monitor, manage and mitigate risks of money laundering and the financing of terrorism with respect to customers, countries and regions, as well as to products, services, transactions and delivery channels on an ongoing basis. The CDD management program, on a group-wide basis, has as its essential elements:

a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks;
b) a customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant;
c) policies and processes to monitor and recognize unusual or potentially suspicious transactions;
d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk);
e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and
f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period.

Description and findings re EC5

Supervisory determinations on CDD policies and processes are mostly defined in the ROM and the ROC. As mentioned in EC1, the BRSA examines CDD and AML/CFT polices and process of banks under the management component of the ratings process. Regarding the essential elements of the CDD management program:

a) customer acceptance policy is not explicitly mentioned in the regulation;
b) customer identification, verification and due diligence program, including beneficial ownership are covered by the ROM, mostly on chapter 3.
c) policies and processes to monitor and recognize unusual or potentially suspicious transactions are covered by the RoM, chapter 4.
d) escalation to the senior management level of decisions on entering into business relationships with high-risk accounts is covered in articles 12 and 13 of the RoC.
e) enhanced due diligence on politically exposed persons is not defined in the regulation. The BRSA and MASAK explained that since PEPs are involved in high risk groups, they are indirectly subject to also the other obligations such as the obligation to pay special attention to certain transactions, the obligations concerning new technologies or risky countries (the Articles 18, 20 and 25 of the ROM, respectively).
f) rules on what records must be kept on CDD are established by article 8 of the AML Law. The obliged parties (including banks) should maintain the documents, books and records for eight years from the last record date, and must keep identification document for eight years from the last transaction date.

EC6

The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:

a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and
b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.

Description and findings re EC6

Article 23 of the ROM provides the measures to be taken by financial institutions with regard to correspondent banking and payable-through accounts. Financial institutions are obliged to apply enhanced due diligence measures in their correspondent banking relationships and assess the AML and terrorist financing system of the respondent financial institution.

More specifically, article 23 of the ROM states that financial institutions are required to take necessary measures in foreign correspondent relationships in order to obtain, by making use of publicly available resources, reliable information on whether the respondent financial institution has been subject to a money laundering and terrorist financing investigation and been punished, its business field, reputation and the adequacy of supervision on it. Banks are also required to assess AML and terrorist financing system of the respondent financial institution and to ascertain that the system is appropriate and effective. Financial institutions must also obtain approval from a senior manager before establishing new correspondent relationships.

According to Article 23 of the ROM, it is forbidden for financial institutions to establish correspondent relationship with shell banks and financial institutions about which they cannot be sure that these institutions do not permit their accounts to be used by shell banks.

EC7

The supervisor determines that banks have sufficient controls and systems to prevent, identify and report potential abuses of financial services, including money laundering and the financing of terrorism.

Description and findings re EC7

In addition to broad regulation on internal controls issued by the BRSA, including IRCAAP, the ROM requires financial institutions to establish appropriate risk management systems to follow up permanently the transactions made by their customers and analyze the compatibility of these transactions with the profile of the customer in order to identify and report potential suspicious transactions. Furthermore, ROC, chapter 7, establishes requirements for internal controls related to AML/CFT.

The BRSA assesses on a regular basis, as part of the ratings process, whether banks internal systems and controls are appropriately addressing AML/CFT issues. These inspections include, but are not limited to the adequacy of the IT framework, internal controls and bank’s policy and internal audit function in relation to AML/CFT. Furthermore, MASAK coordinates compliance inspections with AML/CFT regulation. Please refer to EC1.

EC8

The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities.

Description and findings re EC8

The MASAK is the only authority empowered to sanction financial institutions in case of non-compliance with the AML/CFT requirements.

Articles 13 and 14 of the AML Law specify the administrative fines and judicial penalties in failure to comply with obligations prescribed in the law. Furthermore, the Article 39(2) of the ROM, extends the administrative fines applicable for failure to comply with the CDD and suspicious transaction reporting obligations. Administrative fines are imposed by the MASAK.

The Article 14 of the TF Law stipulates that MASAK will monitor the compliance of institutions and persons holding assets with the freezing measures and the Article 15 of the TF Law sets out the penal sanctions applicable for failure to comply with freezing decisions.

The MASAK is also authorized to take any violation of Articles 4(2), 7 and 8 of the AML Law to the public prosecutor in order to allow the violating bank to be subjected to judicial penalty. (Article 4(2) is on disclosing the information in the suspicious transaction reports. Article 7 is on providing all kinds of information requested by MASAK. Article 8 is on the obligation of obliged parties to retain the documents, books and records for eight years.)

Although the powers of BRSA set out under the BL are not directly related to money laundering or terrorist financing crimes, the BRSA is authorized by law to implement administrative penalties to a bank that does not comply with its duties. The BRSA is also empowered to take any criminal activity by a bank to the public prosecutor. Among those criminal activities are failure to submit data and documents, failure to comply with the obligation of records keeping, false statement, non-recording transactions, non-factual accounting and embezzlement.

EC9

The supervisor determines that banks have:

a) requirements for internal audit and/or external experts⁷⁹ to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports;
b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported;
c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and
d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities.

Description and findings re EC9

a) The requirements for internal audit are established in the RICAAP and are assessed by the on-site examiners of the BRSA. Please also refer to CP 26 on internal control and audit.
b) Requirements for establishing compliance programs are prescribed in the ROC. The regulation includes requirements regarding the adoption of policies and procedures, the establishment of monitoring processes and controls and the appointment of a compliance officer to whom potential abuses of the bank’s financial services are reported.
c) MASAK regulation includes provisions to ensure high ethical and professional standards when hiring staff but those measures only address the screening of senior management.
d) Chapter 6 of the ROC includes provisions on the training of the staff on AML/CFT matters.

EC10

The supervisor determines that banks have and follow clear policies and processes for staff to report any problems related to the abuse of the banks’ financial services to either local management or the relevant dedicated officer or to both. The supervisor also determines that banks have and utilize adequate management information systems to provide the banks’ Boards, management and the dedicated officers with timely and appropriate information on such activities.

Description and findings re EC10

MASAK (ROM) requires banks to report suspicious transactions (STR) via their compliance officers. The ROC, particularly chapter two, requires the establishment of institutional policies and procedures related to STR. Chapter 7 provides guidance on the internal controls.

Obliged parties send their institutional policies to MASAK that evaluate their adequacy. Additionally, articles 24 and 28 of the ROC requires the obligors to report detailed information on staff training and the works carried out in the scope of internal control activities.

General compliance inspections are carried out by the BRSA on behalf of MASAK. Please also refer to EC2.

EC11

Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable.

Description and findings re EC11

A member of a bank’s staff who reports suspicious activity in good faith will be protected under article 10 of the AML Law. According to this article, natural and legal persons fulfilling their obligations in accordance with this Law will not be subject to civil and criminal liability.

EC12

The supervisor, directly or indirectly, cooperates with the relevant domestic and foreign financial sector supervisory authorities or shares with them information related to suspected or actual criminal activities where this information is for supervisory purposes.

Description and findings re EC12

MASAK is authorized to exchange views and information on the subjects within the scope of its duties. In that manner, MASAK may exchange information and documents with foreign counterparts and sign MoU (art. 12 of the AML law) establishing the basis for cooperation.

MASAK has been a member of the Egmont Group of FIUs since 1998. As member, MASAK is able to exchange information related to money laundering, and predicate offenses resulting in money laundering, with other members of the Egmont Group using the Egmont Secure Web and in accordance with the “Statements of Purpose of the Egmont Group and its Principles for Information Exchange.

The BRSA is also authorized by Article 98 of the BL to cooperate and exchange information regarding financial institutions and financial markets with any counterpart supervisory authority. Please refer to CP13.

MASAK and BRSA have signed a protocol on information exchange and working arrangements. Please also refer to EC2.

EC13

Unless done by another authority, the supervisor has in-house resources with specialist expertise for addressing criminal activities. In this case, the supervisor regularly provides information on risks of money laundering and the financing of terrorism to the banks.

Description and findings re EC13

As explained in EC1, the MASAK is the main supervisory authority for AML/CFT related issues pursuant to the Articles 11 and 9(1) (i) of the AML Law. Duties and powers of the MASAK include developing policies and implementation strategies, preparing legislation, collecting and analyzing data, receiving suspicious transaction reports and coordinating inspections on AML/CFT issues.

The MASAK conducts training activities for the obligors as well as the relevant regulatory and supervisory authorities. Within this framework, the MASAK conducted 6 workshops in 2014 with 64 participants from the Tax Inspection Board, Customs and Trade Ministry Inspection Board, BRSA, Comptrollers Board of the Treasury, Insurance Supervision Board of the Treasury and Capital Markets Board. Additionally, 5 workshops were conducted with 490 participants from the obligors including banks, insurance and pensions corporations and Islamic banks.

The BRSA also maintains a team of experts on AML/CFT issues in charge of inspections, drafting manuals and disseminate the expertise.

Finally, the MASAK provides information on risks of money laundering and the financing of terrorism to the banks in the form of handbooks, workshops and frequent contacts and discussions.

Assessment of Principle 29

Largely Compliant

Comments

The scope of the assessment of this principle was limited to the applicable regulation and the BRSA activities. It did not include MASAK coordinated inspections and other activities.

The AML law and related regulations forms the framework to prevent the abuse of financial services. The framework includes customer due diligence (CDD) rules and procedures to report suspicious transactions but have shortcomings that need to be addressed. In particular, the CDD requirements should include a customer acceptance policy that identifies business relationships that the bank will not accepted based on identified risks and enhanced due diligence on politically exposed persons. The framework should also require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

Principle 14

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

MIS and its unrestricted access by examiners including the bank’s information systems and data including the bank’s foreign branches.
assessment of the accounting and financial reporting systems including adequacy of written processes for accounting and financial reporting, efficiency and effectiveness of the internal control/audit on these systems, the existence and number of manual and/or retrospective interventions on the accounting and financial reporting systems.
assessment of the internal systems which include internal control, risk management and internal audit which includes evaluation of the relevant structure, procedures, policies, compliance with the enforcement actions instructed by BRSA, and adequacy of contingency action plans.
assessment of the organization, management and business strategies including the objectives and reality of the strategic plan and its risks, organizational policies and procedures and internal regulations, duties and responsibilities of the staff, the relation between the bank’s board’s and senior managers’ success and the bank’s financial performance, risk management and compliance level.
assessment of human resources including evaluation of the policies and implementations in human resources management. As well, feedback from bank staff is considered and staff turnover in critical areas.

While assessing above mentioned elements, examiners more specifically address:

compliance of board numbers and qualifications;
if relevant policies, procedures, and workflows approved by the board and are they clearly defined; do conflicts of interest exist among procedures or workflows;
if a corporate governance committee exists; if an internal CG policy exists;
if a “corporate governance compliance report” exists;
policy on disclosure and transparency;
monitoring process for breaches in policies, procedures, limits and for informing the board.

EC3

Description and findings re EC3

EC4

Board members are suitably qualified, effective and exercise their “duty of care” and “duty of loyalty”.³³

Description and findings re EC 4

See EC3 above.

EC5

Description and findings re EC5

EC6

Description and findings re EC6

establishing the organizational structure and human resources policy of the bank and to determine the criteria for the appointment of senior management and
determining the written strategies, policies and the implementation procedures concerning the activities of the units included within the scope of the internal systems and ensuring that these are implemented and maintained effectively and coordinated with each other.

EC7

Description and findings re EC7

EC8

Description and findings re EC8

EC9

Description and findings re EC9

Additional criteria

AC1

Description and findings re AC1

Assessment of Principle 14

Materially Non-compliant

Comments

Principle 15

Essential criteria

EC1

a) a sound risk management culture is established throughout the bank;
b) policies and processes are developed for risk-taking, that are consistent with the risk management strategy and the established risk appetite;
c) uncertainties attached to risk measurement are recognized;
d) appropriate limits are established that are consistent with the bank’s risk appetite, risk profile and capital strength, and that are understood by, and regularly communicated to, relevant staff; and
e) senior management takes the steps necessary to monitor and control all material risks consistent with the approved strategies and risk appetite.

Description and findings re EC1

EC2

a) to provide a comprehensive “bank-wide” view of risk across all material risk types;
b) for the risk profile and systemic importance of the bank; and
c) to assess risks arising from the macroeconomic environment affecting the markets in which the bank operates and to incorporate such assessments into the bank’s risk management process.

Description and findings re EC2

EC3

The supervisor determines that risk management strategies, policies, processes and limits are:

a) properly documented;
b) regularly reviewed and appropriately adjusted to reflect changing risk appetites, risk profiles and market and macroeconomic conditions; and
c) communicated within the bank.

Description and findings re EC3

EC4

Description and findings re EC4

EC5

Description and findings re EC5

EC6

Where banks use models to measure components of risk, the supervisor determines that:

a) banks comply with supervisory standards on their use;
b) the banks’ Boards and senior management understand the limitations and uncertainties relating to the output of the models and the risk inherent in their use; and
c) banks perform regular and independent validation and testing of the models
d) The supervisor assesses whether the model outputs appear reasonable as a reflection of the risks assumed.

Description and findings re EC6

EC7

Description and findings re EC7

EC8

Description and findings re EC8

EC9

Description and findings re EC9

EC10

Description and findings re EC10

EC11

The supervisor issues standards related to, in particular, credit risk, market risk, liquidity risk, interest rate risk in the banking book and operational risk.

Description and findings re EC11

EC12

Description and findings re EC12

EC13

a) promotes risk identification and control, on a bank-wide basis
b) adopts suitably severe assumptions and seeks to address feedback effects and system-wide interaction between risks;
c) benefits from the active involvement of the Board and senior management; and
d) is appropriately documented and regularly maintained and updated.

Description and findings re EC13

EC14

Description and findings re EC14

Additional criteria

AC1

Description and findings re AC1

Assessment of Principle 15

Largely Compliant

Comments

Principle 16

Essential criteria

EC 1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

Description and findings re EC4

Groups	Domestic Systemically Important Banks (D-SIBs) Buffer rates (%)
Group 4- empty	3
Group 3	2
Group 2	1,5
Group 1	1

EC5

The use of banks’ internal assessments of risk as inputs to the calculation of regulatory capital is approved by the supervisor. If the supervisor approves such use:

a) such assessments adhere to rigorous qualifying standards;
b) any cessation of such use, or any material modification of the bank’s processes and models for producing such internal assessments, are subject to the approval of the supervisor;
c) the supervisor has the capacity to evaluate a bank’s internal assessment process in order to determine that the relevant qualifying standards are met and that the bank’s internal assessments can be relied upon as a reasonable reflection of the risks undertaken;
d) the supervisor has the power to impose conditions on its approvals if the supervisor considers it prudent to do so; and
e) if a bank does not continue to meet the qualifying standards or the conditions imposed by the supervisor on an ongoing basis, the supervisor has the power to revoke its approval.

Description and findings re EC5

EC6

a) to set capital levels and manage available capital in anticipation of possible events or changes in market conditions that could have an adverse effect; and
b) to have in place feasible contingency arrangements to maintain or strengthen capital positions in times of stress, as appropriate in the light of the risk profile and systemic importance of the bank.

Description and findings re EC6

AC1

Description and findings re AC1

AC2

The supervisor requires adequate distribution of capital within different entities of a banking group according to the allocation of risks.⁴⁴

Description and findings re AC2

Assessment of Principle 16

Compliant

Comments

Principle 17

Essential criteria

EC1

Description and findings re EC1

Internal limits and ratios
Legal limits and ratios
Individual borrower limits
Sector concentration limits
NPLs figures (received from the credit review department)
Recent trends and developments in the portfolio(s) taking into account market and macroeconomic information

Past due status of the borrowers
Change in system generated risk ratings
Collateral status and coverage
Customer limits
Risk Center monitoring for developing borrower(s) trends
Opines on restructuring loans
Deteriorating credit as detected from past due information

Based on this design, which may vary in practice from institution to institution, the board has indeed established a (credit) risk management unit that complies with the letter of the law. Through this mechanism, the unit is able to provide high level trend and other analysis information.

• There is no independent verification (i.e., independent loan review function) that determines that 1) management identification processes are accurate and timely, 2) management, itself, is accurately recognizing its business risk, and 3) timely borrower intervention is activated.
• This critical input forms the basis of important MIS going to the board.
• Examiners, through their inspection process, have identified important, clearly inaccurate classifications of credit that could easily indicate key issues with 1-3 above. However, the significance of these inaccurate classifications was not clear from the examination samples reviewed. Consistently, there was no indication of the size of the sample of reviewed credits, how significant the aggregate, inaccurately classified credit was to the total portfolio, and if such findings could be extrapolated to the entire portfolio.

EC2

Description and findings re EC2

EC3

The supervisor requires, and regularly determines, that such policies and processes establish an appropriate and properly controlled credit risk environment, including:

a) a well-documented and effectively implemented strategy and sound policies and processes for assuming credit risk, without undue reliance on external credit assessments;
b) well defined criteria and policies and processes for approving new exposures (including prudent underwriting standards) as well as for renewing and refinancing existing exposures, and identifying the appropriate approval authority for the size and complexity of the exposures;
c) effective credit administration policies and processes, including continued analysis of a borrower’s ability and willingness to repay under the terms of the debt (including review of the performance of underlying assets in the case of securitization exposures); monitoring of documentation, legal covenants, contractual requirements, collateral and other forms of credit risk mitigation; and an appropriate asset grading or classification system;
d) effective information systems for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis;
e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff;
f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary; and
g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

Description and findings re EC3

Special Mention (“close monitoring”) – > 30 up to 90 days
Substandard (“limited collectability”) - > 90 up to 180 days (provisioning: 20%)
Doubtful - > 180 days to 1 year (50%)
Loss - > over 1 year (100%)
Credits classified substandard and worse are considered nonperforming.

are required to be monitored closely due to such reasons as observation of negative developments in solvency or cash flow of the debtor, or suspecting of such developments, or the borrower’s bearing a substantial and material financial risk
These elements indicate that, on a financial basis, the current sound worth and paying capacity of the borrower is exhibiting well defined credit weaknesses – the concrete definition of substandard.
The substandard definition reflects very similar parameters and goes on to state:
(credits) which fully have a limited collectability due to inadequacy of shareholders’ equity or guarantees of the borrower in repayment of debts on due dates thereof, and which may probably cause damages and losses if the observed problems are not corrected or remedied; or
creditworthiness of the borrower weakened and which is accepted to have been weakened

d) MIS for accurate and timely identification, aggregation and reporting of credit risk exposures to the bank’s Board and senior management on an ongoing basis In addition to the general requirements regarding information systems of banks in RICAAP Article 11, Principles 6-8 of the GCM include the provisions for the documentation and information systems for credit risk. Principle 6 requires that information and documents concerning credits for each customer should be easily accessible, principle 7 requires banks to establish effective information systems with respect to the credit management. Moreover, in accordance with Principle 8 banks should design information systems in line with the size and complexity of their operations. Also in line with paragraph 56, results of internal system analysis will be shared regularly with senior management and audit committee regarding their importance.
e) prudent and appropriate credit limits, consistent with the bank’s risk appetite, risk profile and capital strength, which are understood by, and regularly communicated to, relevant staff The RICAAP, specifically Article 5, requires that boards set an appropriate risk appetite and that risk limits are established commensurate with the risk appetite, capital, and management resource of the bank. The regulation requires effective communication of the risk appetite and limit structures through the bank.
f) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board where necessary.

g) effective controls (including in respect of the quality, reliability and relevancy of data and in respect of validation procedures) around the use of models to identify and measure credit risk and set limits.

EC4

Description and findings re EC4

EC5

The supervisor requires that banks make credit decisions free of conflicts of interest and on an arm’s length basis.

Description and findings re EC5

EC6

Description and findings re EC6

EC7

The supervisor has full access to information in the credit and investment portfolios and to the bank officers involved in assuming, managing, controlling and reporting on credit risk.

Description and findings re EC7

EC8

The supervisor requires banks to include their credit risk exposures into their stress testing programs for risk management purposes.

Description and findings re EC8

Assessment of Principle 17

Materially Non-compliant

Comment

Principle 18

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

The effectiveness of the internal rating system of the bank,
Whether the internal procedures as well as the MIS system of the bank allow for the board and management to obtain timely and appropriate information on the condition of the loan portfolios,
Whether the internal procedures of the bank established for monitoring the loan portfolios and classification of the loans are in compliance with the relevant legislation,
Whether the findings of the internal audit and internal control groups about the problem assets are sufficiently taken into account by the bank’s management,
Robustness of the collateral data used for capital adequacy calculations,
The adequacy of the provisioning levels of the bank in relation to regulatory requirements and with respect to the risk profile and quality of the credit risk management system of the bank,
The accuracy of loan classification based on a sufficiently large examination sample of loans.

the loan reports produced by the bank,
list of loans categorized in the second group (special mention) pursuant to REPL,
list of loans past due,
the report of potential problem loans produced by the off-site team,
previous examination reports produced by the BRSA with respect to the loan portfolio of the bank,
list of obligors classified in the 2nd group (special mention) by other banks pursuant to the REPL,
list of restructured/rescheduled loans.
the selection of the sample of individual loans pays particular attention to the significance of the individual loan in the portfolio and to the fact that the examination sample adequately represents the total loan portfolio of the bank. In every instance, on-site team examines at least the 200 firms/obligors having the highest level of risk in the total loan portfolio.

EC3

The supervisor determines that the bank’s system for classification and provisioning takes into account off-balance sheet exposures.⁵¹

Description and findings re EC3

EC4

Description and findings re EC4

Asset Classification	Past Due Period	Provisioning (Net of Collateral for special provisions)
		Loans	Off-balance Sheet
Group 1/Standard⁵²	up to 30	.5% - 5.0%⁵³	O% - .20%
Retail w/extension		10%⁵⁴	0% - .20%
Group 2/Special	30 - 90	2%	.4%
Mention
Retail		10%	.4%
Group 3/Substandard	90 - 180	20%	20%
Group 4/Doubtful	180 - 360	50%	50%
Group 5/Loss	◾360	100%	100%

- if the loan is classified as NPL by any bank,
- if the loan is classified as NPL by any non-bank financial institution,
- based on the information received from on-site supervision function, if it is classified as NPL by the on-site examination team,
- if the loan is transferred to an asset management company.

EC5

Description and findings re EC5

EC6

Description and findings re EC6

EC7

Description and findings re EC7

EC8

Description and findings re EC8

EC9

Laws, regulations or the supervisor establish criteria for assets to be:

a) identified as a problem asset (e.g., a loan is identified as a problem asset when there is reason to believe that all amounts due, including principal and interest, will not be collected in accordance with the contractual terms of the loan agreement); and
b) reclassified as performing (e.g., a loan is reclassified as performing when all arrears have been cleared and the loan has been brought fully current, repayments have been made in a timely manner over a continuous repayment period and continued collection, in accordance with the contractual terms, is expected).

Description and findings re EC9

EC10

Description and findings re EC10

EC11

Description and findings re EC11

EC12

Description and findings re EC12

Assessment of Principle 18

Materially Non-compliant

Comments

Management’s understanding of their business and credit risk, ability to identify deterioration proactively – thereby allowing for early intervention.
Implications for internal systems => function, role, and independence of credit risk management – thereby validating the systems that the bank’s board and the BRSA depends upon in order to effectively oversee the institution. As well, these systems are key to the exercise of risk based supervision by the BRSA.
Inputs to evaluate corporate governance of the bank.
Accuracy of information conveyed to the board and the BRSA

Principle 19

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

The supervisor regularly obtains information that enables concentrations within a bank’s portfolio, including sectoral, geographical and currency exposures, to be reviewed.

Description and findings re EC4

EC5

Description and findings re EC5

EC6

Description and findings re EC6

EC7

The supervisor requires banks to include the impact of significant risk concentrations into their stress testing programs for risk management purposes.

Description and findings re EC7

Additional criteria

AC1

In respect of credit exposure to single counterparties or groups of connected counterparties, banks are required to adhere to the following:

a) ten per cent or more of a bank’s capital is defined as a large exposure; and
b) twenty-five per cent of a bank’s capital is the limit for an individual large exposure to a private sector non-bank counterparty or a group of connected counterparties.

Minor deviations from these limits may be acceptable, especially if explicitly temporary or related to very small or specialized banks.

Description and findings re AC1

Assessment of Principle 19

Compliant

Comments

Principle 20

Essential criteria

EC1

Description and findings re EC1

a) members of the board of directors, general manager, deputy general managers and employees that are authorized to extend loans; their spouses and children under their custody; and the undertakings where they individually or jointly own twenty-five percent or more of the capital,
b) employees other than those mentioned in sub-paragraph (a) and their spouses and children under their guardianship,
c) funds, associations, unions or foundations established by or for their employees.

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

Description and findings re EC4

EC5

Description and findings re EC5

EC6

Description and findings re EC6

EC7

The supervisor obtains and reviews information on aggregate exposures to related parties.

Description and findings re EC7

Assessment of Principle 20

Largely Compliant

Comments

Principle 21

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

a) The supervisor (or some other official authority) decides on appropriate minimum provisioning by regularly setting fixed percentages for exposures to each country taking into account prevailing conditions. The supervisor reviews minimum provisioning levels where appropriate.
b) The supervisor (or some other official authority) regularly sets percentage ranges for each country, taking into account prevailing conditions and the banks may decide, within these ranges, which provisioning to apply for the individual exposures. The supervisor reviews percentage ranges for provisioning purposes where appropriate.
c) The bank itself (or some other body such as the national bankers association) sets percentages or guidelines or even decides for each individual loan on the appropriate provisioning. The adequacy of the provisioning will then be judged by the external auditor and/or by the supervisor.

Description and findings re EC4

EC5

The supervisor requires banks to include appropriate scenarios into their stress testing programs to reflect country and transfer risk analysis for risk management purposes.

Description and findings re EC5

EC6

Description and findings re EC6

Assessment of Principle 21

Compliant

Comments

Principle 22

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

The supervisor determines that the bank’s policies and processes establish an appropriate and properly controlled market risk environment including:

a) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of market risk exposure to the bank’s Board and senior management;
b) appropriate market risk limits consistent with the bank’s risk appetite, risk profile and capital strength, and with the management’s ability to manage market risk and which are understood by, and regularly communicated to, relevant staff;
c) exception tracking and reporting processes that ensure prompt action at the appropriate level of the bank’s senior management or Board, where necessary;
d) effective controls around the use of models to identify and measure market risk, and set limits; and
e) sound policies and processes for allocation of exposures to the trading book.

Description and findings re EC3

a) a framework to identify risks;
b) an appropriately detailed structure of market risk limits that are consistent with the institution’s risk appetite, risk profile and capital strength, and which are understood by, and regularly communicated to, relevant staff;
c) guidelines and other parameters established by the bank and used to govern market risk-taking;
d) rules and criteria for allocation of positions to the trading book;
e) appropriate management information system (MIS) for accurate and timely identification, aggregation, monitoring, controlling, and reporting of market risk, including transactions between the bank and its affiliates, to the institution’s Board and senior management;
f) exception tracking and reporting processes that ensure prompt action at the Board or senior management level, where necessary;
g) effective controls around the use of models to identify and measure market risk;
h) valuation policies, including policies and processes for considering and making appropriate valuation adjustments for uncertainties in determining the fair value of assets and liabilities (concentrated or less liquid positions); and
i) action plans for possible concentrated risks (pricing differences, keeping more capital, more frequent reporting, etc.).

EC4

Description and findings re EC4

EC5

Description and findings re EC5

EC6

The supervisor requires banks to include market risk exposure into their stress testing programs for risk management purposes.

Description and findings re EC6

Assessment of Principle 22

Compliant

Comments

Principle 23

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

The supervisor determines that banks’ policies and processes establish an appropriate and properly controlled interest rate risk environment including:

a) comprehensive and appropriate interest rate risk measurement systems;
b) regular review, and independent (internal or external) validation, of any models used by the functions tasked with managing interest rate risk (including review of key model assumptions);
c) appropriate limits, approved by the banks’ Boards and senior management, that reflect the banks’ risk appetite, risk profile and capital strength, and are understood by, and regularly communicated to, relevant staff;
d) effective exception tracking and reporting processes which ensure prompt action at the appropriate level of the banks’ senior management or Boards where necessary; and
e) effective information systems for accurate and timely identification, aggregation, monitoring and reporting of interest rate risk exposure to the banks’ Boards and senior management.

Description and findings re EC3

a) GIRRM Principle 4 states that banks should establish interest rate risk measurement systems that include all significant sources of interest rate risk, that assess the effects of interest rate changes on earnings and economic value, and that are consistent with the scope and complexity of their activities. The minimum aspects of the system are presented paragraph 28. GIRRM paragraph 38 requires risk managers and senior management to review the assumptions in interest rate risk management system at least annually. Paragraph 41 directs that all the assumptions used in interest rate risk measurement system are comprehensively justified, are approved by risk management unit and senior management, and are reviewed at least annually.
b) Paragraph 68 of the GIRRM directs that the frequency and extent to which a bank should re-evaluate its risk measurement methodologies and models depend, in part, on the particular interest rate risk exposures created by holdings and activities, the pace and nature of market interest rate changes, and the pace and complexity of innovation with respect to measuring and managing interest rate risk. Further, banks should have measurement, monitoring and control functions that are reviewed regularly. The staff carried out the independent review should ensure that risk measurement system include all the important components of interest rate risk management arising from on and off balance sheet positions. Reviewing process should include, inter alia, the accuracy and relevancy of modelling assumptions. See also BCP Principle 27, EC 3.

c) Principle 6 gives directions regarding the interest rate risk limits. Banks should determine interest rate risk limits appropriate to the internal risk management policies and implement these limits. Limits should be consistent with the overall approach to measuring interest rate risk. These limits should be established in conformity with the bank’s size nature and capital adequacy. The responsible senior manager should immediately be informed about the limit exceptions. Risk tolerance should be identified. Paragraph 19 requires banks to identify the specific actions necessary for exceptions to limits.

d) GIRRM paragraph 32 points out that banks should establish reliable management information systems to measure, monitor, control and report interest rate risk. The results of risk monitoring and measuring concerning interest rate risk should be reported to the board of directors, senior management and relevant business line managers in time. Paragraphs 61 and 62 articulates the content of the necessary reporting.

EC4

The supervisor requires banks to include appropriate scenarios into their stress testing programs to measure their vulnerability to loss under adverse interest rate movements.

Description and findings re EC4

Additional criteria

AC1

Description and findings re AC1

AC2

The supervisor assesses whether the internal capital measurement systems of banks adequately capture interest rate risk in the banking book.

Description and findings re AC2

Assessment of Principle 23

Compliant

Comments

Principle 24

Essential criteria

EC1

Description and findings re EC1

The Basel standard allows supervisors to determine inflow percentages for other contractual cash inflows, as appropriate for each type of inflow. The BRSA has set 0% inflow rate for other contractual cash inflows.
Even though Basel standards require LCR standard and monitoring tools to be applied to internationally active banks, BRSA requires RLCR provisions to be applied by all banks except for investment and development banks until an appropriate level for LCR is determined. There is ongoing work to determine an appropriate LCR for investment and development banks.
The BRSA requires banks to calculate, report and disclose FX liquidity coverage ratio on both solo and consolidated basis as a regulatory standard ratio. Moreover, total LCR is also calculated, reported and disclosed on solo basis.

	BCBS monitoring tool	BRSA’s corresponding reporting template	Effective since	Frequency of preparation	Frequency of submission to the BRSA
1	Contractual maturity mismatch	Statement of liquidity risk analysis – According to cash flow	6 December 2013	Weekly	Within 3 business days
2	Concentration of funding	Statement of deposits – According to the size, type, number of customers Statement of securities issuances Statement of repo transactions Statement of cross-border liabilities	Introduced in 2006, revised in 2010, last revision 1 March 2013 Introduced in 2002, revised in 2014 27 December 2002 27 December 2002	Monthly Monthly Weekly Weekly	Within 18 business days Within 18 business days Within 3 business days Within 3 business days
3	Available unencumbere d assets	Statement of securities – detailed Statement of securities – weekly	Introduced in 2002, revised in 2007 27 December 2002	Daily Weekly	Daily Within 3 business days
4	LCR by significant currency	FX LCR	1 January 2014	Weekly	Within 3 business days

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

The supervisor determines that banks’ liquidity strategy, policies and processes establish an appropriate and properly controlled liquidity risk environment including:

a) clear articulation of an overall liquidity risk appetite that is appropriate for the banks’ business and their role in the financial system and that is approved by the banks’ Boards;
b) sound day-to-day, and where appropriate intraday, liquidity risk management practices;
c) effective information systems to enable active identification, aggregation, monitoring and control of liquidity risk exposures and funding needs (including active management of collateral positions) bank-wide;
d) adequate oversight by the banks’ Boards in ensuring that management effectively implements policies and processes for the management of liquidity risk in a manner consistent with the banks’ liquidity risk appetite; and
e) regular review by the banks’ Boards (at least annually) and appropriate adjustment of the banks’ strategy, policies and processes for the management of liquidity risk in the light of the banks’ changing risk profile and external developments in the markets and macroeconomic conditions in which they operate.

Description and findings re EC4

Liquidity risk appetite established by the board of directors;
Liquidity risk management strategy—set out the general approach to liquidity (including goals and objectives ) and the liquidity risk management policies on particular aspects;
Liquidity risk management responsibilities including clearly defined authority and responsibilities of staff /unit /committee;
Liquidity risk management systems: the systems and tools for measuring, monitoring and controlling liquidity risk:

a) the setting of various liquidity limits and ratios (e.g., target liquidity ratio, maturity and currency mismatch limits, loan to deposit ratio, concentration risk limits),
b) the framework for conducting cash-flow analysis under normal and stressed economic conditions, including the techniques and behavioral assumptions used, and
c) reporting system of monitoring liquidity risk management;

Contingency plan: the approach and strategies for dealing with various types of liquidity crisis;
The new product approval process, liquidity costs in pricing and performance measuring, risks and profits (Liquidity Transfer Pricing).

According to GLRM Paragraph 24, the board of directors should be informed immediately of new and emerging concerns mentioned below:

increasing funding costs over thresholds,
the growing size of a funding gap in different maturities,
concentrations in funding sources,
negative developments in the markets from which significant funding provided,
drying up of alternative funding sources,
material or persistent breaches of limits,
a significant change/decline in the cushion of unencumbered, highly liquid assets,
increasing additional margin calls arising from the potential decline in the market price of collateral assets, and
changes in external market conditions which should signal future difficulties.

a) GLRM Principle 5 states that a bank should have a sound process for identifying, measuring, monitoring and controlling liquidity risk including projecting cash flows arising from assets, liabilities and off-balance sheet items over an appropriate set of time horizons. GLRM Paragraphs 34 to 43 articulate the details of liquidity metrics and measurement tools, risk limits, and early warning indicators.
b) GLRM Principle 10 is about Intraday Liquidity Risk Management and requires banks to actively manage their intraday liquidity to meet payment and settlement obligations on a timely basis under both normal and stressed economic conditions (paragraphs 169-175).

c) GLRM Paragraph 44 states that banks should have a reliable management information system designed to provide the board of directors, senior management and other responsible staff with timely and forward-looking information. From GLRM Paragraph 45 (what the information systems enable banks to do) to Paragraph 51, many aspects of information systems are listed including its importance in securitizations or other financial instruments (Paragraph 46), its help for statistical or behavioral analysis (Paragraph 47), reporting purposes (Paragraphs 48 and 49).

EC5

a) an analysis of funding requirements under alternative scenarios;
b) the maintenance of a cushion of high quality, unencumbered, liquid assets that can be used, without impediment, to obtain funding in times of stress;
c) diversification in the sources (including counterparties, instruments, currencies and markets) and tenor of funding, and regular review of concentration limits;
d) regular efforts to establish and maintain relationships with liability holders; and
e) regular assessment of the capacity to sell assets.

Description and findings re EC5

EC6

Description and findings re EC6

EC7

Description and findings re EC7

EC8

Description and findings re EC8

Additional criteria

AC1

Description and findings re AC1

Assessment of Principle 24

Compliant

Comments

Principle 25

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

Description and findings re EC4

EC5

Description and findings re EC5

EC6

The supervisor determines that banks have appropriate and effective information systems to:

a) monitor operational risk;
b) compile and analyze operational risk data; and
c) facilitate appropriate reporting mechanisms at the banks’ Boards, senior management and business line levels that support proactive management of operational risk.

Description and findings re EC6

EC7

The supervisor requires that banks have appropriate reporting mechanisms to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.

Description and findings re EC7

EC8

The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management program covers:

a) conducting appropriate due diligence for selecting potential service providers;
b) structuring the outsourcing arrangement;
c) managing and monitoring the risks associated with the outsourcing arrangement;
d) ensuring an effective control environment; and
e) establishing viable contingency planning.

Description and findings re EC8

a) Identify needed outsourcing services in each relevant area;
b) Studies for necessary transformation, internal regulation, infrastructure and training at the stage of transition to outsourcing services,
c) Coordination of responsibilities concerning the issues of supervision, measurement and evaluation, reporting and security in connection with outsourcing services
d) Risks that may have arisen from receiving outsourcing activities and a contingency plan to be implemented in case of any interruptions or delays in services in any manner along with the management of these risks and substitutability of received outsourcing services
e) The impact of outsourced areas on the internal control, internal audit, and risk management to be done by the bank for operations and process that are related to thereof.

Due diligence activities,
Outsourcing contracts,
Activities to manage and monitor the risk arising from outsourcing activities,
Contingency plans to be implemented in unexpected cases.
Policies and processes about outsourcing activities.

Additional criteria

AC1

Description and findings re AC1

Assessment of Principle 25

Compliant

Comments

Principle 26

Essential criteria

EC1

a) organizational structure: definitions of duties and responsibilities, including clear delegation of authority (e.g., clear loan approval limits), decision-making policies and processes, separation of critical functions (e.g., business origination, payments, reconciliation, risk management, accounting, audit and compliance);
b) accounting policies and processes: reconciliation of accounts, control lists, information for management;
c) checks and balances (or “four eyes principle”): segregation of duties, crosschecking, dual control of assets, double signatures; and
d) safeguarding assets and investments: including physical control and computer access.

Description and findings re EC1

(i) ensure the execution of their activities in compliance with the legislation, bank’s internal regulations and banking ethics;
(ii) secure the integrity and reliability of accounting and reporting systems and timely accessibility of information through continuous control activities to be complied with and performed by the personnel at any level;
(iii) ensure the functional separation of the duties and the sharing of powers and responsibilities regarding the payments of funds, the reconciliation of bank’s transactions, safeguarding assets and controlling liabilities;
(iv) identify and evaluate any risk encountered and prepare the infrastructure required for managing such risks; and
(v) construct an adequate network for information exchange.

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

The supervisor determines that banks have an independent, permanent and effective internal audit function⁷⁰ charged with:

a) assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are effective, appropriate and remain sufficient for the bank’s business; and
b) ensuring that policies and processes are complied with.

Description and findings re EC4

EC5

The supervisor determines that the internal audit function:

a) has sufficient resources, and staff that are suitably trained and have relevant experience to understand and evaluate the business they are auditing;
b) has appropriate independence with reporting lines to the bank’s Board or to an audit committee of the Board, and has status within the bank to ensure that senior management reacts to and acts upon its recommendations;
c) is kept informed in a timely manner of any material changes made to the bank’s risk management strategy, policies or processes;
d) has full access to and communication with any member of staff as well as full access to records, files or data of the bank and its affiliates, whenever relevant to the performance of its duties;
e) employs a methodology that identifies the material risks run by the bank;
f) prepares an audit plan, which is reviewed regularly, based on its own risk assessment and allocates its resources accordingly; and
g) has the authority to assess any outsourced functions.

Description and findings re EC5

Assessment of Principle 26

Compliant

Comments

Principle 27

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Description and findings re EC3

EC4

Description and findings re EC4

EC5

Description and findings re EC5

EC6

Description and findings re EC6

EC7

The supervisor determines that banks rotate their external auditors (either the firm or individuals within the firm) from time to time.

Description and findings re EC7

EC8

The supervisor meets periodically with external audit firms to discuss issues of common interest relating to bank operations.

Description and findings re EC8

EC9

Description and findings re EC9

Additional criteria

AC1

The supervisor has the power to access external auditors’ working papers, where necessary.

Description and findings re AC1

Assessment of Principle 27

Compliant

Comments

Principle 28

Essential criteria

EC1

Description and findings re EC1

EC2

Description and findings re EC2

EC3

Laws, regulations or the supervisor require banks to disclose all material entities in the group structure.

Description and findings re EC3

EC4

The supervisor or another government agency effectively reviews and enforces compliance with disclosure standards.

Description and findings re EC4

EC5

Description and findings re EC5

Additional criteria

AC1

Description and findings re AC1

Assessment of Principle 28

Compliant

Comments

Principle 29

Essential criteria

EC1

Description and findings re EC1

- Whether the bank employs relevant number of personnel charged for AML/CFT issues commensurate with its scale and operations and whether they are sufficiently qualified, whether bank’s personnel is subject to an adequate level of training with respect to AML/CFT issues and whether the frequency of training is commensurate with the scale and operations of the bank,
- Whether the bank uses an adequately structured IT framework with regard to AML/CFT issues commensurate with the scale and operations of the bank,
- Whether the criteria underlying the above mentioned IT framework are regularly reviewed, and updated where it is deemed necessary,
- Whether the authorization and responsibilities of the compliance officer is documented and is adequate,
- Whether the bank has a policy document regarding the AML/CFT issues approved by the Board of Directors and whether this document is adequate,
- Whether the bank has written criteria for detection of suspicious transactions,
- Whether the bank has adequately established procedures regarding the authorization of the relevant personnel for incorporating revisions to the IT framework established for the detection of suspicious transactions,
- Whether the bank has documented its CDD policies, including issues on documents to be demanded from the customers and procedures for verification of the accuracy of these documents,
- Whether the internal controls with regard to the effectiveness and applicability of cross controls are adequate,
- Whether the internal audit unit of the bank has special audits on AML/CFT issues,
- Whether the findings of the internal audit are followed up by the bank’s management,
- Whether the bank has an adequate internal assessment report about the AML/CFT issues,
- In the context of consolidated supervision, whether the parent company of the bank has written policy documents on AML/CFT issues,
- Whether the home country of the parent company is subject to the supervision of an FIU.

EC2

Description and findings re EC2

Year	Number of Banks Examined	Examination Type
2014	23	General Compliance with laws and regulations regarding AML/CFT
2015	11	General Compliance with laws and regulations regarding AML/CFT
2014	18	Examinations related to violations of Suspicious Transactions Reporting, CDD, Training-Internal Systems-Other Measures
2015	16	Examinations related to violations of Suspicious Transactions Reporting, CDD, Training-Internal Systems-Other Measures

EC3

Description and findings re EC3

Banks are required to report only to the MASAK any suspicious activities pursuant to the Article 4 of the AML Law.

EC4

Description and findings re EC4

EC5

a) a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks;
b) a customer identification, verification and due diligence programme on an ongoing basis; this encompasses verification of beneficial ownership, understanding the purpose and nature of the business relationship, and risk-based reviews to ensure that records are updated and relevant;
c) policies and processes to monitor and recognize unusual or potentially suspicious transactions;
d) enhanced due diligence on high-risk accounts (e.g., escalation to the bank’s senior management level of decisions on entering into business relationships with these accounts or maintaining such relationships when an existing relationship becomes high-risk);
e) enhanced due diligence on politically exposed persons (including, among other things, escalation to the bank’s senior management level of decisions on entering into business relationships with these persons); and
f) clear rules on what records must be kept on CDD and individual transactions and their retention period. Such records have at least a five year retention period.

Description and findings re EC5

a) customer acceptance policy is not explicitly mentioned in the regulation;
b) customer identification, verification and due diligence program, including beneficial ownership are covered by the ROM, mostly on chapter 3.
c) policies and processes to monitor and recognize unusual or potentially suspicious transactions are covered by the RoM, chapter 4.
d) escalation to the senior management level of decisions on entering into business relationships with high-risk accounts is covered in articles 12 and 13 of the RoC.
e) enhanced due diligence on politically exposed persons is not defined in the regulation. The BRSA and MASAK explained that since PEPs are involved in high risk groups, they are indirectly subject to also the other obligations such as the obligation to pay special attention to certain transactions, the obligations concerning new technologies or risky countries (the Articles 18, 20 and 25 of the ROM, respectively).
f) rules on what records must be kept on CDD are established by article 8 of the AML Law. The obliged parties (including banks) should maintain the documents, books and records for eight years from the last record date, and must keep identification document for eight years from the last transaction date.

EC6

The supervisor determines that banks have in addition to normal due diligence, specific policies and processes regarding correspondent banking. Such policies and processes include:

a) gathering sufficient information about their respondent banks to understand fully the nature of their business and customer base, and how they are supervised; and
b) not establishing or continuing correspondent relationships with those that do not have adequate controls against criminal activities or that are not effectively supervised by the relevant authorities, or with those banks that are considered to be shell banks.

Description and findings re EC6

EC7

Description and findings re EC7

EC8

The supervisor has adequate powers to take action against a bank that does not comply with its obligations related to relevant laws and regulations regarding criminal activities.

Description and findings re EC8

EC9

The supervisor determines that banks have:

a) requirements for internal audit and/or external experts⁷⁹ to independently evaluate the relevant risk management policies, processes and controls. The supervisor has access to their reports;
b) established policies and processes to designate compliance officers at the banks’ management level, and appoint a relevant dedicated officer to whom potential abuses of the banks’ financial services (including suspicious transactions) are reported;
c) adequate screening policies and processes to ensure high ethical and professional standards when hiring staff; or when entering into an agency or outsourcing relationship; and
d) ongoing training programs for their staff, including on CDD and methods to monitor and detect criminal and suspicious activities.

Description and findings re EC9

a) The requirements for internal audit are established in the RICAAP and are assessed by the on-site examiners of the BRSA. Please also refer to CP 26 on internal control and audit.
b) Requirements for establishing compliance programs are prescribed in the ROC. The regulation includes requirements regarding the adoption of policies and procedures, the establishment of monitoring processes and controls and the appointment of a compliance officer to whom potential abuses of the bank’s financial services are reported.
c) MASAK regulation includes provisions to ensure high ethical and professional standards when hiring staff but those measures only address the screening of senior management.
d) Chapter 6 of the ROC includes provisions on the training of the staff on AML/CFT matters.

EC10

Description and findings re EC10

EC11

Laws provide that a member of a bank’s staff who reports suspicious activity in good faith either internally or directly to the relevant authority cannot be held liable.

Description and findings re EC11

EC12

Description and findings re EC12

EC13

Description and findings re EC13

Assessment of Principle 29

Largely Compliant

Comments

Summary Compliance with the Basel Core Principles

Core Principle	Grade	Comments
1. Responsibilities, objectives and powers	LC	The BL provides a broadly appropriate framework for regulating and supervising banks. It also provides clear responsibilities and adequate powers to the BRSA. However, the lack of appropriately defined hierarchy among the objectives of financial stability and development of the financial sector may cause potential conflicts and be harmful to the safety and soundness of banks. The assessors noted that some BRSA decisions (e.g., differentiations in loan loss provisions and loan restructuring rules) might be interpreted as rules that aim primarily to support financial development objectives. Such measures might affect the reputation of the supervisors and convey the message of forbearance. In order to be fully compliant with this principle the objective of development of the financial sector should be explicitly subordinated to financial stability in the BL
2. Independence, accountability, resourcing and legal protection for supervisors	MNC	The legal protection of the supervisor is broadly adequate. Nonetheless the institutional framework contains shortcomings that should be improved. The BL establishes the BRSA as an independent body but it contains provisions that might undermine independence in practice. There are several channels of interaction between the BRSA and the government that, considered together, may accommodate political influence: i) the appointments of the Chair and Board members are made by the Council of Ministers without any confirmation process by any other independent body; ii) before putting into force regulatory procedures the BRSA needs, by law, to consult the related Ministry; iii) the Prime Minister approves the removal of members of the Board, if conditions specified in the BL are met, without publishing the reasons; iv) the relevant minister may permit lawsuit against board members; and v) the BL allows the relevant ministry to file a lawsuit for the cancelation of the Boards regulatory decisions (art. 105). These possible channels of political influence over the Agency, particularly considering the large role played by state-owned banks in Turkey, might cause conflicts of interest that might undermine financial stability. The authorities should therefore amend the legislation to limit the cases that require the Minister’s involvement. In particular, it seems appropriate to establish a third party to perform a stronger role in the checks and balances framework such as, making regulatory consultation procedures more transparent, so that BRSA proposals and Ministry comments are published, introducing a process for appointments for the BRSA to be confirmed by a nonexecutive government body and removing the related minister permission for lawsuits for the cancelation of the BRSB regulatory decisions. There also seems to be room for improving the accountability framework. Despite the periodic briefings from the BRSA to the Council of Ministers, the assessors did not see evidence of a third party aiming to ensure that the powers delegated to the BRSA are exercised appropriately and that its operations are effective and in line with its mandate and objectives. Finally, in relation to resourcing, entry conditions to the BRSA are not attractive for the hiring of mid-career professionals and provide practical constraints in the event of a shortfall in experience levels.
3. Cooperation and collaboration	C	Legal provisions as well as operational frameworks for cooperation and collaboration with domestic and foreign authorities are in place. Protections on confidentiality appear appropriate. Regarding the lack of processes for recovery and resolution planning, the assessors do not see their absence as reflecting a lack of collaboration between authorities. See also CP9.
4. Permissible activities	C	The BL provides clear definitions of activities that are only permitted to be conducted by registered banks, including taking deposits from the public.
5. Licensing criteria	LC	Provisions in the laws and regulations related to licensing and the process followed by the BRSA provide a comprehensive framework to assess the adequacy of new registrations for banks, including foreign bank branches. The BRSA seems to have a broadly sound process to assess applications in practice. However, in order to maintain a licensing process fully compliant with the principle, the BRSA needs to additionally: i) impose requirements and assess if the bank’s board has a collectively sound knowledge of the material activities the bank intends to pursue; and ii) for cross-border banking operations, determine whether the home supervisor practices global consolidated supervision.
6. Transfer of significant ownership	C	The power given to the supervisor by laws and regulations as well as the current procedures provide broadly sound control and oversight regarding significant ownership of a bank and a controlling company.
7. Major acquisitions	C	The regulatory framework subjects major acquisitions and investments by banks and controlling companies to prior approval by the BRSA. The BRSA also has well established supervisory practices to limit and monitor risks arising from such activities. Going forward, supervisors should consider more extensively and formally the effectiveness of supervision in host countries.
8. Supervisory approach	MNC	The BRSA has an established and comprehensive methodology to supervise banks. This methodology is documented in a number of manuals and leverages comprehensive databases and a broadly appropriate regulatory framework. Nevertheless, the practical implementation of the process is subject to shortcomings that needs to be addressed: The inspections need to develop a more profound and forward-looking risk assessment nature, producing a clear view of the risks faced by and posed by the bank. Current conclusions tend to focus mostly on compliance issues and do not identify and make clear if there is need for broader and more forceful supervisory action. Supervisors also need to derive and highlight the implications of the specific findings for the broader risk assessment of the bank. The BRSA should not take excessive comfort from the fact that issues are analyzed during the ratings process. By its own nature, and as currently applied by the BRSA, the ratings process is not deep enough to generate firm and actionable conclusions. From time to time, the scope of special inspections needs to encompass issues that are currently addressed only during the ratings phase. The BRSA needs to enhance the forward-looking components of its assessments. Results of the ICAAP need to be more thoroughly analyzed and discussed with banks. Stress tests results should play a larger role in the assessment framework. In addition, the ratings methodology could explicitly incorporate the expected trend for each component. Banks, particularly the systemically important ones, should be required to develop recovery plans and the BRSA should assess their resolvability. The assessors understand that the BRSA is already developing actions to address some of the above issues and encourage the authorities to keep working to improve the efficiency of the process.
9. Supervisory techniques and tools	LC	The BRSA employs an array of tools and techniques to carry out its supervisory responsibilities. On-site and off-site functions are relevant and well developed. The different departments also share their findings with each other, but their work seems to be conducted in parallel with little coordination. The departments do not seem to have joint projects and supervisors do not exchange views beyond written reports. As required by EC1, it is important for the BRSA to develop policies and processes to assess the effectiveness and integration of on-site and off-site functions, and to address any weaknesses that are identified. Increasing the rotation between on- and off-site supervisors could also help the integration of the areas. Communication with banks could also be improved. The BRSA should consider setting policies establishing at least one annual meeting between supervisors and the board of the bank. The end of the CAMELS rating process, when the supervisor summarizes its opinion of the bank, might be an appropriate occasion to explain to the board the views and concerns of the BRSA. The assessors understand that this is frequently done, but not systematically with all banks. Additionally, other important analyses done by the BRSA, such as the stress testing exercises could also be more clearly discussed with banks.
10. Supervisory reporting	C	The regulatory framework requires banks and controlling companies to periodically submit a broad range of information. Regulatory and supervisory processes exist to ensure accuracy and comparability of submitted returns. Developed procedures for analyzing collected information and feeding into supervisory activities are in place. Going forward the BRSA could consider formalizing the process of periodically review of the information collected, to determine that it remains appropriate and satisfies its needs.
11. Corrective and sanctioning powers of supervisors	LC	The BRSA has available an appropriate range of supervisory tools to use when, in the supervisor’s judgment, a bank is not complying with the regulations or represents a risk for the financial sector. Nevertheless, in practice, the remedial and corrective actions provided for in the law are rarely used at an early stage as a preventative measure. The BRSA seems to rely more heavily on administrative fines whose scope of application is more clearly defined in the BL than on taking actionsat an early stage to address unsafe and unsound practices that require supervisory judgment. The assessors were presented evidence of BRSA actions requiring banks to make adjustments to practices and processes. Nevertheless, such action had a scope limited to specific issues such as the classification of particular loan operations. Evidence was not observed of supervisors addressing broader concerns about the risks posed and faced by banks from a deepening and expansion of the initial review, a point reinforced in the comments of banks. The supervisory review process within the BRSA also seems to play a role towards limiting the issues that supervisors raise with banks. Although reviews of supervisory reports are necessary, the current process seems relatively skewed towards validation of compliance processes and thus constrains active supervisory judgments and decisions. Consideration could also be given to integration of supervision and enforcement, particularly in terms of communication with financial institutions, which might support a more risk focused and less compliance based supervisory approach. In order to become fully compliant with this principle the BRSA needs to incorporate the results of forward looking tools more heavily in its decision making process and act at an early stage to restore weak banks and correct examples of unsound practices, even if formal prudential ratios haven’t been breached.
12. Consolidated supervision	LC	The regulatory and reporting framework provides a broadly appropriate structure for monitoring and assessing risks to banks from non-banking and foreign banking operations in banking groups. However, the current limitations of the CAMELS rating and ICAAP process, the BRSA should make further effort to monitor and manage risks arising from nonbanking and foreign activities or parent entities of a financial group. In this regard, as described in CP 8 and 9, the BRSA should deepen the analyses and strengthen its techniques, such as group-wide stress testing, to monitor and assess these risks. It is important to further improve the group-wide strategic view of the banking group operations and risks. Authorities should further improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non-banking entities or parent groups. Taking into account that these shortcomings have already been reflected in other principles, particularly CP 8 and 9, the assessors considered this principle compliant.
13. Home-host relationships	LC	The BRSA has made vast efforts to improve home-host relationship during the last few years. Among several initiatives the agency has started organizing colleges, signed a number of important MoUs and removed obstacles that weakened the supervision of Turkish banks’ operations in several countries. Nevertheless, considering that some Turkish banks hold material operations abroad, it is important to improve the relationship even further. In particular, it is essential to develop a framework for cross-border crisis coordination with relevant host authorities and the development of resolution plans that pay special attention to cross border issues.
14. Corporate governance	MNC	The legal framework surrounding the corporate governance framework for banks is extensive, but very heavily focused on board responsibilities regarding internal systems (risk management, internal control, internal audit). Examination processes (GAR and specialized examinations) have required steps to check board approvals, internal structures, and processes which reflect on the governance function. The BRSA approves board and senior management appointments. In this way, the BRSA reviews the appointments process of the bank. However, the results of special examinations and supervisory processes consistently stop short of drawing conclusions, in analytical, narrative form, on the implications the findings have for critical areas that are directly linked to the examined area. These critical areas reflect directly on the corporate governance effectiveness of the bank (such as management oversight of business areas, adequacy of risk management and internal audit’s role in the subject areas, integrity of MIS that goes up to the board level, and ultimately, board oversight). As a result, supervisory observations are not easily collected in order to form a more cross-cutting, substantiated view on corporate governance and the adequacy of internal systems. Therefore, validation of the manner in which such internal systems and governance operates is not well supported. This impacts the degree to which the BRSA should place confidence in the systems that inform the board and itself, as well as the systems’ ability to generate early warning indicators of deterioration. There is no requirement for the majority of the board to be composed of non-executive members which could result in, potentially, boards being composed of a majority of executive directors with only the 2 nonexecutives as currently required by the legal framework. However, practically speaking, 10 out of 53 banks are listed and must fall under the CMB Communique on governance which requires a majority of independent directors. Consideration should be given to upgrading legislation requiring the board to be composed of a majority of nonexecutive members, and ideally, with a certain minimum of independent individuals. (The definition of “independent” should be consistent with that used by the CMB in its Communiqué on Corporate Governance.) Audit committee membership should be expanded. While some bank boards in the system have populated this committee with more members, a minimum of 2 members is considered too few in order to execute the duties assigned to it in a robust and effective manner. This is particularly so since the audit committee is considered an extension of the board and is assigned the task of internal systems oversight which includes risk management. In addition, the chair of this committee, in some banks, is also the chairman of the board which does not reflect best practice and potentially represents a conflict of interest. This committee should be expanded and should be composed of all independent directors. As well, legislation directs that audit committees have oversight responsibility for internal systems which includes risk management. Under the current audit committee structures, proper oversight of both critical areas is difficult at best. Risk management oversight responsibility should be separated from the audit committee, particularly in the more complex institutions (it was noted that one bank, in fact, constituted a separate risk management committee). While three special examinations of governance elements have been conducted, there is a need to more regularly conduct cross-cutting assessments of corporate governance in a holistic manner which would, in part, leverage recent examination results and relevant offsite information as well as information generated from any enforcement actions. Consideration could be given to introducing such a review in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance. Given the observations cited in the above ECs (board membership/objectivity, board nominations process, board committee structure and membership, management oversight and performance evaluation, succession planning, “know your structure requirements”, internal code of conduct, etc.) the BRSA should develop a more comprehensive corporate governance regulation that completes the elements of governance that already exist in guidelines and regulation. This type of instrument could be a focal point of supervisory corporate governance reviews in the future.
15. Risk management process	LC	The RICAAP forms a part of the core of the BRSA’s regulatory framework for risk management. Given that the ICAAP is a relatively recent requirement, banks’ are still developing their approach and implementing important systems. The BCP team’s review of supervisors’ working papers and discussion with banks indicated that banks as well as supervisors are, in fact, in a learning phase. The quality of banks reports and the scrutiny of the reports by supervisors will need to develop further before the results can be more reliably and more extensively used. Commensurate with their size and complexity of operations, banks should be specifically required to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities. The level of senior manager may not provide the necessary stature necessary to challenge high level risk decisions and processes. As well, while there are comprehensive requirements for the evaluation of new products, parameters should be expanded to explicitly address material modifications to existing products and major acquisitions. It should also direct banks to restrict such products or activities if they do not have the necessary controls, management, and resources to manage related risks.
16. Capital adequacy	C	The BRSA has adopted the various components of Basel II, 2.5 and III according to the framework established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BRSA has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BRSA has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as countercyclical capital requirements, systemically important bank capital add-ons and a “capital planning buffer” that provides a forward looking nature to the capital regulation. Going forward, as the BRSA gain experience with the ICAAP, it should consider simplifications to the framework to improve its enforceability and reduce banks’ compliance burden, particularly for non-systemically important banks. Simplifications that could be considered include restrictions on diversification benefits and use of models for credit, market and operational risk that have not been authorized for the Pillar 1 capital charge. The BRSA should also evaluate the interaction with other requirements such as the 12% parallel capital charge and the Basel capital buffers to prevent the effectiveness of the Pillar 2 regime from being damaged by another more stringent requirement that in practice makes the Pillar 2 charges irrelevant.
17. Credit risk	MNC	The legal framework for credit risk is generally comprehensive. It establishes the responsibility of the board in this area, requires a framework for the credit business of banks, as well as prescribes a properly controlled credit risk environment. However, several issues exist which compromise the effectiveness the framework and its application. As prescribed in regulation and organized in practice (verified through review of credit portfolio special examinations presented by the BRSA during the assessment) the credit risk management oversight (line management function) and credit risk management function and the organization therein create loopholes in independence and integrity of credit risk monitoring and reporting to bank boards and the BRSA: 1. The framework design does not require ongoing, independent (from the business line) credit risk monitoring of large individual exposures or homogeneous portfolios. Important source data (e.g., identification of deteriorating credits, level of (accurately) classified assets, status of restructured credits, etc.) is generated by a line management function (credit monitoring) without independent verification that 1) management identification processes are accurate and timely, 2) that management, itself, is well informed of the risk and that it is running and is upholding board prescribed underwriting standards, and therefore, accurately conveying its business risk, and that 3) timely borrower intervention is activated. 2. This (unverified) information generated by the line function is source data used by the risk management functions for audit committee and board reporting and is also likely the information also reported to the BRSA for monitoring and examination purposes. Although the internal audit function plays an important role in ensuring a strong control environment, the function itself is not designed to play an ongoing surveillance role such as the independent credit risk management unit. It cannot replace the need to have such a function within the bank(s). Highlighting the issues surrounding this organizational environment, examiners, through their inspection process, have identified important, clearly inaccurate classifications of credit that could easily indicate the existence of 1 and 2 above. However, the significance of these inaccurate classifications was not clear from the examination samples reviewed. Consistently, there was no indication of the size of the sample of reviewed credits, how significant the aggregate, inaccurately classified credit was to the total portfolio, and if such findings could be extrapolated to the entire portfolio. Credit classification definitions, particularly in the special mention and substandard categories are overlapping. Evidence demonstrates that both the examiners, but especially the bankers, fluidly move credits among these categories which compromises the picture of the bank’s risk profile which accurate classification is intended to depict. As well, such movement and less rigorous classification impacts provisioning levels and ultimately, the accuracy of the bank’s financial statement. The REPL explicitly allows restructuring of loss credit which is considering in many systems to be imprudent activity as such loans are, by definition, permanently impaired and considered “nonbankable” assets. In some systems, such credits are prohibited from being restructured. The draft REPL is silent on this issue but theoretically would allow this practice. This practice should be explicitly addressed (disallowed). The manner in which the examiners present and write up the credits that they review during the special examination does not clearly depict the nature and volume of other related exposures (in the given bank) which, if presented, would help put the overall borrower relationship in context.
18. Problem assets, provisions, and reserves	MNC	The framework for credit classification and provisioning is generally adequate. However, the accuracy of asset classification by banks, and therefore the integrity of reporting to boards and the BRSA is called into question given the nature of reclassifications assigned by onsite examiners and the lack of documentation therein. Loan write ups require more support and context as well as need to present nature of collateral and provision impact. Examination conclusions focus more on internal control issues rather than higher level implications for the condition and management of the credit portfolio under examination. Given the lack of (documented) focus on the implications of important bank processes, the examination exercise missed the opportunity to identify very important linkages with and conclusions on: Management’s understanding of their business and credit risk, ability to identify deterioration proactively - thereby allowing for early intervention. Implications for internal systems => function, role, and independence of credit risk management – thereby validating the systems that the bank’s board and the BRSA depends upon in order to effectively oversee the institution. As well, these systems are key to the exercise of risk based supervision by the BRSA. Inputs to evaluate corporate governance of the bank. Accuracy of information conveyed to the board and the BRSA The historical and statistical support for standard (general) and special mention loan categories is not substantiated by accumulated loss experience. It is not clear if appraised values, within a range, are being realized upon the sale of the properties or if provisioned amounts are adequately covering loss experience on classified loans. Clear parameters should be established for periodic valuation of underlying collateral on NPL exposures.
19. Concentration risk and large exposure limits	C	The legal framework addressing concentration risk and large exposures limits is generally in line with international standards. The definition of connected parties is comprehensive. The BRSA examines and monitors various exposures including, inter alia, large exposures, concentrations by sector, product, customer, and risk group.
20. Transactions with related parties	LC	The legal and regulatory framework for related parties is comprehensive. The offsite department receives and regularly monitors reporting from banks. The onsite review process for related parties is well structured; related party exposures and the controls and board processes therein are reviewed during the onsite processes. However, there is no explicit provision that requires prior approval of related party transactions by the bank’s board. As well, no explicit provision requires approval (prior or post) of write-off of related party transactions. While Article 48 of the BL provides a comprehensive definition of “loan” and related party limitations address such, legislation does not include other non-crediting transactions within the limitations addressing related parties. Legislation should be expanded to explicitly capture all transactions, including loans, within the parameters of related party limits and requirements. The assessment team was informed that a draft revision of the BL is being prepared by the BRSA. Within this context, article 50 (a and b) may be revoked to allow board member borrowing from the bank. It will also address related party “transactions” as well. The assessment team cautions the BRSA on relaxing related party risk parameters. There are countries that continue to rigorously restrict extension of credit, as well as transactions with, related parties of the bank, including board members. This is an area which historically has proven consistently problematic in distressed bank situations. Therefore, the team advises caution in widening the scope for such exposures.
21. Country and transfer risks	C	BRSA guidance adequately captures country and transfer risk as well as other relevant risks. Banks are expected to establish country risk parameters as well as systems for monitoring exposures, including indirect foreign-exchange risk and indirect country risk. Country risk is evaluated through the CAMELS review process and via the risk matrix of the bank.
22. Market risk	C	The BRSA has adopted comprehensive regulation and guidance through which to direct banks to identify, measure, and monitor their market risk exposures. This includes parameters for valuation, stress testing, and model use. For examination purposes, these elements are largely addressed through the CAMELS rating/GAR methodology review process, and on an overall basis, during the ICAAP review. Of note, currently, specialist expertise is not deployed to evaluate the scenarios or calculation details of the stress testing exercises. Examiners review the models used to measure market risk. However, they also depend substantially on the banks’ model validation process. To deepen the work and enhance the forward looking aspect, the BRSA could consider deploying trained specialists to assess stress test approaches and mathematical integrity and to leverage resulting advice/input on specialized exams. As well, enhanced examiner expertise in the area of model evaluation could provide added assurance to the BRSA on the integrity of bank models used.
23. Interest rate risk in the banking book	C	BRSA supervision of interest rate risk is addressed through several activities. It is reviewed as a part of the overall ICAAP review process and captured as an input in the stress testing conducted therein. As well, the supervisor covers elements of interest rate risk through the GAR process, as described in EC 1 above, which is conducted onsite but not to the depth of what a special examination would require. However, specialized examinations of this area are not yet conducted. The BRSA should develop specialized examination procedures for interest rate risk where it identifies increasing or high risk areas. The BRSA should use specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise.
24. Liquidity risk	C	The BRSA has set up a comprehensive framework for liquidity regulation, monitoring, and assignment of bank responsibilities. Regulation is in some cases more rigorous than international benchmarks. A wide range of tools is in place for monitoring banks’ liquidity positions and funding experience. The CAMELS review/GAR methodology addresses liquidity, and specialized examinations are conducted when a change in trends or strategy is detected. As well, the BRSA underwent a Regulatory Consistency Assessment of its Basel III LCR regulations for which it received a “compliant” rating. However, review of onsite documents indicated that conclusions regarding liquidity, funding stability, and management processes stopped short of considering other areas of the balance sheet, growth trends, asset quality, and management processes, etc. to support conclusions. Such issues are critical to the overall review process and should be captured and clearly conveyed in examination documents to supported supervisory observations. This is particularly important given that some banks may have tight liquidity positions including relatively high loan to deposit ratios. The central bank has taken a number of steps in recent years to support the strengthening of foreign currency funding. There appears to be an opportunity to strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Given the potential foreign exchange roll over risk residing in banks’ positions, consideration could be given to increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.
25. Operational risk	C	Oversight of operational risk is anchored in RICAAP and further expanded in the GORM which comprehensively addresses relevant aspects of this risk. The supervisory process explicitly addresses this risk through the evaluation of the ICAAP process and reports submitted by banks as well as through the GAR process and as a part of MIS evaluation and controls during specialized examinations.
26. Internal control and audit	C	The legal framework is comprehensive in this area, both as it is articulated in the requirements for internal systems and separately as requirements specifically directed to the internal audit function. Review of the internal audit process is an important part of the onsite (GAR) process covered each supervisory cycle. However, targeted or specialized examinations of the internal audit process, leveraging the GAR results as well as specialized examination results as partial inputs, could enhance the validation of this important function. Such validation by the BRSA is important in order for it to maintain or increase the degree of confidence (and therefore, dependence) it can place in audit outputs as early warning indicators of shifting risk.
27. Financial reporting and external audit	C	Procedures surrounding financial reporting and external audit are well established. Accounting standards closely follow IFRS and provisioning standards are set to dovetail with the implementation of IFRS 9. Valuation procedures for financial assets are comprehensive. BRSA conducts review of valuation procedures and of valuation models as a part of the onsite examination process. Parameters for banks’ external audit process are well established.
28. Disclosure and transparency	C	Banks are required to disclose their financial statements according to TFRS and TAS, the Turkish version of IFRS and IAS, on both a solo basis and consolidated basis. Disclosure requirements for nonfinancial information are adequate. BRSA regularly evaluates the timeliness and content of external audit/annual reports for compliance with regulatory parameters and Pillar III disclosures.
29. Abuse of financial services	LC	The scope of the assessment of this principle was limited to the applicable regulation and the BRSA activities. It did not include MASAK coordinated inspections and other activities. The AML law and related regulations form the framework to prevent the abuse of financial services. The framework includes customer due diligence (CDD) rules and procedures to report suspicious transactions but have shortcomings that need to be addressed. In particular, the CDD requirements should include a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks and enhanced due diligence on politically exposed persons. The framework should also require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

Core Principle	Grade	Comments
1. Responsibilities, objectives and powers	LC	The BL provides a broadly appropriate framework for regulating and supervising banks. It also provides clear responsibilities and adequate powers to the BRSA. However, the lack of appropriately defined hierarchy among the objectives of financial stability and development of the financial sector may cause potential conflicts and be harmful to the safety and soundness of banks. The assessors noted that some BRSA decisions (e.g., differentiations in loan loss provisions and loan restructuring rules) might be interpreted as rules that aim primarily to support financial development objectives. Such measures might affect the reputation of the supervisors and convey the message of forbearance. In order to be fully compliant with this principle the objective of development of the financial sector should be explicitly subordinated to financial stability in the BL
2. Independence, accountability, resourcing and legal protection for supervisors	MNC	The legal protection of the supervisor is broadly adequate. Nonetheless the institutional framework contains shortcomings that should be improved. The BL establishes the BRSA as an independent body but it contains provisions that might undermine independence in practice. There are several channels of interaction between the BRSA and the government that, considered together, may accommodate political influence: i) the appointments of the Chair and Board members are made by the Council of Ministers without any confirmation process by any other independent body; ii) before putting into force regulatory procedures the BRSA needs, by law, to consult the related Ministry; iii) the Prime Minister approves the removal of members of the Board, if conditions specified in the BL are met, without publishing the reasons; iv) the relevant minister may permit lawsuit against board members; and v) the BL allows the relevant ministry to file a lawsuit for the cancelation of the Boards regulatory decisions (art. 105). These possible channels of political influence over the Agency, particularly considering the large role played by state-owned banks in Turkey, might cause conflicts of interest that might undermine financial stability. The authorities should therefore amend the legislation to limit the cases that require the Minister’s involvement. In particular, it seems appropriate to establish a third party to perform a stronger role in the checks and balances framework such as, making regulatory consultation procedures more transparent, so that BRSA proposals and Ministry comments are published, introducing a process for appointments for the BRSA to be confirmed by a nonexecutive government body and removing the related minister permission for lawsuits for the cancelation of the BRSB regulatory decisions. There also seems to be room for improving the accountability framework. Despite the periodic briefings from the BRSA to the Council of Ministers, the assessors did not see evidence of a third party aiming to ensure that the powers delegated to the BRSA are exercised appropriately and that its operations are effective and in line with its mandate and objectives. Finally, in relation to resourcing, entry conditions to the BRSA are not attractive for the hiring of mid-career professionals and provide practical constraints in the event of a shortfall in experience levels.
3. Cooperation and collaboration	C	Legal provisions as well as operational frameworks for cooperation and collaboration with domestic and foreign authorities are in place. Protections on confidentiality appear appropriate. Regarding the lack of processes for recovery and resolution planning, the assessors do not see their absence as reflecting a lack of collaboration between authorities. See also CP9.
4. Permissible activities	C	The BL provides clear definitions of activities that are only permitted to be conducted by registered banks, including taking deposits from the public.
5. Licensing criteria	LC	Provisions in the laws and regulations related to licensing and the process followed by the BRSA provide a comprehensive framework to assess the adequacy of new registrations for banks, including foreign bank branches. The BRSA seems to have a broadly sound process to assess applications in practice. However, in order to maintain a licensing process fully compliant with the principle, the BRSA needs to additionally: i) impose requirements and assess if the bank’s board has a collectively sound knowledge of the material activities the bank intends to pursue; and ii) for cross-border banking operations, determine whether the home supervisor practices global consolidated supervision.
6. Transfer of significant ownership	C	The power given to the supervisor by laws and regulations as well as the current procedures provide broadly sound control and oversight regarding significant ownership of a bank and a controlling company.
7. Major acquisitions	C	The regulatory framework subjects major acquisitions and investments by banks and controlling companies to prior approval by the BRSA. The BRSA also has well established supervisory practices to limit and monitor risks arising from such activities. Going forward, supervisors should consider more extensively and formally the effectiveness of supervision in host countries.
8. Supervisory approach	MNC	The BRSA has an established and comprehensive methodology to supervise banks. This methodology is documented in a number of manuals and leverages comprehensive databases and a broadly appropriate regulatory framework. Nevertheless, the practical implementation of the process is subject to shortcomings that needs to be addressed: The inspections need to develop a more profound and forward-looking risk assessment nature, producing a clear view of the risks faced by and posed by the bank. Current conclusions tend to focus mostly on compliance issues and do not identify and make clear if there is need for broader and more forceful supervisory action. Supervisors also need to derive and highlight the implications of the specific findings for the broader risk assessment of the bank. The BRSA should not take excessive comfort from the fact that issues are analyzed during the ratings process. By its own nature, and as currently applied by the BRSA, the ratings process is not deep enough to generate firm and actionable conclusions. From time to time, the scope of special inspections needs to encompass issues that are currently addressed only during the ratings phase. The BRSA needs to enhance the forward-looking components of its assessments. Results of the ICAAP need to be more thoroughly analyzed and discussed with banks. Stress tests results should play a larger role in the assessment framework. In addition, the ratings methodology could explicitly incorporate the expected trend for each component. Banks, particularly the systemically important ones, should be required to develop recovery plans and the BRSA should assess their resolvability. The assessors understand that the BRSA is already developing actions to address some of the above issues and encourage the authorities to keep working to improve the efficiency of the process.
9. Supervisory techniques and tools	LC	The BRSA employs an array of tools and techniques to carry out its supervisory responsibilities. On-site and off-site functions are relevant and well developed. The different departments also share their findings with each other, but their work seems to be conducted in parallel with little coordination. The departments do not seem to have joint projects and supervisors do not exchange views beyond written reports. As required by EC1, it is important for the BRSA to develop policies and processes to assess the effectiveness and integration of on-site and off-site functions, and to address any weaknesses that are identified. Increasing the rotation between on- and off-site supervisors could also help the integration of the areas. Communication with banks could also be improved. The BRSA should consider setting policies establishing at least one annual meeting between supervisors and the board of the bank. The end of the CAMELS rating process, when the supervisor summarizes its opinion of the bank, might be an appropriate occasion to explain to the board the views and concerns of the BRSA. The assessors understand that this is frequently done, but not systematically with all banks. Additionally, other important analyses done by the BRSA, such as the stress testing exercises could also be more clearly discussed with banks.
10. Supervisory reporting	C	The regulatory framework requires banks and controlling companies to periodically submit a broad range of information. Regulatory and supervisory processes exist to ensure accuracy and comparability of submitted returns. Developed procedures for analyzing collected information and feeding into supervisory activities are in place. Going forward the BRSA could consider formalizing the process of periodically review of the information collected, to determine that it remains appropriate and satisfies its needs.
11. Corrective and sanctioning powers of supervisors	LC	The BRSA has available an appropriate range of supervisory tools to use when, in the supervisor’s judgment, a bank is not complying with the regulations or represents a risk for the financial sector. Nevertheless, in practice, the remedial and corrective actions provided for in the law are rarely used at an early stage as a preventative measure. The BRSA seems to rely more heavily on administrative fines whose scope of application is more clearly defined in the BL than on taking actionsat an early stage to address unsafe and unsound practices that require supervisory judgment. The assessors were presented evidence of BRSA actions requiring banks to make adjustments to practices and processes. Nevertheless, such action had a scope limited to specific issues such as the classification of particular loan operations. Evidence was not observed of supervisors addressing broader concerns about the risks posed and faced by banks from a deepening and expansion of the initial review, a point reinforced in the comments of banks. The supervisory review process within the BRSA also seems to play a role towards limiting the issues that supervisors raise with banks. Although reviews of supervisory reports are necessary, the current process seems relatively skewed towards validation of compliance processes and thus constrains active supervisory judgments and decisions. Consideration could also be given to integration of supervision and enforcement, particularly in terms of communication with financial institutions, which might support a more risk focused and less compliance based supervisory approach. In order to become fully compliant with this principle the BRSA needs to incorporate the results of forward looking tools more heavily in its decision making process and act at an early stage to restore weak banks and correct examples of unsound practices, even if formal prudential ratios haven’t been breached.
12. Consolidated supervision	LC	The regulatory and reporting framework provides a broadly appropriate structure for monitoring and assessing risks to banks from non-banking and foreign banking operations in banking groups. However, the current limitations of the CAMELS rating and ICAAP process, the BRSA should make further effort to monitor and manage risks arising from nonbanking and foreign activities or parent entities of a financial group. In this regard, as described in CP 8 and 9, the BRSA should deepen the analyses and strengthen its techniques, such as group-wide stress testing, to monitor and assess these risks. It is important to further improve the group-wide strategic view of the banking group operations and risks. Authorities should further improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Such planning should also consider scenarios where shocks originate from non-banking entities or parent groups. Taking into account that these shortcomings have already been reflected in other principles, particularly CP 8 and 9, the assessors considered this principle compliant.
13. Home-host relationships	LC	The BRSA has made vast efforts to improve home-host relationship during the last few years. Among several initiatives the agency has started organizing colleges, signed a number of important MoUs and removed obstacles that weakened the supervision of Turkish banks’ operations in several countries. Nevertheless, considering that some Turkish banks hold material operations abroad, it is important to improve the relationship even further. In particular, it is essential to develop a framework for cross-border crisis coordination with relevant host authorities and the development of resolution plans that pay special attention to cross border issues.
14. Corporate governance	MNC	The legal framework surrounding the corporate governance framework for banks is extensive, but very heavily focused on board responsibilities regarding internal systems (risk management, internal control, internal audit). Examination processes (GAR and specialized examinations) have required steps to check board approvals, internal structures, and processes which reflect on the governance function. The BRSA approves board and senior management appointments. In this way, the BRSA reviews the appointments process of the bank. However, the results of special examinations and supervisory processes consistently stop short of drawing conclusions, in analytical, narrative form, on the implications the findings have for critical areas that are directly linked to the examined area. These critical areas reflect directly on the corporate governance effectiveness of the bank (such as management oversight of business areas, adequacy of risk management and internal audit’s role in the subject areas, integrity of MIS that goes up to the board level, and ultimately, board oversight). As a result, supervisory observations are not easily collected in order to form a more cross-cutting, substantiated view on corporate governance and the adequacy of internal systems. Therefore, validation of the manner in which such internal systems and governance operates is not well supported. This impacts the degree to which the BRSA should place confidence in the systems that inform the board and itself, as well as the systems’ ability to generate early warning indicators of deterioration. There is no requirement for the majority of the board to be composed of non-executive members which could result in, potentially, boards being composed of a majority of executive directors with only the 2 nonexecutives as currently required by the legal framework. However, practically speaking, 10 out of 53 banks are listed and must fall under the CMB Communique on governance which requires a majority of independent directors. Consideration should be given to upgrading legislation requiring the board to be composed of a majority of nonexecutive members, and ideally, with a certain minimum of independent individuals. (The definition of “independent” should be consistent with that used by the CMB in its Communiqué on Corporate Governance.) Audit committee membership should be expanded. While some bank boards in the system have populated this committee with more members, a minimum of 2 members is considered too few in order to execute the duties assigned to it in a robust and effective manner. This is particularly so since the audit committee is considered an extension of the board and is assigned the task of internal systems oversight which includes risk management. In addition, the chair of this committee, in some banks, is also the chairman of the board which does not reflect best practice and potentially represents a conflict of interest. This committee should be expanded and should be composed of all independent directors. As well, legislation directs that audit committees have oversight responsibility for internal systems which includes risk management. Under the current audit committee structures, proper oversight of both critical areas is difficult at best. Risk management oversight responsibility should be separated from the audit committee, particularly in the more complex institutions (it was noted that one bank, in fact, constituted a separate risk management committee). While three special examinations of governance elements have been conducted, there is a need to more regularly conduct cross-cutting assessments of corporate governance in a holistic manner which would, in part, leverage recent examination results and relevant offsite information as well as information generated from any enforcement actions. Consideration could be given to introducing such a review in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance. Given the observations cited in the above ECs (board membership/objectivity, board nominations process, board committee structure and membership, management oversight and performance evaluation, succession planning, “know your structure requirements”, internal code of conduct, etc.) the BRSA should develop a more comprehensive corporate governance regulation that completes the elements of governance that already exist in guidelines and regulation. This type of instrument could be a focal point of supervisory corporate governance reviews in the future.
15. Risk management process	LC	The RICAAP forms a part of the core of the BRSA’s regulatory framework for risk management. Given that the ICAAP is a relatively recent requirement, banks’ are still developing their approach and implementing important systems. The BCP team’s review of supervisors’ working papers and discussion with banks indicated that banks as well as supervisors are, in fact, in a learning phase. The quality of banks reports and the scrutiny of the reports by supervisors will need to develop further before the results can be more reliably and more extensively used. Commensurate with their size and complexity of operations, banks should be specifically required to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities. The level of senior manager may not provide the necessary stature necessary to challenge high level risk decisions and processes. As well, while there are comprehensive requirements for the evaluation of new products, parameters should be expanded to explicitly address material modifications to existing products and major acquisitions. It should also direct banks to restrict such products or activities if they do not have the necessary controls, management, and resources to manage related risks.
16. Capital adequacy	C	The BRSA has adopted the various components of Basel II, 2.5 and III according to the framework established by the Basel Committee. Capital is calculated on a consolidated and solo basis for all banks and the BRSA has the authority to impose additional capital requirements on individual banks, as deemed necessary. The BRSA has applied the three Basel ratios (common equity tier 1, tier 1 and total capital) as well as countercyclical capital requirements, systemically important bank capital add-ons and a “capital planning buffer” that provides a forward looking nature to the capital regulation. Going forward, as the BRSA gain experience with the ICAAP, it should consider simplifications to the framework to improve its enforceability and reduce banks’ compliance burden, particularly for non-systemically important banks. Simplifications that could be considered include restrictions on diversification benefits and use of models for credit, market and operational risk that have not been authorized for the Pillar 1 capital charge. The BRSA should also evaluate the interaction with other requirements such as the 12% parallel capital charge and the Basel capital buffers to prevent the effectiveness of the Pillar 2 regime from being damaged by another more stringent requirement that in practice makes the Pillar 2 charges irrelevant.
17. Credit risk	MNC	The legal framework for credit risk is generally comprehensive. It establishes the responsibility of the board in this area, requires a framework for the credit business of banks, as well as prescribes a properly controlled credit risk environment. However, several issues exist which compromise the effectiveness the framework and its application. As prescribed in regulation and organized in practice (verified through review of credit portfolio special examinations presented by the BRSA during the assessment) the credit risk management oversight (line management function) and credit risk management function and the organization therein create loopholes in independence and integrity of credit risk monitoring and reporting to bank boards and the BRSA: 1. The framework design does not require ongoing, independent (from the business line) credit risk monitoring of large individual exposures or homogeneous portfolios. Important source data (e.g., identification of deteriorating credits, level of (accurately) classified assets, status of restructured credits, etc.) is generated by a line management function (credit monitoring) without independent verification that 1) management identification processes are accurate and timely, 2) that management, itself, is well informed of the risk and that it is running and is upholding board prescribed underwriting standards, and therefore, accurately conveying its business risk, and that 3) timely borrower intervention is activated. 2. This (unverified) information generated by the line function is source data used by the risk management functions for audit committee and board reporting and is also likely the information also reported to the BRSA for monitoring and examination purposes. Although the internal audit function plays an important role in ensuring a strong control environment, the function itself is not designed to play an ongoing surveillance role such as the independent credit risk management unit. It cannot replace the need to have such a function within the bank(s). Highlighting the issues surrounding this organizational environment, examiners, through their inspection process, have identified important, clearly inaccurate classifications of credit that could easily indicate the existence of 1 and 2 above. However, the significance of these inaccurate classifications was not clear from the examination samples reviewed. Consistently, there was no indication of the size of the sample of reviewed credits, how significant the aggregate, inaccurately classified credit was to the total portfolio, and if such findings could be extrapolated to the entire portfolio. Credit classification definitions, particularly in the special mention and substandard categories are overlapping. Evidence demonstrates that both the examiners, but especially the bankers, fluidly move credits among these categories which compromises the picture of the bank’s risk profile which accurate classification is intended to depict. As well, such movement and less rigorous classification impacts provisioning levels and ultimately, the accuracy of the bank’s financial statement. The REPL explicitly allows restructuring of loss credit which is considering in many systems to be imprudent activity as such loans are, by definition, permanently impaired and considered “nonbankable” assets. In some systems, such credits are prohibited from being restructured. The draft REPL is silent on this issue but theoretically would allow this practice. This practice should be explicitly addressed (disallowed). The manner in which the examiners present and write up the credits that they review during the special examination does not clearly depict the nature and volume of other related exposures (in the given bank) which, if presented, would help put the overall borrower relationship in context.
18. Problem assets, provisions, and reserves	MNC	The framework for credit classification and provisioning is generally adequate. However, the accuracy of asset classification by banks, and therefore the integrity of reporting to boards and the BRSA is called into question given the nature of reclassifications assigned by onsite examiners and the lack of documentation therein. Loan write ups require more support and context as well as need to present nature of collateral and provision impact. Examination conclusions focus more on internal control issues rather than higher level implications for the condition and management of the credit portfolio under examination. Given the lack of (documented) focus on the implications of important bank processes, the examination exercise missed the opportunity to identify very important linkages with and conclusions on: Management’s understanding of their business and credit risk, ability to identify deterioration proactively - thereby allowing for early intervention. Implications for internal systems => function, role, and independence of credit risk management – thereby validating the systems that the bank’s board and the BRSA depends upon in order to effectively oversee the institution. As well, these systems are key to the exercise of risk based supervision by the BRSA. Inputs to evaluate corporate governance of the bank. Accuracy of information conveyed to the board and the BRSA The historical and statistical support for standard (general) and special mention loan categories is not substantiated by accumulated loss experience. It is not clear if appraised values, within a range, are being realized upon the sale of the properties or if provisioned amounts are adequately covering loss experience on classified loans. Clear parameters should be established for periodic valuation of underlying collateral on NPL exposures.
19. Concentration risk and large exposure limits	C	The legal framework addressing concentration risk and large exposures limits is generally in line with international standards. The definition of connected parties is comprehensive. The BRSA examines and monitors various exposures including, inter alia, large exposures, concentrations by sector, product, customer, and risk group.
20. Transactions with related parties	LC	The legal and regulatory framework for related parties is comprehensive. The offsite department receives and regularly monitors reporting from banks. The onsite review process for related parties is well structured; related party exposures and the controls and board processes therein are reviewed during the onsite processes. However, there is no explicit provision that requires prior approval of related party transactions by the bank’s board. As well, no explicit provision requires approval (prior or post) of write-off of related party transactions. While Article 48 of the BL provides a comprehensive definition of “loan” and related party limitations address such, legislation does not include other non-crediting transactions within the limitations addressing related parties. Legislation should be expanded to explicitly capture all transactions, including loans, within the parameters of related party limits and requirements. The assessment team was informed that a draft revision of the BL is being prepared by the BRSA. Within this context, article 50 (a and b) may be revoked to allow board member borrowing from the bank. It will also address related party “transactions” as well. The assessment team cautions the BRSA on relaxing related party risk parameters. There are countries that continue to rigorously restrict extension of credit, as well as transactions with, related parties of the bank, including board members. This is an area which historically has proven consistently problematic in distressed bank situations. Therefore, the team advises caution in widening the scope for such exposures.
21. Country and transfer risks	C	BRSA guidance adequately captures country and transfer risk as well as other relevant risks. Banks are expected to establish country risk parameters as well as systems for monitoring exposures, including indirect foreign-exchange risk and indirect country risk. Country risk is evaluated through the CAMELS review process and via the risk matrix of the bank.
22. Market risk	C	The BRSA has adopted comprehensive regulation and guidance through which to direct banks to identify, measure, and monitor their market risk exposures. This includes parameters for valuation, stress testing, and model use. For examination purposes, these elements are largely addressed through the CAMELS rating/GAR methodology review process, and on an overall basis, during the ICAAP review. Of note, currently, specialist expertise is not deployed to evaluate the scenarios or calculation details of the stress testing exercises. Examiners review the models used to measure market risk. However, they also depend substantially on the banks’ model validation process. To deepen the work and enhance the forward looking aspect, the BRSA could consider deploying trained specialists to assess stress test approaches and mathematical integrity and to leverage resulting advice/input on specialized exams. As well, enhanced examiner expertise in the area of model evaluation could provide added assurance to the BRSA on the integrity of bank models used.
23. Interest rate risk in the banking book	C	BRSA supervision of interest rate risk is addressed through several activities. It is reviewed as a part of the overall ICAAP review process and captured as an input in the stress testing conducted therein. As well, the supervisor covers elements of interest rate risk through the GAR process, as described in EC 1 above, which is conducted onsite but not to the depth of what a special examination would require. However, specialized examinations of this area are not yet conducted. The BRSA should develop specialized examination procedures for interest rate risk where it identifies increasing or high risk areas. The BRSA should use specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise.
24. Liquidity risk	C	The BRSA has set up a comprehensive framework for liquidity regulation, monitoring, and assignment of bank responsibilities. Regulation is in some cases more rigorous than international benchmarks. A wide range of tools is in place for monitoring banks’ liquidity positions and funding experience. The CAMELS review/GAR methodology addresses liquidity, and specialized examinations are conducted when a change in trends or strategy is detected. As well, the BRSA underwent a Regulatory Consistency Assessment of its Basel III LCR regulations for which it received a “compliant” rating. However, review of onsite documents indicated that conclusions regarding liquidity, funding stability, and management processes stopped short of considering other areas of the balance sheet, growth trends, asset quality, and management processes, etc. to support conclusions. Such issues are critical to the overall review process and should be captured and clearly conveyed in examination documents to supported supervisory observations. This is particularly important given that some banks may have tight liquidity positions including relatively high loan to deposit ratios. The central bank has taken a number of steps in recent years to support the strengthening of foreign currency funding. There appears to be an opportunity to strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Given the potential foreign exchange roll over risk residing in banks’ positions, consideration could be given to increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.
25. Operational risk	C	Oversight of operational risk is anchored in RICAAP and further expanded in the GORM which comprehensively addresses relevant aspects of this risk. The supervisory process explicitly addresses this risk through the evaluation of the ICAAP process and reports submitted by banks as well as through the GAR process and as a part of MIS evaluation and controls during specialized examinations.
26. Internal control and audit	C	The legal framework is comprehensive in this area, both as it is articulated in the requirements for internal systems and separately as requirements specifically directed to the internal audit function. Review of the internal audit process is an important part of the onsite (GAR) process covered each supervisory cycle. However, targeted or specialized examinations of the internal audit process, leveraging the GAR results as well as specialized examination results as partial inputs, could enhance the validation of this important function. Such validation by the BRSA is important in order for it to maintain or increase the degree of confidence (and therefore, dependence) it can place in audit outputs as early warning indicators of shifting risk.
27. Financial reporting and external audit	C	Procedures surrounding financial reporting and external audit are well established. Accounting standards closely follow IFRS and provisioning standards are set to dovetail with the implementation of IFRS 9. Valuation procedures for financial assets are comprehensive. BRSA conducts review of valuation procedures and of valuation models as a part of the onsite examination process. Parameters for banks’ external audit process are well established.
28. Disclosure and transparency	C	Banks are required to disclose their financial statements according to TFRS and TAS, the Turkish version of IFRS and IAS, on both a solo basis and consolidated basis. Disclosure requirements for nonfinancial information are adequate. BRSA regularly evaluates the timeliness and content of external audit/annual reports for compliance with regulatory parameters and Pillar III disclosures.
29. Abuse of financial services	LC	The scope of the assessment of this principle was limited to the applicable regulation and the BRSA activities. It did not include MASAK coordinated inspections and other activities. The AML law and related regulations form the framework to prevent the abuse of financial services. The framework includes customer due diligence (CDD) rules and procedures to report suspicious transactions but have shortcomings that need to be addressed. In particular, the CDD requirements should include a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks and enhanced due diligence on politically exposed persons. The framework should also require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

Recommended Actions and Authorities’ Comments

A. Recommended Actions

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks
Reference Principle	Recommended Action
Principle 1	Subordinate the objective of development of the financial sector to the objective of financial stability in the BL.
Principle 2	Review the legislation to limit the cases that require the Minister’s involvement with BRSA activities. Improve the accountability framework to enhance the scrutiny of the activities of the agency in relation to its objectives. Create alternative arrangements that facilitate the possibility of hiring experienced experts when needed.
Principle 5	Impose requirements and assess if the bank’s board has a collective sound knowledge of the material activities the bank intends to pursue. Determine whether the home supervisor practices global consolidated supervision, for cross-border banking operations.
Principle 8	Develop a more profound risk assessment nature for the inspections. Produce a clear view on the risks faced by and posed by the bank. Derive implications of the specific findings for the broader risk assessment of the bank. Incorporate within the scope of special inspections issues that are currently addressed only during the ratings phase. Enhance the forward-looking components of the assessments: results of the ICAAP need to be more thoroughly analyzed and discussed with banks; stress tests results should play a larger role in the assessment framework and; the ratings methodology could explicitly incorporate the expected trend for each component. Require banks to develop recovery plans. Assess the resolvability of the banks.
Principle 9	Develop policies and processes to assess the effectiveness and integration of on-site and off-site functions, and address any weaknesses that are identified. Consider the case for integrating the supervisory and enforcement functions. Improve communication with banks. The BRSA should consider setting policies establishing at least one annual meeting between supervisors and the board of the bank. Important analyses done by the BRSA, such as the stress testing exercises could also be more clearly discussed with banks.
Principle 11	Incorporate the results of forward looking tools more heavily in the BRSA decision making process and act at an early stage to restore weak banks and correct unsound practices, even if formal prudential ratios have not been breached.
Principle 12	Make further efforts to monitor and manage risks arising from nonbanking and from foreign activities or parent entities of a financial group. Deepen the analyses and strengthen BRSA techniques, such as group-wide stress testing, to monitor and assess these risks. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Consider scenarios where shocks originate from nonbanking entities or parent groups in such planning.
Principle 13	Develop a framework for cross-border crisis coordination with relevant host authorities and the development of resolution plans that pay special attention to cross border issues.
Principle 14	Develop a more comprehensive corporate governance regulation (and/or introduce changes to primary law) that completes the elements of governance that already exist in guidelines and regulation. Utilize this type of instrument as a focal point for supervisory corporate governance reviews in the future. Expand the qualifications of the collective board by requiring the majority to be composed of independent directors. Provide a comprehensive definition of independent. Expand the minimum number of (independent) directors on the audit committee. As bank activities warrant, separate risk management responsibilities from the audit committee and require that banks establish risk management committees. Enhance examination conclusions in special reviews by extending conclusions to comment upon the integrity and independent of relevant internal systems, the quality of management oversight and capacity, MIS and board reporting, etc. Develop a cross-cutting, more holistic assessment methodology for corporate governance which would, in part, leverage GAR and special examination results and relevant offsite information as well as information generated from any enforcement actions. Introduce such a review in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance.
Principle 15	See P 8 recommendation on further strengthening the ICAAP process. Require banks, commensurate with their size and activities, to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities, as the current level of senior manager as head of risk management (as enumerated in law) may not provide the stature necessary to challenge high level risk decisions and processes.
Principle 17	Evaluate and revise the relevant legislative and practical aspects of banks’ credit risk monitoring and risk management organizational arrangements. Address the independence and integrity of the internal credit risk rating process and the need for independent verification of line management ratings and actions and the functions’ ability to generate early warning information. Evaluate the implications of the current structure on the integrity and accuracy of monitoring and reporting to bank boards and the BRSA. Evaluate and revise the definition of credit classifications, particularly the special mention and substandard categories, making them more concise and clear cut, thereby enhancing their application by bankers and BRSA. Enumerate the BRSA’s position on rebooking of charged off credit in the REPL.
Principle 18	Upgrade written conclusions and write ups of credits classified during the examination process in order to more clearly substantiate the context of the classified credits and implications of findings on other areas, including management oversight and capacity, risk management process and accuracy, and ultimately corporate governance and financial statement accuracy. Present additional relevant information in examiner loan write ups to further substantiate the overall credit relationship, the creditworthiness of the borrower and its impact on the overall credit exposure, and further support for the credit re-classification. Substantiate findings in credit areas where no re-classifications were determined necessary by the examiner(s). Develop historical and statistical support for required provisioning levels, documenting whether amounts are adequately covering loss experience on standard, special mention, and classified loans. Develop clear parameters for periodic valuation of underlying collateral on NPL exposures.
Principle 20	Enumerate explicit legal provisions that require prior approval of related party transactions by the bank’s board as well as board approval of related party exposures that are written off the bank’s books. Expand the requirements surrounding related parties to capture all transactions with related parties, not just loans. Exercise caution on relaxing related party risk parameters and possible revocation of parameters surrounding board member borrowings.
Principle 22	Deploy trained specialists to assess banks’ stress test approaches and the mathematical integrity therein and to leverage resulting advice/input on specialized exams. Enhance examiner expertise in the area of model evaluation to provide added assurance to the BRSA on the integrity of models used by banks.
Principle 23	Develop specialized examination procedures for interest rate risk in the banking book. Deploy specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise
Principle 24	Expand written analysis during liquidity/funding risk examinations to capture the impact of and relation to of other areas of the balance sheet, growth trends, asset quality, and management processes, etc. to support higher level conclusions. Strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Consider increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.
Principle 29	Include in the CDD framework a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks and enhanced due diligence on politically exposed persons. Require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks
Reference Principle	Recommended Action
Principle 1	Subordinate the objective of development of the financial sector to the objective of financial stability in the BL.
Principle 2	Review the legislation to limit the cases that require the Minister’s involvement with BRSA activities. Improve the accountability framework to enhance the scrutiny of the activities of the agency in relation to its objectives. Create alternative arrangements that facilitate the possibility of hiring experienced experts when needed.
Principle 5	Impose requirements and assess if the bank’s board has a collective sound knowledge of the material activities the bank intends to pursue. Determine whether the home supervisor practices global consolidated supervision, for cross-border banking operations.
Principle 8	Develop a more profound risk assessment nature for the inspections. Produce a clear view on the risks faced by and posed by the bank. Derive implications of the specific findings for the broader risk assessment of the bank. Incorporate within the scope of special inspections issues that are currently addressed only during the ratings phase. Enhance the forward-looking components of the assessments: results of the ICAAP need to be more thoroughly analyzed and discussed with banks; stress tests results should play a larger role in the assessment framework and; the ratings methodology could explicitly incorporate the expected trend for each component. Require banks to develop recovery plans. Assess the resolvability of the banks.
Principle 9	Develop policies and processes to assess the effectiveness and integration of on-site and off-site functions, and address any weaknesses that are identified. Consider the case for integrating the supervisory and enforcement functions. Improve communication with banks. The BRSA should consider setting policies establishing at least one annual meeting between supervisors and the board of the bank. Important analyses done by the BRSA, such as the stress testing exercises could also be more clearly discussed with banks.
Principle 11	Incorporate the results of forward looking tools more heavily in the BRSA decision making process and act at an early stage to restore weak banks and correct unsound practices, even if formal prudential ratios have not been breached.
Principle 12	Make further efforts to monitor and manage risks arising from nonbanking and from foreign activities or parent entities of a financial group. Deepen the analyses and strengthen BRSA techniques, such as group-wide stress testing, to monitor and assess these risks. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Consider scenarios where shocks originate from nonbanking entities or parent groups in such planning.
Principle 13	Develop a framework for cross-border crisis coordination with relevant host authorities and the development of resolution plans that pay special attention to cross border issues.
Principle 14	Develop a more comprehensive corporate governance regulation (and/or introduce changes to primary law) that completes the elements of governance that already exist in guidelines and regulation. Utilize this type of instrument as a focal point for supervisory corporate governance reviews in the future. Expand the qualifications of the collective board by requiring the majority to be composed of independent directors. Provide a comprehensive definition of independent. Expand the minimum number of (independent) directors on the audit committee. As bank activities warrant, separate risk management responsibilities from the audit committee and require that banks establish risk management committees. Enhance examination conclusions in special reviews by extending conclusions to comment upon the integrity and independent of relevant internal systems, the quality of management oversight and capacity, MIS and board reporting, etc. Develop a cross-cutting, more holistic assessment methodology for corporate governance which would, in part, leverage GAR and special examination results and relevant offsite information as well as information generated from any enforcement actions. Introduce such a review in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance.
Principle 15	See P 8 recommendation on further strengthening the ICAAP process. Require banks, commensurate with their size and activities, to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities, as the current level of senior manager as head of risk management (as enumerated in law) may not provide the stature necessary to challenge high level risk decisions and processes.
Principle 17	Evaluate and revise the relevant legislative and practical aspects of banks’ credit risk monitoring and risk management organizational arrangements. Address the independence and integrity of the internal credit risk rating process and the need for independent verification of line management ratings and actions and the functions’ ability to generate early warning information. Evaluate the implications of the current structure on the integrity and accuracy of monitoring and reporting to bank boards and the BRSA. Evaluate and revise the definition of credit classifications, particularly the special mention and substandard categories, making them more concise and clear cut, thereby enhancing their application by bankers and BRSA. Enumerate the BRSA’s position on rebooking of charged off credit in the REPL.
Principle 18	Upgrade written conclusions and write ups of credits classified during the examination process in order to more clearly substantiate the context of the classified credits and implications of findings on other areas, including management oversight and capacity, risk management process and accuracy, and ultimately corporate governance and financial statement accuracy. Present additional relevant information in examiner loan write ups to further substantiate the overall credit relationship, the creditworthiness of the borrower and its impact on the overall credit exposure, and further support for the credit re-classification. Substantiate findings in credit areas where no re-classifications were determined necessary by the examiner(s). Develop historical and statistical support for required provisioning levels, documenting whether amounts are adequately covering loss experience on standard, special mention, and classified loans. Develop clear parameters for periodic valuation of underlying collateral on NPL exposures.
Principle 20	Enumerate explicit legal provisions that require prior approval of related party transactions by the bank’s board as well as board approval of related party exposures that are written off the bank’s books. Expand the requirements surrounding related parties to capture all transactions with related parties, not just loans. Exercise caution on relaxing related party risk parameters and possible revocation of parameters surrounding board member borrowings.
Principle 22	Deploy trained specialists to assess banks’ stress test approaches and the mathematical integrity therein and to leverage resulting advice/input on specialized exams. Enhance examiner expertise in the area of model evaluation to provide added assurance to the BRSA on the integrity of models used by banks.
Principle 23	Develop specialized examination procedures for interest rate risk in the banking book. Deploy specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise
Principle 24	Expand written analysis during liquidity/funding risk examinations to capture the impact of and relation to of other areas of the balance sheet, growth trends, asset quality, and management processes, etc. to support higher level conclusions. Strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Consider increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.
Principle 29	Include in the CDD framework a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks and enhanced due diligence on politically exposed persons. Require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

B. Authorities’ Response to the Assessment⁸⁰

25. The BRSA of Turkey would like to thank the IMF, the World Bank, and the FSAP mission team for their BCP assessment work. It must be noted that the whole FSAP mission brought forward essential value added to the effectiveness of the supervisory process. BRSA intends to fully utilize the assessment outcome as an opportunity to further improve and strengthen Turkey’s banking regulation and supervision. BRSA will take into account and carefully consider recommendations drafted by the FSAP mission team both within the scope of the actions that BRSA has already started to take and for future arrangements towards increasing compliance with the Basel Core principles for effective banking supervision. In fact, BRSA has already started on some of the mission team’s recommendations and plans to work on the remaining recommendations under an appropriate timetable.

26. It must be noted that since the assessments conducted in 2006 and 2011, the bar of the standards has been raised by BCBS (the BCP methodology was revised in 2012). This assessment, consequently, is not appropriate for comparison with either previous assessments or other countries’ assessments.

27. BRSA has prepared a list of action points towards increasing compliance with the Basel Core principles for effective banking supervision. BRSA also would like to express additional arguments for some of the CPs in order to bring greater balance to the FSAP mission team’s assessment.

Responsibilities, Objectives and Powers; Independence and Accountability (Principle 1-2):

28. Although there is no explicit statement in the BL regarding financial safety and soundness is being the primary objective, it is implied in BRSA’s regulatory and supervisory functions. All regulations and sub-regulations as well as supervisory manuals issued stress the financial safety and soundness objective of BRSA. Nevertheless, BRSA will review the current objectives and consider subordinating the objective of development of the financial sector to the objective of financial stability in BL.

29. Regarding the limiting of the related ministry’s involvement with BRSA’s activities, there is an ongoing process of drafting an amendment to BL that proposes the revocation of article 105 which enables related ministry to file a lawsuit to revoke BRSB’s regulatory decisions.

30. BRSA will review its alternatives regarding the transparent scrutiny of its activities in relation to its objectives and responsibilities without hindering its independence and autonomy.

Supervisory Approach, Techniques and Tools (Principle 8-9):

31. BRSA would like to note that within the current framework of supervision, all risks that banks are exposed to as well as the financial safety and soundness of banks are adequately supervised and BRSA has a well understanding of both individual banks and banking industry as a whole. However, BRSA agrees with the assessment that supervision products need to have explicit and clear narratives about supervisory view on the risks faced by banks. In this respect, BRSA has already developed actions and started to revise its supervisory manuals and processes as part of an established ongoing improvement framework.

32. BRSA will enhance forward-looking components of its supervisory framework by incorporating an expected trend element for each CAMELS component and risk type within its ratings and risk assessment methodology. Furthermore, BRSA is planning to fully incorporate the results of ICAAP and stress tests to its supervisory framework and to increase the depth of the current analysis conducted on stress test and ICAAP results.

33. In 2013, BRSA and SDIF have jointly established a working group to conduct a self-assessment of current resolution procedures with respect to the FSB Key Attributes. Based on the recommendations of this working group, a draft legislation has been prepared to align the national framework with the above mentioned international standards. Currently, joint task group established by BRSA and the SDIF has been reviewing the technical details to finalize the mentioned draft, which includes the principles of recovery planning and resolvability assessment. BRSA will continue its efforts to decrease the gaps in its regulatory and supervisory framework regarding recovery planning and resolvability assessments.

34. In the organization of BRSA, on-site and off-site examination functions are organized under different departments. Nevertheless, there are both formal and informal communication channels between on-site and off-site functions in order to ensure effective supervision of banks. Periodic bank-specific surveillance reports and sector-wide reports are sent to on-site examiner, and off-site function is notified about the on-site supervision findings continuously. Enforcement departments, which are responsible for formal correspondence of supervisory findings, are also organized separate from on-site and off-site functions to serve as a mean for internal review and evaluation of examination products. All of the supervisory findings stated in reports are communicated to bank without exception formally by enforcement departments.

35. BRSA will review its alternatives in order to further improve coordination and integration among its on-site, off-site examination and enforcement functions.

36. On-site examiners are in constant dialogue with banks management during the regular examinations. In addition to entry and exit meetings held with senior management and audit committee members, on-site examiners hold several meetings with banks managers and directors, when needed. Furthermore, BRSA management also hold meetings with bank managers and directors (especially the audit committee members) when there is an issue to discuss, although there is no periodic meetings held with the whole board of directors. On the other hand, if there are serious issues regarding bank and the actions stated in article 68, 69 and 70 are required, the instructions are directed to BOD of the bank. In order to further improve the communication with banks, BRSA will consider establishing periodic meetings between supervisors and the board of the bank.

Corporate Governance (Principle 14)

37. The Turkish banking legislation is based on one-tier structure where the members of the board who do not have any management responsibilities are non-executive members. In practice except the general manager (CEO) who is a natural member of the board, the members generally do not have management responsibilities in the bank. In order to ensure the existence of non-executive members in the boards the BL has imposed banks to have minimum 2 non-executive board members while in practice the majority of domestic systemically important banks do have more than 2 independent members in the board. This regulation is in line with the paragraph 47 of “Guideline on Corporate Governance Principles of Banks”, issued by the Basel Committee on Banking Supervision in July 2015, stating that board of the bank should be comprised of a sufficient number of independent directors”. Furthermore, current executives (except general manager) of banks cannot be elected as board members according to BRSB resolution.

38. Besides, RICAAP Article 6 defines the non-executive members in a way that is very similar to the definition of independence given in the CMB Communiqués. Therefore, the non-executives are expected to be objective and independent from the influence of other parties according to this sub-regulation.

39. CMB’s Communiqué on Corporate Governance (CMB’s Communiqué), which is applicable to publicly traded companies including banks, requires that (1) majority of board of directors should consist of non-executive directors, (2) there should be independent directors who are able to perform their tasks without any influence from the third parties, (3) the number of independent board members should correspond to at least one thirds of the total number of members. Also, CMB’s Communiqué elaborates the required qualifications of the independent board members, which are very similar to the ones mentioned for non-executive members given in RICAAP.

40. Since 10 deposit banks in Turkish Banking Industry are publicly traded (6 of them are large scale banks), they are subject to CMB’s Communiqué. As a result, a publicly traded bank with 5 members of the board of directors is required to have at least 3 independent directors.

41. According to CMB’s Communiqué, these banks are required to include the Corporate Governance Principles Compliance Report as a separate section in their annual reports. These reports should involve explanations about the proper adoption of the CMB corporate governance principles (as articulated in the Communiqué) and the conflicts of interest resulting from not wholly adopting these principles. Furthermore, in these reports, banks are required to disclose the structure of their board of directors, with reference to the number of non-executive as well as the number of independent directors.

42. According to the above mentioned corporate governance compliance reports, number of board members of the large scaled publicly traded banks range between 9 and 14. Five of these banks have 2 members and one of them has 5 members in their audit committee. In addition to the independent members, who are also non-executive and members of the audit committee, publicly traded banks have additional independent members in order to meet the requirements of the CMB’s Communiqué. In that context, five of the large scaled publicly traded banks have 3 and one of them has 5 independent members. All of these banks have the non-executive directors corresponding to the majority of the total number of members, the number of non-executive directors ranging between five and ten. In all cases, the chairman of the board of directors is nonexecutive.

43. With regard to the independency and objectivity of the board, principle 3 of the RCGP requires the board of directors to be able to make independent evaluations about the operations of the bank. In that context, the board of directors should make objective recommendations and should consist of a sufficient number and composition of members providing the basis for a decision making process free of any influence from other parties and free of conflicts of interest.

44. Furthermore, BRSA has communicated its expectations to banks regarding corporate governance principles through RICAAP, RCGB and the best practice guidelines issued recently.

45. Nevertheless, for following the recommendations of FSAP mission team, BRSA will review its current regulatory framework for Corporate Governance and will consider expanding the qualifications of the collective board, reviewing its definition of “nonexecutive/independent member”, expanding the minimum number of directors on the audit committee and explicitly requiring banks to establish risk committees.

46. Currently, governance structures of banks are examined in detail within the scope of Special Inspections conducted for Organization, Management and Strategy. In fact, in 2014 and 2015 three Special Examinations were conducted in three banks and those examinations focused on corporate governance issues. Besides, effectiveness and efficiency of corporate governance structure is also assessed during CRRE process based on a number of criteria under the component of “M”anagement. This assessment mainly focuses on effectiveness of board oversight, capabilities of board of directors, board meetings, implementation of policies and procedures approved by board, treatment of exceptions to limits or policies and procedures, contents of Board MIS. The conclusions from this assessment affect the Management component rating and the final rating of the bank.

47. Furthermore, during Special Inspections conducted in other areas like loan portfolio or liquidity, if examiners identify an issue that may be an indicator for a serious weakness in corporate governance structure of bank, it is most certainly included in report in writing and it is communicated to the bank immediately before the examination is finalized.

48. In order to further improve its supervisory framework for corporate governance, BRSA will enhance its examination procedures for corporate governance issues in order to incorporate clear narratives on implications of supervisory findings over integrity of internal systems, quality of management oversight and capacity, MIS. BRSA will also consider conducting holistic assessment for corporate governance in an appropriate time frame.

Credit Risk, Problem Assets, Provisions and Reserves (Principle 17-18)

49. In Turkey, organization of Credit Risk Management in banks, which is governed by RICAAP and GCM, has four key parts: active board and senior management oversight over credit function, adequate loan policies and procedures, adequate credit risk measurement, monitoring and MIS, adequate internal control and internal audit functions over loan activities.

50. Risk Management Unit within internal systems and credit monitoring departments are parts of the credit risk management framework together with credit operations (back office), financial control, internal control and internal audit functions etc.

51. According to GCM, loan activities of banks should be organized in a way that enables functional segregation of duties and prevents any conflict of interest. In practice, in line with the principles stated in GCM, loan activities of banks are organized under three main functions generally: marketing, underwriting and monitoring, which are all line management functions. GCM requires banks to establish these three functions separately without causing any conflict of interest.

52. Banks are required to have information systems that enable credit monitoring department to conduct those functions on the basis of customer, group, and portfolio. According to GCM Principle 7, banks’ information systems related to credit monitoring are required to be based on reliable data and should be validated periodically.

53. Besides to credit monitoring departments, internal audit is also an important function in credit risk management framework. According to GCM, loan activities of banks are reviewed regularly by internal systems units. Accuracy and reliability of reports submitted to the board of directors and the audit committee is also reviewed by internal audit units according to RICAAP article 21.

54. According to REPL, banks are required to review their loan portfolio in terms of classification at least quarterly and they are required to document those review for the largest 200 loans (or the ones above 250.000 TL). The loan review documentation for the largest 200 loans is usually prepared by internal audit. Besides, internal audit units conduct loan review within the scope of regular audit activities.

55. The adequacy of banks’ credit risk management is assessed regularly by on-site examinations both in Special Inspections and CRRE process. Loan activities are frequently subjected to Special Inspections. In fact, in 2014 and 2015, 70 Special Inspections were conducted in 27 banks. During Special Inspections, both size of the credit risk and the adequacy of the credit risk management are assessed. If any weakness is identified during these special inspections, the issues are communicated to banks both during the inspections and the formal correspondence stage. Furthermore, the conclusions from special inspections are fed into CRRE process in which the final rating of the bank is assigned.

56. Therefore, banks in Turkey have generally well established credit risk monitoring structures and these structures are adequately supervised by BRSA. Nevertheless, following the recommendations drafted by FSAP mission team, BRSA will review regulatory and practical aspects of credit risk monitoring and risk management organizational arrangements in order to further improve the independence, effectiveness and efficiency of the credit risk management organizations in banks. Also, BRSA is planning to increase the standardization in examiner loan write-up so that they include all relevant information needed to further substantiate the overall credit relationship, the creditworthiness of the borrower and its impact on the overall credit exposure, and to incorporate clear narratives in loan review reports regarding implications of findings on other areas such as management oversight and capacity, risk management process and corporate governance.

57. Furthermore, BRSA will consider reviewing current definition of credit classifications in order to make them more concise and clear cut.

58. To conclude, BRSA has recently issued an extensive number of best practice guidelines and made numerous changes in regulations in order to increase compliance level of its regulatory framework to international best practices. Although there is a natural time gap between regulations and implementations, BRSA has committed itself to increasing compliance level of its regulatory and supervisory framework and will take the remaining recommendations of FSAP mission in the Report into consideration for future arrangements towards increasing compliance with the Basel Core principles for effective banking supervision.

This Detailed Assessment Report has been prepared by Caio Fonseca Ferreira, IMF and Laura Ard, World Bank.

http://www.fsb.org/wp-content/uploads/Turkey-peer-review-report-19Nov15.pdf.

In this document, “banking group” includes the holding company, the bank and its offices, subsidiaries, affiliates and joint ventures, both domestic and foreign. Risks from other entities in the wider group, for example non-bank (including non-financial) entities, may also be relevant. This group-wide approach to supervision goes beyond accounting consolidation.

The activities of authorising banks, ongoing supervision and corrective actions are elaborated in the subsequent Principles.

Such authority is called “the supervisor” throughout this paper, except where the longer form “the banking supervisor” has been necessary for clarification.

In this document, “risk profile” refers to the nature and scale of the risk exposures undertaken by a bank.

In this document, “systemic importance” is determined by the size, interconnectedness, substitutability, global or cross-jurisdictional activity (if any), and complexity of the bank, as set out in the BCBS paper on Global systemically important banks: assessment methodology and the additional loss absorbency requirement, November 2011.

Please refer to Principle 1, Essential Criterion 1.

Principle 3 is developed further in the Principles dealing with “Consolidated supervision” (12), “Home-host relationships” (13) and “Abuse of financial services” (29).

The Committee recognizes the presence in some countries of non-banking financial institutions that take deposits but may be regulated differently from banks. These institutions should be subject to a form of regulation commensurate to the type and size of their business and, collectively, should not hold a significant proportion of deposits in the financial system.

This document refers to a governance structure composed of a board and senior management. The Committee recognizes that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier board structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, in contrast, use a one-tier board structure in which the board has a broader role. Owing to these differences, this document does not advocate a specific board structure. Consequently, in this document, the terms “board” and “senior management” are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.

Therefore, shell banks shall not be licensed. (Reference document: BCBS paper on shell banks, January 2003.)

Please refer to Principle 14, Essential Criterion 8.

Please refer to Principle 29.

While the term “supervisor” is used throughout Principle 6, the Committee recognizes that in a few countries these issues might be addressed by a separate licensing authority.

In the case of major acquisitions, this determination may take into account whether the acquisition or investment creates obstacles to the orderly resolution of the bank.

Please refer to Footnote 33 under Principle 7, Essential Criterion 3

On-site work is used as a tool to provide independent verification that adequate policies, procedures and controls exist at banks, determine that information reported by banks is reliable, obtain additional information on the bank and its related companies needed for the assessment of the condition of the bank, monitor the bank’s follow-up on supervisory concerns, etc.

Off-site work is used as a tool to regularly review and analyze the financial condition of banks, follow up on matters requiring further attention, identify and evaluate developing risks and help identify the priorities, scope of further off-site and on-site work, etc.

Please refer to Principle 10.

In the context of this Principle, “prudential reports and statistical returns” are distinct from and in addition to required accounting reports. The former are addressed by this Principle, and the latter are addressed in Principle 27.

Please refer to Principle 2.

Please refer to Principle 1, Essential Criterion 5.

As of May 31, 2016, 1 TL equals 0.34 US$

Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.

Maybe external auditors or other qualified external parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions. External experts may conduct reviews used by the supervisor, yet it is ultimately the supervisor that must be satisfied with the results of the reviews conducted by such external experts.

Please refer to Principle 1.

Please refer to footnote 19 under Principle 1.

Please refer to Principle 16, Additional Criterion 2.

See Illustrative example of information exchange in colleges of the October 2010 BCBS Good practice principles on supervisory colleges for further information on the extent of information sharing expected.

Please refer to footnote 27 under Principle 5.

http://www.cmb.gov.tr/apps/teblig/displayteblig.aspx?id=479&ct=f&action=displayfile

The OECD (OECD glossary of corporate governance-related terms in “Experiences from the Regional Corporate Governance Roundtables”, 2003, www.oecd.org/dataoecd/19/26/23742340.pdf.) defines “duty of care” as “The duty of a board member to act on an informed and prudent basis in decisions with respect to the company. Often interpreted as requiring the board member to approach the affairs of the company in the same way that a ‘prudent man’ would approach their own affairs. Liability under the duty of care is frequently mitigated by the business judgment rule.” The OECD defines “duty of loyalty” as “The duty of the board member to act in the interest of the company and shareholders. The duty of loyalty should prevent individual board members from acting in their own interest, or the interest of another individual or group, at the expense of the company and all shareholders.”

“Risk appetite” reflects the level of aggregate risk that the bank’s Board is willing to assume and manage in the pursuit of the bank’s business objectives. Risk appetite may include both quantitative and qualitative elements, as appropriate, and encompass a range of measures. For the purposes of this document, the terms “risk appetite” and “risk tolerance” are treated synonymously.

For the purposes of assessing risk management by banks in the context of Principles 15 to 25, a bank’s risk management framework should take an integrated “bank-wide” perspective of the bank’s risk exposure, encompassing the bank’s individual business lines and business units. Where a bank is a member of a group of companies, the risk management framework should in addition cover the risk exposure across and within the “banking group” (see footnote 19 under Principle 1) and should also take account of risks posed to the bank or members of the banking group through other entities in the wider group.

To some extent the precise requirements may vary from risk type to risk type (Principles 15 to 25) as reflected by the underlying reference documents.

It should be noted that while, in this and other Principles, the supervisor is required to determine that banks’ risk management policies and processes are being adhered to, the responsibility for ensuring adherence remains with a bank’s Board and senior management.

New products include those developed by the bank or by a third party and purchased or distributed by the bank.

The Core Principles do not require a jurisdiction to comply with the capital adequacy regimes of Basel I, Basel II and/or Basel III. The Committee does not consider implementation of the Basel-based framework a prerequisite for compliance with the Core Principles, and compliance with one of the regimes is only required of those jurisdictions that have declared that they have voluntarily implemented it.

The Basel Capital Accord was designed to apply to internationally active banks, which must calculate and apply capital adequacy ratios on a consolidated basis, including subsidiaries undertaking banking and financial business. Jurisdictions adopting the Basel II and Basel III capital adequacy frameworks would apply such ratios on a fully consolidated basis to all internationally active banks and their holding companies; in addition, supervisors must test that banks are adequately capitalized on a stand-alone basis.

Reference documents: Enhancements to the Basel II framework, July 2009 and: International convergence of capital measurement and capital standards: a revised framework, comprehensive version, June 2006.

In assessing the adequacy of a bank’s capital levels in light of its risk profile, the supervisor critically focuses, among other things, on (a) the potential loss absorbency of the instruments included in the bank’s capital base, (b) the appropriateness of risk weights as a proxy for the risk profile of its exposures, (c) the adequacy of provisions and reserves to cover loss expected on its exposures and (d) the quality of its risk management and controls. Consequently, capital requirements may vary from bank to bank to ensure that each bank is operating with the appropriate level of capital to support the risks it is running and the risks it poses.

“Stress testing” comprises a range of activities from simple sensitivity analysis to more complex scenario analyses and reverses stress testing.

Please refer to Principle 12, Essential Criterion 7.

Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.

Credit risk may result from the following: on-balance sheet and off-balance sheet exposures, including loans and advances, investments, inter-bank lending, derivative transactions, securities financing transactions and trading activities.

Counterparty credit risk includes credit risk exposures arising from OTC derivative and other financial instruments.

“Assuming” includes the assumption of all types of risk that give rise to credit risk, including credit risk or counterparty risk associated with various financial instruments.

Principle 17 covers the evaluation of assets in greater detail; Principle 18 covers the management of problem assets.

Reserves for the purposes of this Principle are “below the line” non-distributable appropriations of profit required by a supervisor in addition to provisions (“above the line” charges to profit).

It is recognized that there are two different types of off-balance sheet exposures: those that can be unilaterally cancelled by the bank (based on contractual arrangements and therefore may not be subject to provisioning), and those that cannot be unilaterally cancelled.

Export trade 0%.

general provision is 2.5% for group SME credits that have had their loans extended, for group-cash commercial corporate = 5%.

Retail loans carry a higher provisioning rate due to efforts to slow credit growth in this area. General provisions for retail loans excl mortgages and credit cards = 4%. Provisioning requirements go up to 10% for group retail loans that have been extended.

Connected counterparties may include natural persons as well as a group of companies related financially or by common ownership, management or any combination thereof.

This includes credit concentrations through exposure to: single counterparties and groups of connected counterparties both direct and indirect (such as through exposure to collateral or to credit protection provided by a single counterparty), counterparties in the same industry, economic sector or geographic region and counterparties whose financial performance is dependent on the same activity or commodity as well as off-balance sheet exposures (including guarantees and other commitments) and also market and other risk concentrations where a bank is overly exposed to particular asset classes, products, collateral, or currencies.

The measure of credit exposure, in the context of large exposures to single counterparties and groups of connected counterparties, should reflect the maximum possible loss from their failure (i.e., it should encompass actual claims and potential claims as well as contingent liabilities). The risk weighting concept adopted in the Basel capital standards should not be used in measuring credit exposure for this purpose as the relevant risk weights were devised as a measure of credit risk on a basket basis and their use for measuring credit concentrations could significantly underestimate potential losses (see “Measuring and controlling large credit exposures, January 1991).

Such requirements should, at least for internationally active banks, reflect the applicable Basel standards. As of September 2012, a new Basel standard on large exposures is still under consideration.

Related parties can include, among other things, the bank’s subsidiaries, affiliates, and any party (including their subsidiaries, affiliates and special purpose entities) that the bank exerts control over or that exerts control over the bank, the bank’s major shareholders, Board members, senior management and key staff, their direct and related interests, and their close family members as well as corresponding persons in affiliated companies.

Related party transactions include on-balance sheet and off-balance sheet credit exposures and claims, as well as, dealings such as service contracts, asset purchases and sales, construction contracts, lease agreements, derivative transactions, borrowings, and write-offs. The term transaction should be interpreted broadly to incorporate not only transactions that are entered into with related parties but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.

An exception may be appropriate for beneficial terms that are part of overall remuneration packages (e.g., staff receiving credit at favorable rates).

Country risk is the risk of exposure to loss caused by events in a foreign country. The concept is broader than sovereign risk as all forms of lending or investment activity whether to/with individuals, corporate, banks or governments are covered.

Transfer risk is the risk that a borrower will not be able to convert local currency into foreign exchange and so will be unable to make debt service payments in foreign currency. The risk normally arises from exchange restrictions imposed by the government in the borrower’s country. (Reference document: IMF paper on External Debt Statistics – Guide for compilers and users, 2003.)

Wherever “interest rate risk” is used in this Principle the term refers to interest rate risk in the banking book. Interest rate risk in the trading book is covered under Principle 22.

Reference Document: Basel III: The Liquidity Coverage Ratio and liquidity risk monitoring tools, January 2013, BCBS.

The Committee has defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.

Business units imply basic units such as corporate financing, retail banking etc.

In assessing independence, supervisors give due regard to the control systems designed to avoid conflicts of interest in the performance measurement of staff in the compliance, control and internal audit functions. For example, the remuneration of such staff should be determined independently of the business lines that they oversee.

The term “compliance function” does not necessarily denote an organizational unit. Compliance staff may reside in operating business units or local subsidiaries and report up to operating business line management or local management, provided such staff also have a reporting line through to the head of compliance who should be independent from business lines.

The term “internal audit function” does not necessarily denote an organizational unit. Some countries allow small banks to implement a system of independent reviews, e.g., conducted by external experts, of key internal controls as an alternative.

In this Essential Criterion, the supervisor is not necessarily limited to the banking supervisor. The responsibility for ensuring that financial statements are prepared in accordance with accounting policies and practices may also be vested with securities and market supervisors.

Link to Turkish version of TSA 320: https://www.kgk.gov.tr/contents/files/BDS/BDS_320.pdf

http://www.kgk.gov.tr/eng/contents/files/Pdf/Bagimsiz-Denetim-Yonetmeligi eng.pdf

For the purposes of this Essential Criterion, the disclosure requirement may be found in applicable accounting, stock exchange listing, or other similar rules, instead of or in addition to directives issued by the supervisor.

http://www.cmb.gov.tr/apps/teblig/displayteblig.aspx?id = 501&ct=f&action=displayfile

http://www.bddk.org.tr/WebSitesi/enqlish/Statistical Data/Statistical Data.aspx

The Committee is aware that, in some jurisdictions, other authorities, such as a financial intelligence unit (FIU), rather than a banking supervisor, may have primary responsibility for assessing compliance with laws and regulations regarding criminal activities in banks, such as fraud, money laundering and the financing of terrorism. Thus, in the context of this Principle, “the supervisor” might refer to such other authorities, in particular in Essential Criteria 7, 8 and 10. In such jurisdictions, the banking supervisor cooperates with such authorities to achieve adherence with the criteria mentioned in this Principle.

Consistent with international standards, banks are to report suspicious activities involving cases of potential money laundering and the financing of terrorism to the relevant national centre, established either as an independent governmental authority or within an existing authority or authorities that serves as an FIU.

These could be external auditors or other qualified parties, commissioned with an appropriate mandate, and subject to appropriate confidentiality restrictions.

If no such response is provided within a reasonable time frame, the assessors should note this explicitly and provide a brief summary of the authorities’ initial response provided during the discussion between the authorities and the assessors at the end of the assessment mission (“wrap-up meeting”).

Same Series

Other Publishers

Save
Cite
Email this content

Share Link

Copy this link, or click below to email it to a friend
Email this content
or copy the link directly:

https://www.elibrary.imf.org/view/journals/002/2017/046/article-A001-en.xml
The link was not copied. Your current browser may not support copying via this button.

Link copied successfully

Collapse
Expand

Turkey: Financial Sector Assessment Program-Detailed Assessment of Observance of the Basel Core Principles for Effective Banking Supervision

Author:

International Monetary Fund. Monetary and Capital Markets Department

Volume/Issue:: Volume 2017: Issue 046

Publisher:: International Monetary Fund

ISBN:: 9781475576894

ISSN:: 1934-7685

Pages:: 249

DOI:: https://doi.org/10.5089/9781475576894.002

Keywords
List of Regulations
Introduction1
Institutional and Market Structure—Overview
Preconditions for Effective Banking Supervision
- Macroeconomic and Financial Sector Policies
- Public Infrastructure
Detailed Assessment
- A. Supervisory Powers, Responsibilities, and Functions
- B. Prudential Regulations and Requirements
Summary Compliance with the Basel Core Principles
Recommended Actions and Authorities’ Comments
- A. Recommended Actions
- B. Authorities’ Response to the Assessment80

View raw image

Figure 1.

A Bank Dominated Financial Sector

View raw image

Figure 2.

A Mid-sized Banking System Characteristics

Recommended Actions to Improve Compliance with the Basel Core Principles and the Effectiveness of Regulatory and Supervisory Frameworks
Reference Principle	Recommended Action
Principle 1	Subordinate the objective of development of the financial sector to the objective of financial stability in the BL.
Principle 2	Review the legislation to limit the cases that require the Minister’s involvement with BRSA activities. Improve the accountability framework to enhance the scrutiny of the activities of the agency in relation to its objectives. Create alternative arrangements that facilitate the possibility of hiring experienced experts when needed.
Principle 5	Impose requirements and assess if the bank’s board has a collective sound knowledge of the material activities the bank intends to pursue. Determine whether the home supervisor practices global consolidated supervision, for cross-border banking operations.
Principle 8	Develop a more profound risk assessment nature for the inspections. Produce a clear view on the risks faced by and posed by the bank. Derive implications of the specific findings for the broader risk assessment of the bank. Incorporate within the scope of special inspections issues that are currently addressed only during the ratings phase. Enhance the forward-looking components of the assessments: results of the ICAAP need to be more thoroughly analyzed and discussed with banks; stress tests results should play a larger role in the assessment framework and; the ratings methodology could explicitly incorporate the expected trend for each component. Require banks to develop recovery plans. Assess the resolvability of the banks.
Principle 9	Develop policies and processes to assess the effectiveness and integration of on-site and off-site functions, and address any weaknesses that are identified. Consider the case for integrating the supervisory and enforcement functions. Improve communication with banks. The BRSA should consider setting policies establishing at least one annual meeting between supervisors and the board of the bank. Important analyses done by the BRSA, such as the stress testing exercises could also be more clearly discussed with banks.
Principle 11	Incorporate the results of forward looking tools more heavily in the BRSA decision making process and act at an early stage to restore weak banks and correct unsound practices, even if formal prudential ratios have not been breached.
Principle 12	Make further efforts to monitor and manage risks arising from nonbanking and from foreign activities or parent entities of a financial group. Deepen the analyses and strengthen BRSA techniques, such as group-wide stress testing, to monitor and assess these risks. Improve the recovery and resolution planning of large banking groups particularly once the necessary power is given to the supervisor by the expected new legislation. Consider scenarios where shocks originate from nonbanking entities or parent groups in such planning.
Principle 13	Develop a framework for cross-border crisis coordination with relevant host authorities and the development of resolution plans that pay special attention to cross border issues.
Principle 14	Develop a more comprehensive corporate governance regulation (and/or introduce changes to primary law) that completes the elements of governance that already exist in guidelines and regulation. Utilize this type of instrument as a focal point for supervisory corporate governance reviews in the future. Expand the qualifications of the collective board by requiring the majority to be composed of independent directors. Provide a comprehensive definition of independent. Expand the minimum number of (independent) directors on the audit committee. As bank activities warrant, separate risk management responsibilities from the audit committee and require that banks establish risk management committees. Enhance examination conclusions in special reviews by extending conclusions to comment upon the integrity and independent of relevant internal systems, the quality of management oversight and capacity, MIS and board reporting, etc. Develop a cross-cutting, more holistic assessment methodology for corporate governance which would, in part, leverage GAR and special examination results and relevant offsite information as well as information generated from any enforcement actions. Introduce such a review in order to enhance and better substantiate conclusions on the adequacy of a bank’s corporate governance.
Principle 15	See P 8 recommendation on further strengthening the ICAAP process. Require banks, commensurate with their size and activities, to have qualified CROs with sufficient stature, position and authority within the organization to oversee risk management activities, as the current level of senior manager as head of risk management (as enumerated in law) may not provide the stature necessary to challenge high level risk decisions and processes.
Principle 17	Evaluate and revise the relevant legislative and practical aspects of banks’ credit risk monitoring and risk management organizational arrangements. Address the independence and integrity of the internal credit risk rating process and the need for independent verification of line management ratings and actions and the functions’ ability to generate early warning information. Evaluate the implications of the current structure on the integrity and accuracy of monitoring and reporting to bank boards and the BRSA. Evaluate and revise the definition of credit classifications, particularly the special mention and substandard categories, making them more concise and clear cut, thereby enhancing their application by bankers and BRSA. Enumerate the BRSA’s position on rebooking of charged off credit in the REPL.
Principle 18	Upgrade written conclusions and write ups of credits classified during the examination process in order to more clearly substantiate the context of the classified credits and implications of findings on other areas, including management oversight and capacity, risk management process and accuracy, and ultimately corporate governance and financial statement accuracy. Present additional relevant information in examiner loan write ups to further substantiate the overall credit relationship, the creditworthiness of the borrower and its impact on the overall credit exposure, and further support for the credit re-classification. Substantiate findings in credit areas where no re-classifications were determined necessary by the examiner(s). Develop historical and statistical support for required provisioning levels, documenting whether amounts are adequately covering loss experience on standard, special mention, and classified loans. Develop clear parameters for periodic valuation of underlying collateral on NPL exposures.
Principle 20	Enumerate explicit legal provisions that require prior approval of related party transactions by the bank’s board as well as board approval of related party exposures that are written off the bank’s books. Expand the requirements surrounding related parties to capture all transactions with related parties, not just loans. Exercise caution on relaxing related party risk parameters and possible revocation of parameters surrounding board member borrowings.
Principle 22	Deploy trained specialists to assess banks’ stress test approaches and the mathematical integrity therein and to leverage resulting advice/input on specialized exams. Enhance examiner expertise in the area of model evaluation to provide added assurance to the BRSA on the integrity of models used by banks.
Principle 23	Develop specialized examination procedures for interest rate risk in the banking book. Deploy specialized expertise with which to evaluate scenarios and assumptions used for more complex stress testing as well as to review model validations during onsite examinations or, as an offsite exercise
Principle 24	Expand written analysis during liquidity/funding risk examinations to capture the impact of and relation to of other areas of the balance sheet, growth trends, asset quality, and management processes, etc. to support higher level conclusions. Strengthen liaison between the BRSA and the CBRT on the monitoring and management of foreign liquidity risk. Consider increasing the ultimate target for the FX LCR from 80% to 100% to further strengthen the management of liquidity risk.
Principle 29	Include in the CDD framework a customer acceptance policy that identifies business relationships that the bank will not accept based on identified risks and enhanced due diligence on politically exposed persons. Require banks to report to the BRSA suspicious activities and incidents of fraud when such activities/incidents are material to the safety and soundness or reputation of the bank.

Topics

Countries

Series

About

Resources

Abstract

List of Regulations

Introduction1

Institutional and Market Structure—Overview

Preconditions for Effective Banking Supervision

Macroeconomic and Financial Sector Policies

Public Infrastructure

Detailed Assessment

A. Supervisory Powers, Responsibilities, and Functions

B. Prudential Regulations and Requirements

Summary Compliance with the Basel Core Principles

Recommended Actions and Authorities’ Comments

A. Recommended Actions

B. Authorities’ Response to the Assessment80

Same Series

Other IMF Content

Other Publishers

Inter-American Development Bank

The World Bank

Share Link

Table of Contents

Headings

Figures

Metrics

Introduction¹

B. Authorities’ Response to the Assessment⁸⁰